diff --git a/rules/application/app_python_sql_exceptions.yml b/rules/application/app_python_sql_exceptions.yml
index fe5169085..6523adc2d 100644
--- a/rules/application/app_python_sql_exceptions.yml
+++ b/rules/application/app_python_sql_exceptions.yml
@@ -1,4 +1,5 @@
 title: Python SQL Exceptions
+id: 19aefed0-ffd4-47dc-a7fc-f8b1425e84f9
 description: Generic rule for SQL exceptions in Python according to PEP 249
 author: Thomas Patzke
 references:
diff --git a/rules/application/app_sqlinjection_errors.yml b/rules/application/app_sqlinjection_errors.yml
index debae7fa3..dd411340d 100644
--- a/rules/application/app_sqlinjection_errors.yml
+++ b/rules/application/app_sqlinjection_errors.yml
@@ -1,4 +1,5 @@
 title: Suspicious SQL Error Messages
+id: 8a670c6d-7189-4b1c-8017-a417ca84a086
 status: experimental
 description: Detects SQL error messages that indicate probing for an injection attack
 author: Bjoern Kimminich
diff --git a/rules/application/appframework_django_exceptions.yml b/rules/application/appframework_django_exceptions.yml
index fd5302b4b..b44075737 100644
--- a/rules/application/appframework_django_exceptions.yml
+++ b/rules/application/appframework_django_exceptions.yml
@@ -1,4 +1,5 @@
 title: Django framework exceptions
+id: fd435618-981e-4a7c-81f8-f78ce480d616
 description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
 references:
diff --git a/rules/application/appframework_ruby_on_rails_exceptions.yml b/rules/application/appframework_ruby_on_rails_exceptions.yml
index 06513dfef..e87751afd 100644
--- a/rules/application/appframework_ruby_on_rails_exceptions.yml
+++ b/rules/application/appframework_ruby_on_rails_exceptions.yml
@@ -1,4 +1,5 @@
 title: Ruby on Rails framework exceptions
+id: 0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a
 description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
 author: Thomas Patzke
 references:
diff --git a/rules/application/appframework_spring_exceptions.yml b/rules/application/appframework_spring_exceptions.yml
index c3931636d..c05bd82ca 100644
--- a/rules/application/appframework_spring_exceptions.yml
+++ b/rules/application/appframework_spring_exceptions.yml
@@ -1,4 +1,5 @@
 title: Spring framework exceptions
+id: ae48ab93-45f7-4051-9dfe-5d30a3f78e33
 description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
 references:
diff --git a/rules/apt/apt_apt29_thinktanks.yml b/rules/apt/apt_apt29_thinktanks.yml
index 2fdc7af0d..fe907c490 100644
--- a/rules/apt/apt_apt29_thinktanks.yml
+++ b/rules/apt/apt_apt29_thinktanks.yml
@@ -1,5 +1,6 @@
-title: APT29
-description: 'This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks'
+title: APT29
+id: 033fe7d6-66d1-4240-ac6b-28908009c71f
+description: This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks
 references:
 - https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
 tags:
diff --git a/rules/apt/apt_apt29_tor.yml b/rules/apt/apt_apt29_tor.yml
index b3fd89d18..9e4f8f982 100755
--- a/rules/apt/apt_apt29_tor.yml
+++ b/rules/apt/apt_apt29_tor.yml
@@ -1,7 +1,8 @@
----
 action: global
 title: APT29 Google Update Service Install
-description: 'This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe so the service names and executable locations used by APT29 are specific enough to be detected in log files.'
+id: c069f460-2b87-4010-8dcf-e45bab362624
+description: This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
+ so the service names and executable locations used by APT29 are specific enough to be detected in log files.
 references:
 - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
 tags:
diff --git a/rules/apt/apt_babyshark.yml b/rules/apt/apt_babyshark.yml
index e0d83a198..fe7bc28c5 100644
--- a/rules/apt/apt_babyshark.yml
+++ b/rules/apt/apt_babyshark.yml
@@ -1,4 +1,5 @@
 title: Baby Shark Activity
+id: 2b30fa36-3a18-402f-a22d-bf4ce2189f35
 status: experimental
 description: Detects activity that could be related to Baby Shark malware
 references:
diff --git a/rules/apt/apt_bear_activity_gtr19.yml b/rules/apt/apt_bear_activity_gtr19.yml
index 00696a713..b8062c123 100644
--- a/rules/apt/apt_bear_activity_gtr19.yml
+++ b/rules/apt/apt_bear_activity_gtr19.yml
@@ -1,4 +1,5 @@
 title: Judgement Panda Exfil Activity
+id: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee
 description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
 references:
 - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
diff --git a/rules/apt/apt_carbonpaper_turla.yml b/rules/apt/apt_carbonpaper_turla.yml
index e8ce84234..3770c4d38 100755
--- a/rules/apt/apt_carbonpaper_turla.yml
+++ b/rules/apt/apt_carbonpaper_turla.yml
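Review bot: The new `description` in apt_apt29_tor.yml is a plain scalar split across two physical lines by the re-wrap, so its value now depends on YAML line folding and on the continuation line staying indented deeper than the key; a folded block scalar makes that explicit and survives later edits, i.e. `description: >-` followed by the two text lines indented beneath it (the backslashes in the `C:\Program Files (x86)\...` path stay literal in either form). The same wrapped plain scalars are emitted in apt_unidentified_nov_18.yml, cleartext_protocols.yml, default_credentials_usage.yml and workstation_was_locked.yml later in this commit. The hunk also drops the leading `---` while `action: global` keeps the file multi-document; yamllint's document-start rule expects the explicit marker that was there before, and the same removal appears in apt_chafer_mar18.yml, apt_empiremonkey.yml, apt_pandemic.yml, apt_slingshot.yml, apt_turla_commands.yml and apt_unidentified_nov_18.yml. The detection part of the rule is outside the hunk.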
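Review bot: apt_bear_activity_gtr19.yml keeps `title: Judgement Panda Exfil Activity` while its `description` says it detects Russian group activity, and apt_judgement_panda_gtr19.yml later in this commit carries the identical title; now that each rule receives its own `id`, the titles should be distinct too, since the title is what analysts see on an alert. The title here looks copied from the sibling rule — something like `title: Bear Activity GTR19` (or whatever the referenced report calls this activity) would match the filename and the description. The detection section is outside the hunk, so I cannot confirm from here which group's tradecraft it actually matches.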
@@ -1,5 +1,6 @@
 title: Turla Service Install
-description: 'This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET'
+id: 1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4
+description: This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET
 references:
 - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
 tags:
diff --git a/rules/apt/apt_chafer_mar18.yml b/rules/apt/apt_chafer_mar18.yml
index 3b8b0cf00..2ed718dbe 100755
--- a/rules/apt/apt_chafer_mar18.yml
+++ b/rules/apt/apt_chafer_mar18.yml
@@ -1,7 +1,7 @@
----
 action: global
 title: Chafer Activity
-description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
+id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
+description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
 references:
 - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
 tags:
diff --git a/rules/apt/apt_cloudhopper.yml b/rules/apt/apt_cloudhopper.yml
index 8591f4138..025300a22 100755
--- a/rules/apt/apt_cloudhopper.yml
+++ b/rules/apt/apt_cloudhopper.yml
@@ -1,4 +1,5 @@
 title: WMIExec VBS Script
+id: 966e4016-627f-44f7-8341-f394905c361f
 description: Detects suspicious file execution by wscript and cscript
 author: Florian Roth
 references:
diff --git a/rules/apt/apt_dragonfly.yml b/rules/apt/apt_dragonfly.yml
index 34ce2970f..9c5349fbe 100755
--- a/rules/apt/apt_dragonfly.yml
+++ b/rules/apt/apt_dragonfly.yml
@@ -1,8 +1,9 @@
-title: CrackMapExecWin
+title: CrackMapExecWin
+id: 04d9079e-3905-4b70-ad37-6bdf11304965
 description: Detects CrackMapExecWin Activity as Described by NCSC
 status: experimental
 references:
- - https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control
+ - https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control
 tags:
 - attack.g0035
 author: Markus Neis
diff --git a/rules/apt/apt_elise.yml b/rules/apt/apt_elise.yml
index 1d4cd9b11..f64210d2c 100755
--- a/rules/apt/apt_elise.yml
+++ b/rules/apt/apt_elise.yml
@@ -1,7 +1,8 @@
 title: Elise Backdoor
+id: e507feb7-5f73-4ef6-a970-91bb6f6d744f
 status: experimental
-description: Detects Elise backdoor acitivty as used by APT32
-references:
+description: Detects Elise backdoor acitivty as used by APT32
+references:
 - https://community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting
 tags:
 - attack.g0030
diff --git a/rules/apt/apt_emissarypanda_sep19.yml b/rules/apt/apt_emissarypanda_sep19.yml
index 3422f68b7..5a21841ca 100644
--- a/rules/apt/apt_emissarypanda_sep19.yml
+++ b/rules/apt/apt_emissarypanda_sep19.yml
@@ -1,4 +1,5 @@
 title: Emissary Panda Malware SLLauncher
+id: 9aa01d62-7667-4d3b-acb8-8cb5103e2014
 status: experimental
 description: Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27
 references:
diff --git a/rules/apt/apt_empiremonkey.yml b/rules/apt/apt_empiremonkey.yml
index 97be67e6d..5e82be5d5 100644
--- a/rules/apt/apt_empiremonkey.yml
+++ b/rules/apt/apt_empiremonkey.yml
@@ -1,7 +1,7 @@
----
 action: global
-title: Empire Monkey
-description: Detects EmpireMonkey APT reported Activity
+title: Empire Monkey
+id: 10152a7b-b566-438f-a33c-390b607d1c8d
+description: Detects EmpireMonkey APT reported Activity
 references:
 - https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b
 tags:
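Review bot: The re-emitted `description` line in apt_elise.yml keeps the misspelling `acitivty`; since the line is rewritten anyway it should read `description: Detects Elise backdoor activity as used by APT32`. The same typo is re-emitted unchanged in apt_sofacy.yml later in this commit (`Detects Trojan loader acitivty as used by APT28`). The `-references:`/`+references:` pair in this hunk appears to differ only in trailing whitespace, which the collapsed rendering hides; the detection section is outside the hunk.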
diff --git a/rules/apt/apt_equationgroup_c2.yml b/rules/apt/apt_equationgroup_c2.yml
index 83a57b5b5..fc2614e1f 100755
--- a/rules/apt/apt_equationgroup_c2.yml
+++ b/rules/apt/apt_equationgroup_c2.yml
@@ -1,8 +1,9 @@
 title: Equation Group C2 Communication
+id: 881834a4-6659-4773-821e-1c151789d873
 description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
 references:
- - 'https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation'
- - 'https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195'
+ - https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
+ - https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
 tags:
 - attack.command_and_control
 - attack.g0020
diff --git a/rules/apt/apt_equationgroup_dll_u_load.yml b/rules/apt/apt_equationgroup_dll_u_load.yml
index 1a99c6baf..c4c81bac8 100755
--- a/rules/apt/apt_equationgroup_dll_u_load.yml
+++ b/rules/apt/apt_equationgroup_dll_u_load.yml
@@ -1,4 +1,5 @@
 title: Equation Group DLL_U Load
+id: d465d1d8-27a2-4cca-9621-a800f37cf72e
 author: Florian Roth
 description: Detects a specific tool and export used by EquationGroup
 references:
diff --git a/rules/apt/apt_equationgroup_lnx.yml b/rules/apt/apt_equationgroup_lnx.yml
index ccac67e02..fa4bbcadf 100755
--- a/rules/apt/apt_equationgroup_lnx.yml
+++ b/rules/apt/apt_equationgroup_lnx.yml
@@ -1,4 +1,5 @@
 title: Equation Group Indicators
+id: 41e5c73d-9983-4b69-bd03-e13b67e9623c
 description: Detects suspicious shell commands used in various Equation Group scripts and tools
 references:
 - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
diff --git a/rules/apt/apt_hurricane_panda.yml b/rules/apt/apt_hurricane_panda.yml
index 5f0544231..bea4a8602 100755
--- a/rules/apt/apt_hurricane_panda.yml
+++ b/rules/apt/apt_hurricane_panda.yml
@@ -1,8 +1,9 @@
 title: Hurricane Panda Activity
+id: 0eb2107b-a596-422e-b123-b389d5594ed7
 author: Florian Roth
 status: experimental
-description: Detects Hurricane Panda Activity
-references:
+description: Detects Hurricane Panda Activity
+references:
 - https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
 tags:
 - attack.privilege_escalation
diff --git a/rules/apt/apt_judgement_panda_gtr19.yml b/rules/apt/apt_judgement_panda_gtr19.yml
index 8e726ec30..a9924f6e8 100644
--- a/rules/apt/apt_judgement_panda_gtr19.yml
+++ b/rules/apt/apt_judgement_panda_gtr19.yml
@@ -1,4 +1,5 @@
 title: Judgement Panda Exfil Activity
+id: 03e2746e-2b31-42f1-ab7a-eb39365b2422
 description: Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike
 references:
 - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
diff --git a/rules/apt/apt_oceanlotus_registry.yml b/rules/apt/apt_oceanlotus_registry.yml
index 245a60329..a4af84cf2 100644
--- a/rules/apt/apt_oceanlotus_registry.yml
+++ b/rules/apt/apt_oceanlotus_registry.yml
@@ -1,4 +1,5 @@
 title: OceanLotus Registry Activity
+id: 4ac5fc44-a601-4c06-955b-309df8c4e9d4
 status: experimental
 description: Detects registry keys created in OceanLotus (also known as APT32) attacks
 references:
diff --git a/rules/apt/apt_pandemic.yml b/rules/apt/apt_pandemic.yml
index 9337231f8..670bc3424 100755
--- a/rules/apt/apt_pandemic.yml
+++ b/rules/apt/apt_pandemic.yml
@@ -1,6 +1,6 @@
----
 action: global
 title: Pandemic Registry Key
+id: 47e0852a-cf81-4494-a8e6-31864f8c86ed
 status: experimental
 description: Detects Pandemic Windows Implant
 references:
diff --git a/rules/apt/apt_slingshot.yml b/rules/apt/apt_slingshot.yml
index 84890b904..f91a0f34f 100755
--- a/rules/apt/apt_slingshot.yml
+++ b/rules/apt/apt_slingshot.yml
@@ -1,6 +1,6 @@
----
 action: global
 title: Defrag Deactivation
+id: 958d81aa-8566-4cea-a565-59ccd4df27b0
 author: Florian Roth
 description: Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group
 references:
diff --git a/rules/apt/apt_sofacy.yml b/rules/apt/apt_sofacy.yml
index 18033b893..09a580315 100755
--- a/rules/apt/apt_sofacy.yml
+++ b/rules/apt/apt_sofacy.yml
@@ -1,8 +1,9 @@
 title: Sofacy Trojan Loader Activity
+id: ba778144-5e3d-40cf-8af9-e28fb1df1e20
 author: Florian Roth
 status: experimental
-description: Detects Trojan loader acitivty as used by APT28
-references:
+description: Detects Trojan loader acitivty as used by APT28
+references:
 - https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
 - https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100
 - https://twitter.com/ClearskySec/status/960924755355369472
diff --git a/rules/apt/apt_sofacy_zebrocy.yml b/rules/apt/apt_sofacy_zebrocy.yml
index 303d2616d..49a8df3b0 100644
--- a/rules/apt/apt_sofacy_zebrocy.yml
+++ b/rules/apt/apt_sofacy_zebrocy.yml
@@ -1,4 +1,5 @@
 title: Sofacy Zebrocy
+id: 8545cb01-102e-41ee-babd-46bd24e8cb97
 author: Florian Roth
 description: Detects Sofacy's Zebrocy malware execution
 references:
diff --git a/rules/apt/apt_stonedrill.yml b/rules/apt/apt_stonedrill.yml
index e8555c31b..72f4dfa6e 100755
--- a/rules/apt/apt_stonedrill.yml
+++ b/rules/apt/apt_stonedrill.yml
@@ -1,5 +1,6 @@
 title: StoneDrill Service Install
-description: 'This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky'
+id: 9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6
+description: This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky
 author: Florian Roth
 references:
 - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
diff --git a/rules/apt/apt_ta17_293a_ps.yml b/rules/apt/apt_ta17_293a_ps.yml
index 9531e8f56..2cf87531a 100755
--- a/rules/apt/apt_ta17_293a_ps.yml
+++ b/rules/apt/apt_ta17_293a_ps.yml
@@ -1,4 +1,5 @@
 title: Ps.exe Renamed SysInternals Tool
+id: 18da1007-3f26-470f-875d-f77faf1cab31
 description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
 references:
 - https://www.us-cert.gov/ncas/alerts/TA17-293A
diff --git a/rules/apt/apt_tropictrooper.yml b/rules/apt/apt_tropictrooper.yml
index 75f62e0c2..2dc2dbfd1 100644
--- a/rules/apt/apt_tropictrooper.yml
+++ b/rules/apt/apt_tropictrooper.yml
@@ -1,5 +1,6 @@
 title: TropicTrooper Campaign November 2018
-author: "@41thexplorer, Windows Defender ATP"
+id: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79
+author: '@41thexplorer, Windows Defender ATP'
 status: stable
 description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
 references:
diff --git a/rules/apt/apt_turla_commands.yml b/rules/apt/apt_turla_commands.yml
index a6b951266..a863c95e3 100755
--- a/rules/apt/apt_turla_commands.yml
+++ b/rules/apt/apt_turla_commands.yml
@@ -1,8 +1,8 @@
----
 action: global
-title: Turla Group Lateral Movement
+title: Turla Group Lateral Movement
+id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f
 status: experimental
-description: Detects automated lateral movement by Turla group
+description: Detects automated lateral movement by Turla group
 references:
 - https://securelist.com/the-epic-turla-operation/65545/
 tags:
diff --git a/rules/apt/apt_turla_namedpipes.yml b/rules/apt/apt_turla_namedpipes.yml
index e0636bf0a..f3c3f24cf 100755
--- a/rules/apt/apt_turla_namedpipes.yml
+++ b/rules/apt/apt_turla_namedpipes.yml
@@ -1,4 +1,5 @@
-title: Turla Group Named Pipes
+title: Turla Group Named Pipes
+id: 739915e4-1e70-4778-8b8a-17db02f66db1
 status: experimental
 description: Detects a named pipe used by Turla group samples
 references:
diff --git a/rules/apt/apt_turla_service_png.yml b/rules/apt/apt_turla_service_png.yml
index 2c95c6cd8..642809a5c 100644
--- a/rules/apt/apt_turla_service_png.yml
+++ b/rules/apt/apt_turla_service_png.yml
@@ -1,5 +1,6 @@
 title: Turla PNG Dropper Service
-description: 'This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018'
+id: 1228f8e2-7e79-4dea-b0ad-c91f1d5016c1
+description: This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018
 references:
 - https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
 author: Florian Roth
diff --git a/rules/apt/apt_unidentified_nov_18.yml b/rules/apt/apt_unidentified_nov_18.yml
index 076607b31..57352b80e 100644
--- a/rules/apt/apt_unidentified_nov_18.yml
+++ b/rules/apt/apt_unidentified_nov_18.yml
@@ -1,11 +1,12 @@
----
 action: global
 title: Unidentified Attacker November 2018
+id: 7453575c-a747-40b9-839b-125a0aae324b
 status: stable
-description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.
+description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with
+ YYTRIUM/APT29 campaign in 2016.
 references:
 - https://twitter.com/DrunkBinary/status/1063075530180886529
-author: "@41thexplorer, Windows Defender ATP"
+author: '@41thexplorer, Windows Defender ATP'
 date: 2018/11/20
 modified: 2018/12/11
 tags:
diff --git a/rules/apt/apt_zxshell.yml b/rules/apt/apt_zxshell.yml
index 266915c75..e6a5f4594 100755
--- a/rules/apt/apt_zxshell.yml
+++ b/rules/apt/apt_zxshell.yml
@@ -1,5 +1,6 @@
 title: ZxShell Malware
-description: Detects a ZxShell start by the called and well-known function name
+id: f0b70adb-0075-43b0-9745-e82a1c608fcc
+description: Detects a ZxShell start by the called and well-known function name
 author: Florian Roth
 references:
 - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
diff --git a/rules/apt/crime_fireball.yml b/rules/apt/crime_fireball.yml
index 02957a29d..8c714f371 100755
--- a/rules/apt/crime_fireball.yml
+++ b/rules/apt/crime_fireball.yml
@@ -1,4 +1,5 @@
 title: Fireball Archer Install
+id: 3d4aebe0-6d29-45b2-a8a4-3dfde586a26d
 status: experimental
 description: Detects Archer malware invocation via rundll32
 author: Florian Roth
diff --git a/rules/compliance/cleartext_protocols.yml b/rules/compliance/cleartext_protocols.yml
index 091751784..d17698008 100644
--- a/rules/compliance/cleartext_protocols.yml
+++ b/rules/compliance/cleartext_protocols.yml
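Review bot: The rewritten `description` in apt_unidentified_nov_18.yml keeps the misspelling `unidetefied` and now also splits the sentence across a plain-scalar continuation line; since the line is re-emitted anyway, fix the spelling and make the wrap explicit with `description: >-` followed by the text on indented lines reading `A sigma rule detecting an unidentified attacker who used phishing emails...`. `orgs` would read better spelled out as `organizations`, matching the wording used in apt_tropictrooper.yml's description in this same commit. The `date`/`modified` values are unquoted `2018/11/20`-style scalars, which is fine because the slash form is not an ISO timestamp and stays a string. The detection section is outside the hunk.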
@@ -1,109 +1,111 @@ action: global title: Cleartext Protocol Usage -description: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access. +id: 7e4bfe58-4a47-4709-828d-d86c78b7cc1f +description: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption + is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access. references: -- https://www.cisecurity.org/controls/cis-controls-list/ -- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf -- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf + - https://www.cisecurity.org/controls/cis-controls-list/ + - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf + - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf author: Alexandr Yampolskyi, SOC Prime status: stable date: 2019/03/26 falsepositives: -- unknown + - unknown level: low tags: -- CSC4 -- CSC4.5 -- CSC14 -- CSC14.4 -- CSC16 -- CSC16.5 -- NIST CSF 1.1 PR.AT-2 -- NIST CSF 1.1 PR.MA-2 -- NIST CSF 1.1 PR.PT-3 -- NIST CSF 1.1 PR.AC-1 -- NIST CSF 1.1 PR.AC-4 -- NIST CSF 1.1 PR.AC-5 -- NIST CSF 1.1 PR.AC-6 -- NIST CSF 1.1 PR.AC-7 -- NIST CSF 1.1 PR.DS-1 -- NIST CSF 1.1 PR.DS-2 -- NIST CSF 1.1 PR.PT-3 -- NIST CSF 1.1 PR.PT-3 -- ISO 27002-2013 A.9.2.1 -- ISO 27002-2013 A.9.2.2 -- ISO 27002-2013 A.9.2.3 -- ISO 27002-2013 A.9.2.4 -- ISO 27002-2013 A.9.2.5 -- ISO 27002-2013 A.9.2.6 -- ISO 27002-2013 A.9.3.1 -- ISO 27002-2013 A.9.4.1 -- ISO 27002-2013 A.9.4.2 -- ISO 27002-2013 A.9.4.3 -- ISO 27002-2013 A.9.4.4 -- ISO 27002-2013 A.8.3.1 -- ISO 27002-2013 A.9.1.1 -- ISO 27002-2013 A.10.1.1 -- PCI DSS 3.2 2.1 -- PCI DSS 3.2 8.1 -- PCI DSS 3.2 8.2 -- PCI 
DSS 3.2 8.3 -- PCI DSS 3.2 8.7 -- PCI DSS 3.2 8.8 -- PCI DSS 3.2 1.3 -- PCI DSS 3.2 1.4 -- PCI DSS 3.2 4.3 -- PCI DSS 3.2 7.1 -- PCI DSS 3.2 7.2 -- PCI DSS 3.2 7.3 + - CSC4 + - CSC4.5 + - CSC14 + - CSC14.4 + - CSC16 + - CSC16.5 + - NIST CSF 1.1 PR.AT-2 + - NIST CSF 1.1 PR.MA-2 + - NIST CSF 1.1 PR.PT-3 + - NIST CSF 1.1 PR.AC-1 + - NIST CSF 1.1 PR.AC-4 + - NIST CSF 1.1 PR.AC-5 + - NIST CSF 1.1 PR.AC-6 + - NIST CSF 1.1 PR.AC-7 + - NIST CSF 1.1 PR.DS-1 + - NIST CSF 1.1 PR.DS-2 + - NIST CSF 1.1 PR.PT-3 + - NIST CSF 1.1 PR.PT-3 + - ISO 27002-2013 A.9.2.1 + - ISO 27002-2013 A.9.2.2 + - ISO 27002-2013 A.9.2.3 + - ISO 27002-2013 A.9.2.4 + - ISO 27002-2013 A.9.2.5 + - ISO 27002-2013 A.9.2.6 + - ISO 27002-2013 A.9.3.1 + - ISO 27002-2013 A.9.4.1 + - ISO 27002-2013 A.9.4.2 + - ISO 27002-2013 A.9.4.3 + - ISO 27002-2013 A.9.4.4 + - ISO 27002-2013 A.8.3.1 + - ISO 27002-2013 A.9.1.1 + - ISO 27002-2013 A.10.1.1 + - PCI DSS 3.2 2.1 + - PCI DSS 3.2 8.1 + - PCI DSS 3.2 8.2 + - PCI DSS 3.2 8.3 + - PCI DSS 3.2 8.7 + - PCI DSS 3.2 8.8 + - PCI DSS 3.2 1.3 + - PCI DSS 3.2 1.4 + - PCI DSS 3.2 4.3 + - PCI DSS 3.2 7.1 + - PCI DSS 3.2 7.2 + - PCI DSS 3.2 7.3 --- logsource: - product: netflow + product: netflow detection: - selection: - destination.port: - - 8080 - - 21 - - 80 - - 23 - - 50000 - - 1521 - - 27017 - - 1433 - - 11211 - - 3306 - - 15672 - - 5900 - - 5901 - - 5902 - - 5903 - - 5904 - condition: selection + selection: + destination.port: + - 8080 + - 21 + - 80 + - 23 + - 50000 + - 1521 + - 27017 + - 1433 + - 11211 + - 3306 + - 15672 + - 5900 + - 5901 + - 5902 + - 5903 + - 5904 + condition: selection --- logsource: - product: firewall + product: firewall detection: - selection1: - destination.port: - - 8080 - - 21 - - 80 - - 23 - - 50000 - - 1521 - - 27017 - - 3306 - - 1433 - - 11211 - - 15672 - - 5900 - - 5901 - - 5902 - - 5903 - - 5904 - selection2: - action: - - forward - - accept - - 2 - condition: selection1 AND selection2 + selection1: + destination.port: + - 8080 + - 21 + - 80 + 
- 23 + - 50000 + - 1521 + - 27017 + - 3306 + - 1433 + - 11211 + - 15672 + - 5900 + - 5901 + - 5902 + - 5903 + - 5904 + selection2: + action: + - forward + - accept + - 2 + condition: selection1 AND selection2 diff --git a/rules/compliance/default_credentials_usage.yml b/rules/compliance/default_credentials_usage.yml index 72d214e1e..0dcac1431 100644 --- a/rules/compliance/default_credentials_usage.yml +++ b/rules/compliance/default_credentials_usage.yml 
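Review bot: The re-emitted `tags` list in cleartext_protocols.yml carries `NIST CSF 1.1 PR.PT-3` three times (once inside the NIST run and twice more at its end); the two duplicates should be dropped so that tag-based compliance reporting does not count the control three times. The rewrapped `description` also keeps two grammar slips: `Ensure that an encryption is used` should read `Ensure that encryption is used`, and `an encrypted channels is used` should read `an encrypted channel is used`. In the firewall document the `action` list mixes the strings `forward`/`accept` with the bare integer `2`; if that value is meant to match a string field in the log source it should be quoted as `- "2"`, since a type-sensitive backend may otherwise never match it — I cannot tell from the hunk which backend this targets.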
@@ -1,107 +1,109 @@ title: Default Credentials Usage -description: Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. Sigma detects default credentials usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management. +id: 1a395cbc-a84a-463a-9086-ed8a70e573c7 +description: Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. Sigma detects default credentials + usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management. author: Alexandr Yampolskyi, SOC Prime status: stable references: -- https://www.cisecurity.org/controls/cis-controls-list/ -- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf -- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf -- https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists + - https://www.cisecurity.org/controls/cis-controls-list/ + - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf + - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf + - https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists date: 2019/03/26 logsource: - product: qualys + product: qualys detection: - selection: - host.scan.vuln: - - 10693 - - 11507 - - 11633 - - 11804 - - 11821 - - 11847 - - 11867 - - 11931 - - 11935 - - 11950 - - 12541 - - 12558 - - 12559 - - 12560 - - 12562 - - 12563 - - 12565 - - 12587 - - 12590 - - 12599 - - 12702 - - 12705 - - 12706 - - 12907 - - 12928 - - 12929 - - 13053 - - 13178 - - 13200 - - 13218 - - 13241 - - 13253 - - 13274 - - 13296 - - 13301 - - 13327 - - 13373 - - 13374 - - 13409 - - 13530 - - 13532 - - 20065 - - 20073 - - 20081 - - 27202 - - 27358 - - 38702 - - 38719 - - 42045 - - 42417 - - 43029 - - 43220 - - 43221 - - 43222 - - 43223 - - 43225 - - 43246 - - 43431 - - 43484 - - 86857 - - 87098 - - 87106 - condition: selection + selection: + 
host.scan.vuln: + - 10693 + - 11507 + - 11633 + - 11804 + - 11821 + - 11847 + - 11867 + - 11931 + - 11935 + - 11950 + - 12541 + - 12558 + - 12559 + - 12560 + - 12562 + - 12563 + - 12565 + - 12587 + - 12590 + - 12599 + - 12702 + - 12705 + - 12706 + - 12907 + - 12928 + - 12929 + - 13053 + - 13178 + - 13200 + - 13218 + - 13241 + - 13253 + - 13274 + - 13296 + - 13301 + - 13327 + - 13373 + - 13374 + - 13409 + - 13530 + - 13532 + - 20065 + - 20073 + - 20081 + - 27202 + - 27358 + - 38702 + - 38719 + - 42045 + - 42417 + - 43029 + - 43220 + - 43221 + - 43222 + - 43223 + - 43225 + - 43246 + - 43431 + - 43484 + - 86857 + - 87098 + - 87106 + condition: selection falsepositives: -- unknown + - unknown level: medium tags: -- CSC4 -- CSC4.2 -- NIST CSF 1.1 PR.AC-4 -- NIST CSF 1.1 PR.AT-2 -- NIST CSF 1.1 PR.MA-2 -- NIST CSF 1.1 PR.PT-3 -- ISO 27002-2013 A.9.1.1 -- ISO 27002-2013 A.9.2.2 -- ISO 27002-2013 A.9.2.3 -- ISO 27002-2013 A.9.2.4 -- ISO 27002-2013 A.9.2.5 -- ISO 27002-2013 A.9.2.6 -- ISO 27002-2013 A.9.3.1 -- ISO 27002-2013 A.9.4.1 -- ISO 27002-2013 A.9.4.2 -- ISO 27002-2013 A.9.4.3 -- ISO 27002-2013 A.9.4.4 -- PCI DSS 3.2 2.1 -- PCI DSS 3.2 7.1 -- PCI DSS 3.2 7.2 -- PCI DSS 3.2 7.3 -- PCI DSS 3.2 8.1 -- PCI DSS 3.2 8.2 -- PCI DSS 3.2 8.3 -- PCI DSS 3.2 8.7 + - CSC4 + - CSC4.2 + - NIST CSF 1.1 PR.AC-4 + - NIST CSF 1.1 PR.AT-2 + - NIST CSF 1.1 PR.MA-2 + - NIST CSF 1.1 PR.PT-3 + - ISO 27002-2013 A.9.1.1 + - ISO 27002-2013 A.9.2.2 + - ISO 27002-2013 A.9.2.3 + - ISO 27002-2013 A.9.2.4 + - ISO 27002-2013 A.9.2.5 + - ISO 27002-2013 A.9.2.6 + - ISO 27002-2013 A.9.3.1 + - ISO 27002-2013 A.9.4.1 + - ISO 27002-2013 A.9.4.2 + - ISO 27002-2013 A.9.4.3 + - ISO 27002-2013 A.9.4.4 + - PCI DSS 3.2 2.1 + - PCI DSS 3.2 7.1 + - PCI DSS 3.2 7.2 + - PCI DSS 3.2 7.3 + - PCI DSS 3.2 8.1 + - PCI DSS 3.2 8.2 + - PCI DSS 3.2 8.3 + - PCI DSS 3.2 8.7 diff --git a/rules/compliance/group_modification_logging.yml b/rules/compliance/group_modification_logging.yml index bb0feb639..c06eb2887 100644 
--- a/rules/compliance/group_modification_logging.yml
+++ b/rules/compliance/group_modification_logging.yml
@@ -1,57 +1,61 @@
 title: Group Modification Logging
-description: Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. Sigma detects Event ID 4728 indicates a ‘Member is added to a Security Group’. Event ID 4729 indicates a ‘Member is removed from a Security enabled-group’. Event ID 4730 indicates a‘Security Group is deleted’. The case is not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.
+id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e
+description: "Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. Sigma detects\
+ \ Event ID 4728 indicates a \u2018Member is added to a Security Group\u2019. Event ID 4729 indicates a \u2018Member is removed from a Security enabled-group\u2019\
+ . Event ID 4730 indicates a\u2018Security Group is deleted\u2019. The case is not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012 R2\
+ \ and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP."
author: Alexandr Yampolskyi, SOC Prime status: stable references: -- https://www.cisecurity.org/controls/cis-controls-list/ -- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf -- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf -- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728 -- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729 -- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730 -- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633 -- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632 -- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634 + - https://www.cisecurity.org/controls/cis-controls-list/ + - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf + - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf + - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728 + - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729 + - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730 + - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633 + - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632 + - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634 date: 2019/03/26 logsource: - product: windows - service: security + product: windows + service: security detection: - selection: - EventID: - - 4728 - - 4729 - - 4730 - - 633 - - 632 - - 634 - condition: selection + selection: + EventID: + - 4728 + - 4729 + - 4730 + - 633 + - 632 + - 634 + condition: selection falsepositives: -- unknown + - unknown level: low tags: -- CSC4 -- CSC4.8 -- NIST CSF 1.1 PR.AC-4 -- NIST CSF 1.1 PR.AT-2 -- NIST 
CSF 1.1 PR.MA-2 -- NIST CSF 1.1 PR.PT-3 -- ISO 27002-2013 A.9.1.1 -- ISO 27002-2013 A.9.2.2 -- ISO 27002-2013 A.9.2.3 -- ISO 27002-2013 A.9.2.4 -- ISO 27002-2013 A.9.2.5 -- ISO 27002-2013 A.9.2.6 -- ISO 27002-2013 A.9.3.1 -- ISO 27002-2013 A.9.4.1 -- ISO 27002-2013 A.9.4.2 -- ISO 27002-2013 A.9.4.3 -- ISO 27002-2013 A.9.4.4 -- PCI DSS 3.2 2.1 -- PCI DSS 3.2 7.1 -- PCI DSS 3.2 7.2 -- PCI DSS 3.2 7.3 -- PCI DSS 3.2 8.1 -- PCI DSS 3.2 8.2 -- PCI DSS 3.2 8.3 -- PCI DSS 3.2 8.7 + - CSC4 + - CSC4.8 + - NIST CSF 1.1 PR.AC-4 + - NIST CSF 1.1 PR.AT-2 + - NIST CSF 1.1 PR.MA-2 + - NIST CSF 1.1 PR.PT-3 + - ISO 27002-2013 A.9.1.1 + - ISO 27002-2013 A.9.2.2 + - ISO 27002-2013 A.9.2.3 + - ISO 27002-2013 A.9.2.4 + - ISO 27002-2013 A.9.2.5 + - ISO 27002-2013 A.9.2.6 + - ISO 27002-2013 A.9.3.1 + - ISO 27002-2013 A.9.4.1 + - ISO 27002-2013 A.9.4.2 + - ISO 27002-2013 A.9.4.3 + - ISO 27002-2013 A.9.4.4 + - PCI DSS 3.2 2.1 + - PCI DSS 3.2 7.1 + - PCI DSS 3.2 7.2 + - PCI DSS 3.2 7.3 + - PCI DSS 3.2 8.1 + - PCI DSS 3.2 8.2 + - PCI DSS 3.2 8.3 + - PCI DSS 3.2 8.7 diff --git a/rules/compliance/host_without_firewall.yml b/rules/compliance/host_without_firewall.yml index 4a5e24699..527d7ecae 100644 --- a/rules/compliance/host_without_firewall.yml +++ b/rules/compliance/host_without_firewall.yml 
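Review bot: The `description` of group_modification_logging.yml is now a double-quoted scalar with `\u2018`/`\u2019` escapes and backslash line continuations, which is hard to read and edit and is the only rule in this commit emitted that way; a `>-` folded block scalar holds the same text with the quotation marks written literally and folds the line breaks to single spaces, so the loaded value is unchanged. The text also still lacks a space in `indicates a‘Security Group is deleted’`, and the rewrite is the right moment to fix that. The replacement below keeps the original wording apart from that missing space; the rest of the rule (author, references, logsource, detection, tags) is unchanged.
```yaml
description: >-
  Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
  Sigma detects Event ID 4728 indicates a ‘Member is added to a Security Group’. Event ID 4729 indicates a ‘Member is removed from a Security enabled-group’.
  Event ID 4730 indicates a ‘Security Group is deleted’. The case is not applicable for Unix OS.
  Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.
# … unchanged: author, references, logsource, detection, tags …
```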
@@ -1,29 +1,30 @@ title: Host Without Firewall +id: 6b2066c8-3dc7-4db7-9db0-6cc1d7b0dde9 description: Host Without Firewall. Alert means not complied. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management. author: Alexandr Yampolskyi, SOC Prime references: -- https://www.cisecurity.org/controls/cis-controls-list/ -- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf -- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf + - https://www.cisecurity.org/controls/cis-controls-list/ + - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf + - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf date: 2019/03/19 status: stable level: low logsource: - product: Qualys + product: Qualys detection: - selection: - event.category: Security Policy - host.scan.vuln_name: Firewall Product Not Detected* - condition: selection + selection: + event.category: Security Policy + host.scan.vuln_name: Firewall Product Not Detected* + condition: selection tags: -- CSC9 -- CSC9.4 -- NIST CSF 1.1 PR.AC-5 -- NIST CSF 1.1 PR.AC-6 -- NIST CSF 1.1 PR.AC-7 -- NIST CSF 1.1 DE.AE-1 -- ISO 27002-2013 A.9.1.2 -- ISO 27002-2013 A.13.2.1 -- ISO 27002-2013 A.13.2.2 -- ISO 27002-2013 A.14.1.2 -- PCI DSS 3.2 1.4 + - CSC9 + - CSC9.4 + - NIST CSF 1.1 PR.AC-5 + - NIST CSF 1.1 PR.AC-6 + - NIST CSF 1.1 PR.AC-7 + - NIST CSF 1.1 DE.AE-1 + - ISO 27002-2013 A.9.1.2 + - ISO 27002-2013 A.13.2.1 + - ISO 27002-2013 A.13.2.2 + - ISO 27002-2013 A.14.1.2 + - PCI DSS 3.2 1.4 diff --git a/rules/compliance/workstation_was_locked.yml b/rules/compliance/workstation_was_locked.yml index 93f2c166f..6938a14d0 100644 --- a/rules/compliance/workstation_was_locked.yml +++ b/rules/compliance/workstation_was_locked.yml 
@@ -1,45 +1,47 @@ title: Locked Workstation -description: Automatically lock workstation sessions after a standard period of inactivity. The case is not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019. +id: 411742ad-89b0-49cb-a7b0-3971b5c1e0a4 +description: Automatically lock workstation sessions after a standard period of inactivity. The case is not applicable for Unix OS. Supported OS - Windows 2008 R2 + and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019. author: Alexandr Yampolskyi, SOC Prime status: stable references: -- https://www.cisecurity.org/controls/cis-controls-list/ -- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf -- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf -- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800 + - https://www.cisecurity.org/controls/cis-controls-list/ + - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf + - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf + - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800 date: 2019/03/26 logsource: - product: windows - service: security + product: windows + service: security detection: - selection: - EventID: - - 4800 - condition: selection + selection: + EventID: + - 4800 + condition: selection falsepositives: -- unknown + - unknown level: low tags: -- CSC16 -- CSC16.11 -- ISO27002-2013 A.9.1.1 -- ISO27002-2013 A.9.2.1 -- ISO27002-2013 A.9.2.2 -- ISO27002-2013 A.9.2.3 -- ISO27002-2013 A.9.2.4 -- ISO27002-2013 A.9.2.5 -- ISO27002-2013 A.9.2.6 -- ISO27002-2013 A.9.3.1 -- ISO27002-2013 A.9.4.1 -- ISO27002-2013 A.9.4.3 -- ISO27002-2013 A.11.2.8 -- PCI DSS 3.1 7.1 -- PCI DSS 3.1 7.2 -- PCI DSS 3.1 7.3 -- PCI DSS 3.1 8.7 -- PCI DSS 3.1 8.8 -- NIST CSF 1.1 PR.AC-1 -- NIST CSF 1.1 PR.AC-4 -- NIST CSF 1.1 PR.AC-6 -- NIST CSF 1.1 PR.AC-7 -- NIST CSF 1.1 PR.PT-3 + 
- CSC16 + - CSC16.11 + - ISO27002-2013 A.9.1.1 + - ISO27002-2013 A.9.2.1 + - ISO27002-2013 A.9.2.2 + - ISO27002-2013 A.9.2.3 + - ISO27002-2013 A.9.2.4 + - ISO27002-2013 A.9.2.5 + - ISO27002-2013 A.9.2.6 + - ISO27002-2013 A.9.3.1 + - ISO27002-2013 A.9.4.1 + - ISO27002-2013 A.9.4.3 + - ISO27002-2013 A.11.2.8 + - PCI DSS 3.1 7.1 + - PCI DSS 3.1 7.2 + - PCI DSS 3.1 7.3 + - PCI DSS 3.1 8.7 + - PCI DSS 3.1 8.8 + - NIST CSF 1.1 PR.AC-1 + - NIST CSF 1.1 PR.AC-4 + - NIST CSF 1.1 PR.AC-6 + - NIST CSF 1.1 PR.AC-7 + - NIST CSF 1.1 PR.PT-3 diff --git a/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml b/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml index f974b4585..d1a937009 100644 --- a/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml +++ b/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml @@ -1,4 +1,5 @@ title: Detects Suspicious edit of .bash_profile and .bashrc on Linux systems +id: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9 status: experimental description: Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell. references: diff --git a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml index 89e5f3a22..54563bf9b 100644 --- a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml +++ b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml 
@@ -1,6 +1,8 @@ title: Masquerading as Linux crond process +id: 9d4548fa-bba0-4e88-bd66-5d5bf516cda0 status: experimental -description: Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed. +description: Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and + observation. Several different variations of this technique have been observed. author: Timur Zinniatullin, oscd.community date: 2019/10/21 references: diff --git a/rules/linux/auditd/lnx_auditd_susp_cmds.yml b/rules/linux/auditd/lnx_auditd_susp_cmds.yml index 204008b12..db4ca9053 100644 --- a/rules/linux/auditd/lnx_auditd_susp_cmds.yml +++ b/rules/linux/auditd/lnx_auditd_susp_cmds.yml @@ -1,8 +1,9 @@ title: Detects Suspicious Commands on Linux systems +id: 1543ae20-cbdf-4ec1-8d12-7664d667a825 status: experimental description: Detects relevant commands often related to malware or hacking activity references: - - 'Internal Research - mostly derived from exploit code including code in MSF' + - Internal Research - mostly derived from exploit code including code in MSF date: 2017/12/12 author: Florian Roth logsource: diff --git a/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml b/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml index c4380ce91..03f84ba9d 100644 --- a/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml +++ b/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml @@ -1,8 +1,9 @@ title: Program Executions in Suspicious Folders +id: a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc status: experimental description: Detects program executions in suspicious non-program folders related to malware or hacking activity references: - - 'Internal Research' + - Internal Research date: 2018/01/23 author: Florian Roth logsource: 
diff --git a/rules/linux/auditd/lnx_auditd_user_discovery.yml b/rules/linux/auditd/lnx_auditd_user_discovery.yml index e21fa2ff1..67c8e7804 100644 --- a/rules/linux/auditd/lnx_auditd_user_discovery.yml +++ b/rules/linux/auditd/lnx_auditd_user_discovery.yml @@ -1,6 +1,8 @@ title: System Owner or User Discovery +id: 9a0d8ca0-2385-4020-b6c6-cb6153ca56f3 status: experimental -description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. +description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not + the adversary fully infects the target and/or attempts specific actions. author: Timur Zinniatullin, oscd.community date: 2019/10/21 references: diff --git a/rules/linux/auditd/lnx_auditd_web_rce.yml b/rules/linux/auditd/lnx_auditd_web_rce.yml index d7c6463cd..28068f7ab 100644 --- a/rules/linux/auditd/lnx_auditd_web_rce.yml +++ b/rules/linux/auditd/lnx_auditd_web_rce.yml @@ -1,10 +1,7 @@ title: Webshell Remote Command Execution +id: c0d3734d-330f-4a03-aae2-65dacc6a8222 status: experimental description: Detects posible command execution by web application/web shell -# You need to add to the config auditd.conf: -# -a always,exit -F arch=b32 -S execve -F euid=33 -k detect_execve_www -# -a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www -# change 33 to id you webserver user. default: www-data:x:33:33 tags: - attack.persistence - attack.t1100 diff --git a/rules/linux/auditd/lnx_data_compressed.yml b/rules/linux/auditd/lnx_data_compressed.yml index 057ebd405..e22fc0d4b 100644 --- a/rules/linux/auditd/lnx_data_compressed.yml +++ b/rules/linux/auditd/lnx_data_compressed.yml 
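Review bot: The lnx_auditd_web_rce.yml hunk deletes the only documentation of the auditd prerequisite this rule depends on — the four comment lines giving the `-a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www` rule (plus the b32 variant and the note that 33 is the web-server uid, default www-data) — so a deployer who converts this rule into a backend gets a detection that never fires without knowing why. Since Sigma has no dedicated field for collection prerequisites in this file, the least invasive fix is to carry the requirement in the description, e.g. `description: Detects posible command execution by web application/web shell. Requires auditd to log execve for the web server user, e.g. '-a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www' (and the arch=b32 variant); replace 33 with the web server uid.`, or to keep the comment block in place. The description's "posible" typo on the unchanged line could be fixed in the same edit.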
@@ -1,6 +1,8 @@ title: Data Compressed +id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee status: experimental -description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network +description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount + of data sent over the network author: Timur Zinniatullin, oscd.community date: 2019/10/21 modified: 2019/11/04 diff --git a/rules/linux/auditd/lnx_network_sniffing.yml b/rules/linux/auditd/lnx_network_sniffing.yml index 03188b359..b4d629211 100644 --- a/rules/linux/auditd/lnx_network_sniffing.yml +++ b/rules/linux/auditd/lnx_network_sniffing.yml @@ -1,6 +1,8 @@ title: Network Sniffing +id: f4d3748a-65d1-4806-bd23-e25728081d01 status: experimental -description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. +description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary + may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. author: Timur Zinniatullin, oscd.community date: 2019/10/21 modified: 2019/11/04 diff --git a/rules/linux/lnx_buffer_overflows.yml b/rules/linux/lnx_buffer_overflows.yml index 9664665aa..39249915e 100644 --- a/rules/linux/lnx_buffer_overflows.yml +++ b/rules/linux/lnx_buffer_overflows.yml 
@@ -1,4 +1,5 @@ title: Buffer Overflow Attempts +id: 18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781 description: Detects buffer overflow attempts in Unix system log files references: - https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml diff --git a/rules/linux/lnx_clamav.yml b/rules/linux/lnx_clamav.yml index 336c636fa..4ac050bc6 100644 --- a/rules/linux/lnx_clamav.yml +++ b/rules/linux/lnx_clamav.yml @@ -1,4 +1,5 @@ title: Relevant ClamAV Message +id: 36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb description: Detects relevant ClamAV messages references: - https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml diff --git a/rules/linux/lnx_shell_clear_cmd_history.yml b/rules/linux/lnx_shell_clear_cmd_history.yml index d8d5796e1..9ee72f09f 100644 --- a/rules/linux/lnx_shell_clear_cmd_history.yml +++ b/rules/linux/lnx_shell_clear_cmd_history.yml @@ -1,6 +1,7 @@ title: Clear Command History +id: fdc88d25-96fb-4b7c-9633-c0e417fdbd4e status: experimental -description: Clear command history in linux which is used for defense evasion. +description: Clear command history in linux which is used for defense evasion. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1146/T1146.yaml - https://attack.mitre.org/techniques/T1146/ diff --git a/rules/linux/lnx_shell_priv_esc_prep.yml b/rules/linux/lnx_shell_priv_esc_prep.yml index 67befa8be..23df63e88 100644 --- a/rules/linux/lnx_shell_priv_esc_prep.yml +++ b/rules/linux/lnx_shell_priv_esc_prep.yml @@ -1,4 +1,5 @@ -title: Privilege Escalation Preparation +title: Privilege Escalation Preparation +id: 444ade84-c362-4260-b1f3-e45e20e1a905 status: experimental description: Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation. references: diff --git a/rules/linux/lnx_shell_susp_commands.yml b/rules/linux/lnx_shell_susp_commands.yml index 8f691c218..370cf9800 100644 --- a/rules/linux/lnx_shell_susp_commands.yml 
+++ b/rules/linux/lnx_shell_susp_commands.yml @@ -1,4 +1,5 @@ title: Suspicious Activity in Shell Commands +id: 2aa1440c-9ae9-4d92-84a7-a9e5f5e31695 description: Detects suspicious shell commands used in various exploit codes (see references) references: - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html diff --git a/rules/linux/lnx_shell_susp_log_entries.yml b/rules/linux/lnx_shell_susp_log_entries.yml index 592424283..f89298799 100644 --- a/rules/linux/lnx_shell_susp_log_entries.yml +++ b/rules/linux/lnx_shell_susp_log_entries.yml @@ -1,16 +1,15 @@ title: Suspicious Log Entries +id: f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1 description: Detects suspicious log entries in Linux log files author: Florian Roth logsource: product: linux detection: keywords: - # Generic suspicious log lines - - 'entered promiscuous mode' - # OSSEC https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml - - 'Deactivating service' - - 'Oversized packet received from' - - 'imuxsock begins to drop messages' + - entered promiscuous mode + - Deactivating service + - Oversized packet received from + - imuxsock begins to drop messages condition: keywords falsepositives: - Unknown diff --git a/rules/linux/lnx_shell_susp_rev_shells.yml b/rules/linux/lnx_shell_susp_rev_shells.yml index 66b177c67..e6feb1e99 100644 --- a/rules/linux/lnx_shell_susp_rev_shells.yml +++ b/rules/linux/lnx_shell_susp_rev_shells.yml @@ -1,4 +1,5 @@ title: Suspicious Reverse Shell Command Line +id: 738d9bcf-6999-4fdb-b4ac-3033037db8ab status: experimental description: Detects suspicious shell commands or program code that may be exected or used in command line to establish a reverse shell references: diff --git a/rules/linux/lnx_shellshock.yml b/rules/linux/lnx_shellshock.yml index 3b89b68a7..43d639d45 100644 --- a/rules/linux/lnx_shellshock.yml +++ b/rules/linux/lnx_shellshock.yml 
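Review bot: In the lnx_shell_susp_log_entries.yml hunk the `# OSSEC https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml` attribution is dropped along with the keyword quoting, and the file has no `references:` key to carry it, so the provenance of three of the four keywords is lost. Sibling rules touched by this same commit (lnx_buffer_overflows.yml, lnx_clamav.yml) keep their OSSEC source under `references:`; for consistency add `references:` followed by `  - https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml` after the author line. The `# Generic suspicious log lines` grouping comment can reasonably go, since the list is short enough to read without it.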
@@ -1,4 +1,5 @@ title: Shellshock Expression +id: c67e0c98-4d39-46ee-8f6b-437ebf6b950e description: Detects shellshock expressions in log files references: - http://rubular.com/r/zxBfjWfFYs diff --git a/rules/linux/lnx_ssh_cve_2018_15473.yml b/rules/linux/lnx_ssh_cve_2018_15473.yml index 9069a12f1..be54cade7 100644 --- a/rules/linux/lnx_ssh_cve_2018_15473.yml +++ b/rules/linux/lnx_ssh_cve_2018_15473.yml @@ -1,4 +1,5 @@ title: SSHD Error Message CVE-2018-15473 +id: 4c9d903d-4939-4094-ade0-3cb748f4d7da description: Detects exploitation attempt using public exploit code for CVE-2018-15473 references: - https://github.com/Rhynorater/CVE-2018-15473-Exploit diff --git a/rules/linux/lnx_sudo_cve_2019_14287.yml b/rules/linux/lnx_sudo_cve_2019_14287.yml index b39aa277c..f472e028d 100644 --- a/rules/linux/lnx_sudo_cve_2019_14287.yml +++ b/rules/linux/lnx_sudo_cve_2019_14287.yml @@ -1,6 +1,6 @@ ---- action: global title: Sudo Privilege Escalation CVE-2019-14287 +id: f74107df-b6c6-4e80-bf00-4170b658162b status: experimental description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287 references: diff --git a/rules/linux/lnx_susp_failed_logons_single_source.yml b/rules/linux/lnx_susp_failed_logons_single_source.yml index 6754b1960..5c9e6abe3 100644 --- a/rules/linux/lnx_susp_failed_logons_single_source.yml +++ b/rules/linux/lnx_susp_failed_logons_single_source.yml 
@@ -1,18 +1,18 @@ title: Multiple Failed Logins with Different Accounts from Single Source System +id: fc947f8e-ea81-4b14-9a7b-13f888f94e18 description: Detects suspicious failed logins with different user accounts from a single source system logsource: product: linux service: auth detection: selection: - pam_message: "authentication failure" + pam_message: authentication failure pam_user: '*' pam_rhost: '*' - timeframe: 24h + timeframe: 24h condition: selection | count(pam_user) by pam_rhost > 3 falsepositives: - Terminal servers - Jump servers - - Workstations with frequently changing users + - Workstations with frequently changing users level: medium - diff --git a/rules/linux/lnx_susp_jexboss.yml b/rules/linux/lnx_susp_jexboss.yml index 9b7a91e7a..1cb8713a2 100644 --- a/rules/linux/lnx_susp_jexboss.yml +++ b/rules/linux/lnx_susp_jexboss.yml @@ -1,4 +1,5 @@ title: JexBoss Command Sequence +id: 8ec2c8b4-557a-4121-b87c-5dfb3a602fae description: Detects suspicious command sequence that JexBoss references: - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A diff --git a/rules/linux/lnx_susp_named.yml b/rules/linux/lnx_susp_named.yml index b4d995b02..11972f4d5 100644 --- a/rules/linux/lnx_susp_named.yml +++ b/rules/linux/lnx_susp_named.yml @@ -1,6 +1,7 @@ title: Suspicious Named Error +id: c8e35e96-19ce-4f16-aeb6-fd5588dc5365 status: experimental -description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts +description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts references: - https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml author: Florian Roth diff --git a/rules/linux/lnx_susp_ssh.yml b/rules/linux/lnx_susp_ssh.yml index ac226cac6..23bb364ca 100644 --- a/rules/linux/lnx_susp_ssh.yml +++ b/rules/linux/lnx_susp_ssh.yml 
@@ -1,5 +1,6 @@ title: Suspicious SSHD Error -description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts +id: e76b413a-83d0-4b94-8e4c-85db4a5b8bdc +description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts references: - https://github.com/openssh/openssh-portable/blob/master/ssherr.c - https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml diff --git a/rules/linux/lnx_susp_vsftp.yml b/rules/linux/lnx_susp_vsftp.yml index bbc5e04a8..614112e29 100644 --- a/rules/linux/lnx_susp_vsftp.yml +++ b/rules/linux/lnx_susp_vsftp.yml @@ -1,5 +1,6 @@ title: Suspicious VSFTPD Error Messages -description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts +id: 377f33a1-4b36-4ee1-acee-1dbe4b43cfbe +description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts references: - https://github.com/dagwieers/vsftpd/ author: Florian Roth diff --git a/rules/linux/modsecurity/modsec_mulitple_blocks.yml b/rules/linux/modsecurity/modsec_mulitple_blocks.yml index b2692fb73..310b94db7 100644 --- a/rules/linux/modsecurity/modsec_mulitple_blocks.yml +++ b/rules/linux/modsecurity/modsec_mulitple_blocks.yml @@ -1,5 +1,6 @@ title: Multiple Modsecurity Blocks -description: Detects multiple blocks by the mod_security module (Web Application Firewall) +id: a06eea10-d932-4aa6-8ba9-186df72c8d23 +description: Detects multiple blocks by the mod_security module (Web Application Firewall) logsource: product: linux service: modsecurity diff --git a/rules/network/net_dns_c2_detection.yml b/rules/network/net_dns_c2_detection.yml index 90a889dc2..68228d9ec 100644 --- a/rules/network/net_dns_c2_detection.yml +++ b/rules/network/net_dns_c2_detection.yml 
@@ -1,6 +1,8 @@ title: Possible DNS Tunneling +id: 1ec4b281-aa65-46a2-bdae-5fd830ed914e status: experimental -description: Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data. +description: Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, + which can be an indicator that DNS is used to transfer data. references: - https://zeltser.com/c2-dns-tunneling/ - https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/ diff --git a/rules/network/net_mal_dns_cobaltstrike.yml b/rules/network/net_mal_dns_cobaltstrike.yml index 1c3cb36a3..91cb4a9c9 100644 --- a/rules/network/net_mal_dns_cobaltstrike.yml +++ b/rules/network/net_mal_dns_cobaltstrike.yml @@ -1,4 +1,5 @@ title: Cobalt Strike DNS Beaconing +id: 2975af79-28c4-4d2f-a951-9095f229df29 status: experimental description: Detects suspicious DNS queries known from Cobalt Strike beacons references: diff --git a/rules/network/net_susp_dns_b64_queries.yml b/rules/network/net_susp_dns_b64_queries.yml index 6ab0a8ef5..b1abba07c 100644 --- a/rules/network/net_susp_dns_b64_queries.yml +++ b/rules/network/net_susp_dns_b64_queries.yml @@ -1,4 +1,5 @@ -title: Suspicious DNS Query with B64 Encoded String +title: Suspicious DNS Query with B64 Encoded String +id: 4153a907-2451-4e4f-a578-c52bb6881432 status: experimental description: Detects suspicious DNS queries using base64 encoding references: diff --git a/rules/network/net_susp_dns_txt_exec_strings.yml b/rules/network/net_susp_dns_txt_exec_strings.yml index 73eeacf84..4a9cc7a6b 100644 --- a/rules/network/net_susp_dns_txt_exec_strings.yml +++ b/rules/network/net_susp_dns_txt_exec_strings.yml 
@@ -1,6 +1,7 @@ -title: DNS TXT Answer with possible execution strings +title: DNS TXT Answer with possible execution strings +id: 8ae51330-899c-4641-8125-e39f2e07da72 status: experimental -description: Detects strings used in command execution in DNS TXT Answer +description: Detects strings used in command execution in DNS TXT Answer references: - https://twitter.com/stvemillertime/status/1024707932447854592 - https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1 diff --git a/rules/network/net_susp_network_scan.yml b/rules/network/net_susp_network_scan.yml index c0de5d6fa..337bfbd56 100644 --- a/rules/network/net_susp_network_scan.yml +++ b/rules/network/net_susp_network_scan.yml @@ -1,4 +1,5 @@ title: Network Scans +id: fab0ddf0-b8a9-4d70-91ce-a20547209afb description: Detects many failed connection attempts to different ports or hosts author: Thomas Patzke logsource: diff --git a/rules/network/net_susp_telegram_api.yml b/rules/network/net_susp_telegram_api.yml index 2743da750..66194485e 100644 --- a/rules/network/net_susp_telegram_api.yml +++ b/rules/network/net_susp_telegram_api.yml @@ -1,4 +1,5 @@ title: Telegram Bot API Request +id: c64c5175-5189-431b-a55e-6d9882158251 status: experimental description: Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind references: diff --git a/rules/proxy/proxy_apt40.yml b/rules/proxy/proxy_apt40.yml index f479507b7..c3fcbb0fa 100644 --- a/rules/proxy/proxy_apt40.yml +++ b/rules/proxy/proxy_apt40.yml @@ -1,4 +1,5 @@ title: APT40 Dropbox Tool User Agent +id: 5ba715b6-71b7-44fd-8245-f66893e81b3d status: experimental description: Detects suspicious user agent string of APT40 Dropbox tool references: diff --git a/rules/proxy/proxy_chafer_malware.yml b/rules/proxy/proxy_chafer_malware.yml index 8bef9d900..550a6d65d 100644 --- a/rules/proxy/proxy_chafer_malware.yml +++ b/rules/proxy/proxy_chafer_malware.yml 
@@ -1,4 +1,5 @@ title: Chafer Malware URL Pattern +id: fb502828-2db0-438e-93e6-801c7548686d status: experimental description: Detects HTTP requests used by Chafer malware references: diff --git a/rules/proxy/proxy_cobalt_amazon.yml b/rules/proxy/proxy_cobalt_amazon.yml index 6366b81c0..6c178c3f6 100644 --- a/rules/proxy/proxy_cobalt_amazon.yml +++ b/rules/proxy/proxy_cobalt_amazon.yml @@ -1,6 +1,7 @@ title: CobaltStrike Malleable Amazon browsing traffic profile +id: 953b895e-5cc9-454b-b183-7f3db555452e status: experimental -description: Detects Malleable Amazon Profile +description: Detects Malleable Amazon Profile references: - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/amazon.profile - https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100 diff --git a/rules/proxy/proxy_cobalt_ocsp.yml b/rules/proxy/proxy_cobalt_ocsp.yml index 8e8958250..5bcf706d9 100644 --- a/rules/proxy/proxy_cobalt_ocsp.yml +++ b/rules/proxy/proxy_cobalt_ocsp.yml @@ -1,4 +1,5 @@ title: CobaltStrike Malleable (OCSP) Profile +id: 37325383-740a-403d-b1a2-b2b4ab7992e7 status: experimental description: Detects Malleable (OCSP) Profile with Typo (OSCP) in URL references: diff --git a/rules/proxy/proxy_cobalt_onedrive.yml b/rules/proxy/proxy_cobalt_onedrive.yml index d7159c770..53bd1f059 100644 --- a/rules/proxy/proxy_cobalt_onedrive.yml +++ b/rules/proxy/proxy_cobalt_onedrive.yml @@ -1,8 +1,9 @@ title: CobaltStrike Malleable OneDrive browsing traffic profile +id: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc status: experimental -description: Detects Malleable OneDrive Profile +description: Detects Malleable OneDrive Profile references: - - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile + - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile author: Markus Neis tags: - attack.t1102 
diff --git a/rules/proxy/proxy_download_susp_dyndns.yml b/rules/proxy/proxy_download_susp_dyndns.yml index a4058fa04..56ea7ac4f 100644 --- a/rules/proxy/proxy_download_susp_dyndns.yml +++ b/rules/proxy/proxy_download_susp_dyndns.yml @@ -1,4 +1,5 @@ title: Download from Suspicious Dyndns Hosts +id: 195c1119-ef07-4909-bb12-e66f5e07bf3c status: experimental description: Detects download of certain file types from hosts with dynamic DNS names (selected list) references: diff --git a/rules/proxy/proxy_download_susp_tlds_blacklist.yml b/rules/proxy/proxy_download_susp_tlds_blacklist.yml index f52932a78..fae2afddb 100644 --- a/rules/proxy/proxy_download_susp_tlds_blacklist.yml +++ b/rules/proxy/proxy_download_susp_tlds_blacklist.yml @@ -1,6 +1,7 @@ title: Download from Suspicious TLD +id: 00d0b5ab-1f55-4120-8e83-487c0a7baf19 status: experimental -description: Detects download of certain file types from hosts in suspicious TLDs +description: Detects download of certain file types from hosts in suspicious TLDs references: - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf diff --git a/rules/proxy/proxy_download_susp_tlds_whitelist.yml b/rules/proxy/proxy_download_susp_tlds_whitelist.yml index 8d61de93b..db73cb99c 100644 --- a/rules/proxy/proxy_download_susp_tlds_whitelist.yml +++ b/rules/proxy/proxy_download_susp_tlds_whitelist.yml @@ -1,4 +1,5 @@ title: Download EXE from Suspicious TLD +id: b5de2919-b74a-4805-91a7-5049accbaefe status: experimental description: Detects executable downloads from suspicious remote systems author: Florian Roth diff --git a/rules/proxy/proxy_downloadcradle_webdav.yml b/rules/proxy/proxy_downloadcradle_webdav.yml index d7b55d293..b3920a644 100644 --- a/rules/proxy/proxy_downloadcradle_webdav.yml +++ b/rules/proxy/proxy_downloadcradle_webdav.yml 
@@ -1,4 +1,5 @@ title: Windows WebDAV User Agent +id: e09aed7a-09e0-4c9a-90dd-f0d52507347e status: experimental description: Detects WebDav DownloadCradle references: diff --git a/rules/proxy/proxy_empty_ua.yml b/rules/proxy/proxy_empty_ua.yml index da28473a1..a616d3869 100644 --- a/rules/proxy/proxy_empty_ua.yml +++ b/rules/proxy/proxy_empty_ua.yml @@ -1,4 +1,5 @@ title: Empty User Agent +id: 21e44d78-95e7-421b-a464-ffd8395659c4 status: experimental description: Detects suspicious empty user agent strings in proxy logs references: diff --git a/rules/proxy/proxy_ios_implant.yml b/rules/proxy/proxy_ios_implant.yml index 7021bc8ed..58bc53617 100644 --- a/rules/proxy/proxy_ios_implant.yml +++ b/rules/proxy/proxy_ios_implant.yml @@ -1,4 +1,5 @@ title: iOS Implant URL Pattern +id: e06ac91d-b9e6-443d-8e5b-af749e7aa6b6 status: experimental description: Detects URL pattern used by iOS Implant references: diff --git a/rules/proxy/proxy_powershell_ua.yml b/rules/proxy/proxy_powershell_ua.yml index ccf64bfcf..fe6a71773 100644 --- a/rules/proxy/proxy_powershell_ua.yml +++ b/rules/proxy/proxy_powershell_ua.yml @@ -1,4 +1,5 @@ title: Windows PowerShell User Agent +id: c8557060-9221-4448-8794-96320e6f3e74 status: experimental description: Detects Windows PowerShell Web Access references: diff --git a/rules/proxy/proxy_susp_flash_download_loc.yml b/rules/proxy/proxy_susp_flash_download_loc.yml index 8fa9bf423..fecc08902 100644 --- a/rules/proxy/proxy_susp_flash_download_loc.yml +++ b/rules/proxy/proxy_susp_flash_download_loc.yml @@ -1,4 +1,5 @@ title: Flash Player Update from Suspicious Location +id: 4922a5dd-6743-4fc2-8e81-144374280997 status: experimental description: Detects a flashplayer update from an unofficial location references: diff --git a/rules/proxy/proxy_telegram_api.yml b/rules/proxy/proxy_telegram_api.yml index 7889e05c8..14d2902e3 100644 --- a/rules/proxy/proxy_telegram_api.yml +++ b/rules/proxy/proxy_telegram_api.yml 
@@ -1,4 +1,5 @@ title: Telegram API Access +id: b494b165-6634-483d-8c47-2026a6c52372 status: experimental description: Detects suspicious requests to Telegram API without the usual Telegram User-Agent references: diff --git a/rules/proxy/proxy_ua_apt.yml b/rules/proxy/proxy_ua_apt.yml index 632f0281f..7aa317924 100644 --- a/rules/proxy/proxy_ua_apt.yml +++ b/rules/proxy/proxy_ua_apt.yml @@ -1,4 +1,5 @@ title: APT User Agent +id: 6ec820f2-e963-4801-9127-d8b2dce4d31b status: experimental description: Detects suspicious user agent strings used in APT malware in proxy logs references: diff --git a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml index 60ead0244..869b97fac 100644 --- a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml +++ b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml @@ -1,8 +1,7 @@ title: Bitsadmin to Uncommon TLD +id: 9eb68894-7476-4cd6-8752-23b51f5883a7 status: experimental -description: Detects Bitsadmin connections to domains with uncommon TLDs - - https://twitter.com/jhencinski/status/1102695118455349248 - - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/ +description: Detects Bitsadmin connections to domains with uncommon TLDs - https://twitter.com/jhencinski/status/1102695118455349248 - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/ author: Florian Roth date: 2019/03/07 logsource: diff --git a/rules/proxy/proxy_ua_cryptominer.yml b/rules/proxy/proxy_ua_cryptominer.yml index e2c3ecbac..b0c696e94 100644 --- a/rules/proxy/proxy_ua_cryptominer.yml +++ b/rules/proxy/proxy_ua_cryptominer.yml @@ -1,4 +1,5 @@ title: Crypto Miner User Agent +id: fa935401-513b-467b-81f4-f9e77aa0dd78 status: experimental description: Detects suspicious user agent strings used by crypto miners in proxy logs references: diff --git a/rules/proxy/proxy_ua_frameworks.yml b/rules/proxy/proxy_ua_frameworks.yml index 7d110b14a..9538c30ae 100644 
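Review bot: In the proxy_ua_bitsadmin_susp_tld.yml hunk the new `description:` line concatenates the two source URLs into the description text instead of repairing what the old lines clearly were — a mis-indented `references` list that had ended up as a continuation of the description. The result parses cleanly, but the rule now has no `references:` key while every other proxy rule in this diff does, and the URLs become unreadable prose in any rule viewer. Splitting them back out restores the intended structure.

```yaml
description: Detects Bitsadmin connections to domains with uncommon TLDs
references:
  - https://twitter.com/jhencinski/status/1102695118455349248
  - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
# … unchanged: author, date, logsource …
```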
--- a/rules/proxy/proxy_ua_frameworks.yml +++ b/rules/proxy/proxy_ua_frameworks.yml @@ -1,4 +1,5 @@ title: Exploit Framework User Agent +id: fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f status: experimental description: Detects suspicious user agent strings used by exploit / pentest framworks like Metasploit in proxy logs references: diff --git a/rules/proxy/proxy_ua_hacktool.yml b/rules/proxy/proxy_ua_hacktool.yml index ee1b411f6..e2ab7d36f 100644 --- a/rules/proxy/proxy_ua_hacktool.yml +++ b/rules/proxy/proxy_ua_hacktool.yml @@ -1,4 +1,5 @@ title: Hack Tool User Agent +id: c42a3073-30fb-48ae-8c99-c23ada84b103 status: experimental description: Detects suspicious user agent strings user by hack tools in proxy logs references: diff --git a/rules/proxy/proxy_ua_malware.yml b/rules/proxy/proxy_ua_malware.yml index b7f328c85..265b78407 100644 --- a/rules/proxy/proxy_ua_malware.yml +++ b/rules/proxy/proxy_ua_malware.yml @@ -1,4 +1,5 @@ title: Malware User Agent +id: 5c84856b-55a5-45f1-826f-13f37250cf4e status: experimental description: Detects suspicious user agent strings used by malware in proxy logs references: diff --git a/rules/proxy/proxy_ua_suspicious.yml b/rules/proxy/proxy_ua_suspicious.yml index 5eb184af0..7e2d3f091 100644 --- a/rules/proxy/proxy_ua_suspicious.yml +++ b/rules/proxy/proxy_ua_suspicious.yml @@ -1,4 +1,5 @@ title: Suspicious User Agent +id: 7195a772-4b3f-43a4-a210-6a003d65caa1 status: experimental description: Detects suspicious malformed user agent strings in proxy logs references: diff --git a/rules/web/web_apache_segfault.yml b/rules/web/web_apache_segfault.yml index ed3352d9d..effe92f7a 100644 --- a/rules/web/web_apache_segfault.yml +++ b/rules/web/web_apache_segfault.yml 
@@ -1,5 +1,6 @@
 title: Apache Segmentation Fault
-description: Detects a segmentation fault error message caused by a creashing apacke worker process
+id: 1da8ce0b-855d-4004-8860-7d64d42063b1
+description: Detects a segmentation fault error message caused by a creashing apacke worker process
 author: Florian Roth
 references:
   - http://www.securityfocus.com/infocus/1633
diff --git a/rules/web/web_apache_threading_error.yml b/rules/web/web_apache_threading_error.yml
index 492e7ce72..8d2461998 100644
--- a/rules/web/web_apache_threading_error.yml
+++ b/rules/web/web_apache_threading_error.yml
@@ -1,4 +1,5 @@
 title: Apache Threading Error
+id: e9a2b582-3f6a-48ac-b4a1-6849cdc50b3c
 status: experimental
 description: Detects an issue in apache logs that reports threading related errors
 author: Florian Roth
diff --git a/rules/web/web_cve_2018_2894_weblogic_exploit.yml b/rules/web/web_cve_2018_2894_weblogic_exploit.yml
index 7610865a2..4a2d6467f 100644
--- a/rules/web/web_cve_2018_2894_weblogic_exploit.yml
+++ b/rules/web/web_cve_2018_2894_weblogic_exploit.yml
@@ -1,9 +1,10 @@
 title: Oracle WebLogic Exploit
+id: 37e8369b-43bb-4bf8-83b6-6dd43bda2000
 description: Detects access to a webshell droped into a keytore folder on the WebLogic server
 author: Florian Roth
 date: 2018/07/22
 status: experimental
-references: 
+references:
   - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2894
   - https://twitter.com/pyn3rd/status/1020620932967223296
   - https://github.com/LandGrey/CVE-2018-2894
diff --git a/rules/web/web_multiple_suspicious_resp_codes_single_source.yml b/rules/web/web_multiple_suspicious_resp_codes_single_source.yml
index 935b406ae..650f68866 100644
--- a/rules/web/web_multiple_suspicious_resp_codes_single_source.yml
+++ b/rules/web/web_multiple_suspicious_resp_codes_single_source.yml
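Review bot: The re-added `description` line in web_apache_segfault.yml keeps the misspellings "creashing apacke" from the removed line; since the line is rewritten anyway, it should read `description: Detects a segmentation fault error message caused by a crashing apache worker process`. The `-`/`+` pair otherwise appears to differ only in whitespace the collapsed diff does not show, so the spelling fix is the only substantive thing the rewrite can carry.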
@@ -1,4 +1,5 @@
 title: Multiple suspicious Response Codes caused by Single Client
+id: 6fdfc796-06b3-46e8-af08-58f3505318af
 description: Detects possible exploitation activity or bugs in a web application
 author: Thomas Patzke
 logsource:
diff --git a/rules/web/web_source_code_enumeration.yml b/rules/web/web_source_code_enumeration.yml
index f5a4f6a2c..1544a70c1 100644
--- a/rules/web/web_source_code_enumeration.yml
+++ b/rules/web/web_source_code_enumeration.yml
@@ -1,9 +1,10 @@
 title: Source Code Enumeration Detection by Keyword
+id: 953d460b-f810-420a-97a2-cfca4c98e602
 description: Detects source code enumeration that use GET requests by keyword searches in URL strings
 author: James Ahearn
-references: 
-  - 'https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html'
-  - 'https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1'
+references:
+  - https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html
+  - https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1
 logsource:
   category: webserver
 detection:
diff --git a/rules/web/web_webshell_keyword.yml b/rules/web/web_webshell_keyword.yml
index 44a6917d0..ac014b1f7 100644
--- a/rules/web/web_webshell_keyword.yml
+++ b/rules/web/web_webshell_keyword.yml
@@ -1,13 +1,14 @@
 title: Webshell Detection by Keyword
+id: 7ff9db12-1b94-4a79-ba68-a2402c5d6729
 description: Detects webshells that use GET requests by keyword searches in URL strings
 author: Florian Roth
 logsource:
   category: webserver
 detection:
   keywords:
-    - '=whoami'
-    - '=net%20user'
-    - '=cmd%20/c%20'
+    - =whoami
+    - =net%20user
+    - =cmd%20/c%20
   condition: keywords
 fields:
   - client_ip
diff --git a/rules/windows/builtin/win_GPO_scheduledtasks.yml b/rules/windows/builtin/win_GPO_scheduledtasks.yml
index cbb528d6f..3aa5a5653 100644
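Review bot: Dropping the quotes around the detection keywords in web_webshell_keyword.yml (`- =whoami`, `- =net%20user`, `- =cmd%20/c%20`) turns match strings into plain scalars whose value depends on YAML indicator rules; these three parse unchanged, but the same edit applied to a keyword that starts with `%`, `@`, `*`, `&`, `!`, `[` or `-` would silently change the value or fail to load. Detection strings are data, not prose, so keep them single-quoted as the removed lines had them and let future keywords be copied in without thinking about the parser. The same applies to the now-unquoted `https://medium.com/@logicbomb_1/…` reference in web_source_code_enumeration.yml, which loads correctly only because `@` is not the first character.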
--- a/rules/windows/builtin/win_GPO_scheduledtasks.yml
+++ b/rules/windows/builtin/win_GPO_scheduledtasks.yml
@@ -1,4 +1,5 @@
 title: Persistence and Execution at scale via GPO scheduled task
+id: a8f29a7b-b137-4446-80a0-b804272f3da2
 description: Detect lateral movement using GPO scheduled task, ususally used to deploy ransomware at scale
 author: Samir Bousseaden
 references:
diff --git a/rules/windows/builtin/win_account_backdoor_dcsync_rights.yml b/rules/windows/builtin/win_account_backdoor_dcsync_rights.yml
index db9abdd80..a41f052a4 100644
--- a/rules/windows/builtin/win_account_backdoor_dcsync_rights.yml
+++ b/rules/windows/builtin/win_account_backdoor_dcsync_rights.yml
@@ -1,5 +1,7 @@
 title: Powerview Add-DomainObjectAcl DCSync AD Extend Right
-description: backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
+id: 2c99737c-585d-4431-b61a-c911d86ff32f
+description: backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync
+  Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
 status: experimental
 date: 2019/04/03
 author: Samir Bousseaden
diff --git a/rules/windows/builtin/win_account_discovery.yml b/rules/windows/builtin/win_account_discovery.yml
index 237792c85..ce8b889ba 100644
--- a/rules/windows/builtin/win_account_discovery.yml
+++ b/rules/windows/builtin/win_account_discovery.yml
@@ -1,4 +1,5 @@
 title: AD Privileged Users or Groups Reconnaissance
+id: 35ba1d85-724d-42a3-889f-2e2362bcaf23
 description: Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs
 references:
   - https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
diff --git a/rules/windows/builtin/win_admin_rdp_login.yml b/rules/windows/builtin/win_admin_rdp_login.yml
index d69540422..796757320 100644
--- a/rules/windows/builtin/win_admin_rdp_login.yml
+++ b/rules/windows/builtin/win_admin_rdp_login.yml
@@ -1,4 +1,5 @@
 title: Admin User Remote Logon
+id: 0f63e1ef-1eb9-4226-9d54-8927ca08520a
 description: Detect remote login by Administrator user depending on internal pattern
 references:
   - https://car.mitre.org/wiki/CAR-2016-04-005
diff --git a/rules/windows/builtin/win_admin_share_access.yml b/rules/windows/builtin/win_admin_share_access.yml
index 277c77a46..40afb2d8d 100644
--- a/rules/windows/builtin/win_admin_share_access.yml
+++ b/rules/windows/builtin/win_admin_share_access.yml
@@ -1,4 +1,5 @@
 title: Access to ADMIN$ Share
+id: 098d7118-55bc-4912-a836-dc6483a8d150
 description: Detects access to $ADMIN share
 tags:
   - attack.lateral_movement
diff --git a/rules/windows/builtin/win_alert_active_directory_user_control.yml b/rules/windows/builtin/win_alert_active_directory_user_control.yml
index e8f4a9028..7e4a42b2a 100644
--- a/rules/windows/builtin/win_alert_active_directory_user_control.yml
+++ b/rules/windows/builtin/win_alert_active_directory_user_control.yml
@@ -1,4 +1,5 @@
 title: Enabled User Right in AD to Control User Objects
+id: 311b6ce2-7890-4383-a8c2-663a9f6b43cd
 description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
 tags:
   - attack.privilege_escalation
diff --git a/rules/windows/builtin/win_alert_ad_user_backdoors.yml b/rules/windows/builtin/win_alert_ad_user_backdoors.yml
index 9548a4824..5bddbe57e 100644
--- a/rules/windows/builtin/win_alert_ad_user_backdoors.yml
+++ b/rules/windows/builtin/win_alert_ad_user_backdoors.yml
@@ -1,4 +1,5 @@
 title: Active Directory User Backdoors
+id: 300bac00-e041-4ee2-9c36-e262656a6ecc
 description: Detects scenarios where one can control another users or computers account without having to use their credentials.
 references:
   - https://msdn.microsoft.com/en-us/library/cc220234.aspx
diff --git a/rules/windows/builtin/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
index 7d2974ba3..d2400865e 100644
--- a/rules/windows/builtin/win_alert_enable_weak_encryption.yml
+++ b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
@@ -1,4 +1,5 @@
 title: Weak Encryption Enabled and Kerberoast
+id: f6de9536-0441-4b3f-a646-f4e00f300ffd
 description: Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.
 references:
   - https://adsecurity.org/?p=2053
diff --git a/rules/windows/builtin/win_alert_lsass_access.yml b/rules/windows/builtin/win_alert_lsass_access.yml
index 6f1380443..bcd7eae7a 100644
--- a/rules/windows/builtin/win_alert_lsass_access.yml
+++ b/rules/windows/builtin/win_alert_lsass_access.yml
@@ -1,4 +1,5 @@
 title: LSASS Access Detected via Attack Surface Reduction
+id: a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98
 description: Detects Access to LSASS Process
 status: experimental
 references:
diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
index e0d4033be..f6ad95c8c 100644
--- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml
+++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
@@ -1,5 +1,7 @@
 title: Mimikatz Use
-description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
+id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
+description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different
+  threat groups)
 author: Florian Roth
 date: 2017/01/10
 modified: 2019/10/11
diff --git a/rules/windows/builtin/win_alert_ruler.yml b/rules/windows/builtin/win_alert_ruler.yml
index 16232fb35..21a85472a 100644
--- a/rules/windows/builtin/win_alert_ruler.yml
+++ b/rules/windows/builtin/win_alert_ruler.yml
@@ -1,4 +1,5 @@
 title: Hacktool Ruler
+id: 24549159-ac1b-479c-8175-d42aea947cae
 description: This events that are generated when using the hacktool Ruler by Sensepost
 author: Florian Roth
 date: 2017/05/31
diff --git a/rules/windows/builtin/win_atsvc_task.yml b/rules/windows/builtin/win_atsvc_task.yml
index 390fa9449..f823e1680 100644
--- a/rules/windows/builtin/win_atsvc_task.yml
+++ b/rules/windows/builtin/win_atsvc_task.yml
@@ -1,4 +1,5 @@
 title: Remote Task Creation via ATSVC named pipe
+id: f6de6525-4509-495a-8a82-1f8b0ed73a00
 description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
 author: Samir Bousseaden
 references:
diff --git a/rules/windows/builtin/win_av_relevant_match.yml b/rules/windows/builtin/win_av_relevant_match.yml
index 6187109d3..b7366ad60 100644
--- a/rules/windows/builtin/win_av_relevant_match.yml
+++ b/rules/windows/builtin/win_av_relevant_match.yml
@@ -1,4 +1,5 @@
 title: Relevant Anti-Virus Event
+id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
 description: This detection method points out highly relevant Antivirus events
 author: Florian Roth
 logsource:
diff --git a/rules/windows/builtin/win_dcsync.yml b/rules/windows/builtin/win_dcsync.yml
index cef7a0794..f29e9a5fe 100644
--- a/rules/windows/builtin/win_dcsync.yml
+++ b/rules/windows/builtin/win_dcsync.yml
@@ -1,4 +1,5 @@
 title: Mimikatz DC Sync
+id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
 description: Detects Mimikatz DC sync security events
 status: experimental
 date: 2018/06/03
diff --git a/rules/windows/builtin/win_disable_event_logging.yml b/rules/windows/builtin/win_disable_event_logging.yml
index 74ddd76a7..779dd1746 100644
--- a/rules/windows/builtin/win_disable_event_logging.yml
+++ b/rules/windows/builtin/win_disable_event_logging.yml
@@ -1,10 +1,10 @@
 title: Disabling Windows Event Auditing
-description: 'Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario
-  where an entity would want to bypass local logging to evade detection when windows event logging is enabled and
-  reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure
-  that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc".
-  Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off
-  specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.'
+id: 69aeb277-f15f-4d2d-b32a-55e883609563
+description: 'Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass
+  local logging to evade detection when windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing"
+  via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note,
+  that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform
+  these modifications in Active Directory anyways.'
 references:
   - https://bit.ly/WinLogsZero2Hero
 tags:
diff --git a/rules/windows/builtin/win_hack_smbexec.yml b/rules/windows/builtin/win_hack_smbexec.yml
index c9959e71a..bf335fbeb 100644
--- a/rules/windows/builtin/win_hack_smbexec.yml
+++ b/rules/windows/builtin/win_hack_smbexec.yml
@@ -1,4 +1,5 @@
 title: smbexec.py Service Installation
+id: 52a85084-6989-40c3-8f32-091e12e13f09
 description: Detects the use of smbexec.py tool by detecting a specific service installation
 author: Omer Faruk Celik
 date: 2018/03/20
diff --git a/rules/windows/builtin/win_impacket_secretdump.yml b/rules/windows/builtin/win_impacket_secretdump.yml
index 164078378..f6ef8104f 100644
--- a/rules/windows/builtin/win_impacket_secretdump.yml
+++ b/rules/windows/builtin/win_impacket_secretdump.yml
@@ -1,4 +1,5 @@
 title: Possible Impacket SecretDump remote activity
+id: 252902e3-5830-4cf6-bf21-c22083dfd5cf
 description: Detect AD credential dumping using impacket secretdump HKTL
 author: Samir Bousseaden
 references:
diff --git a/rules/windows/builtin/win_lm_namedpipe.yml b/rules/windows/builtin/win_lm_namedpipe.yml
index dddcc7412..451c6a4a9 100644
--- a/rules/windows/builtin/win_lm_namedpipe.yml
+++ b/rules/windows/builtin/win_lm_namedpipe.yml
@@ -1,5 +1,7 @@
 title: First time seen remote named pipe
-description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
+id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
+description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec
+  using named pipes
 author: Samir Bousseaden
 references:
   - https://twitter.com/menasec1/status/1104489274387451904
diff --git a/rules/windows/builtin/win_mal_creddumper.yml b/rules/windows/builtin/win_mal_creddumper.yml
index 01039d732..160724791 100644
--- a/rules/windows/builtin/win_mal_creddumper.yml
+++ b/rules/windows/builtin/win_mal_creddumper.yml
@@ -1,7 +1,7 @@
----
 action: global
 title: Malicious Service Install
-description: This method detects well-known keywords of malicious services in the Windows System Eventlog
+id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
+description: This method detects well-known keywords of malicious services in the Windows System Eventlog
 author: Florian Roth
 tags:
   - attack.credential_access
diff --git a/rules/windows/builtin/win_mal_service_installs.yml b/rules/windows/builtin/win_mal_service_installs.yml
index bd52c9f9c..17d6071ee 100644
--- a/rules/windows/builtin/win_mal_service_installs.yml
+++ b/rules/windows/builtin/win_mal_service_installs.yml
@@ -1,4 +1,5 @@
 title: Malicious Service Installations
+id: 5a105d34-05fc-401e-8553-272b45c1522d
 description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping and other suspicious activity
 author: Florian Roth
 tags:
diff --git a/rules/windows/builtin/win_mal_wceaux_dll.yml b/rules/windows/builtin/win_mal_wceaux_dll.yml
index 4a01bac56..4754dd5e8 100644
--- a/rules/windows/builtin/win_mal_wceaux_dll.yml
+++ b/rules/windows/builtin/win_mal_wceaux_dll.yml
@@ -1,4 +1,5 @@
 title: WCE wceaux.dll Access
+id: 1de68c67-af5c-4097-9c85-fe5578e09e67
 status: experimental
 description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
 author: Thomas Patzke
diff --git a/rules/windows/builtin/win_net_ntlm_downgrade.yml b/rules/windows/builtin/win_net_ntlm_downgrade.yml
index 2eea5b614..8418f4ec1 100644
--- a/rules/windows/builtin/win_net_ntlm_downgrade.yml
+++ b/rules/windows/builtin/win_net_ntlm_downgrade.yml
@@ -1,8 +1,8 @@
----
 action: global
 title: NetNTLM Downgrade Attack
+id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
 description: Detects post exploitation using NetNTLM downgrade attacks
-references: 
+references:
   - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
 author: Florian Roth
 date: 2018/03/20
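Review bot: Both win_mal_creddumper.yml and win_net_ntlm_downgrade.yml drop the leading `---` from files that declare `action: global`, i.e. multi-document files whose later per-logsource documents are joined to the global section by `---` separators. Dropping the first marker is harmless to the YAML parser, but both hunks end inside the global section, so the separators further down are not visible here; if the tool that produced this rewrite loaded each file as a single document, the detection documents after the first separator would be lost and only the metadata stanza would remain. Please confirm the remaining `---` lines in both files survived, and consider keeping the leading `---` in multi-document files as the convention yamllint's document-start rule expects, so the file is recognisable as multi-document from its first line.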
diff --git a/rules/windows/builtin/win_overpass_the_hash.yml b/rules/windows/builtin/win_overpass_the_hash.yml
index f078193a8..f909666e5 100644
--- a/rules/windows/builtin/win_overpass_the_hash.yml
+++ b/rules/windows/builtin/win_overpass_the_hash.yml
@@ -1,7 +1,8 @@
 title: Successful Overpass the Hash Attempt
+id: 192a0330-c20b-4356-90b6-7b7049ae0b87
 status: experimental
 description: Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.
-references: 
+references:
   - https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html
 author: Roberto Rodriguez (source), Dominik Schaudel (rule)
 date: 2018/02/12
diff --git a/rules/windows/builtin/win_pass_the_hash.yml b/rules/windows/builtin/win_pass_the_hash.yml
index e83c723aa..6319edc79 100644
--- a/rules/windows/builtin/win_pass_the_hash.yml
+++ b/rules/windows/builtin/win_pass_the_hash.yml
@@ -1,6 +1,7 @@
 title: Pass the Hash Activity
+id: f8d98d6c-7a07-4d74-b064-dd4a3c244528
 status: experimental
-description: 'Detects the attack technique pass the hash which is used to move laterally inside the network'
+description: Detects the attack technique pass the hash which is used to move laterally inside the network
 references:
   - https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
 author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
diff --git a/rules/windows/builtin/win_pass_the_hash_2.yml b/rules/windows/builtin/win_pass_the_hash_2.yml
index 4ae5d9c3f..fddf65d40 100644
--- a/rules/windows/builtin/win_pass_the_hash_2.yml
+++ b/rules/windows/builtin/win_pass_the_hash_2.yml
@@ -1,6 +1,7 @@
 title: Pass the Hash Activity
+id: 8eef149c-bd26-49f2-9e5a-9b00e3af499b
 status: production
-description: 'Detects the attack technique pass the hash which is used to move laterally inside the network'
+description: Detects the attack technique pass the hash which is used to move laterally inside the network
 references:
   - https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
   - https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis
diff --git a/rules/windows/builtin/win_rare_schtasks_creations.yml b/rules/windows/builtin/win_rare_schtasks_creations.yml
index ba622eeba..b5919e810 100644
--- a/rules/windows/builtin/win_rare_schtasks_creations.yml
+++ b/rules/windows/builtin/win_rare_schtasks_creations.yml
@@ -1,5 +1,7 @@
 title: Rare Schtasks Creations
-description: Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code
+id: b0d77106-7bb0-41fe-bd94-d1752164d066
+description: Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types
+  of malicious code
 status: experimental
 author: Florian Roth
 tags:
diff --git a/rules/windows/builtin/win_rare_service_installs.yml b/rules/windows/builtin/win_rare_service_installs.yml
index 428f51708..9581c737a 100644
--- a/rules/windows/builtin/win_rare_service_installs.yml
+++ b/rules/windows/builtin/win_rare_service_installs.yml
@@ -1,5 +1,7 @@
 title: Rare Service Installs
-description: Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services
+id: 66bfef30-22a5-4fcd-ad44-8d81e60922ae
+description: Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious
+  services
 status: experimental
 author: Florian Roth
 tags:
diff --git a/rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml b/rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml
index 217e7b7ce..9a3266c06 100644
--- a/rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml
+++ b/rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml
@@ -1,4 +1,5 @@
 title: Scanner PoC for CVE-2019-0708 RDP RCE vuln
+id: 8400629e-79a9-4737-b387-5db940ab2367
 description: Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep
 references:
   - https://twitter.com/AdamTheAnalyst/status/1134394070045003776
diff --git a/rules/windows/builtin/win_rdp_localhost_login.yml b/rules/windows/builtin/win_rdp_localhost_login.yml
index a5fd26e25..cdc99f440 100644
--- a/rules/windows/builtin/win_rdp_localhost_login.yml
+++ b/rules/windows/builtin/win_rdp_localhost_login.yml
@@ -1,4 +1,5 @@
 title: RDP Login from localhost
+id: 51e33403-2a37-4d66-a574-1fda1782cc31
 description: RDP login with localhost source address may be a tunnelled login
 references:
   - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
diff --git a/rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml b/rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml
index 7f2ce33b5..1e349f0ac 100644
--- a/rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml
+++ b/rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml
@@ -1,4 +1,5 @@
 title: Potential RDP exploit CVE-2019-0708
+id: aaa5b30d-f418-420b-83a0-299cb6024885
 description: Detect suspicious error on protocol RDP, potential CVE-2019-0708
 references:
   - https://github.com/zerosum0x0/CVE-2019-0708
diff --git a/rules/windows/builtin/win_rdp_reverse_tunnel.yml b/rules/windows/builtin/win_rdp_reverse_tunnel.yml
index e0c137ab4..e57d89e0d 100644
--- a/rules/windows/builtin/win_rdp_reverse_tunnel.yml
+++ b/rules/windows/builtin/win_rdp_reverse_tunnel.yml
@@ -1,4 +1,5 @@
 title: RDP over Reverse SSH Tunnel WFP
+id: 5bed80b6-b3e8-428e-a3ae-d3c757589e41
 status: experimental
 description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
 references:
diff --git a/rules/windows/builtin/win_susp_add_sid_history.yml b/rules/windows/builtin/win_susp_add_sid_history.yml
index 3452d6138..6c13f3196 100644
--- a/rules/windows/builtin/win_susp_add_sid_history.yml
+++ b/rules/windows/builtin/win_susp_add_sid_history.yml
@@ -1,11 +1,12 @@
 title: Addition of SID History to Active Directory Object
+id: 2632954e-db1c-49cb-9936-67d1ef1d17d2
 status: stable
 description: An attacker can use the SID history attribute to gain additional privileges.
 references:
   - https://adsecurity.org/?p=1772
-author: "Thomas Patzke, @atc_project (improvements)"
+author: Thomas Patzke, @atc_project (improvements)
 tags:
-  - attack.persistence # https://adsecurity.org/?p=1772
+  - attack.persistence
   - attack.privilege_escalation
   - attack.t1178
 logsource:
diff --git a/rules/windows/builtin/win_susp_backup_delete.yml b/rules/windows/builtin/win_susp_backup_delete.yml
index ffaab4c64..cbf38ab2f 100644
--- a/rules/windows/builtin/win_susp_backup_delete.yml
+++ b/rules/windows/builtin/win_susp_backup_delete.yml
@@ -1,10 +1,11 @@
 title: Backup Catalog Deleted
+id: 9703792d-fd9a-456d-a672-ff92efe4806a
 status: experimental
 description: Detects backup catalog deletions
 references:
   - https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx
   - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
-author: Florian Roth (rule), Tom U. @c_APT_ure (collection) 
+author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
 tags:
   - attack.defense_evasion
   - attack.t1107
diff --git a/rules/windows/builtin/win_susp_dhcp_config.yml b/rules/windows/builtin/win_susp_dhcp_config.yml
index 35fff93ae..564801d15 100644
--- a/rules/windows/builtin/win_susp_dhcp_config.yml
+++ b/rules/windows/builtin/win_susp_dhcp_config.yml
@@ -1,4 +1,5 @@
 title: DHCP Server Loaded the CallOut DLL
+id: 13fc89a9-971e-4ca6-b9dc-aa53a445bf40
 status: experimental
 description: This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
 references:
diff --git a/rules/windows/builtin/win_susp_dhcp_config_failed.yml b/rules/windows/builtin/win_susp_dhcp_config_failed.yml
index e41f1fe84..f3c4f36ec 100644
--- a/rules/windows/builtin/win_susp_dhcp_config_failed.yml
+++ b/rules/windows/builtin/win_susp_dhcp_config_failed.yml
@@ -1,4 +1,5 @@
 title: DHCP Server Error Failed Loading the CallOut DLL
+id: 75edd3fd-7146-48e5-9848-3013d7f0282c
 description: This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded
 status: experimental
 references:
diff --git a/rules/windows/builtin/win_susp_dns_config.yml b/rules/windows/builtin/win_susp_dns_config.yml
index c3a4c3166..df7ffe3f9 100644
--- a/rules/windows/builtin/win_susp_dns_config.yml
+++ b/rules/windows/builtin/win_susp_dns_config.yml
@@ -1,4 +1,5 @@
 title: DNS Server Error Failed Loading the ServerLevelPluginDLL
+id: cbe51394-cd93-4473-b555-edf0144952d9
 description: This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
 status: experimental
 date: 2017/05/08
diff --git a/rules/windows/builtin/win_susp_dsrm_password_change.yml b/rules/windows/builtin/win_susp_dsrm_password_change.yml
index c918848e1..f3a0a5270 100644
--- a/rules/windows/builtin/win_susp_dsrm_password_change.yml
+++ b/rules/windows/builtin/win_susp_dsrm_password_change.yml
@@ -1,4 +1,5 @@
 title: Password Change on Directory Service Restore Mode (DSRM) Account
+id: 53ad8e36-f573-46bf-97e4-15ba5bf4bb51
 status: stable
 description: The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.
 references:
diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/win_susp_eventlog_cleared.yml
index e3427dc50..65d48c6bc 100644
--- a/rules/windows/builtin/win_susp_eventlog_cleared.yml
+++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml
@@ -1,4 +1,5 @@
 title: Eventlog Cleared
+id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982
 description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
 references:
   - https://twitter.com/deviouspolack/status/832535435960209408
diff --git a/rules/windows/builtin/win_susp_failed_logon_reasons.yml b/rules/windows/builtin/win_susp_failed_logon_reasons.yml
index 123a3cd51..1d295f805 100644
--- a/rules/windows/builtin/win_susp_failed_logon_reasons.yml
+++ b/rules/windows/builtin/win_susp_failed_logon_reasons.yml
@@ -1,5 +1,7 @@
 title: Account Tampering - Suspicious Failed Logon Reasons
-description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
+id: 9eb99343-d336-4020-a3cd-67f3819e68ee
+description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow
+  restricted.
 author: Florian Roth
 modified: 2019/03/01
 references:
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source.yml b/rules/windows/builtin/win_susp_failed_logons_single_source.yml
index 25c6253e0..a39d32260 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source.yml
@@ -1,5 +1,6 @@
 title: Multiple Failed Logins with Different Accounts from Single Source System
-description: Detects suspicious failed logins with different user accounts from a single source system
+id: e98374a6-e2d9-4076-9b5c-11bdb2569995
+description: Detects suspicious failed logins with different user accounts from a single source system
 author: Florian Roth
 tags:
   - attack.persistence
diff --git a/rules/windows/builtin/win_susp_interactive_logons.yml b/rules/windows/builtin/win_susp_interactive_logons.yml
index ee72129c2..10fd8ed6b 100644
--- a/rules/windows/builtin/win_susp_interactive_logons.yml
+++ b/rules/windows/builtin/win_susp_interactive_logons.yml
@@ -1,5 +1,6 @@
 title: Interactive Logon to Server Systems
-description: Detects interactive console logons to
+id: 3ff152b2-1388-4984-9cd9-a323323fdadf
+description: Detects interactive console logons to
 author: Florian Roth
 tags:
   - attack.lateral_movement
diff --git a/rules/windows/builtin/win_susp_kerberos_manipulation.yml b/rules/windows/builtin/win_susp_kerberos_manipulation.yml
index 8359a6182..78940cb18 100644
--- a/rules/windows/builtin/win_susp_kerberos_manipulation.yml
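Review bot: The re-added `description: Detects interactive console logons to` in win_susp_interactive_logons.yml is still the truncated sentence the removed line had, so the rule is left without a usable description even though the line is being rewritten. Finish it to match the title, e.g. `description: Detects interactive console logons to server systems`. The `-`/`+` pair appears to differ only in trailing whitespace that the collapsed diff does not show.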
+++ b/rules/windows/builtin/win_susp_kerberos_manipulation.yml
@@ -1,4 +1,5 @@
 title: Kerberos Manipulation
+id: f7644214-0eb0-4ace-9455-331ec4c09253
 description: This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages
 author: Florian Roth
 tags:
diff --git a/rules/windows/builtin/win_susp_lsass_dump.yml b/rules/windows/builtin/win_susp_lsass_dump.yml
index 68aaa0485..46527786e 100644
--- a/rules/windows/builtin/win_susp_lsass_dump.yml
+++ b/rules/windows/builtin/win_susp_lsass_dump.yml
@@ -1,4 +1,5 @@
 title: Password Dumper Activity on LSASS
+id: aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c
 description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN
 status: experimental
 references:
diff --git a/rules/windows/builtin/win_susp_mshta_execution.yml b/rules/windows/builtin/win_susp_mshta_execution.yml
index 1c643abef..8458f791e 100644
--- a/rules/windows/builtin/win_susp_mshta_execution.yml
+++ b/rules/windows/builtin/win_susp_mshta_execution.yml
@@ -1,4 +1,5 @@
 title: MSHTA Suspicious Execution 01
+id: cc7abbd0-762b-41e3-8a26-57ad50d2eea3
 status: experimental
 description: Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism
 date: 22/02/2019
diff --git a/rules/windows/builtin/win_susp_msmpeng_crash.yml b/rules/windows/builtin/win_susp_msmpeng_crash.yml
index 9f725c6d4..3e6f6fcba 100644
--- a/rules/windows/builtin/win_susp_msmpeng_crash.yml
+++ b/rules/windows/builtin/win_susp_msmpeng_crash.yml
@@ -1,4 +1,5 @@
 title: Microsoft Malware Protection Engine Crash
+id: 6c82cf5c-090d-4d57-9188-533577631108
 description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
 tags:
   - attack.defense_evasion
diff --git a/rules/windows/builtin/win_susp_net_recon_activity.yml b/rules/windows/builtin/win_susp_net_recon_activity.yml
index 55c4cdee0..68cd02701 100644
--- a/rules/windows/builtin/win_susp_net_recon_activity.yml
+++ b/rules/windows/builtin/win_susp_net_recon_activity.yml
@@ -1,6 +1,7 @@
 title: Reconnaissance Activity
+id: 968eef52-9cff-4454-8992-1e74b9cbad6c
 status: experimental
-description: 'Detects activity as "net user administrator /domain" and "net group domain admins /domain"'
+description: Detects activity as "net user administrator /domain" and "net group domain admins /domain"
 references:
   - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
 author: Florian Roth (rule), Jack Croock (method)
diff --git a/rules/windows/builtin/win_susp_ntlm_auth.yml b/rules/windows/builtin/win_susp_ntlm_auth.yml
index 7d86400d8..f8ea778c0 100644
--- a/rules/windows/builtin/win_susp_ntlm_auth.yml
+++ b/rules/windows/builtin/win_susp_ntlm_auth.yml
@@ -1,4 +1,5 @@
 title: NTLM Logon
+id: 98c3bcf1-56f2-49dc-9d8d-c66cf190238b
 status: experimental
 description: Detects logons using NTLM, which could be caused by a legacy source or attackers
 references:
diff --git a/rules/windows/builtin/win_susp_psexec.yml b/rules/windows/builtin/win_susp_psexec.yml
index ab6db27e3..3530469c6 100644
--- a/rules/windows/builtin/win_susp_psexec.yml
+++ b/rules/windows/builtin/win_susp_psexec.yml
@@ -1,5 +1,7 @@
 title: Suspicious PsExec execution
-description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
+id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82
+description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker
+  uses a different psexec client other than sysinternal one
 author: Samir Bousseaden
 references:
   - https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
diff --git a/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml b/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
index 8801eee70..9faa3588f 100644
--- a/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
+++ b/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
@@ -1,4 +1,5 @@
 title: Suspicious access to sensitive file extensions
+id: 91c945bc-2ad1-4799-a591-4d00198a1215
 description: Detects known sensitive file extensions
 author: Samir Bousseaden
 tags:
diff --git a/rules/windows/builtin/win_susp_rc4_kerberos.yml b/rules/windows/builtin/win_susp_rc4_kerberos.yml
index edecf705d..7e54b1822 100644
--- a/rules/windows/builtin/win_susp_rc4_kerberos.yml
+++ b/rules/windows/builtin/win_susp_rc4_kerberos.yml
@@ -1,4 +1,5 @@
 title: Suspicious Kerberos RC4 Ticket Encryption
+id: 496a0e47-0a33-4dca-b009-9e6ca3591f39
 status: experimental
 references:
   - https://adsecurity.org/?p=3458
diff --git a/rules/windows/builtin/win_susp_sam_dump.yml b/rules/windows/builtin/win_susp_sam_dump.yml
index b8ed30dbe..d0a832625 100644
--- a/rules/windows/builtin/win_susp_sam_dump.yml
+++ b/rules/windows/builtin/win_susp_sam_dump.yml
@@ -1,4 +1,5 @@
 title: SAM Dump to AppData
+id: 839dd1e8-eda8-4834-8145-01beeee33acd
 status: experimental
 description: Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers
 tags:
diff --git a/rules/windows/builtin/win_susp_samr_pwset.yml b/rules/windows/builtin/win_susp_samr_pwset.yml
index de5c74d09..c33a69078 100644
--- a/rules/windows/builtin/win_susp_samr_pwset.yml
+++ b/rules/windows/builtin/win_susp_samr_pwset.yml
@@ -1,5 +1,7 @@
-title: Possible Remote Password Change Through SAMR
-description: Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser(). "Audit User Account Management" in "Advanced Audit Policy Configuration" has to be enabled in your local security policy / GPO to see this events.
+title: Possible Remote Password Change Through SAMR
+id: 7818b381-5eb1-4641-bea5-ef9e4cfb5951
+description: Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser(). "Audit User Account Management" in "Advanced
+ Audit Policy Configuration" has to be enabled in your local security policy / GPO to see this events.
 author: Dimitrios Slamaris
 tags:
 - attack.credential_access
diff --git a/rules/windows/builtin/win_susp_sdelete.yml b/rules/windows/builtin/win_susp_sdelete.yml
index 980994f6d..0556c1a32 100644
--- a/rules/windows/builtin/win_susp_sdelete.yml
+++ b/rules/windows/builtin/win_susp_sdelete.yml
@@ -1,4 +1,5 @@
 title: Secure Deletion with SDelete
+id: 39a80702-d7ca-4a83-b776-525b1f86a36d
 status: experimental
 description: Detects renaming of file while deletion with SDelete tool
 author: Thomas Patzke
diff --git a/rules/windows/builtin/win_susp_security_eventlog_cleared.yml b/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
index 063dfa981..01c05c9db 100644
--- a/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
+++ b/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
@@ -1,4 +1,5 @@
 title: Security Eventlog Cleared
+id: f2f01843-e7b8-4f95-a35a-d23584476423
 description: Some threat groups tend to delete the local 'Security' Eventlog using certain utitlities
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/builtin/win_susp_time_modification.yml b/rules/windows/builtin/win_susp_time_modification.yml
index 5a209c2c5..e097791ba 100644
--- a/rules/windows/builtin/win_susp_time_modification.yml
+++ b/rules/windows/builtin/win_susp_time_modification.yml
@@ -1,4 +1,5 @@
 title: Unauthorized System Time Modification
+id: faa031b5-21ed-4e02-8881-2591f98d82ed
 status: experimental
 description: Detect scenarios where a potentially unauthorized application or user is modifying the system time.
 author: '@neu5ron'
diff --git a/rules/windows/builtin/win_svcctl_remote_service.yml b/rules/windows/builtin/win_svcctl_remote_service.yml
index 9dd59a0d8..aa1481c54 100644
--- a/rules/windows/builtin/win_svcctl_remote_service.yml
+++ b/rules/windows/builtin/win_svcctl_remote_service.yml
@@ -1,4 +1,5 @@
 title: Remote Service Activity Detected via SVCCTL named pipe
+id: 586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3
 description: Detects remote remote service activity via remote access to the svcctl named pipe
 author: Samir Bousseaden
 references:
diff --git a/rules/windows/builtin/win_usb_device_plugged.yml b/rules/windows/builtin/win_usb_device_plugged.yml
index 3d8896c54..d64947202 100644
--- a/rules/windows/builtin/win_usb_device_plugged.yml
+++ b/rules/windows/builtin/win_usb_device_plugged.yml
@@ -1,4 +1,5 @@
 title: USB Device Plugged
+id: 1a4bd6e3-4c6e-405d-a9a3-53a116e341d4
 description: Detects plugged USB devices
 references:
 - https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/
diff --git a/rules/windows/builtin/win_user_added_to_local_administrators.yml b/rules/windows/builtin/win_user_added_to_local_administrators.yml
index ec221cf63..3cf70e705 100644
--- a/rules/windows/builtin/win_user_added_to_local_administrators.yml
+++ b/rules/windows/builtin/win_user_added_to_local_administrators.yml
@@ -1,5 +1,7 @@
 title: User Added to Local Administrators
-description: This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity
+id: c265cf08-3f99-46c1-8d59-328247057d57
+description: This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation
+ activity
 status: stable
 author: Florian Roth
 tags:
diff --git a/rules/windows/builtin/win_user_creation.yml b/rules/windows/builtin/win_user_creation.yml
index 67061262c..d2042cdf4 100644
--- a/rules/windows/builtin/win_user_creation.yml
+++ b/rules/windows/builtin/win_user_creation.yml
@@ -1,11 +1,13 @@
 title: Detects local user creation
-description: Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows server logs and not on your DC logs.
+id: 66b6be3d-55d0-4f47-9855-d69df21740ea
+description: Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows
+ server logs and not on your DC logs.
 status: experimental
 tags:
 - attack.persistence
 - attack.t1136
 references:
- - https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
+ - https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
 author: Patrick Bareiss
 logsource:
 product: windows
diff --git a/rules/windows/malware/av_exploiting.yml b/rules/windows/malware/av_exploiting.yml
index df5e8389b..3ec47e48d 100644
--- a/rules/windows/malware/av_exploiting.yml
+++ b/rules/windows/malware/av_exploiting.yml
@@ -1,4 +1,5 @@
 title: Antivirus Exploitation Framework Detection
+id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
 description: Detects a highly relevant Antivirus alert that reports an exploitation framework
 date: 2018/09/09
 modified: 2019/01/16
diff --git a/rules/windows/malware/av_password_dumper.yml b/rules/windows/malware/av_password_dumper.yml
index 5d350de54..528548545 100644
--- a/rules/windows/malware/av_password_dumper.yml
+++ b/rules/windows/malware/av_password_dumper.yml
@@ -1,4 +1,5 @@
 title: Antivirus Password Dumper Detection
+id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
 description: Detects a highly relevant Antivirus alert that reports a password dumper
 date: 2018/09/09
 modified: 2019/10/04
diff --git a/rules/windows/malware/av_relevant_files.yml b/rules/windows/malware/av_relevant_files.yml
index 56eb751a8..495525a81 100644
--- a/rules/windows/malware/av_relevant_files.yml
+++ b/rules/windows/malware/av_relevant_files.yml
@@ -1,4 +1,5 @@
 title: Antivirus Relevant File Paths Alerts
+id: c9a88268-0047-4824-ba6e-4d81ce0b907c
 description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name
 date: 2018/09/09
 modified: 2019/10/04
diff --git a/rules/windows/malware/av_webshell.yml b/rules/windows/malware/av_webshell.yml
index 2f7e3a7ab..b041fda85 100644
--- a/rules/windows/malware/av_webshell.yml
+++ b/rules/windows/malware/av_webshell.yml
@@ -1,4 +1,5 @@
 title: Antivirus Web Shell Detection
+id: fdf135a2-9241-4f96-a114-bb404948f736
 description: Detects a highly relevant Antivirus alert that reports a web shell
 date: 2018/09/09
 modified: 2019/10/04
diff --git a/rules/windows/malware/win_mal_ryuk.yml b/rules/windows/malware/win_mal_ryuk.yml
index 4a7ac250e..aa5977d23 100644
--- a/rules/windows/malware/win_mal_ryuk.yml
+++ b/rules/windows/malware/win_mal_ryuk.yml
@@ -1,4 +1,5 @@
 title: Ryuk Ransomware
+id: 0acaad27-9f02-4136-a243-c357202edd74
 description: Detects Ryuk Ransomware command lines
 status: experimental
 references:
diff --git a/rules/windows/malware/win_mal_ursnif.yml b/rules/windows/malware/win_mal_ursnif.yml
index 3b19d5120..902d85ae3 100644
--- a/rules/windows/malware/win_mal_ursnif.yml
+++ b/rules/windows/malware/win_mal_ursnif.yml
@@ -1,6 +1,7 @@
 title: Ursnif
+id: 21f17060-b282-4249-ade0-589ea3591558
 status: experimental
-description: Detects new registry key created by Ursnif malware.
+description: Detects new registry key created by Ursnif malware.
 references:
 - https://blog.yoroi.company/research/ursnif-long-live-the-steganography/
 - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
diff --git a/rules/windows/other/win_rare_schtask_creation.yml b/rules/windows/other/win_rare_schtask_creation.yml
index d7090855d..f0a58825b 100644
--- a/rules/windows/other/win_rare_schtask_creation.yml
+++ b/rules/windows/other/win_rare_schtask_creation.yml
@@ -1,6 +1,8 @@
 title: Rare Scheduled Task Creations
+id: b20f6158-9438-41be-83da-a5a16ac90c2b
 status: experimental
-description: This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.
+description: This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count
+ function selects tasks with rare names.
 tags:
 - attack.persistence
 - attack.t1053
diff --git a/rules/windows/other/win_tool_psexec.yml b/rules/windows/other/win_tool_psexec.yml
index 8069783c4..5fc09919e 100644
--- a/rules/windows/other/win_tool_psexec.yml
+++ b/rules/windows/other/win_tool_psexec.yml
@@ -1,6 +1,6 @@
----
 action: global
 title: PsExec Tool Execution
+id: 42c575ea-e41e-41f1-b248-8093c3e82a28
 status: experimental
 description: Detects PsExec service installation and execution events (service and Sysmon)
 author: Thomas Patzke
diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml
index 077f0aacb..7c81200d5 100644
--- a/rules/windows/other/win_wmi_persistence.yml
+++ b/rules/windows/other/win_wmi_persistence.yml
@@ -1,4 +1,5 @@
 title: WMI Persistence
+id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b
 status: experimental
 description: Detects suspicious WMI event filter and command line event consumer based on event id 5861 and 5859 (Windows 10, 2012 and higher)
 author: Florian Roth
diff --git a/rules/windows/powershell/powershell_data_compressed.yml b/rules/windows/powershell/powershell_data_compressed.yml
index 0828f7b5c..4d6ca237b 100644
--- a/rules/windows/powershell/powershell_data_compressed.yml
+++ b/rules/windows/powershell/powershell_data_compressed.yml
@@ -1,6 +1,8 @@
 title: Data Compressed
+id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a
 status: experimental
-description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
+description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount
+ of data sent over the network
 author: Timur Zinniatullin, oscd.community
 date: 2019/10/21
 modified: 2019/11/04
diff --git a/rules/windows/powershell/powershell_downgrade_attack.yml b/rules/windows/powershell/powershell_downgrade_attack.yml
index c8a647dc7..746017ee8 100644
--- a/rules/windows/powershell/powershell_downgrade_attack.yml
+++ b/rules/windows/powershell/powershell_downgrade_attack.yml
@@ -1,4 +1,5 @@
 title: PowerShell Downgrade Attack
+id: 6331d09b-4785-4c13-980f-f96661356249
 status: experimental
 description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
 references:
diff --git a/rules/windows/powershell/powershell_exe_calling_ps.yml b/rules/windows/powershell/powershell_exe_calling_ps.yml
index bac67132c..a85fc0a76 100644
--- a/rules/windows/powershell/powershell_exe_calling_ps.yml
+++ b/rules/windows/powershell/powershell_exe_calling_ps.yml
@@ -1,4 +1,5 @@
 title: PowerShell called from an Executable Version Mismatch
+id: c70e019b-1479-4b65-b0cc-cd0c6093a599
 status: experimental
 description: Detects PowerShell called from an executable by the version mismatch method
 references:
diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml
index c01420607..6b3f4fd0c 100644
--- a/rules/windows/powershell/powershell_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_malicious_commandlets.yml
@@ -1,4 +1,5 @@
 title: Malicious PowerShell Commandlets
+id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
 status: experimental
 description: Detects Commandlet names from well-known PowerShell exploitation frameworks
 modified: 2019/01/22
diff --git a/rules/windows/powershell/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_malicious_keywords.yml
index d553efe23..997a44d36 100644
--- a/rules/windows/powershell/powershell_malicious_keywords.yml
+++ b/rules/windows/powershell/powershell_malicious_keywords.yml
@@ -1,4 +1,5 @@
 title: Malicious PowerShell Keywords
+id: f62176f3-8128-4faa-bf6c-83261322e5eb
 status: experimental
 description: Detects keywords from well-known PowerShell exploitation frameworks
 modified: 2019/01/22
diff --git a/rules/windows/powershell/powershell_ntfs_ads_access.yml b/rules/windows/powershell/powershell_ntfs_ads_access.yml
index 965df78f7..126b95114 100644
--- a/rules/windows/powershell/powershell_ntfs_ads_access.yml
+++ b/rules/windows/powershell/powershell_ntfs_ads_access.yml
@@ -1,4 +1,5 @@
 title: NTFS Alternate Data Stream
+id: 8c521530-5169-495d-a199-0a3a881ad24e
 status: experimental
 description: Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.
 references:
diff --git a/rules/windows/powershell/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_prompt_credentials.yml
index ea97c4a5c..832480a2e 100644
--- a/rules/windows/powershell/powershell_prompt_credentials.yml
+++ b/rules/windows/powershell/powershell_prompt_credentials.yml
@@ -1,4 +1,5 @@
 title: PowerShell Credential Prompt
+id: ca8b77a9-d499-4095-b793-5d5f330d450e
 status: experimental
 description: Detects PowerShell calling a credential prompt
 references:
diff --git a/rules/windows/powershell/powershell_psattack.yml b/rules/windows/powershell/powershell_psattack.yml
index ca8639f48..c6fc8a2ad 100644
--- a/rules/windows/powershell/powershell_psattack.yml
+++ b/rules/windows/powershell/powershell_psattack.yml
@@ -1,4 +1,5 @@
-title: PowerShell PSAttack
+title: PowerShell PSAttack
+id: b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5
 status: experimental
 description: Detects the use of PSAttack PowerShell hack tool
 references:
diff --git a/rules/windows/powershell/powershell_shellcode_b64.yml b/rules/windows/powershell/powershell_shellcode_b64.yml
index 9475554e1..f705329d0 100644
--- a/rules/windows/powershell/powershell_shellcode_b64.yml
+++ b/rules/windows/powershell/powershell_shellcode_b64.yml
@@ -1,4 +1,5 @@
 title: PowerShell ShellCode
+id: 16b37b70-6fcf-4814-a092-c36bd3aafcbd
 status: experimental
 description: Detects Base64 encoded Shellcode
 references:
diff --git a/rules/windows/powershell/powershell_suspicious_download.yml b/rules/windows/powershell/powershell_suspicious_download.yml
index a56980438..d5cd90fdc 100644
--- a/rules/windows/powershell/powershell_suspicious_download.yml
+++ b/rules/windows/powershell/powershell_suspicious_download.yml
@@ -1,4 +1,5 @@
 title: Suspicious PowerShell Download
+id: 65531a81-a694-4e31-ae04-f8ba5bc33759
 status: experimental
 description: Detects suspicious PowerShell download command
 tags:
diff --git a/rules/windows/powershell/powershell_suspicious_invocation_generic.yml b/rules/windows/powershell/powershell_suspicious_invocation_generic.yml
index 28dcd75a1..c621ce4a0 100644
--- a/rules/windows/powershell/powershell_suspicious_invocation_generic.yml
+++ b/rules/windows/powershell/powershell_suspicious_invocation_generic.yml
@@ -1,4 +1,5 @@
 title: Suspicious PowerShell Invocations - Generic
+id: 3d304fda-78aa-43ed-975c-d740798a49c1
 status: experimental
 description: Detects suspicious PowerShell invocation command parameters
 tags:
diff --git a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
index 5e7aae6c3..849ff7386 100644
--- a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
@@ -1,4 +1,5 @@
 title: Suspicious PowerShell Invocations - Specific
+id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
 status: experimental
 description: Detects suspicious PowerShell invocation command parameters
 tags:
diff --git a/rules/windows/powershell/powershell_suspicious_keywords.yml b/rules/windows/powershell/powershell_suspicious_keywords.yml
index bbfbe5a2c..58cbea2fa 100644
--- a/rules/windows/powershell/powershell_suspicious_keywords.yml
+++ b/rules/windows/powershell/powershell_suspicious_keywords.yml
@@ -1,4 +1,5 @@
 title: Suspicious PowerShell Keywords
+id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
 status: experimental
 description: Detects keywords that could indicate the use of some PowerShell exploitation framework
 date: 2019/02/11
diff --git a/rules/windows/powershell/powershell_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_winlogon_helper_dll.yml
index a81aaf97e..fd1378f49 100644
--- a/rules/windows/powershell/powershell_winlogon_helper_dll.yml
+++ b/rules/windows/powershell/powershell_winlogon_helper_dll.yml
@@ -1,6 +1,10 @@
 title: Winlogon Helper DLL
+id: 851c506b-6b7c-4ce2-8802-c703009d03c0
 status: experimental
-description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.
+description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
+ Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are
+ used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load
+ and execute malicious DLLs and/or executables.
 author: Timur Zinniatullin, oscd.community
 date: 2019/10/21
 modified: 2019/11/04
diff --git a/rules/windows/process_creation/win_apt_bluemashroom.yml b/rules/windows/process_creation/win_apt_bluemashroom.yml
index cbaccc097..231f2bb8b 100644
--- a/rules/windows/process_creation/win_apt_bluemashroom.yml
+++ b/rules/windows/process_creation/win_apt_bluemashroom.yml
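Review bot: The rewrapped description on the new side still carries the registry path as `HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\`, where the separators around the optional Wow6432Node component appear to have been lost (the HKCU path on the same line reads `HKCU\Software\Microsoft\...`, so the HKLM one presumably meant `HKLM\Software\[Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\`). An analyst copying the key from the rule gets a path that does not exist. Since this hunk already rewrites every line of the description, it is the natural place to restore the separators; confirm against the source text the description was taken from before changing it.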
@@ -1,8 +1,9 @@
 title: BlueMashroom DLL Load
+id: bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0
 status: experimental
 description: Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report
 references:
- - 'https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software'
+ - https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software
 tags:
 - attack.defense_evasion
 - attack.t1117
diff --git a/rules/windows/process_creation/win_apt_mustangpanda.yml b/rules/windows/process_creation/win_apt_mustangpanda.yml
index 34a58ba53..57990579f 100644
--- a/rules/windows/process_creation/win_apt_mustangpanda.yml
+++ b/rules/windows/process_creation/win_apt_mustangpanda.yml
@@ -1,4 +1,5 @@
 title: Mustang Panda Dropper
+id: 2d87d610-d760-45ee-a7e6-7a6f2a65de00
 status: experimental
 description: Detects specific process parameters as used by Mustang Panda droppers
 author: Florian Roth
diff --git a/rules/windows/process_creation/win_attrib_hiding_files.yml b/rules/windows/process_creation/win_attrib_hiding_files.yml
index edd45bf99..52f584eff 100644
--- a/rules/windows/process_creation/win_attrib_hiding_files.yml
+++ b/rules/windows/process_creation/win_attrib_hiding_files.yml
@@ -1,4 +1,5 @@
 title: Hiding files with attrib.exe
+id: 4281cb20-2994-4580-aa63-c8b86d019934
 status: experimental
 description: Detects usage of attrib.exe to hide files from users.
 author: Sami Ruohonen
diff --git a/rules/windows/process_creation/win_bypass_squiblytwo.yml b/rules/windows/process_creation/win_bypass_squiblytwo.yml
index 9b47e50b0..c1ce08bc2 100644
--- a/rules/windows/process_creation/win_bypass_squiblytwo.yml
+++ b/rules/windows/process_creation/win_bypass_squiblytwo.yml
@@ -1,4 +1,5 @@
 title: SquiblyTwo
+id: 8d63dadf-b91b-4187-87b6-34a1114577ea
 status: experimental
 description: Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash
 references:
diff --git a/rules/windows/process_creation/win_change_default_file_association.yml b/rules/windows/process_creation/win_change_default_file_association.yml
index 38ab0cdc5..c01a933cc 100644
--- a/rules/windows/process_creation/win_change_default_file_association.yml
+++ b/rules/windows/process_creation/win_change_default_file_association.yml
@@ -1,6 +1,9 @@
 title: Change Default File Association
+id: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061
 status: experimental
-description: When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
+description: When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections
+ are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc
+ utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
 author: Timur Zinniatullin, oscd.community
 date: 2019/10/21
 modified: 2019/11/04
diff --git a/rules/windows/process_creation/win_cmdkey_recon.yml b/rules/windows/process_creation/win_cmdkey_recon.yml
index c83ee58bb..ed6784abb 100644
--- a/rules/windows/process_creation/win_cmdkey_recon.yml
+++ b/rules/windows/process_creation/win_cmdkey_recon.yml
@@ -1,4 +1,5 @@
 title: Cmdkey Cached Credentials Recon
+id: 07f8bdc2-c9b3-472a-9817-5a670b872f53
 status: experimental
 description: Detects usage of cmdkey to look for cached credentials
 references:
diff --git a/rules/windows/process_creation/win_cmstp_com_object_access.yml b/rules/windows/process_creation/win_cmstp_com_object_access.yml
index 6bfeb1b2e..d3609b0a3 100644
--- a/rules/windows/process_creation/win_cmstp_com_object_access.yml
+++ b/rules/windows/process_creation/win_cmstp_com_object_access.yml
@@ -1,4 +1,5 @@
 title: CMSTP UAC Bypass via COM Object Access
+id: 4b60e6f2-bf39-47b4-b4ea-398e33cfe253
 status: stable
 description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects
 tags:
diff --git a/rules/windows/process_creation/win_control_panel_item.yml b/rules/windows/process_creation/win_control_panel_item.yml
index 254a4ae13..ead8d17ae 100644
--- a/rules/windows/process_creation/win_control_panel_item.yml
+++ b/rules/windows/process_creation/win_control_panel_item.yml
@@ -1,25 +1,26 @@
 title: Control Panel Items
+id: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4
 status: experimental
 description: Detects the use of a control panel item (.cpl) outside of the System32 folder
-reference:
- - https://attack.mitre.org/techniques/T1196/
-tags:
- - attack.execution
- - attack.t1196
- - attack.defense_evasion
+reference:
+ - https://attack.mitre.org/techniques/T1196/
+tags:
+ - attack.execution
+ - attack.t1196
+ - attack.defense_evasion
 author: Kyaw Min Thein
 date: 2019/08/27
 level: critical
 logsource:
- product: windows
- category: process_creation
+ product: windows
+ category: process_creation
 detection:
- selection:
- CommandLine: '*.cpl'
- filter:
- CommandLine:
- - '*\System32\\*'
- - '*%System%*'
- condition: selection and not filter
+ selection:
+ CommandLine: '*.cpl'
+ filter:
+ CommandLine:
+ - '*\System32\\*'
+ - '*%System%*'
+ condition: selection and not filter
 falsepositives:
- - Unknown
+ - Unknown
diff --git a/rules/windows/process_creation/win_data_compressed_with_rar.yml b/rules/windows/process_creation/win_data_compressed_with_rar.yml
index cfc1146c2..ede9a685c 100644
--- a/rules/windows/process_creation/win_data_compressed_with_rar.yml
+++ b/rules/windows/process_creation/win_data_compressed_with_rar.yml
@@ -1,6 +1,8 @@
 title: Data Compressed
+id: 6f3e2987-db24-4c78-a860-b4f4095a7095
 status: experimental
-description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
+description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount
+ of data sent over the network
 author: Timur Zinniatullin, oscd.community
 date: 2019/10/21
 modified: 2019/11/04
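Review bot: The win_control_panel_item.yml hunk re-indents the whole rule but keeps the singular `+reference:` key, while every other rule in this diff (and the Sigma schema) uses `references:`; tooling that validates or renders the reference list will not see this one. Change the added line to `+references:`. The rest of the rewritten block (the `selection`/`filter`/`condition` structure and the `falsepositives` entry) is unchanged in content, so nothing else in the hunk needs to move with it.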
diff --git a/rules/windows/process_creation/win_encoded_frombase64string.yml b/rules/windows/process_creation/win_encoded_frombase64string.yml
index 68361d6e6..9a480ec0c 100644
--- a/rules/windows/process_creation/win_encoded_frombase64string.yml
+++ b/rules/windows/process_creation/win_encoded_frombase64string.yml
@@ -1,4 +1,5 @@
 title: Encoded FromBase64String
+id: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c
 status: experimental
 description: Detects a base64 encoded FromBase64String keyword in a process command line
 author: Florian Roth
diff --git a/rules/windows/process_creation/win_encoded_iex.yml b/rules/windows/process_creation/win_encoded_iex.yml
index 224ea440c..61bff8ab3 100644
--- a/rules/windows/process_creation/win_encoded_iex.yml
+++ b/rules/windows/process_creation/win_encoded_iex.yml
@@ -1,4 +1,5 @@
 title: Encoded IEX
+id: 88f680b8-070e-402c-ae11-d2914f2257f1
 status: experimental
 description: Detects a base64 encoded IEX command string in a process command line
 author: Florian Roth
diff --git a/rules/windows/process_creation/win_etw_trace_evasion.yml b/rules/windows/process_creation/win_etw_trace_evasion.yml
index 634fd2812..a3f07bec0 100644
--- a/rules/windows/process_creation/win_etw_trace_evasion.yml
+++ b/rules/windows/process_creation/win_etw_trace_evasion.yml
@@ -1,4 +1,5 @@
 title: Disable of ETW Trace
+id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
 description: Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.
 references:
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
diff --git a/rules/windows/process_creation/win_exploit_cve_2015_1641.yml b/rules/windows/process_creation/win_exploit_cve_2015_1641.yml
index 22a7953bc..ed4fa9873 100644
--- a/rules/windows/process_creation/win_exploit_cve_2015_1641.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2015_1641.yml
@@ -1,4 +1,5 @@
 title: Exploit for CVE-2015-1641
+id: 7993792c-5ce2-4475-a3db-a3a5539827ef
 status: experimental
 description: Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
 references:
diff --git a/rules/windows/process_creation/win_exploit_cve_2017_0261.yml b/rules/windows/process_creation/win_exploit_cve_2017_0261.yml
index 9d7aba192..3595f1995 100644
--- a/rules/windows/process_creation/win_exploit_cve_2017_0261.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2017_0261.yml
@@ -1,4 +1,5 @@
 title: Exploit for CVE-2017-0261
+id: 864403a1-36c9-40a2-a982-4c9a45f7d833
 status: experimental
 description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
 references:
diff --git a/rules/windows/process_creation/win_exploit_cve_2017_11882.yml b/rules/windows/process_creation/win_exploit_cve_2017_11882.yml
index 83c2d6d3c..bcd419372 100644
--- a/rules/windows/process_creation/win_exploit_cve_2017_11882.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2017_11882.yml
@@ -1,4 +1,5 @@
 title: Droppers exploiting CVE-2017-11882
+id: 678eb5f4-8597-4be6-8be7-905e4234b53a
 status: experimental
 description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
 references:
diff --git a/rules/windows/process_creation/win_exploit_cve_2017_8759.yml b/rules/windows/process_creation/win_exploit_cve_2017_8759.yml
index e5ed80a1c..edac9c273 100644
--- a/rules/windows/process_creation/win_exploit_cve_2017_8759.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2017_8759.yml
@@ -1,4 +1,5 @@
 title: Exploit for CVE-2017-8759
+id: fdd84c68-a1f6-47c9-9477-920584f94905
 description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
 references:
 - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
diff --git a/rules/windows/process_creation/win_hack_rubeus.yml b/rules/windows/process_creation/win_hack_rubeus.yml
index 7043d3323..9c63c07dd 100644
--- a/rules/windows/process_creation/win_hack_rubeus.yml
+++ b/rules/windows/process_creation/win_hack_rubeus.yml
@@ -1,4 +1,5 @@
 title: Rubeus Hack Tool
+id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
 description: Detects command line parameters used by Rubeus hack tool
 author: Florian Roth
 references:
diff --git a/rules/windows/process_creation/win_hwp_exploits.yml b/rules/windows/process_creation/win_hwp_exploits.yml
index ad4bf4f82..d9002353e 100644
--- a/rules/windows/process_creation/win_hwp_exploits.yml
+++ b/rules/windows/process_creation/win_hwp_exploits.yml
@@ -1,4 +1,5 @@
 title: Suspicious HWP Sub Processes
+id: 023394c4-29d5-46ab-92b8-6a534c6f447b
 description: Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
 status: experimental
 references:
diff --git a/rules/windows/process_creation/win_impacket_lateralization.yml b/rules/windows/process_creation/win_impacket_lateralization.yml
index cc6806db1..52149935e 100644
--- a/rules/windows/process_creation/win_impacket_lateralization.yml
+++ b/rules/windows/process_creation/win_impacket_lateralization.yml
@@ -1,4 +1,5 @@
 title: Impacket Lateralization Detection
+id: 10c14723-61c7-4c75-92ca-9af245723ad2
 status: experimental
 description: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
 references:
diff --git a/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml b/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
index 5e0fcedbb..a8f69b3a7 100644
--- a/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
+++ b/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
@@ -1,7 +1,8 @@
 title: Suspicious Debugger Registration Cmdline
+id: ae215552-081e-44c7-805f-be16f975c8a2
 status: experimental
-description: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
-references:
+description: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
+references:
 - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
 tags:
 - attack.persistence
diff --git a/rules/windows/process_creation/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml b/rules/windows/process_creation/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
index d13d05fd1..7af780f68 100644
--- a/rules/windows/process_creation/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
+++ b/rules/windows/process_creation/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
@@ -1,4 +1,5 @@
 title: Windows Kernel and 3rd-party drivers exploits. Token stealing
+id: 8065b1b4-1778-4427-877f-6bf948b26d38
 description: Detection of child processes spawned with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level
 references:
 - https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
diff --git a/rules/windows/process_creation/win_lethalhta.yml b/rules/windows/process_creation/win_lethalhta.yml
index c72bf6aa6..8c1f14011 100644
--- a/rules/windows/process_creation/win_lethalhta.yml
+++ b/rules/windows/process_creation/win_lethalhta.yml
@@ -1,4 +1,5 @@
 title: MSHTA spwaned by SVCHOST as seen in LethalHTA
+id: ed5d72a6-f8f4-479d-ba79-02f6a80d7471
 status: experimental
 description: Detects MSHTA.EXE spwaned by SVCHOST described in report
 references:
diff --git a/rules/windows/process_creation/win_local_system_owner_account_discovery.yml b/rules/windows/process_creation/win_local_system_owner_account_discovery.yml
index 66a7679f9..8cb560b22 100644
--- a/rules/windows/process_creation/win_local_system_owner_account_discovery.yml
+++ b/rules/windows/process_creation/win_local_system_owner_account_discovery.yml
@@ -1,6 +1,7 @@
 title: Local accounts discovery
+id: 502b42de-4306-40b4-9596-6f590c81f073
 status: experimental
-description: Local accounts, System Owner/User discovery using operating systems utilities
+description: Local accounts, System Owner/User discovery using operating systems utilities
 author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
 date: 2019/10/21
 modified: 2019/11/04
diff --git a/rules/windows/process_creation/win_mal_adwind.yml b/rules/windows/process_creation/win_mal_adwind.yml
index 7d5d06ef5..d007e070e 100644
--- a/rules/windows/process_creation/win_mal_adwind.yml
+++ b/rules/windows/process_creation/win_mal_adwind.yml
@@ -1,5 +1,6 @@
 action: global
 title: Adwind RAT / JRAT
+id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
 status: experimental
 description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
 references:
diff --git a/rules/windows/process_creation/win_malware_dridex.yml b/rules/windows/process_creation/win_malware_dridex.yml
index fa77ad809..fb39f43a6 100644
--- a/rules/windows/process_creation/win_malware_dridex.yml
+++ b/rules/windows/process_creation/win_malware_dridex.yml
@@ -1,4 +1,5 @@
 title: Dridex Process Pattern
+id: e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e
 status: experimental
 description: Detects typical Dridex process patterns
 references:
diff --git a/rules/windows/process_creation/win_malware_dtrack.yml b/rules/windows/process_creation/win_malware_dtrack.yml
index 75e4e3ed3..722a2781c 100644
--- a/rules/windows/process_creation/win_malware_dtrack.yml
+++ b/rules/windows/process_creation/win_malware_dtrack.yml
@@ -1,4 +1,5 @@
 title: DTRACK Process Creation
+id: f1531fa4-5b84-4342-8f68-9cf3fdbd83d4
 status: experimental
 description: Detects specific process parameters as seen in DTRACK infections
 author: Florian Roth
diff --git a/rules/windows/process_creation/win_malware_emotet.yml b/rules/windows/process_creation/win_malware_emotet.yml
index 96736e743..f7a409adc 100644
--- a/rules/windows/process_creation/win_malware_emotet.yml
+++ b/rules/windows/process_creation/win_malware_emotet.yml
@@ -1,4 +1,5 @@
 title: Emotet Process Creation
+id: d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18
 status: experimental
 description: Detects all Emotet like process executions that are not covered by the more generic rules
 author: Florian Roth
diff --git a/rules/windows/process_creation/win_malware_formbook.yml b/rules/windows/process_creation/win_malware_formbook.yml
index 99cd1e664..6f5e41b32 100644
--- a/rules/windows/process_creation/win_malware_formbook.yml
+++ b/rules/windows/process_creation/win_malware_formbook.yml
@@ -1,6 +1,8 @@
 title: Formbook Process Creation
+id: 032f5fb3-d959-41a5-9263-4173c802dc2b
 status: experimental
-description: Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.
+description: Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to
+ delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.
 author: Florian Roth
 date: 2019/09/30
 modified: 2019/10/31
diff --git a/rules/windows/process_creation/win_malware_notpetya.yml b/rules/windows/process_creation/win_malware_notpetya.yml
index 8fde9f29c..3e9b73c2f 100644
--- a/rules/windows/process_creation/win_malware_notpetya.yml
+++ b/rules/windows/process_creation/win_malware_notpetya.yml
@@ -1,4 +1,5 @@
 title: NotPetya Ransomware Activity
+id: 79aeeb41-8156-4fac-a0cd-076495ab82a1
 status: experimental
 description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil
diff --git a/rules/windows/process_creation/win_malware_qbot.yml b/rules/windows/process_creation/win_malware_qbot.yml
index d8d1d5d46..590035737 100644
--- a/rules/windows/process_creation/win_malware_qbot.yml
+++ b/rules/windows/process_creation/win_malware_qbot.yml
@@ -1,4 +1,5 @@
 title: QBot Process Creation
+id: 4fcac6eb-0287-4090-8eea-2602e4c20040
 status: experimental
 description: Detects QBot like process executions
 author: Florian Roth
diff --git a/rules/windows/process_creation/win_malware_script_dropper.yml b/rules/windows/process_creation/win_malware_script_dropper.yml
index 856e4a2ad..e0c054a4f 100644
--- a/rules/windows/process_creation/win_malware_script_dropper.yml
+++ b/rules/windows/process_creation/win_malware_script_dropper.yml
@@ -1,4 +1,5 @@
 title: WScript or CScript Dropper
+id: cea72823-df4d-4567-950c-0b579eaf0846
 status: experimental
 description: Detects wscript/cscript executions of scripts located in user directories
 author: Margaritis Dimitrios (idea), Florian Roth (rule)
diff --git a/rules/windows/process_creation/win_malware_wannacry.yml b/rules/windows/process_creation/win_malware_wannacry.yml
index 734af8a2b..3ad40d5f4 100644
--- a/rules/windows/process_creation/win_malware_wannacry.yml
+++ b/rules/windows/process_creation/win_malware_wannacry.yml
@@ -1,4 +1,5 @@
 title: WannaCry Ransomware
+id: 41d40bff-377a-43e2-8e1b-2e543069e079
 status: experimental
 description: Detects WannaCry ransomware activity
 references:
diff --git a/rules/windows/process_creation/win_mavinject_proc_inj.yml b/rules/windows/process_creation/win_mavinject_proc_inj.yml
index 79ed43cf0..4a7d86a6b 100644
--- a/rules/windows/process_creation/win_mavinject_proc_inj.yml
+++ b/rules/windows/process_creation/win_mavinject_proc_inj.yml
@@ -1,4 +1,5 @@
 title: MavInject Process Injection
+id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8
 status: experimental
 description: Detects process injection using the signed Windows tool Mavinject32.exe
 references:
diff --git a/rules/windows/process_creation/win_mmc_spawn_shell.yml b/rules/windows/process_creation/win_mmc_spawn_shell.yml
index 800eace6d..44cf45358 100644
--- a/rules/windows/process_creation/win_mmc_spawn_shell.yml
+++ b/rules/windows/process_creation/win_mmc_spawn_shell.yml
@@ -1,4 +1,5 @@
 title: MMC Spawning Windows Shell
+id: 05a2ab7e-ce11-4b63-86db-ab32e763e11d
 status: experimental
 description: Detects a Windows command line executable started from MMC.
 author: Karneades, Swisscom CSIRT
diff --git a/rules/windows/process_creation/win_mshta_spawn_shell.yml b/rules/windows/process_creation/win_mshta_spawn_shell.yml
index f825d0547..09c629cf9 100644
--- a/rules/windows/process_creation/win_mshta_spawn_shell.yml
+++ b/rules/windows/process_creation/win_mshta_spawn_shell.yml
@@ -1,4 +1,5 @@
 title: MSHTA Spawning Windows Shell
+id: 03cc0c25-389f-4bf8-b48d-11878079f1ca
 status: experimental
 description: Detects a Windows command line executable started from MSHTA.
 references:
diff --git a/rules/windows/process_creation/win_multiple_suspicious_cli.yml b/rules/windows/process_creation/win_multiple_suspicious_cli.yml
index b4b9e7951..07a134d85 100644
--- a/rules/windows/process_creation/win_multiple_suspicious_cli.yml
+++ b/rules/windows/process_creation/win_multiple_suspicious_cli.yml
@@ -1,4 +1,5 @@
 title: Quick Execution of a Series of Suspicious Commands
+id: 61ab5496-748e-4818-a92f-de78e20fe7f1
 description: Detects multiple suspicious process in a limited timeframe
 status: experimental
 references:
diff --git a/rules/windows/process_creation/win_netsh_fw_add.yml b/rules/windows/process_creation/win_netsh_fw_add.yml
index f8dc18732..7657dd25f 100644
--- a/rules/windows/process_creation/win_netsh_fw_add.yml
+++ b/rules/windows/process_creation/win_netsh_fw_add.yml
@@ -1,4 +1,5 @@
-title: Netsh
+title: Netsh
+id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c
 description: Allow Incoming Connections by Port or Application on Windows Firewall
 references:
 - https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)
diff --git a/rules/windows/process_creation/win_netsh_packet_capture.yml b/rules/windows/process_creation/win_netsh_packet_capture.yml
index d89c40c4a..f38f9effb 100644
--- a/rules/windows/process_creation/win_netsh_packet_capture.yml
+++ b/rules/windows/process_creation/win_netsh_packet_capture.yml
@@ -1,4 +1,5 @@
 title: Capture a Network Trace with netsh.exe
+id: d3c3861d-c504-4c77-ba55-224ba82d0118
 status: experimental
 description: Detects capture a network trace via netsh.exe trace functionality
 references:
diff --git a/rules/windows/process_creation/win_netsh_port_fwd.yml b/rules/windows/process_creation/win_netsh_port_fwd.yml
index 0fd726077..4b2458926 100644
--- a/rules/windows/process_creation/win_netsh_port_fwd.yml
+++ b/rules/windows/process_creation/win_netsh_port_fwd.yml
@@ -1,4 +1,5 @@
 title: Netsh Port Forwarding
+id: 322ed9ec-fcab-4f67-9a34-e7c6aef43614
 description: Detects netsh commands that configure a port forwarding
 references:
 - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
diff --git a/rules/windows/process_creation/win_netsh_port_fwd_3389.yml b/rules/windows/process_creation/win_netsh_port_fwd_3389.yml
index 16ad6b6bc..b4f006e75 100644
--- a/rules/windows/process_creation/win_netsh_port_fwd_3389.yml
+++ b/rules/windows/process_creation/win_netsh_port_fwd_3389.yml
@@ -1,4 +1,5 @@
 title: Netsh RDP Port Forwarding
+id: 782d6f3e-4c5d-4b8c-92a3-1d05fed72e63
 description: Detects netsh commands that configure a port forwarding of port 3389 used for RDP
 references:
 - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
diff --git a/rules/windows/process_creation/win_network_sniffing.yml b/rules/windows/process_creation/win_network_sniffing.yml
index d157cc454..94abda394 100644
--- a/rules/windows/process_creation/win_network_sniffing.yml
+++ b/rules/windows/process_creation/win_network_sniffing.yml
@@ -1,6 +1,8 @@
 title: Network Sniffing
+id: ba1f7802-adc7-48b4-9ecb-81e227fddfd5
 status: experimental
-description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary
+ may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
 author: Timur Zinniatullin, oscd.community
 date: 2019/10/21
 modified: 2019/11/04
diff --git a/rules/windows/process_creation/win_office_shell.yml b/rules/windows/process_creation/win_office_shell.yml
index c26a66574..aa29383e9 100644
--- a/rules/windows/process_creation/win_office_shell.yml
+++ b/rules/windows/process_creation/win_office_shell.yml
@@ -1,4 +1,5 @@
 title: Microsoft Office Product Spawning Windows Shell
+id: 438025f9-5856-4663-83f7-52f878a70a50
 status: experimental
 description: Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio.
 references:
diff --git a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml
index 231da4713..0398fbadf 100644
--- a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml
+++ b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml
@@ -1,9 +1,10 @@
-title: MS Office Product Spawning Exe in User Dir
+title: MS Office Product Spawning Exe in User Dir
+id: aa3a6f94-890e-4e22-b634-ffdfd54792cc
 status: experimental
 description: Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio
 references:
 - sha256=23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57c
- - https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign
+ - https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign
 tags:
 - attack.execution
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
index f4db78250..52b2847e3 100644
--- a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
+++ b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
@@ -1,4 +1,5 @@
 title: Executable used by PlugX in Uncommon Location - Sysmon Version
+id: aeab5ec5-be14-471a-80e8-e344418305c2
 status: experimental
 description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
 references:
diff --git a/rules/windows/process_creation/win_possible_applocker_bypass.yml b/rules/windows/process_creation/win_possible_applocker_bypass.yml
index d620bf1cf..32949bb0b 100644
--- a/rules/windows/process_creation/win_possible_applocker_bypass.yml
+++ b/rules/windows/process_creation/win_possible_applocker_bypass.yml
@@ -1,4 +1,5 @@
 title: Possible Applocker Bypass
+id: 82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719
 description: Detects execution of executables that can be used to bypass Applocker whitelisting
 status: experimental
 references:
diff --git a/rules/windows/process_creation/win_powershell_amsi_bypass.yml b/rules/windows/process_creation/win_powershell_amsi_bypass.yml
index 926a669bf..708f50ec2 100644
--- a/rules/windows/process_creation/win_powershell_amsi_bypass.yml
+++ b/rules/windows/process_creation/win_powershell_amsi_bypass.yml
@@ -1,4 +1,5 @@
 title: Powershell AMSI Bypass via .NET Reflection
+id: 30edb182-aa75-42c0-b0a9-e998bb29067c
 status: experimental
 description: Detects Request to amsiInitFailed that can be used to disable AMSI Scanning
 references:
diff --git a/rules/windows/process_creation/win_powershell_b64_shellcode.yml b/rules/windows/process_creation/win_powershell_b64_shellcode.yml
index f23c8cbaa..ddd7efe88 100644
--- a/rules/windows/process_creation/win_powershell_b64_shellcode.yml
+++ b/rules/windows/process_creation/win_powershell_b64_shellcode.yml
@@ -1,4 +1,5 @@
 title: PowerShell Base64 Encoded Shellcode
+id: 2d117e49-e626-4c7c-bd1f-c3c0147774c8
 description: Detects Base64 encoded Shellcode
 status: experimental
 references:
diff --git a/rules/windows/process_creation/win_powershell_dll_execution.yml b/rules/windows/process_creation/win_powershell_dll_execution.yml
index 21d44ac44..4cb036d60 100644
--- a/rules/windows/process_creation/win_powershell_dll_execution.yml
+++ b/rules/windows/process_creation/win_powershell_dll_execution.yml
@@ -1,4 +1,5 @@
 title: Detection of PowerShell Execution via DLL
+id: 6812a10b-60ea-420c-832f-dfcc33b646ba
 status: experimental
 description: Detects PowerShell Strings applied to rundllas seen in PowerShdll.dll
 references:
diff --git a/rules/windows/process_creation/win_powershell_download.yml b/rules/windows/process_creation/win_powershell_download.yml
index 5b6b88a59..8b33fab1e 100644
--- a/rules/windows/process_creation/win_powershell_download.yml
+++ b/rules/windows/process_creation/win_powershell_download.yml
@@ -1,4 +1,5 @@
 title: PowerShell Download from URL
+id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7
 status: experimental
 description: Detects a Powershell process that contains download commands in its command line string
 author: Florian Roth
diff --git a/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml b/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml
index 55493e411..6c86a60a0 100644
--- a/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml
+++ b/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml
@@ -1,4 +1,5 @@
 title: Suspicious PowerShell Parameter Substring
+id: 36210e0d-5b19-485d-a087-c096088885f0
 status: experimental
 description: Detects suspicious PowerShell invocation with a parameter substring
 references:
diff --git a/rules/windows/process_creation/win_powershell_xor_commandline.yml b/rules/windows/process_creation/win_powershell_xor_commandline.yml
index 03bc88a77..c7d39c952 100644
--- a/rules/windows/process_creation/win_powershell_xor_commandline.yml
+++ b/rules/windows/process_creation/win_powershell_xor_commandline.yml
@@ -1,4 +1,5 @@
 title: Suspicious XOR Encoded PowerShell Command Line
+id: bb780e0c-16cf-4383-8383-1e5471db6cf9
 description: Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands.
 status: experimental
 author: Sami Ruohonen
diff --git a/rules/windows/process_creation/win_powersploit_empire_schtasks.yml b/rules/windows/process_creation/win_powersploit_empire_schtasks.yml
index cf9a1d685..e6f689cac 100644
--- a/rules/windows/process_creation/win_powersploit_empire_schtasks.yml
+++ b/rules/windows/process_creation/win_powersploit_empire_schtasks.yml
@@ -1,4 +1,5 @@
 title: Default PowerSploit and Empire Schtasks Persistence
+id: 56c217c3-2de2-479b-990f-5c109ba8458f
 status: experimental
 description: Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
 references:
diff --git a/rules/windows/process_creation/win_proc_wrong_parent.yml b/rules/windows/process_creation/win_proc_wrong_parent.yml
index 06e403401..ee94fde67 100644
--- a/rules/windows/process_creation/win_proc_wrong_parent.yml
+++ b/rules/windows/process_creation/win_proc_wrong_parent.yml
@@ -1,7 +1,8 @@
 title: Windows Processes Suspicious Parent Directory
+id: 96036718-71cc-4027-a538-d1587e0006a7
 status: experimental
 description: Detect suspicious parent processes of well-known Windows processes
-author: 'vburov'
+author: vburov
 references:
 - https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
 - https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/
diff --git a/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml b/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml
index 42b697d03..4990c8bc5 100644
--- a/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml
+++ b/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml
@@ -1,28 +1,29 @@
 title: Bitsadmin Download
+id: d059842b-6b9d-4ed1-b5c3-5b89143c6ede
 status: experimental
 description: Detects usage of bitsadmin downloading a file
 references:
- - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
- - https://isc.sans.edu/diary/22264
+ - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
+ - https://isc.sans.edu/diary/22264
 tags:
- - attack.defense_evasion
- - attack.persistence
- - attack.t1197
- - attack.s0190
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.t1197
+ - attack.s0190
 author: Michael Haag
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image:
- - '*\bitsadmin.exe'
- CommandLine:
- - '/transfer'
- condition: selection
+ selection:
+ Image:
+ - '*\bitsadmin.exe'
+ CommandLine:
+ - /transfer
+ condition: selection
 fields:
- - CommandLine
- - ParentCommandLine
+ - CommandLine
+ - ParentCommandLine
 falsepositives:
- - Some legitimate apps use this, but limited.
+ - Some legitimate apps use this, but limited.
 level: medium
diff --git a/rules/windows/process_creation/win_psexesvc_start.yml b/rules/windows/process_creation/win_psexesvc_start.yml
index d71fa288a..9eca4861d 100644
--- a/rules/windows/process_creation/win_psexesvc_start.yml
+++ b/rules/windows/process_creation/win_psexesvc_start.yml
@@ -1,4 +1,5 @@
 title: PsExec Service Start
+id: 3ede524d-21cc-472d-a3ce-d21b568d8db7
 description: Detects a PsExec service start
 author: Florian Roth
 date: 2018/03/13
diff --git a/rules/windows/process_creation/win_query_registry.yml b/rules/windows/process_creation/win_query_registry.yml
index 02b87075f..6e91a7634 100644
--- a/rules/windows/process_creation/win_query_registry.yml
+++ b/rules/windows/process_creation/win_query_registry.yml
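Review bot: The re-emitted `CommandLine` value in the bitsadmin selection, `+ - /transfer`, carries no wildcard, and a plain Sigma string value is matched against the whole field (case-insensitively), so as written the selection only fires when the entire command line is literally `/transfer` — which never happens for a real `bitsadmin /transfer <job> <url> <file>` invocation. The old side had the same `'/transfer'` value, so this is a pre-existing gap rather than one the commit introduces, but the hunk rewrites the whole detection block and is the natural place to close it. Change the list entry to `- '*/transfer*'` (the `Image` entry already uses a leading `*` the same way), or use `CommandLine|contains: /transfer` if this rule set already relies on value modifiers. Worth confirming against the project's converter output before merging that the current form really does compile to an exact match, since the difference decides whether the rule has ever alerted.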
@@ -1,4 +1,5 @@
 title: Query Registry
+id: 970007b7-ce32-49d0-a4a4-fbef016950bd
 status: experimental
 description: Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
 author: Timur Zinniatullin, oscd.community
diff --git a/rules/windows/process_creation/win_ransomware_shadowcopy.yml b/rules/windows/process_creation/win_ransomware_shadowcopy.yml
index 966c3a139..bff600717 100644
--- a/rules/windows/process_creation/win_ransomware_shadowcopy.yml
+++ b/rules/windows/process_creation/win_ransomware_shadowcopy.yml
@@ -1,4 +1,5 @@
 title: Ransomware Deletes Volume Shadow Copies
+id: 4eebe114-4b24-4a9d-9a6c-c7bd7c8eaa61
 status: experimental
 description: Detects commands that delete all local volume shadow copies as used by different Ransomware families
 references:
diff --git a/rules/windows/process_creation/win_renamed_binary.yml b/rules/windows/process_creation/win_renamed_binary.yml
index 864ed1504..e1400c5be 100644
--- a/rules/windows/process_creation/win_renamed_binary.yml
+++ b/rules/windows/process_creation/win_renamed_binary.yml
@@ -1,7 +1,8 @@
 title: Renamed Binary
+id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
 status: experimental
 description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
-author: Matthew Green - @mgreen27
+author: Matthew Green - @mgreen27
 date: 2019/06/15
 references:
 - https://attack.mitre.org/techniques/T1036/
diff --git a/rules/windows/process_creation/win_renamed_paexec.yml b/rules/windows/process_creation/win_renamed_paexec.yml
index ccbd055e2..f1ea132a9 100644
--- a/rules/windows/process_creation/win_renamed_paexec.yml
+++ b/rules/windows/process_creation/win_renamed_paexec.yml
@@ -1,8 +1,9 @@
-title: Execution of Renamed PaExec
+title: Execution of Renamed PaExec
+id: 7b0666ad-3e38-4e3d-9bab-78b06de85f7b
 status: experimental
-description: Detects execution of renamed paexec via imphash and executable product string
+description: Detects execution of renamed paexec via imphash and executable product string
 references:
- - sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc
+ - sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc
 - https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml
index 043cb5831..fa3c44ae4 100644
--- a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml
+++ b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml
@@ -1,4 +1,5 @@
 title: Possible Shim Database Persistence via sdbinst.exe
+id: 517490a7-115a-48c6-8862-1a481504d5a8
 status: experimental
 description: Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.
 references:
diff --git a/rules/windows/process_creation/win_service_execution.yml b/rules/windows/process_creation/win_service_execution.yml
index 86e2329f7..b9feeb324 100644
--- a/rules/windows/process_creation/win_service_execution.yml
+++ b/rules/windows/process_creation/win_service_execution.yml
@@ -1,4 +1,5 @@
 title: Service Execution
+id: 2a072a96-a086-49fa-bcb5-15cc5a619093
 status: experimental
 description: Detects manual service execution (start) via system utilities
 author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
diff --git a/rules/windows/process_creation/win_shell_spawn_susp_program.yml b/rules/windows/process_creation/win_shell_spawn_susp_program.yml
index 66f89ad0a..1a77be480 100644
--- a/rules/windows/process_creation/win_shell_spawn_susp_program.yml
+++ b/rules/windows/process_creation/win_shell_spawn_susp_program.yml
@@ -1,4 +1,5 @@
 title: Windows Shell Spawning Suspicious Program
+id: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde
 status: experimental
 description: Detects a suspicious child process of a Windows shell
 references:
diff --git a/rules/windows/process_creation/win_silenttrinity_stage_use.yml b/rules/windows/process_creation/win_silenttrinity_stage_use.yml
index a99a63b32..d81bcd385 100644
--- a/rules/windows/process_creation/win_silenttrinity_stage_use.yml
+++ b/rules/windows/process_creation/win_silenttrinity_stage_use.yml
@@ -1,6 +1,6 @@
----
 action: global
 title: SILENTTRINITY stager execution
+id: 03552375-cc2c-4883-bbe4-7958d5a980be
 status: experimental
 description: Detects SILENTTRINITY stager use
 references:
diff --git a/rules/windows/process_creation/win_spn_enum.yml b/rules/windows/process_creation/win_spn_enum.yml
index e00eacf52..21638ae35 100644
--- a/rules/windows/process_creation/win_spn_enum.yml
+++ b/rules/windows/process_creation/win_spn_enum.yml
@@ -1,4 +1,5 @@
 title: Possible SPN Enumeration
+id: 1eeed653-dbc8-4187-ad0c-eeebb20e6599
 description: Detects Service Principal Name Enumeration used for Kerberoasting
 status: experimental
 references:
diff --git a/rules/windows/process_creation/win_susp_bcdedit.yml b/rules/windows/process_creation/win_susp_bcdedit.yml
index 4be7eead0..f3fa6810f 100644
--- a/rules/windows/process_creation/win_susp_bcdedit.yml
+++ b/rules/windows/process_creation/win_susp_bcdedit.yml
@@ -1,4 +1,5 @@
 title: Possible Ransomware or unauthorized MBR modifications
+id: c9fbe8e9-119d-40a6-9b59-dd58a5d84429
 status: experimental
 description: Detects, possibly, malicious unauthorized usage of bcdedit.exe
 references:
diff --git a/rules/windows/process_creation/win_susp_bginfo.yml b/rules/windows/process_creation/win_susp_bginfo.yml
index 4038182a4..34f34a3db 100644
--- a/rules/windows/process_creation/win_susp_bginfo.yml
+++ b/rules/windows/process_creation/win_susp_bginfo.yml
@@ -1,4 +1,5 @@
 title: Application whitelisting bypass via bginfo
+id: aaf46cdc-934e-4284-b329-34aa701e3771
 status: experimental
 description: Execute VBscript code that is referenced within the *.bgi file.
 references:
diff --git a/rules/windows/process_creation/win_susp_calc.yml b/rules/windows/process_creation/win_susp_calc.yml
index f54f11d1a..01bc71137 100644
--- a/rules/windows/process_creation/win_susp_calc.yml
+++ b/rules/windows/process_creation/win_susp_calc.yml
@@ -1,24 +1,25 @@
 title: Suspicious Calculator Usage
+id: 737e618a-a410-49b5-bec3-9e55ff7fbc15
 description: Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion
 status: experimental
 references:
- - https://twitter.com/ItsReallyNick/status/1094080242686312448
+ - https://twitter.com/ItsReallyNick/status/1094080242686312448
 author: Florian Roth
 date: 2019/02/09
 tags:
 - attack.defense_evasion
 - attack.t1036
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection1:
- CommandLine: '*\calc.exe *'
- selection2:
- Image: '*\calc.exe'
- filter2:
- Image: '*\Windows\Sys*'
- condition: selection1 or ( selection2 and not filter2 )
-falsepositives:
- - Unknown
+ selection1:
+ CommandLine: '*\calc.exe *'
+ selection2:
+ Image: '*\calc.exe'
+ filter2:
+ Image: '*\Windows\Sys*'
+ condition: selection1 or ( selection2 and not filter2 )
+falsepositives:
+ - Unknown
 level: high
diff --git a/rules/windows/process_creation/win_susp_cdb.yml b/rules/windows/process_creation/win_susp_cdb.yml
index 34e21dff2..4e61d1445 100644
--- a/rules/windows/process_creation/win_susp_cdb.yml
+++ b/rules/windows/process_creation/win_susp_cdb.yml
@@ -1,4 +1,5 @@
 title: Possible Application Whitelisting Bypass via WinDbg/CDB as a shellcode runner
+id: b5c7395f-e501-4a08-94d4-57fe7a9da9d2
 status: experimental
 description: Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.
 references:
diff --git a/rules/windows/process_creation/win_susp_certutil_command.yml b/rules/windows/process_creation/win_susp_certutil_command.yml
index 9dc779d41..02e99ab96 100644
--- a/rules/windows/process_creation/win_susp_certutil_command.yml
+++ b/rules/windows/process_creation/win_susp_certutil_command.yml
@@ -1,4 +1,5 @@
 title: Suspicious Certutil Command
+id: e011a729-98a6-4139-b5c4-bf6f6dd8239a
 status: experimental
 description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility
diff --git a/rules/windows/process_creation/win_susp_certutil_encode.yml b/rules/windows/process_creation/win_susp_certutil_encode.yml
index 1b4bfbe0c..32c3c9201 100644
--- a/rules/windows/process_creation/win_susp_certutil_encode.yml
+++ b/rules/windows/process_creation/win_susp_certutil_encode.yml
@@ -1,4 +1,5 @@
 title: Certutil Encode
+id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a
 status: experimental
 description: Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration
 references:
diff --git a/rules/windows/process_creation/win_susp_cli_escape.yml b/rules/windows/process_creation/win_susp_cli_escape.yml
index feeb333c8..b76cf2779 100644
--- a/rules/windows/process_creation/win_susp_cli_escape.yml
+++ b/rules/windows/process_creation/win_susp_cli_escape.yml
@@ -1,4 +1,5 @@
 title: Suspicious Commandline Escape
+id: f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd
 description: Detects suspicious process that use escape characters
 status: experimental
 references:
diff --git a/rules/windows/process_creation/win_susp_cmd_http_appdata.yml b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml
index 9f75d3509..cd30ec714 100644
--- a/rules/windows/process_creation/win_susp_cmd_http_appdata.yml
+++ b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml
@@ -1,6 +1,8 @@
 title: Command Line Execution with suspicious URL and AppData Strings
+id: 1ac8666b-046f-4201-8aba-1951aaec03a3
 status: experimental
-description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
+description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs
+ > powershell)
 references:
 - https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100
 - https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100
diff --git a/rules/windows/process_creation/win_susp_codepage_switch.yml b/rules/windows/process_creation/win_susp_codepage_switch.yml
index ea0a438f8..6b68d66dc 100644
--- a/rules/windows/process_creation/win_susp_codepage_switch.yml
+++ b/rules/windows/process_creation/win_susp_codepage_switch.yml
@@ -1,4 +1,5 @@
 title: Suspicious Code Page Switch
+id: c7942406-33dd-4377-a564-0f62db0593a3
 status: experimental
 description: Detects a code page switch in command line or batch scripts to a rare language
 author: Florian Roth
diff --git a/rules/windows/process_creation/win_susp_commands_recon_activity.yml b/rules/windows/process_creation/win_susp_commands_recon_activity.yml
index 094958a33..8810516ab 100644
--- a/rules/windows/process_creation/win_susp_commands_recon_activity.yml
+++ b/rules/windows/process_creation/win_susp_commands_recon_activity.yml
@@ -1,4 +1,5 @@
 title: Reconnaissance Activity with Net Command
+id: 2887e914-ce96-435f-8105-593937e90757
 status: experimental
 description: Detects a set of commands often used in recon stages by different attack groups
 references:
diff --git a/rules/windows/process_creation/win_susp_compression_params.yml b/rules/windows/process_creation/win_susp_compression_params.yml
index 5c840069f..e3e5c9809 100644
--- a/rules/windows/process_creation/win_susp_compression_params.yml
+++ b/rules/windows/process_creation/win_susp_compression_params.yml
@@ -1,4 +1,5 @@
 title: Suspicious Compression Tool Parameters
+id: 27a72a60-7e5e-47b1-9d17-909c9abafdcd
 status: experimental
 description: Detects suspicious command line arguments of common data compression tools
 references:
diff --git a/rules/windows/process_creation/win_susp_comsvcs_procdump.yml b/rules/windows/process_creation/win_susp_comsvcs_procdump.yml
index 1da7c3739..29cb98008 100644
--- a/rules/windows/process_creation/win_susp_comsvcs_procdump.yml
+++ b/rules/windows/process_creation/win_susp_comsvcs_procdump.yml
@@ -1,4 +1,5 @@
 title: Process dump via comsvcs DLL
+id: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c
 status: experimental
 description: Detects process memory dump via comsvcs.dll and rundll32
 references:
diff --git a/rules/windows/process_creation/win_susp_control_dll_load.yml b/rules/windows/process_creation/win_susp_control_dll_load.yml
index 2e2fba61d..00eaf7a64 100644
--- a/rules/windows/process_creation/win_susp_control_dll_load.yml
+++ b/rules/windows/process_creation/win_susp_control_dll_load.yml
@@ -1,4 +1,5 @@
 title: Suspicious Control Panel DLL Load
+id: d7eb979b-c2b5-4a6f-a3a7-c87ce6763819
 status: experimental
 description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
 author: Florian Roth
diff --git a/rules/windows/process_creation/win_susp_csc.yml b/rules/windows/process_creation/win_susp_csc.yml
index 715ed3cab..808df1187 100644
--- a/rules/windows/process_creation/win_susp_csc.yml
+++ b/rules/windows/process_creation/win_susp_csc.yml
@@ -1,4 +1,5 @@
 title: Suspicious Parent of Csc.exe
+id: b730a276-6b63-41b8-bcf8-55930c8fc6ee
 description: Detects a suspicious parent of csc.exe, which could by a sign of payload delivery
 status: experimental
 references:
diff --git a/rules/windows/process_creation/win_susp_csc_folder.yml b/rules/windows/process_creation/win_susp_csc_folder.yml
index c58dd9931..50679d8d2 100644
--- a/rules/windows/process_creation/win_susp_csc_folder.yml
+++ b/rules/windows/process_creation/win_susp_csc_folder.yml
@@ -1,4 +1,5 @@
-title: Suspicious Csc.exe Source File Folder
+title: Suspicious Csc.exe Source File Folder
+id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
 description: Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)
 status: experimental
 references:
diff --git a/rules/windows/process_creation/win_susp_devtoolslauncher.yml b/rules/windows/process_creation/win_susp_devtoolslauncher.yml
index 65bcb7021..63e0d0db7 100644
--- a/rules/windows/process_creation/win_susp_devtoolslauncher.yml
+++ b/rules/windows/process_creation/win_susp_devtoolslauncher.yml
@@ -1,4 +1,5 @@
 title: Devtoolslauncher.exe executes specified binary
+id: cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6
 status: experimental
 description: The Devtoolslauncher.exe executes other binary
 references:
diff --git a/rules/windows/process_creation/win_susp_dnx.yml b/rules/windows/process_creation/win_susp_dnx.yml
index 707ef7838..ce4a9c751 100644
--- a/rules/windows/process_creation/win_susp_dnx.yml
+++ b/rules/windows/process_creation/win_susp_dnx.yml
@@ -1,4 +1,5 @@
 title: Application Whitelisting bypass via dnx.exe
+id: 81ebd28b-9607-4478-bf06-974ed9d53ed7
 status: experimental
 description: Execute C# code located in the consoleapp folder
 references:
diff --git a/rules/windows/process_creation/win_susp_double_extension.yml b/rules/windows/process_creation/win_susp_double_extension.yml
index 8741be9aa..95a5a0e3c 100644
--- a/rules/windows/process_creation/win_susp_double_extension.yml
+++ b/rules/windows/process_creation/win_susp_double_extension.yml
@@ -1,5 +1,7 @@
 title: Suspicious Double Extension
-description: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
+id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8
+description: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable
+ file in spear phishing campaigns
 references:
 - https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html
 - https://twitter.com/blackorbird/status/1140519090961825792
diff --git a/rules/windows/process_creation/win_susp_dxcap.yml b/rules/windows/process_creation/win_susp_dxcap.yml
index ce9a91ad4..db1d01df6 100644
--- a/rules/windows/process_creation/win_susp_dxcap.yml
+++ b/rules/windows/process_creation/win_susp_dxcap.yml
@@ -1,4 +1,5 @@
 title: Application Whitelisting bypass via dxcap.exe
+id: 60f16a96-db70-42eb-8f76-16763e333590
 status: experimental
 description: Detects execution of of Dxcap.exe
 references:
diff --git a/rules/windows/process_creation/win_susp_eventlog_clear.yml b/rules/windows/process_creation/win_susp_eventlog_clear.yml
index 0030bd8de..72382b5af 100644
--- a/rules/windows/process_creation/win_susp_eventlog_clear.yml
+++ b/rules/windows/process_creation/win_susp_eventlog_clear.yml
@@ -1,11 +1,12 @@
 title: Suspicious eventlog clear or configuration using wevtutil
+id: cc36992a-4671-4f21-a91d-6c2b72a2edf5
 description: Detects clearing or configuration of eventlogs uwing wevtutil. Might be used by ransomwares during the attack (seen by NotPetya and others)
 author: Ecco
 date: 2019/09/26
 tags:
 - attack.execution
- - attack.t1070
- - car.2016-04-002
+ - attack.t1070
+ - car.2016-04-002
 level: high
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/win_susp_exec_folder.yml b/rules/windows/process_creation/win_susp_exec_folder.yml
index 5ce306f63..9ec58361e 100644
--- a/rules/windows/process_creation/win_susp_exec_folder.yml
+++ b/rules/windows/process_creation/win_susp_exec_folder.yml
@@ -1,4 +1,5 @@
 title: Executables Started in Suspicious Folder
+id: 7a38aa19-86a9-4af7-ac51-6bfe4e59f254
 status: experimental
 description: Detects process starts of binaries from a suspicious folder
 author: Florian Roth
diff --git a/rules/windows/process_creation/win_susp_execution_path.yml b/rules/windows/process_creation/win_susp_execution_path.yml
index 5f870f4a0..b694706f6 100644
--- a/rules/windows/process_creation/win_susp_execution_path.yml
+++ b/rules/windows/process_creation/win_susp_execution_path.yml
@@ -1,4 +1,5 @@
 title: Execution in Non-Executable Folder
+id: 3dfd06d2-eaf4-4532-9555-68aca59f57c4
 status: experimental
 description: Detects a suspicious exection from an uncommon folder
 author: Florian Roth
diff --git a/rules/windows/process_creation/win_susp_execution_path_webserver.yml b/rules/windows/process_creation/win_susp_execution_path_webserver.yml
index def8d4965..5f6cc31a1 100644
--- a/rules/windows/process_creation/win_susp_execution_path_webserver.yml
+++ b/rules/windows/process_creation/win_susp_execution_path_webserver.yml
@@ -1,4 +1,5 @@
 title: Execution in Webserver Root Folder
+id: 35efb964-e6a5-47ad-bbcd-19661854018d
 status: experimental
 description: Detects a suspicious program execution in a web service root folder (filter out false positives)
 author: Florian Roth
diff --git a/rules/windows/process_creation/win_susp_firewall_disable.yml b/rules/windows/process_creation/win_susp_firewall_disable.yml
index e1d7b1ba0..86282674d 100644
--- a/rules/windows/process_creation/win_susp_firewall_disable.yml
+++ b/rules/windows/process_creation/win_susp_firewall_disable.yml
@@ -1,22 +1,23 @@
 title: Firewall Disabled via Netsh
+id: 57c4bf16-227f-4394-8ec7-1b745ee061c3
 description: Detects netsh commands that turns off the Windows firewall
 references:
- - https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/
- - https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/
+ - https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/
+ - https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/
 date: 2019/11/01
 status: experimental
 author: Fatih Sirin
 tags:
- - attack.defense_evasion
+ - attack.defense_evasion
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- CommandLine:
- - netsh firewall set opmode mode=disable
- - netsh advfirewall set * state off
- condition: selection
+ selection:
+ CommandLine:
+ - netsh firewall set opmode mode=disable
+ - netsh advfirewall set * state off
+ condition: selection
 falsepositives:
- - Legitimate administration
+ - Legitimate administration
 level: medium
diff --git a/rules/windows/process_creation/win_susp_fsutil_usage.yml b/rules/windows/process_creation/win_susp_fsutil_usage.yml
index d006b2f89..3312175fa 100644
--- a/rules/windows/process_creation/win_susp_fsutil_usage.yml
+++ b/rules/windows/process_creation/win_susp_fsutil_usage.yml
@@ -1,5 +1,7 @@
 title: Fsutil suspicious invocation
-description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size..). Might be used by ransomwares during the attack (seen by NotPetya and others)
+id: add64136-62e5-48ea-807e-88638d02df1e
+description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size..). Might be used by ransomwares during the attack (seen
+ by NotPetya and others)
 author: Ecco
 date: 2019/09/26
 level: high
diff --git a/rules/windows/process_creation/win_susp_gup.yml b/rules/windows/process_creation/win_susp_gup.yml
index 8517f277f..e9fbbc954 100644
--- a/rules/windows/process_creation/win_susp_gup.yml
+++ b/rules/windows/process_creation/win_susp_gup.yml
@@ -1,11 +1,12 @@
 title: Suspicious GUP Usage
+id: 0a4f6091-223b-41f6-8743-f322ec84930b
 description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
 status: experimental
 references:
 - https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
 tags:
- - attack.defense_evasion
- - attack.t1073
+ - attack.defense_evasion
+ - attack.t1073
 author: Florian Roth
 date: 2019/02/06
 logsource:
diff --git a/rules/windows/process_creation/win_susp_iss_module_install.yml b/rules/windows/process_creation/win_susp_iss_module_install.yml
index 3bcbcbb79..2047cc8ba 100644
--- a/rules/windows/process_creation/win_susp_iss_module_install.yml
+++ b/rules/windows/process_creation/win_susp_iss_module_install.yml
@@ -1,4 +1,5 @@
 title: IIS Native-Code Module Command Line Installation
+id: 9465ddf4-f9e4-4ebd-8d98-702df3a93239
 description: Detects suspicious IIS native-code module installations via command line
 status: experimental
 references:
diff --git a/rules/windows/process_creation/win_susp_msiexec_web_install.yml b/rules/windows/process_creation/win_susp_msiexec_web_install.yml
index c1d8167bf..8a35f6da9 100644
--- a/rules/windows/process_creation/win_susp_msiexec_web_install.yml
+++ b/rules/windows/process_creation/win_susp_msiexec_web_install.yml
@@ -1,10 +1,11 @@
 title: MsiExec Web Install
+id: f7b5f842-a6af-4da5-9e95-e32478f3cd2f
 status: experimental
 description: Detects suspicious msiexec process starts with web addreses as parameter
 references:
 - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
 tags:
- - attack.defense_evasion
+ - attack.defense_evasion
 author: Florian Roth
 date: 2018/02/09
 modified: 2012/12/11
diff --git a/rules/windows/process_creation/win_susp_msoffice.yml b/rules/windows/process_creation/win_susp_msoffice.yml
index 25fa7669a..a830ada81 100644
--- a/rules/windows/process_creation/win_susp_msoffice.yml
+++ b/rules/windows/process_creation/win_susp_msoffice.yml
@@ -1,4 +1,5 @@
 title: Malicious payload download via Office binaries
+id: 0c79148b-118e-472b-bdb7-9b57b444cc19
 status: experimental
 description: Downloads payload from remote server
 references:
diff --git a/rules/windows/process_creation/win_susp_net_execution.yml b/rules/windows/process_creation/win_susp_net_execution.yml
index 8f3ef0a65..e33184b6a 100644
--- a/rules/windows/process_creation/win_susp_net_execution.yml
+++ b/rules/windows/process_creation/win_susp_net_execution.yml
@@ -1,4 +1,5 @@
 title: Net.exe Execution
+id: 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac
 status: experimental
 description: Detects execution of Net.exe, whether suspicious or benign.
 references:
diff --git a/rules/windows/process_creation/win_susp_ntdsutil.yml b/rules/windows/process_creation/win_susp_ntdsutil.yml
index 72f33a934..73204eff2 100644
--- a/rules/windows/process_creation/win_susp_ntdsutil.yml
+++ b/rules/windows/process_creation/win_susp_ntdsutil.yml
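Review bot: `modified: 2012/12/11` on the last line of the win_susp_msiexec_web_install.yml hunk predates `date: 2018/02/09` two lines above it, so the modification date cannot be right; it looks like a mistyped year, though the intended value is not recoverable from the diff. Since this commit already rewrites the file's header, it is the natural place to set `modified: <actual modification date>` after confirming it against the file's history.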
@@ -1,4 +1,5 @@
 title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
+id: 2afafd61-6aae-4df4-baed-139fa1f4c345
 description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
 status: experimental
 references:
diff --git a/rules/windows/process_creation/win_susp_odbcconf.yml b/rules/windows/process_creation/win_susp_odbcconf.yml
index 585b63422..df649d2c4 100644
--- a/rules/windows/process_creation/win_susp_odbcconf.yml
+++ b/rules/windows/process_creation/win_susp_odbcconf.yml
@@ -1,4 +1,5 @@
 title: Possible Application Whitelisting Bypass via dll loaded by odbcconf.exe
+id: 65d2be45-8600-4042-b4c0-577a1ff8a60e
 description: Detects defence evasion attempt via odbcconf.exe execution to load DLL
 status: experimental
 references:
diff --git a/rules/windows/process_creation/win_susp_openwith.yml b/rules/windows/process_creation/win_susp_openwith.yml
index 47bb57120..9598b80dd 100644
--- a/rules/windows/process_creation/win_susp_openwith.yml
+++ b/rules/windows/process_creation/win_susp_openwith.yml
@@ -1,10 +1,11 @@
 title: OpenWith.exe executes specified binary
+id: cec8e918-30f7-4e2d-9bfa-a59cc97ae60f
 status: experimental
 description: The OpenWith.exe executes other binary
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml
 - https://twitter.com/harr0ey/status/991670870384021504
-author: 'Beyu Denis, oscd.community (rule), @harr0ey (idea)'
+author: Beyu Denis, oscd.community (rule), @harr0ey (idea)
 date: 2019/10/12
 modified: 2019/11/04
 tags:
diff --git a/rules/windows/process_creation/win_susp_outlook.yml b/rules/windows/process_creation/win_susp_outlook.yml
index 619ce7ab9..c45220166 100644
--- a/rules/windows/process_creation/win_susp_outlook.yml
+++ b/rules/windows/process_creation/win_susp_outlook.yml
@@ -1,4 +1,5 @@
 title: Suspicious Execution from Outlook
+id: e212d415-0e93-435f-9e1a-f29005bb4723
 status: experimental
 description: Detects EnableUnsafeClientMailRules used for Script Execution from Outlook
 references:
diff --git a/rules/windows/process_creation/win_susp_outlook_temp.yml b/rules/windows/process_creation/win_susp_outlook_temp.yml
index 80ed850aa..b841940b7 100644
--- a/rules/windows/process_creation/win_susp_outlook_temp.yml
+++ b/rules/windows/process_creation/win_susp_outlook_temp.yml
@@ -1,8 +1,9 @@
 title: Execution in Outlook Temp Folder
+id: a018fdc3-46a3-44e5-9afb-2cd4af1d4b39
 status: experimental
 description: Detects a suspicious program execution in Outlook temp folder
 author: Florian Roth
-date: 2019/10/01
+date: 2019/10/01
 tags:
 - attack.initial_access
 - attack.t1193
diff --git a/rules/windows/process_creation/win_susp_ping_hex_ip.yml b/rules/windows/process_creation/win_susp_ping_hex_ip.yml
index 2aca486ea..966ccfbfd 100644
--- a/rules/windows/process_creation/win_susp_ping_hex_ip.yml
+++ b/rules/windows/process_creation/win_susp_ping_hex_ip.yml
@@ -1,4 +1,5 @@
 title: Ping Hex IP
+id: 1a0d4aba-7668-4365-9ce4-6d79ab088dfd
 description: Detects a ping command that uses a hex encoded IP address
 references:
 - https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna
diff --git a/rules/windows/process_creation/win_susp_powershell_empire_launch.yml b/rules/windows/process_creation/win_susp_powershell_empire_launch.yml
index fb9a17e53..a45c48015 100644
--- a/rules/windows/process_creation/win_susp_powershell_empire_launch.yml
+++ b/rules/windows/process_creation/win_susp_powershell_empire_launch.yml
@@ -1,4 +1,5 @@
 title: Empire PowerShell Launch Parameters
+id: 79f4ede3-402e-41c8-bc3e-ebbf5f162581
 description: Detects suspicious powershell command line parameters used in Empire
 status: experimental
 references:
diff --git a/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml b/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml
index 68c674479..0d662e28c 100644
--- a/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml
+++ b/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml
@@ -1,4 +1,5 @@
 title: Empire PowerShell UAC Bypass
+id: 3268b746-88d8-4cd3-bffc-30077d02c787
 status: experimental
 description: Detects some Empire PowerShell UAC bypass methods
 references:
diff --git a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
index ca539eb48..3823d6fd3 100644
--- a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
+++ b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
@@ -1,4 +1,5 @@
 title: Suspicious Encoded PowerShell Command Line
+id: ca2092a1-c273-4878-9b4b-0d60115bf5ea
 description: Detects suspicious powershell process starts with base64 encoded commands
 status: experimental
 references:
diff --git a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
index a2e93a389..eeed06ee1 100644
--- a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
+++ b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
@@ -1,4 +1,5 @@
 title: Malicious Base64 encoded PowerShell Keywords in command lines
+id: f26c6093-6f14-4b12-800f-0fcb46f5ffd0
 status: experimental
 description: Detects base64 encoded strings used in hidden malicious PowerShell command lines
 references:
diff --git a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml
index 26cdf23c2..005103626 100644
--- a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml
+++ b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml
@@ -1,4 +1,5 @@
 title: Suspicious PowerShell Invocation based on Parent Process
+id: 95eadcb2-92e4-4ed1-9031-92547773a6db
 status: experimental
 description: Detects suspicious powershell invocations from interpreters or unusual programs
 author: Florian Roth
diff --git a/rules/windows/process_creation/win_susp_procdump.yml b/rules/windows/process_creation/win_susp_procdump.yml
index 089f16145..8564c7ec0 100644
--- a/rules/windows/process_creation/win_susp_procdump.yml
+++ b/rules/windows/process_creation/win_susp_procdump.yml
@@ -1,4 +1,5 @@
 title: Suspicious Use of Procdump
+id: 5afee48e-67dd-4e03-a783-f74259dcf998
 description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.
 status: experimental
diff --git a/rules/windows/process_creation/win_susp_process_creations.yml b/rules/windows/process_creation/win_susp_process_creations.yml
index 2f54793d6..e3a04345e 100644
--- a/rules/windows/process_creation/win_susp_process_creations.yml
+++ b/rules/windows/process_creation/win_susp_process_creations.yml
@@ -1,5 +1,5 @@
-# Sigma rule: rules/windows/builtin/win_susp_process_creations.yml
 title: Suspicious Process Creation
+id: 5f0f47a5-cb16-4dbe-9e31-e8d976d73de3
 description: Detects suspicious process starts on Windows systems based on keywords
 status: experimental
 references:
diff --git a/rules/windows/process_creation/win_susp_prog_location_process_starts.yml b/rules/windows/process_creation/win_susp_prog_location_process_starts.yml
index dd090a7c7..fef504ffc 100644
--- a/rules/windows/process_creation/win_susp_prog_location_process_starts.yml
+++ b/rules/windows/process_creation/win_susp_prog_location_process_starts.yml
@@ -1,4 +1,5 @@
 title: Suspicious Program Location Process Starts
+id: f50bfd8b-e2a3-4c15-9373-7900b5a4c6d5
 status: experimental
 description: Detects programs running in suspicious files system locations
 references:
diff --git a/rules/windows/process_creation/win_susp_ps_appdata.yml b/rules/windows/process_creation/win_susp_ps_appdata.yml
index 4a7976ff6..b4663c8f7 100644
--- a/rules/windows/process_creation/win_susp_ps_appdata.yml
+++ b/rules/windows/process_creation/win_susp_ps_appdata.yml
@@ -1,4 +1,5 @@
 title: PowerShell Script Run in AppData
+id: ac175779-025a-4f12-98b0-acdaeb77ea85
 status: experimental
 description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
 references:
diff --git a/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml b/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml
index 46e830850..dd0801cf5 100644
--- a/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml
+++ b/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml
@@ -1,4 +1,5 @@
 title: psr.exe capture screenshots
+id: 2158f96f-43c2-43cb-952a-ab4580f32382
 status: experimental
 description: The psr.exe captures desktop screenshots and saves them on the local machine
 references:
diff --git a/rules/windows/process_creation/win_susp_rasdial_activity.yml b/rules/windows/process_creation/win_susp_rasdial_activity.yml
index 1a0a15529..b6b0645ef 100644
--- a/rules/windows/process_creation/win_susp_rasdial_activity.yml
+++ b/rules/windows/process_creation/win_susp_rasdial_activity.yml
@@ -1,4 +1,5 @@
 title: Suspicious RASdial Activity
+id: 6bba49bf-7f8c-47d6-a1bb-6b4dece4640e
 description: Detects suspicious process related to rasdial.exe
 status: experimental
 references:
diff --git a/rules/windows/process_creation/win_susp_recon_activity.yml b/rules/windows/process_creation/win_susp_recon_activity.yml
index 9c4a9ef72..416df94e1 100644
--- a/rules/windows/process_creation/win_susp_recon_activity.yml
+++ b/rules/windows/process_creation/win_susp_recon_activity.yml
@@ -1,4 +1,5 @@
 title: Suspicious Reconnaissance Activity
+id: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0
 status: experimental
 description: Detects suspicious command line activity on Windows systems
 author: Florian Roth
diff --git a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
index e7a56ad8a..3add4391d 100644
--- a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
+++ b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
@@ -1,4 +1,5 @@
 title: Regsvr32 Anomaly
+id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
 status: experimental
 description: Detects various anomalies in relation to regsvr32.exe
 author: Florian Roth
diff --git a/rules/windows/process_creation/win_susp_run_locations.yml b/rules/windows/process_creation/win_susp_run_locations.yml
index e325b6c86..d98d1a934 100644
--- a/rules/windows/process_creation/win_susp_run_locations.yml
+++ b/rules/windows/process_creation/win_susp_run_locations.yml
@@ -1,4 +1,5 @@
 title: Suspicious Process Start Locations
+id: 15b75071-74cc-47e0-b4c6-b43744a62a2b
 description: Detects suspicious process run from unusual locations
 status: experimental
 references:
diff --git a/rules/windows/process_creation/win_susp_rundll32_activity.yml b/rules/windows/process_creation/win_susp_rundll32_activity.yml
index 573ef823e..5f6ce9221 100644
--- a/rules/windows/process_creation/win_susp_rundll32_activity.yml
+++ b/rules/windows/process_creation/win_susp_rundll32_activity.yml
@@ -1,4 +1,5 @@
 title: Suspicious Rundll32 Activity
+id: e593cf51-88db-4ee1-b920-37e89012a3c9
 description: Detects suspicious process related to rundll32 based on arguments
 status: experimental
 references:
diff --git a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml
index ae1a6b6e6..44f830c92 100644
--- a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml
+++ b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml
@@ -1,4 +1,5 @@
 title: Suspicious Call by Ordinal
+id: e79a9e79-eb72-4e78-a628-0e7e8f59e89c
 description: Detects suspicious calls of DLLs in rundll32.dll exports by ordinal
 status: experimental
 references:
diff --git a/rules/windows/process_creation/win_susp_schtask_creation.yml b/rules/windows/process_creation/win_susp_schtask_creation.yml
index 514db7fc7..56bd486c3 100644
--- a/rules/windows/process_creation/win_susp_schtask_creation.yml
+++ b/rules/windows/process_creation/win_susp_schtask_creation.yml
@@ -1,4 +1,5 @@
 title: Scheduled Task Creation
+id: 92626ddd-662c-49e3-ac59-f6535f12d189
 status: experimental
 description: Detects the creation of scheduled tasks in user session
 author: Florian Roth
diff --git a/rules/windows/process_creation/win_susp_script_execution.yml b/rules/windows/process_creation/win_susp_script_execution.yml
index d3bebc887..49a8b5d85 100644
--- a/rules/windows/process_creation/win_susp_script_execution.yml
+++ b/rules/windows/process_creation/win_susp_script_execution.yml
@@ -1,4 +1,5 @@
 title: WSF/JSE/JS/VBA/VBE File Execution
+id: 1e33157c-53b1-41ad-bbcc-780b80b58288
 status: experimental
 description: Detects suspicious file execution by wscript and cscript
 author: Michael Haag
diff --git a/rules/windows/process_creation/win_susp_squirrel_lolbin.yml b/rules/windows/process_creation/win_susp_squirrel_lolbin.yml
index 0c3674cf6..7e0152106 100644
--- a/rules/windows/process_creation/win_susp_squirrel_lolbin.yml
+++ b/rules/windows/process_creation/win_susp_squirrel_lolbin.yml
@@ -1,11 +1,12 @@
 title: Squirrel Lolbin
+id: fa4b21c9-0057-4493-b289-2556416ae4d7
 status: experimental
-description: Detects Possible Squirrel Packages Manager as Lolbin
+description: Detects Possible Squirrel Packages Manager as Lolbin
 references:
- - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
+ - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
 - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
 tags:
- - attack.execution
+ - attack.execution
 author: Karneades / Markus Neis
 falsepositives:
 - 1Clipboard
diff --git a/rules/windows/process_creation/win_susp_svchost.yml b/rules/windows/process_creation/win_susp_svchost.yml
index 8b51338a7..21784bf2c 100644
--- a/rules/windows/process_creation/win_susp_svchost.yml
+++ b/rules/windows/process_creation/win_susp_svchost.yml
@@ -1,4 +1,5 @@
 title: Suspicious Svchost Process
+id: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d
 status: experimental
 description: Detects a suspicious svchost process start
 tags:
diff --git a/rules/windows/process_creation/win_susp_sysprep_appdata.yml b/rules/windows/process_creation/win_susp_sysprep_appdata.yml
index 7cef0e0b0..68c4260f4 100644
--- a/rules/windows/process_creation/win_susp_sysprep_appdata.yml
+++ b/rules/windows/process_creation/win_susp_sysprep_appdata.yml
@@ -1,4 +1,5 @@
 title: Sysprep on AppData Folder
+id: d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e
 status: experimental
 description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
 references:
diff --git a/rules/windows/process_creation/win_susp_sysvol_access.yml b/rules/windows/process_creation/win_susp_sysvol_access.yml
index 97c51d2ca..0e6fb1a91 100644
--- a/rules/windows/process_creation/win_susp_sysvol_access.yml
+++ b/rules/windows/process_creation/win_susp_sysvol_access.yml
@@ -1,4 +1,5 @@
 title: Suspicious SYSVOL Domain Group Policy Access
+id: 05f3c945-dcc8-4393-9f3d-af65077a8f86
 status: experimental
 description: Detects Access to Domain Group Policies stored in SYSVOL
 references:
diff --git a/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml b/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml
index b5d18fdfa..5e4b331bb 100644
--- a/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml
+++ b/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml
@@ -1,4 +1,5 @@
 title: Taskmgr as LOCAL_SYSTEM
+id: 9fff585c-c33e-4a86-b3cd-39312079a65f
 status: experimental
 description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
 tags:
diff --git a/rules/windows/process_creation/win_susp_taskmgr_parent.yml b/rules/windows/process_creation/win_susp_taskmgr_parent.yml
index b02e04fbe..70d852123 100644
--- a/rules/windows/process_creation/win_susp_taskmgr_parent.yml
+++ b/rules/windows/process_creation/win_susp_taskmgr_parent.yml
@@ -1,4 +1,5 @@
 title: Taskmgr as Parent
+id: 3d7679bd-0c00-440c-97b0-3f204273e6c7
 status: experimental
 description: Detects the creation of a process from Windows task manager
 tags:
diff --git a/rules/windows/process_creation/win_susp_tscon_localsystem.yml b/rules/windows/process_creation/win_susp_tscon_localsystem.yml
index 25d9b859c..6691257e4 100644
--- a/rules/windows/process_creation/win_susp_tscon_localsystem.yml
+++ b/rules/windows/process_creation/win_susp_tscon_localsystem.yml
@@ -1,4 +1,5 @@
 title: Suspicious TSCON Start
+id: 9847f263-4a81-424f-970c-875dab15b79b
 status: experimental
 description: Detects a tscon.exe start as LOCAL SYSTEM
 references:
diff --git a/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
index ac6e7d43e..dceac89d8 100644
--- a/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
+++ b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
@@ -1,4 +1,5 @@
 title: Suspicious RDP Redirect Using TSCON
+id: f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb
 status: experimental
 description: Detects a suspicious RDP session redirect using tscon.exe
 references:
diff --git a/rules/windows/process_creation/win_susp_userinit_child.yml b/rules/windows/process_creation/win_susp_userinit_child.yml
index 5a255ad87..c07a989c6 100644
--- a/rules/windows/process_creation/win_susp_userinit_child.yml
+++ b/rules/windows/process_creation/win_susp_userinit_child.yml
@@ -1,7 +1,8 @@
 title: Suspicious Userinit Child Process
+id: b655a06a-31c0-477a-95c2-3726b83d649d
 status: experimental
 description: Detects a suspicious child process of userinit
-references:
+references:
 - https://twitter.com/SBousseaden/status/1139811587760562176
 author: Florian Roth (rule), Samir Bousseaden (idea)
 date: 2019/06/17
diff --git a/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml b/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml
index 27105cafe..2fa53df60 100644
--- a/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml
+++ b/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml
@@ -1,4 +1,5 @@
 title: Activity Related to NTDS.dit Domain Hash Retrieval
+id: b932b60f-fdda-4d53-8eda-a170c1d97bbd
 status: experimental
 description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
 author: Florian Roth, Michael Haag
diff --git a/rules/windows/process_creation/win_susp_whoami.yml b/rules/windows/process_creation/win_susp_whoami.yml
index c2e3a40c3..1d3ec9ced 100644
--- a/rules/windows/process_creation/win_susp_whoami.yml
+++ b/rules/windows/process_creation/win_susp_whoami.yml
@@ -1,4 +1,5 @@
 title: Whoami Execution
+id: e28a5a99-da44-436d-b7a0-2afc20a5f413
 status: experimental
 description: Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators
 references:
diff --git a/rules/windows/process_creation/win_susp_wmi_execution.yml b/rules/windows/process_creation/win_susp_wmi_execution.yml
index 2811b663d..cb433e1f5 100644
--- a/rules/windows/process_creation/win_susp_wmi_execution.yml
+++ b/rules/windows/process_creation/win_susp_wmi_execution.yml
@@ -1,4 +1,5 @@
 title: Suspicious WMI execution
+id: 526be59f-a573-4eea-b5f7-f0973207634d
 status: experimental
 description: Detects WMI executing suspicious commands
 references:
diff --git a/rules/windows/process_creation/win_sysmon_driver_unload.yml b/rules/windows/process_creation/win_sysmon_driver_unload.yml
index 422daa3b4..664a611bb 100644
--- a/rules/windows/process_creation/win_sysmon_driver_unload.yml
+++ b/rules/windows/process_creation/win_sysmon_driver_unload.yml
@@ -1,7 +1,8 @@
 title: Sysmon driver unload
+id: 4d7cda18-1b12-4e52-b45c-d28653210df8
 status: experimental
 author: Kirill Kiryanov, oscd.community
-description: Detect possible Sysmon driver unload
+description: Detect possible Sysmon driver unload
 date: 2019/10/23
 modified: 2019/11/07
 references:
diff --git a/rules/windows/process_creation/win_system_exe_anomaly.yml b/rules/windows/process_creation/win_system_exe_anomaly.yml
index 62477e05d..8dbfd06d7 100644
--- a/rules/windows/process_creation/win_system_exe_anomaly.yml
+++ b/rules/windows/process_creation/win_system_exe_anomaly.yml
@@ -1,4 +1,5 @@
 title: System File Execution Location Anomaly
+id: e4a6b256-3e47-40fc-89d2-7a477edd6915
 status: experimental
 description: Detects a Windows program executable started in a suspicious folder
 references:
diff --git a/rules/windows/process_creation/win_termserv_proc_spawn.yml b/rules/windows/process_creation/win_termserv_proc_spawn.yml
index b031204a5..01e05f7f4 100644
--- a/rules/windows/process_creation/win_termserv_proc_spawn.yml
+++ b/rules/windows/process_creation/win_termserv_proc_spawn.yml
@@ -1,4 +1,5 @@
 title: Terminal Service Process Spawn
+id: 1012f107-b8f1-4271-af30-5aed2de89b39
 status: experimental
 description: Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
 references:
diff --git a/rules/windows/process_creation/win_vul_java_remote_debugging.yml b/rules/windows/process_creation/win_vul_java_remote_debugging.yml
index 5e2735a11..7734060b3 100644
--- a/rules/windows/process_creation/win_vul_java_remote_debugging.yml
+++ b/rules/windows/process_creation/win_vul_java_remote_debugging.yml
@@ -1,4 +1,5 @@
 title: Java Running with Remote Debugging
+id: 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710
 description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect
 author: Florian Roth
 tags:
diff --git a/rules/windows/process_creation/win_webshell_detection.yml b/rules/windows/process_creation/win_webshell_detection.yml
index b886cccf5..fc41f0f55 100644
--- a/rules/windows/process_creation/win_webshell_detection.yml
+++ b/rules/windows/process_creation/win_webshell_detection.yml
@@ -1,7 +1,8 @@
 title: Webshell Detection With Command Line Keywords
+id: bed2a484-9348-4143-8a8a-b801c979301c
 description: Detects certain command line parameters often used during reconnaissance activity via web shells
 author: Florian Roth
-reference:
+reference:
 - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
 date: 2017/01/01
 modified: 2019/10/26
diff --git a/rules/windows/process_creation/win_webshell_spawn.yml b/rules/windows/process_creation/win_webshell_spawn.yml
index 9cc4ca33c..60194d327 100644
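Review bot: The metadata key on the `+reference:` line of win_webshell_detection.yml is `reference`, whereas every other rule in this diff uses `references`, which is also the name the Sigma rule schema expects; the commit only strips trailing whitespace from the line, so tooling keyed on `references` will still ignore or reject this rule's link list. Change the line to `+references:`. The link list and the rest of the rule continue outside the hunk.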
--- a/rules/windows/process_creation/win_webshell_spawn.yml
+++ b/rules/windows/process_creation/win_webshell_spawn.yml
@@ -1,4 +1,5 @@
 title: Shells Spawned by Web Servers
+id: 8202070f-edeb-4d31-a010-a26c72ac5600
 status: experimental
 description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack
 author: Thomas Patzke
diff --git a/rules/windows/process_creation/win_win10_sched_task_0day.yml b/rules/windows/process_creation/win_win10_sched_task_0day.yml
index b0d630cc5..4b5ce21c6 100644
--- a/rules/windows/process_creation/win_win10_sched_task_0day.yml
+++ b/rules/windows/process_creation/win_win10_sched_task_0day.yml
@@ -1,20 +1,21 @@
-title: Windows 10 scheduled task SandboxEscaper 0-day
+title: Windows 10 scheduled task SandboxEscaper 0-day
+id: 931b6802-d6a6-4267-9ffa-526f57f22aaf
 status: experimental
 description: Detects Task Scheduler .job import arbitrary DACL write\par
 references:
- - https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe
+ - https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe
 author: Olaf Hartong
 date: 2019/05/22
 logsource:
 category: process_creation
 product: windows
 detection:
- selection:
- Image: 'schtasks.exe'
- CommandLine: '*/change*/TN*/RU*/RP*'
- condition: selection
+ selection:
+ Image: schtasks.exe
+ CommandLine: '*/change*/TN*/RU*/RP*'
+ condition: selection
 falsepositives:
- - Unknown
+ - Unknown
 tags:
 - attack.privilege_escalation
 - attack.execution
diff --git a/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml b/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml
index 4fd8b459a..0d5761e9c 100644
--- a/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml
+++ b/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml
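Review bot: `Image: schtasks.exe` on the new side of win_win10_sched_task_0day.yml is an exact match against the whole Image field, which for process-creation events normally carries the full path, so unless the backend maps Image to a basename this selection is unlikely to fire; the commit only dropped the quotes around the value. The wildcard form used elsewhere in this rule set, e.g. `Image: '*\schtasks.exe'`, would match the path-qualified value. The description's trailing `write\par` also looks like a leftover RTF control word and should end at `write`. The rule's tags list continues outside the hunk.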
@@ -1,4 +1,5 @@
 title: WMI Backdoor Exchange Transport Agent
+id: 797011dc-44f4-4e6f-9f10-a8ceefbe566b
 status: experimental
 description: Detects a WMi backdoor in Exchange Transport Agents via WMi event filters
 author: Florian Roth
diff --git a/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml b/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml
index 4d484bf28..2b1aab153 100644
--- a/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml
+++ b/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml
@@ -1,4 +1,5 @@
 title: WMI Persistence - Script Event Consumer
+id: ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e
 status: experimental
 description: Detects WMI script event consumers
 references:
diff --git a/rules/windows/process_creation/win_wmi_spwns_powershell.yml b/rules/windows/process_creation/win_wmi_spwns_powershell.yml
index e49de6f0a..abe55079f 100644
--- a/rules/windows/process_creation/win_wmi_spwns_powershell.yml
+++ b/rules/windows/process_creation/win_wmi_spwns_powershell.yml
@@ -1,6 +1,7 @@
 title: WMI Spawning Windows PowerShell
+id: 692f0bec-83ba-4d04-af7e-e884a96059b6
 status: experimental
-description: Detects WMI spawning PowerShell
+description: Detects WMI spawning PowerShell
 references:
 - https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_shell_spawn_susp_program.yml
 - https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e
diff --git a/rules/windows/process_creation/win_workflow_compiler.yml b/rules/windows/process_creation/win_workflow_compiler.yml
index 21f86f5e2..7c5549c84 100644
--- a/rules/windows/process_creation/win_workflow_compiler.yml
+++ b/rules/windows/process_creation/win_workflow_compiler.yml
@@ -1,4 +1,5 @@
 title: Microsoft Workflow Compiler
+id: 419dbf2b-8a9b-4bea-bf99-7544b050ec8d
 status: experimental
 description: Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
 tags:
diff --git a/rules/windows/process_creation/win_xsl_script_processing.yml b/rules/windows/process_creation/win_xsl_script_processing.yml
index 2812299f4..5bcc4bda4 100644
--- a/rules/windows/process_creation/win_xsl_script_processing.yml
+++ b/rules/windows/process_creation/win_xsl_script_processing.yml
@@ -1,6 +1,8 @@
 title: XSL Script Processing
+id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
 status: experimental
-description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files, rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses
+description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files, rule detects when adversaries
+ abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses
 author: Timur Zinniatullin, oscd.community
 date: 2019/10/21
 modified: 2019/11/04
diff --git a/rules/windows/sysmon/sysmon_ads_executable.yml b/rules/windows/sysmon/sysmon_ads_executable.yml
index 94b86c382..2231ee99b 100644
--- a/rules/windows/sysmon/sysmon_ads_executable.yml
+++ b/rules/windows/sysmon/sysmon_ads_executable.yml
@@ -1,4 +1,5 @@
 title: Executable in ADS
+id: b69888d4-380c-45ce-9cf9-d9ce46e67821
 status: experimental
 description: Detects the creation of an ADS data stream that contains an executable (non-empty imphash)
 references:
diff --git a/rules/windows/sysmon/sysmon_cactustorch.yml b/rules/windows/sysmon/sysmon_cactustorch.yml
index b972de848..8c2dde9f5 100644
--- a/rules/windows/sysmon/sysmon_cactustorch.yml
+++ b/rules/windows/sysmon/sysmon_cactustorch.yml
@@ -1,10 +1,11 @@
 title: CACTUSTORCH Remote Thread Creation
+id: 2e4e488a-6164-4811-9ea1-f960c7359c40
 description: Detects remote thread creation from CACTUSTORCH as described in references.
 references:
 - https://twitter.com/SBousseaden/status/1090588499517079552
 - https://github.com/mdsecactivebreach/CACTUSTORCH
 status: experimental
-author: "@SBousseaden (detection), Thomas Patzke (rule)"
+author: '@SBousseaden (detection), Thomas Patzke (rule)'
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_cmstp_execution.yml b/rules/windows/sysmon/sysmon_cmstp_execution.yml
index e4baea9d4..e2024ce79 100644
--- a/rules/windows/sysmon/sysmon_cmstp_execution.yml
+++ b/rules/windows/sysmon/sysmon_cmstp_execution.yml
@@ -1,6 +1,6 @@
----
 action: global
 title: CMSTP Execution
+id: 9d26fede-b526-4413-b069-6e24b6d07167
 status: stable
 description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
 tags:
diff --git a/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml b/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml
index 75d192cce..ab600b30e 100644
--- a/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml
+++ b/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml
@@ -1,5 +1,6 @@
-title: CobaltStrike Process Injection
-description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
+title: CobaltStrike Process Injection
+id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42
+description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
 references:
 - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
 - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
diff --git a/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml b/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml
index 40fc6ddd5..5e00f11f0 100644
--- a/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml
+++ b/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml
@@ -1,6 +1,8 @@
 title: DHCP Callout DLL installation
+id: 9d3436ef-9476-4c43-acca-90ce06bdf33a
 status: experimental
-description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
+description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the
+ DHCP server (restart required)
 references:
 - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
 - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
diff --git a/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml b/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml
index f23903654..7abb9ced4 100644
--- a/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml
+++ b/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml
@@ -1,8 +1,9 @@
----
 action: global
 title: DNS ServerLevelPluginDll Install
+id: e61e8a88-59a9-451c-874e-70fcc9740d67
 status: experimental
-description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)
+description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server
+ (restart required)
 references:
 - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
 date: 2017/05/08
diff --git a/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml b/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml
index 41d0c6426..cfa37cb81 100644
--- a/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml
+++ b/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml
@@ -1,4 +1,5 @@
 title: Detection of SafetyKatz
+id: e074832a-eada-4fd7-94a1-10642b130e16
 status: experimental
 description: Detects possible SafetyKatz Behaviour
 references:
diff --git a/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml b/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
index 93c267003..aab980bc4 100644
--- a/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
+++ b/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
@@ -1,5 +1,6 @@
 action: global
 title: Logon Scripts (UserInitMprLogonScript)
+id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458
 status: experimental
 description: Detects creation or execution of UserInitMprLogonScript persistence method
 references:
diff --git a/rules/windows/sysmon/sysmon_lsass_memdump.yml b/rules/windows/sysmon/sysmon_lsass_memdump.yml
index 15a2fb512..1e7177f3b 100644
--- a/rules/windows/sysmon/sysmon_lsass_memdump.yml
+++ b/rules/windows/sysmon/sysmon_lsass_memdump.yml
@@ -1,4 +1,5 @@
 title: LSASS Memory Dump
+id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
 status: experimental
 description: Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10
 author: Samir Bousseaden
diff --git a/rules/windows/sysmon/sysmon_mal_namedpipes.yml b/rules/windows/sysmon/sysmon_mal_namedpipes.yml
index 98888f29a..d708d1ca7 100644
--- a/rules/windows/sysmon/sysmon_mal_namedpipes.yml
+++ b/rules/windows/sysmon/sysmon_mal_namedpipes.yml
@@ -1,4 +1,5 @@
 title: Malicious Named Pipe
+id: fe3ac066-98bb-432a-b1e7-a5229cb39d4a
 status: experimental
 description: Detects the creation of a named pipe used by known APT malware
 references:
diff --git a/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml b/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml
index e35fc0170..953c86104 100644
--- a/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml
+++ b/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml
@@ -1,4 +1,5 @@
 title: Suspicious Typical Malware Back Connect Ports
+id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
 status: experimental
 description: Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases
 references:
diff --git a/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml b/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml
index da8bf0878..0e4c42826 100644
--- a/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml
+++ b/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml
@@ -1,4 +1,5 @@
 title: Malware Shellcode in Verclsid Target Process
+id: b7967e22-3d7e-409b-9ed5-cdae3f9243a1
 status: experimental
 description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
 references:
diff --git a/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml b/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
index 841645755..3d071cf93 100644
--- a/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
+++ b/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
@@ -1,6 +1,8 @@
 title: Mimikatz Detection LSASS Access
+id: 0d894093-71bc-43c3-8c4d-ecfc28dcf5d9
 status: experimental
-description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION "only old versions", 0x0010 PROCESS_VM_READ)
+description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION "only old
+ versions", 0x0010 PROCESS_VM_READ)
 references:
 - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
 - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
diff --git a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml b/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml
index 5658542b6..881f90581 100644
--- a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml
+++ b/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml
@@ -1,4 +1,5 @@
 title: Mimikatz In-Memory
+id: c0478ead-5336-46c2-bd5e-b4c84bc3a36e
 status: experimental
 description: Detects certain DLL loads when Mimikatz gets executed
 references:
diff --git a/rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml b/rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml
index e1552b1d2..6da688007 100644
--- a/rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml
+++ b/rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml
@@ -1,4 +1,5 @@
-title: Mimikatz through Windows Remote Management
+title: Mimikatz through Windows Remote Management
+id: aa35a627-33fb-4d04-a165-d33b4afca3e8
 description: Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.
 references:
 - https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
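Review bot: The rewritten description lines in sysmon_mimikatz_detection_lsass.yml still carry `PROCESS_QUERY_ LIMITED_INFORMATION` and `PROCESS_QUERY_ INFORMATION` with a space inside each access-right name, so an analyst searching the rule text for the Windows constants will not find them; the intended names are `PROCESS_QUERY_LIMITED_INFORMATION` and `PROCESS_QUERY_INFORMATION`. Since the commit already reflows these two lines, dropping the stray spaces in the same change would be cheap. The rule's references list continues outside the hunk.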
diff --git a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml b/rules/windows/sysmon/sysmon_password_dumper_lsass.yml
index 8cea6764f..bb2597a46 100644
--- a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml
+++ b/rules/windows/sysmon/sysmon_password_dumper_lsass.yml
@@ -1,5 +1,7 @@
-title: Password Dumper Remote Thread in LSASS
-description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
+title: Password Dumper Remote Thread in LSASS
+id: f239b326-2f41-4d6b-9dfa-c846a60ef505
+description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process
+ in field Process is the malicious program. A single execution can lead to hundreds of events.
 references:
 - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
 status: stable
diff --git a/rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml b/rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml
index 76d6d850e..d7a6df7a6 100644
--- a/rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml
+++ b/rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml
@@ -1,4 +1,5 @@
 title: Malicious PowerShell Commandlet Names
+id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
 status: experimental
 description: Detects the creation of known powershell scripts for exploitation
 references:
diff --git a/rules/windows/sysmon/sysmon_powershell_network_connection.yml b/rules/windows/sysmon/sysmon_powershell_network_connection.yml
index c9a362baf..95ee587fc 100644
--- a/rules/windows/sysmon/sysmon_powershell_network_connection.yml
+++ b/rules/windows/sysmon/sysmon_powershell_network_connection.yml
@@ -1,6 +1,8 @@
 title: PowerShell Network Connections
+id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
 status: experimental
-description: "Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')"
+description: Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g.
+ extend filters with company's ip range')
 author: Florian Roth
 references:
 - https://www.youtube.com/watch?v=DLtJTxMWZ2o
diff --git a/rules/windows/sysmon/sysmon_quarkspw_filedump.yml b/rules/windows/sysmon/sysmon_quarkspw_filedump.yml
index 49e5943db..5b712d9ce 100644
--- a/rules/windows/sysmon/sysmon_quarkspw_filedump.yml
+++ b/rules/windows/sysmon/sysmon_quarkspw_filedump.yml
@@ -1,4 +1,5 @@
 title: QuarksPwDump Dump File
+id: 847def9e-924d-4e90-b7c4-5f581395a2b4
 status: experimental
 description: Detects a dump file written by QuarksPwDump password dumper
 references:
diff --git a/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml b/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml
index 03d1aa36a..c93237652 100644
--- a/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml
+++ b/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml
@@ -1,4 +1,5 @@
 title: RDP over Reverse SSH Tunnel
+id: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4
 status: experimental
 description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
 references:
diff --git a/rules/windows/sysmon/sysmon_rdp_settings_hijack.yml b/rules/windows/sysmon/sysmon_rdp_settings_hijack.yml
index 1f02ec856..4d8f534c0 100644
--- a/rules/windows/sysmon/sysmon_rdp_settings_hijack.yml
+++ b/rules/windows/sysmon/sysmon_rdp_settings_hijack.yml
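Review bot: The continuation line `+  extend filters with company's ip range')` in sysmon_powershell_network_connection.yml keeps a stray apostrophe before the closing parenthesis that was already present inside the old double-quoted value; now that the scalar is plain it reads as a typo in the rule's guidance text. The line should end with `ip range)`. The rest of the rule continues outside the hunk.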
@@ -1,16 +1,17 @@
 title: RDP Sensitive Settings Changed
+id: 171b67e1-74b4-460e-8d55-b331f3e32d67
 description: Detects changes to RDP terminal service sensitive settings
 references:
 - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html
 date: 2019/04/03
 author: Samir Bousseaden
 logsource:
- product: windows
- service: sysmon
+ product: windows
+ service: sysmon
 detection:
 selection_reg:
- EventID: 13
- TargetObject:
+ EventID: 13
+ TargetObject:
 - '*\services\TermService\Parameters\ServiceDll*'
 - '*\Control\Terminal Server\fSingleSessionPerUser*'
 - '*\Control\Terminal Server\fDenyTSConnections*'
diff --git a/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml b/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml
index 71455dabe..bb32eae49 100644
--- a/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml
+++ b/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml
@@ -1,4 +1,5 @@
 title: Windows Registry Persistence - COM key linking
+id: 9b0f8a61-91b2-464f-aceb-0527e0a45020
 status: experimental
 description: Detects COM object hijacking via TreatAs subkey
 references:
diff --git a/rules/windows/sysmon/sysmon_renamed_powershell.yml b/rules/windows/sysmon/sysmon_renamed_powershell.yml
index 1b2b2622d..157f5876f 100644
--- a/rules/windows/sysmon/sysmon_renamed_powershell.yml
+++ b/rules/windows/sysmon/sysmon_renamed_powershell.yml
@@ -1,6 +1,7 @@
 title: Renamed PowerShell
+id: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20
 status: experimental
-description: Detects the execution of a renamed PowerShell often used by attackers or malware
+description: Detects the execution of a renamed PowerShell often used by attackers or malware
 references:
 - https://twitter.com/christophetd/status/1164506034720952320
 author: Florian Roth
diff --git a/rules/windows/sysmon/sysmon_renamed_psexec.yml b/rules/windows/sysmon/sysmon_renamed_psexec.yml
index f88fb54c8..75d5838ad 100644
--- a/rules/windows/sysmon/sysmon_renamed_psexec.yml
+++ b/rules/windows/sysmon/sysmon_renamed_psexec.yml
@@ -1,6 +1,7 @@
 title: Renamed PsExec
+id: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2
 status: experimental
-description: Detects the execution of a renamed PsExec often used by attackers or malware
+description: Detects the execution of a renamed PsExec often used by attackers or malware
 references:
 - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks
 author: Florian Roth
diff --git a/rules/windows/sysmon/sysmon_rundll32_net_connections.yml b/rules/windows/sysmon/sysmon_rundll32_net_connections.yml
index 63df8dcea..c02164f31 100644
--- a/rules/windows/sysmon/sysmon_rundll32_net_connections.yml
+++ b/rules/windows/sysmon/sysmon_rundll32_net_connections.yml
@@ -1,4 +1,5 @@
 title: Rundll32 Internet Connection
+id: cdc8da7d-c303-42f8-b08c-b4ab47230263
 status: experimental
 description: Detects a rundll32 that communicates with public IP addresses
 references:
diff --git a/rules/windows/sysmon/sysmon_ssp_added_lsa_config.yml b/rules/windows/sysmon/sysmon_ssp_added_lsa_config.yml
index 4914ef986..191a95728 100644
--- a/rules/windows/sysmon/sysmon_ssp_added_lsa_config.yml
+++ b/rules/windows/sysmon/sysmon_ssp_added_lsa_config.yml
@@ -1,6 +1,7 @@
 title: Security Support Provider (SSP) added to LSA configuration
+id: eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc
 status: experimental
-description: Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
+description: Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
 references:
 - https://attack.mitre.org/techniques/T1101/
 - https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/
diff --git a/rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml b/rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml
index 352468272..23ac4ef0f 100644
--- a/rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml
+++ b/rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml
@@ -1,7 +1,8 @@
----
 action: global
 title: Sticky Key Like Backdoor Usage
-description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
+id: baca5663-583c-45f9-b5dc-ea96a22ce542
+description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login
+ screen
 references:
 - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
 tags:
diff --git a/rules/windows/sysmon/sysmon_susp_download_run_key.yml b/rules/windows/sysmon/sysmon_susp_download_run_key.yml
index ba918bb56..5f1bad949 100644
--- a/rules/windows/sysmon/sysmon_susp_download_run_key.yml
+++ b/rules/windows/sysmon/sysmon_susp_download_run_key.yml
@@ -1,4 +1,5 @@
 title: Suspicious RUN Key from Download
+id: 9c5037d1-c568-49b3-88c7-9846a5bdc2be
 status: experimental
 description: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
 references:
diff --git a/rules/windows/sysmon/sysmon_susp_driver_load.yml b/rules/windows/sysmon/sysmon_susp_driver_load.yml
index 9d9c641c9..5ffb6c7e3 100644
--- a/rules/windows/sysmon/sysmon_susp_driver_load.yml
+++ b/rules/windows/sysmon/sysmon_susp_driver_load.yml
@@ -1,9 +1,10 @@
 title: Suspicious Driver Load from Temp
+id: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75
 description: Detects a driver load from a temporary directory
 author: Florian Roth
-tags:
- - attack.persistence
- - attack.t1050
+tags:
+ - attack.persistence
+ - attack.t1050
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_susp_file_characteristics.yml b/rules/windows/sysmon/sysmon_susp_file_characteristics.yml
index d55dac169..277994a1b 100644
--- a/rules/windows/sysmon/sysmon_susp_file_characteristics.yml
+++ b/rules/windows/sysmon/sysmon_susp_file_characteristics.yml
@@ -1,4 +1,5 @@
 title: Suspicious File Characteristics due to Missing Fields
+id: 9637e8a5-7131-4f7f-bdc7-2b05d8670c43
 description: Detects Executables without FileVersion,Description,Product,Company likely created with py2exe
 status: experimental
 references:
diff --git a/rules/windows/sysmon/sysmon_susp_image_load.yml b/rules/windows/sysmon/sysmon_susp_image_load.yml
index 0d1ff5ebf..577f96108 100644
--- a/rules/windows/sysmon/sysmon_susp_image_load.yml
+++ b/rules/windows/sysmon/sysmon_susp_image_load.yml
@@ -1,4 +1,5 @@
-title: Possible Process Hollowing Image Loading
+title: Possible Process Hollowing Image Loading
+id: e32ce4f5-46c6-4c47-ba69-5de3c9193cd7
 status: experimental
 description: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz
 references:
diff --git a/rules/windows/sysmon/sysmon_susp_lsass_dll_load.yml b/rules/windows/sysmon/sysmon_susp_lsass_dll_load.yml
index 815643fdf..78cf4bf7c 100644
--- a/rules/windows/sysmon/sysmon_susp_lsass_dll_load.yml
+++ b/rules/windows/sysmon/sysmon_susp_lsass_dll_load.yml
@@ -1,4 +1,5 @@
 title: DLL Load via LSASS
+id: b3503044-60ce-4bf4-bbcb-e3db98788823
 status: experimental
 description: Detects a method to load DLL via LSASS process using an undocumented Registry key
 author: Florian Roth
diff --git a/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml b/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml
index 1b0b5953f..58ec943cf 100644
--- a/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml
+++ b/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml
@@ -1,6 +1,7 @@
 title: PowerShell Rundll32 Remote Thread Creation
+id: 99b97608-3e21-4bfe-8217-2a127c396a0e
 status: experimental
-description: Detects PowerShell remote thread creation in Rundll32.exe
+description: Detects PowerShell remote thread creation in Rundll32.exe
 author: Florian Roth
 references:
 - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
diff --git a/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml b/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml
index 47845edcf..c80ca7cb7 100644
--- a/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml
+++ b/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml
@@ -1,4 +1,5 @@
 title: Suspicious Program Location with Network Connections
+id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
 status: experimental
 description: Detects programs with network connections running in suspicious files system locations
 references:
diff --git a/rules/windows/sysmon/sysmon_susp_rdp.yml b/rules/windows/sysmon/sysmon_susp_rdp.yml
index b2b8bd933..327b84461 100644
--- a/rules/windows/sysmon/sysmon_susp_rdp.yml
+++ b/rules/windows/sysmon/sysmon_susp_rdp.yml
@@ -1,9 +1,10 @@
-title: Suspicious Outbound RDP Connections
+title: Suspicious Outbound RDP Connections
+id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23
 status: experimental
 description: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement
 references:
 - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
-author: Markus Neis - Swisscom
+author: Markus Neis - Swisscom
 date: 2019/05/15
 tags:
 - attack.lateral_movement
diff --git a/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml b/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml
index 7de64276f..cc2d5fed4 100644
--- a/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml
+++ b/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml
@@ -1,4 +1,5 @@
 title: Registry Persistence via Explorer Run Key
+id: b7916c2a-fa2f-4795-9477-32b731f70f11
 status: experimental
 description: Detects a possible persistence mechanism using RUN key for Windows Explorer and poiting to a suspicious folder
 author: Florian Roth
diff --git a/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml b/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml
index 34d08b8db..5d5dbd17a 100644
--- a/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml
+++ b/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml
@@ -1,4 +1,5 @@
 title: New RUN Key Pointing to Suspicious Folder
+id: 02ee49e2-e294-4d0f-9278-f5b3212fc588
 status: experimental
 description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
 references:
diff --git a/rules/windows/sysmon/sysmon_suspicious_keyboard_layout_load.yml b/rules/windows/sysmon/sysmon_suspicious_keyboard_layout_load.yml
index 808ff82f5..a12d8e223 100644
--- a/rules/windows/sysmon/sysmon_suspicious_keyboard_layout_load.yml
+++ b/rules/windows/sysmon/sysmon_suspicious_keyboard_layout_load.yml
@@ -1,5 +1,7 @@
 title: Suspicious Keyboard Layout Load
-description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
+id: 34aa0252-6039-40ff-951f-939fd6ce47d8
+description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems
+ maintained by US staff only
 references:
 - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
 - https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files
diff --git a/rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml b/rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml
index 19bdb1474..ef3fc978e 100644
--- a/rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml
+++ b/rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml
@@ -1,6 +1,9 @@
 title: Svchost DLL Search Order Hijack
+id: 602a1f13-c640-4d73-b053-be9a2fa58b77
 status: experimental
-description: IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine.
+description: IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their
+ malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a
+ remote machine.
 references:
 - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
 author: SBousseaden
diff --git a/rules/windows/sysmon/sysmon_sysinternals_eula_accepted.yml b/rules/windows/sysmon/sysmon_sysinternals_eula_accepted.yml
index 7eae9fda7..9b6013727 100644
--- a/rules/windows/sysmon/sysmon_sysinternals_eula_accepted.yml
+++ b/rules/windows/sysmon/sysmon_sysinternals_eula_accepted.yml
@@ -1,8 +1,8 @@
----
 action: global
-title: Usage of Sysinternals Tools
+title: Usage of Sysinternals Tools
+id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
 status: experimental
-description: Detects the usage of Sysinternals Tools due to accepteula key being added to Registry
+description: Detects the usage of Sysinternals Tools due to accepteula key being added to Registry
 references:
 - https://twitter.com/Moti_B/status/1008587936735035392
 date: 2017/08/28
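Review bot: The reflowed description in the sysmon_svchost_dll_search_order_hijack.yml hunk is a sentence fragment; it opens with `IKEEXT and SessionEnv service, as they call LoadLibrary on files...` and never states what the rule detects. I would lead with the detection, e.g. `description: Detects DLL search order hijacking of the IKEEXT and SessionEnv services, which call LoadLibrary on files that do not exist within C:\Windows\System32\ by default.`, and keep the remaining two sentences about PROCESS_ATTACH and the service restart as they are. Because the value is now a multi-line plain scalar, every continuation line has to stay indented under `description:` as the commit does here, or the parser will read it as a new key. The detection block of this rule lies outside the hunk, so I could not check the wording against what is actually matched.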
diff --git a/rules/windows/sysmon/sysmon_tsclient_filewrite_startup.yml b/rules/windows/sysmon/sysmon_tsclient_filewrite_startup.yml
index 404ad6ae3..419380dd6 100644
--- a/rules/windows/sysmon/sysmon_tsclient_filewrite_startup.yml
+++ b/rules/windows/sysmon/sysmon_tsclient_filewrite_startup.yml
@@ -1,4 +1,5 @@
-title: Hijack legit RDP session to move laterally
+title: Hijack legit RDP session to move laterally
+id: 52753ea4-b3a0-4365-910d-36cff487b789
 status: experimental
 description: Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder
 date: 2019/02/21
diff --git a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml
index e535de2b3..dc341febe 100644
--- a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml
+++ b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml
@@ -1,4 +1,5 @@
 title: UAC Bypass via Event Viewer
+id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
 status: experimental
 description: Detects UAC bypass method using Windows event viewer
 references:
diff --git a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml
index 501e50c99..9a612b739 100644
--- a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml
+++ b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml
@@ -1,4 +1,5 @@
 title: UAC Bypass via sdclt
+id: 5b872a46-3b90-45c1-8419-f675db8053aa
 status: experimental
 description: Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand
 references:
diff --git a/rules/windows/sysmon/sysmon_webshell_creation_detect.yml b/rules/windows/sysmon/sysmon_webshell_creation_detect.yml
index 1af4f31f8..67fc600d9 100644
--- a/rules/windows/sysmon/sysmon_webshell_creation_detect.yml
+++ b/rules/windows/sysmon/sysmon_webshell_creation_detect.yml
@@ -1,4 +1,5 @@
 title: Windows webshell creation
+id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
 status: experimental
 description: Posible webshell file creation on a static web site
 references:
diff --git a/rules/windows/sysmon/sysmon_win_binary_github_com.yml b/rules/windows/sysmon/sysmon_win_binary_github_com.yml
index 16e18b78e..808b3e193 100644
--- a/rules/windows/sysmon/sysmon_win_binary_github_com.yml
+++ b/rules/windows/sysmon/sysmon_win_binary_github_com.yml
@@ -1,4 +1,5 @@
 title: Microsoft Binary Github Communication
+id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153
 status: experimental
 description: Detects an executable in the Windows folder accessing github.com
 references:
diff --git a/rules/windows/sysmon/sysmon_win_binary_susp_com.yml b/rules/windows/sysmon/sysmon_win_binary_susp_com.yml
index e83bf58a2..3bcf47042 100644
--- a/rules/windows/sysmon/sysmon_win_binary_susp_com.yml
+++ b/rules/windows/sysmon/sysmon_win_binary_susp_com.yml
@@ -1,4 +1,5 @@
 title: Microsoft Binary Suspicious Communication Endpoint
+id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
 status: experimental
 description: Detects an executable in the Windows folder accessing suspicious domains
 references:
diff --git a/rules/windows/sysmon/sysmon_win_reg_persistence.yml b/rules/windows/sysmon/sysmon_win_reg_persistence.yml
index 656f38ef2..06a18db8b 100644
--- a/rules/windows/sysmon/sysmon_win_reg_persistence.yml
+++ b/rules/windows/sysmon/sysmon_win_reg_persistence.yml
@@ -1,20 +1,21 @@
 title: Registry Persistence Mechanisms
-description: Detects persistence registry keys
+id: 36803969-5421-41ec-b92f-8500f79c23b0
+description: Detects persistence registry keys
 references:
 - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
 date: 2018/04/11
 author: Karneades
 logsource:
- product: windows
- service: sysmon
+ product: windows
+ service: sysmon
 detection:
 selection_reg1:
- EventID: 13
- TargetObject:
+ EventID: 13
+ TargetObject:
 - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\*\GlobalFlag'
 - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\ReportingMode'
 - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\MonitorProcess'
- EventType: 'SetValue'
+ EventType: SetValue
 condition: selection_reg1
 tags:
 - attack.privilege_escalation
diff --git a/rules/windows/sysmon/sysmon_wmi_event_subscription.yml b/rules/windows/sysmon/sysmon_wmi_event_subscription.yml
index 7fc7cd401..34db9562c 100644
--- a/rules/windows/sysmon/sysmon_wmi_event_subscription.yml
+++ b/rules/windows/sysmon/sysmon_wmi_event_subscription.yml
@@ -1,4 +1,5 @@
 title: WMI Event Subscription
+id: 0f06a3a5-6a09-413f-8743-e6cf35561297
 status: experimental
 description: Detects creation of WMI event subscription persistence method
 references:
diff --git a/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml b/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml
index ab7f020cf..9349ff725 100644
--- a/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml
+++ b/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml
@@ -1,4 +1,5 @@
 title: WMI Persistence - Command Line Event Consumer
+id: 05936ce2-ee05-4dae-9d03-9a391cf2d2c6
 status: experimental
 description: Detects WMI command line event consumers
 references:
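Review bot: The description re-emitted on the new side of the sysmon_win_reg_persistence.yml hunk, `description: Detects persistence registry keys`, says nothing about what the selection actually matches, which the hunk shows to be quite specific: Sysmon EventID 13 SetValue events on the IFEO `GlobalFlag` value and the SilentProcessExit `ReportingMode`/`MonitorProcess` values. I would replace it with `description: Detects SetValue registry events on IFEO GlobalFlag and SilentProcessExit ReportingMode/MonitorProcess values, a persistence technique the referenced post describes as hidden from Autoruns`. The hunk covers the file's first 20 lines and none of them is a `status:` field, whereas every sibling rule touched by this commit carries `status: experimental` directly after `id:`; if the remainder of the file, which continues past this hunk, has none either, add `status: experimental` after `id:` for consistency.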
diff --git a/rules/windows/sysmon/sysmon_wmi_persistence_script_event_consumer_write.yml b/rules/windows/sysmon/sysmon_wmi_persistence_script_event_consumer_write.yml
index 2d709de07..907a28738 100644
--- a/rules/windows/sysmon/sysmon_wmi_persistence_script_event_consumer_write.yml
+++ b/rules/windows/sysmon/sysmon_wmi_persistence_script_event_consumer_write.yml
@@ -1,4 +1,5 @@
 title: WMI Persistence - Script Event Consumer File Write
+id: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4
 status: experimental
 description: Detects file writes of WMI script event consumer
 references:
diff --git a/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml b/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml
index 4e9c77744..d6d059861 100644
--- a/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml
+++ b/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml
@@ -1,6 +1,7 @@
 title: Suspicious Scripting in a WMI Consumer
+id: fe21810c-2a8c-478f-8dd3-5a287fb2a0e0
 status: experimental
-description: Detects suspicious scripting in WMI Event Consumers
+description: Detects suspicious scripting in WMI Event Consumers
 author: Florian Roth
 references:
 - https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/