diff --git a/rules/application/app_python_sql_exceptions.yml b/rules/application/app_python_sql_exceptions.yml
index 220471d64..fe5169085 100644
--- a/rules/application/app_python_sql_exceptions.yml
+++ b/rules/application/app_python_sql_exceptions.yml
@@ -1,7 +1,7 @@
 title: Python SQL Exceptions
 description: Generic rule for SQL exceptions in Python according to PEP 249
 author: Thomas Patzke
-reference:
+references:
 - https://www.python.org/dev/peps/pep-0249/#exceptions
 logsource:
 category: application
diff --git a/rules/application/app_sqlinjection_errors.yml b/rules/application/app_sqlinjection_errors.yml
index 46e2d648e..f16f47cc5 100644
--- a/rules/application/app_sqlinjection_errors.yml
+++ b/rules/application/app_sqlinjection_errors.yml
@@ -2,7 +2,7 @@ title: Suspicious SQL Error Messages
 status: experimental
 description: Detects SQL error messages that indicate probing for an injection attack
 author: Bjoern Kimminich
-reference: http://www.sqlinjection.net/errors
+references: http://www.sqlinjection.net/errors
 logsource:
 category: application
 product: sql
diff --git a/rules/application/appframework_django_exceptions.yml b/rules/application/appframework_django_exceptions.yml
index cb974de8c..fd5302b4b 100644
--- a/rules/application/appframework_django_exceptions.yml
+++ b/rules/application/appframework_django_exceptions.yml
@@ -1,7 +1,7 @@
 title: Django framework exceptions
 description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
-reference:
+references:
 - https://docs.djangoproject.com/en/1.11/ref/exceptions/
 - https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
 logsource:
diff --git a/rules/application/appframework_ruby_on_rails_exceptions.yml b/rules/application/appframework_ruby_on_rails_exceptions.yml
index c827fa186..06513dfef 100644
--- a/rules/application/appframework_ruby_on_rails_exceptions.yml
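Review bot: `references: http://www.sqlinjection.net/errors` in app_sqlinjection_errors.yml keeps a plain scalar under the renamed key, while the neighbouring hunks for app_python_sql_exceptions.yml and appframework_django_exceptions.yml give `references` a sequence. If the rule loader or a schema check treats `references` as a list, the scalar form is read as a bare string rather than a one-element list, so writing it as `references:` followed by `- http://www.sqlinjection.net/errors` keeps every rule in the same shape. The same scalar form is carried over in apt_apt29_tor.yml, apt_carbonpaper_turla.yml, apt_cloudhopper.yml and the other single-reference rules in this commit, including the non-URL values `Internal Research` in apt_turla_namedpipes.yml and proxy_ua_apt.yml.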
+++ b/rules/application/appframework_ruby_on_rails_exceptions.yml
@@ -1,7 +1,7 @@
 title: Ruby on Rails framework exceptions
 description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
 author: Thomas Patzke
-reference:
+references:
 - http://edgeguides.rubyonrails.org/security.html
 - http://guides.rubyonrails.org/action_controller_overview.html
 - https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception
diff --git a/rules/application/appframework_spring_exceptions.yml b/rules/application/appframework_spring_exceptions.yml
index 0a2adfdf9..c3931636d 100644
--- a/rules/application/appframework_spring_exceptions.yml
+++ b/rules/application/appframework_spring_exceptions.yml
@@ -1,7 +1,7 @@
 title: Spring framework exceptions
 description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
-reference:
+references:
 - https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html
 logsource:
 category: application
diff --git a/rules/apt/apt_apt29_tor.yml b/rules/apt/apt_apt29_tor.yml
index a5e9aae00..b8640948d 100644
--- a/rules/apt/apt_apt29_tor.yml
+++ b/rules/apt/apt_apt29_tor.yml
@@ -1,7 +1,7 @@
 action: global
 title: APT29 Google Update Service Install
 description: 'This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe so the service names and executable locations used by APT29 are specific enough to be detected in log files.'
-reference: https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
+references: https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
 logsource:
 product: windows
 detection:
diff --git a/rules/apt/apt_carbonpaper_turla.yml b/rules/apt/apt_carbonpaper_turla.yml
index 458b151b8..df615aa32 100644
--- a/rules/apt/apt_carbonpaper_turla.yml
+++ b/rules/apt/apt_carbonpaper_turla.yml
@@ -1,6 +1,6 @@
 title: Turla Service Install
 description: 'This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET'
-reference: https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
+references: https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
 logsource:
 product: windows
 service: system
diff --git a/rules/apt/apt_cloudhopper.yml b/rules/apt/apt_cloudhopper.yml
index ca077f4c2..0d63e4c70 100644
--- a/rules/apt/apt_cloudhopper.yml
+++ b/rules/apt/apt_cloudhopper.yml
@@ -1,7 +1,7 @@
 title: WMIExec VBS Script
 description: Detects suspicious file execution by wscript and cscript
 author: Florian Roth
-reference: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
+references: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/apt/apt_equationgroup_c2.yml b/rules/apt/apt_equationgroup_c2.yml
index 25a36f3bf..6d54778f5 100644
--- a/rules/apt/apt_equationgroup_c2.yml
+++ b/rules/apt/apt_equationgroup_c2.yml
@@ -1,6 +1,6 @@
 title: Equation Group C2 Communication
 description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
-reference:
+references:
 - 'https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation'
 - 'https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195'
 author: Florian Roth
diff --git a/rules/apt/apt_equationgroup_lnx.yml b/rules/apt/apt_equationgroup_lnx.yml
index 3d35ba167..808747ceb 100644
--- a/rules/apt/apt_equationgroup_lnx.yml
+++ b/rules/apt/apt_equationgroup_lnx.yml
@@ -1,6 +1,6 @@
 title: Equation Group Indicators
 description: Detects suspicious shell commands used in various Equation Group scripts and tools
-reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
+references: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
 author: Florian Roth
 logsource:
 product: linux
diff --git a/rules/apt/apt_pandemic.yml b/rules/apt/apt_pandemic.yml
index 49cfe61df..8643d0cb5 100644
--- a/rules/apt/apt_pandemic.yml
+++ b/rules/apt/apt_pandemic.yml
@@ -1,7 +1,7 @@
 title: Pandemic Registry Key
 status: experimental
 description: Detects Pandemic Windows Implant
-reference:
+references:
 - https://wikileaks.org/vault7/#Pandemic
 - https://twitter.com/MalwareJake/status/870349480356454401
 author: Florian Roth
diff --git a/rules/apt/apt_stonedrill.yml b/rules/apt/apt_stonedrill.yml
index 7b5111491..650c04f5d 100644
--- a/rules/apt/apt_stonedrill.yml
+++ b/rules/apt/apt_stonedrill.yml
@@ -1,7 +1,7 @@
 title: StoneDrill Service Install
 description: 'This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky'
 author: Florian Roth
-reference: https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
+references: https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
 logsource:
 product: windows
 service: system
diff --git a/rules/apt/apt_ta17_293a_ps.yml b/rules/apt/apt_ta17_293a_ps.yml
index 1b2f8852e..38b511507 100644
--- a/rules/apt/apt_ta17_293a_ps.yml
+++ b/rules/apt/apt_ta17_293a_ps.yml
@@ -1,6 +1,6 @@
 title: Ps.exe Renamed SysInternals Tool
 description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A report
-reference: https://www.us-cert.gov/ncas/alerts/TA17-293A
+references: https://www.us-cert.gov/ncas/alerts/TA17-293A
 author: Florian Roth
 date: 2017/10/22
 logsource:
diff --git a/rules/apt/apt_turla_commands.yml b/rules/apt/apt_turla_commands.yml
index c2411bda7..d6be983b2 100644
--- a/rules/apt/apt_turla_commands.yml
+++ b/rules/apt/apt_turla_commands.yml
@@ -3,7 +3,7 @@ action: global
 title: Turla Group Lateral Movement
 status: experimental
 description: Detects automated lateral movement by Turla group
-reference: https://securelist.com/the-epic-turla-operation/65545/
+references: https://securelist.com/the-epic-turla-operation/65545/
 author: Markus Neis
 date: 2017/11/07
 logsource:
diff --git a/rules/apt/apt_turla_namedpipes.yml b/rules/apt/apt_turla_namedpipes.yml
index a82a09648..dea97cfcb 100644
--- a/rules/apt/apt_turla_namedpipes.yml
+++ b/rules/apt/apt_turla_namedpipes.yml
@@ -1,7 +1,7 @@
 title: Turla Group Named Pipes
 status: experimental
 description: Detects a named pipe used by Turla group samples
-reference: Internal Research
+references: Internal Research
 date: 2017/11/06
 author: Markus Neis
 logsource:
diff --git a/rules/apt/apt_zxshell.yml b/rules/apt/apt_zxshell.yml
index ae3f0b971..e6b4e63ba 100644
--- a/rules/apt/apt_zxshell.yml
+++ b/rules/apt/apt_zxshell.yml
@@ -1,7 +1,7 @@
 title: ZxShell Malware
 description: Detects a ZxShell start by the called and well-known function name
 author: Florian Roth
-reference: https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
+references: https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/apt/crime_fireball.yml b/rules/apt/crime_fireball.yml
index 0b8e9f017..84cc02070 100644
--- a/rules/apt/crime_fireball.yml
+++ b/rules/apt/crime_fireball.yml
@@ -3,7 +3,7 @@ status: experimental
 description: Detects Archer malware invocation via rundll32
 author: Florian Roth
 date: 2017/06/03
-reference:
+references:
 - https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/
 - https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
 logsource:
diff --git a/rules/linux/auditd/lnx_auditd_susp_cmds.yml b/rules/linux/auditd/lnx_auditd_susp_cmds.yml
index 231f06744..1f27e2ffe 100644
--- a/rules/linux/auditd/lnx_auditd_susp_cmds.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_cmds.yml
@@ -1,7 +1,7 @@
 title: Detects Suspicious Commands on Linux systems
 status: experimental
 description: Detects relevant commands often related to malware or hacking activity
-reference: 'Internal Research - mostly derived from exploit code including code in MSF'
+references: 'Internal Research - mostly derived from exploit code including code in MSF'
 date: 2017/12/12
 author: Florian Roth
 logsource:
diff --git a/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml b/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
index 50fef0dfb..80c35cad6 100644
--- a/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
@@ -1,7 +1,7 @@
 title: Program Executions in Suspicious Folders
 status: experimental
 description: Detects program executions in suspicious non-program folders related to malware or hacking activity
-reference: 'Internal Research'
+references: 'Internal Research'
 date: 2018/01/23
 author: Florian Roth
 logsource:
diff --git a/rules/linux/lnx_buffer_overflows.yml b/rules/linux/lnx_buffer_overflows.yml
index dc615277f..ef92ee2fc 100644
--- a/rules/linux/lnx_buffer_overflows.yml
+++ b/rules/linux/lnx_buffer_overflows.yml
@@ -1,6 +1,6 @@
 title: Buffer Overflow Attempts
 description: Detects buffer overflow attempts in Linux system log files
-reference: https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
+references: https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
 logsource:
 product: linux
 detection:
diff --git a/rules/linux/lnx_clamav.yml b/rules/linux/lnx_clamav.yml
index 0c8855b81..a4729d56e 100644
--- a/rules/linux/lnx_clamav.yml
+++ b/rules/linux/lnx_clamav.yml
@@ -1,6 +1,6 @@
 title: Relevant ClamAV Message
 description: Detects relevant ClamAV messages
-reference: https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml
+references: https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml
 logsource:
 product: linux
 service: clamav
diff --git a/rules/linux/lnx_shell_susp_commands.yml b/rules/linux/lnx_shell_susp_commands.yml
index a99106aa0..c37310d87 100644
--- a/rules/linux/lnx_shell_susp_commands.yml
+++ b/rules/linux/lnx_shell_susp_commands.yml
@@ -1,6 +1,6 @@
 title: Suspicious Activity in Shell Commands
 description: Detects suspicious shell commands used in various exploit codes (see references)
-reference:
+references:
 - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html
 - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb#L121
 - http://pastebin.com/FtygZ1cg
diff --git a/rules/linux/lnx_shellshock.yml b/rules/linux/lnx_shellshock.yml
index f1fe1fa2f..38e11bbaa 100644
--- a/rules/linux/lnx_shellshock.yml
+++ b/rules/linux/lnx_shellshock.yml
@@ -1,6 +1,6 @@
 title: Shellshock Expression
 description: Detects shellshock expressions in log files
-reference: http://rubular.com/r/zxBfjWfFYs
+references: http://rubular.com/r/zxBfjWfFYs
 logsource:
 product: linux
 detection:
diff --git a/rules/linux/lnx_susp_ssh.yml b/rules/linux/lnx_susp_ssh.yml
index 9d37cef2a..44ce6552f 100644
--- a/rules/linux/lnx_susp_ssh.yml
+++ b/rules/linux/lnx_susp_ssh.yml
@@ -1,6 +1,6 @@
 title: Suspicious SSHD Error
 description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
-reference: https://github.com/openssh/openssh-portable/blob/master/ssherr.c
+references: https://github.com/openssh/openssh-portable/blob/master/ssherr.c
 author: Florian Roth
 date: 2017/06/30
 logsource:
diff --git a/rules/linux/lnx_susp_vsftp.yml b/rules/linux/lnx_susp_vsftp.yml
index 2d03b563b..fc92017a1 100644
--- a/rules/linux/lnx_susp_vsftp.yml
+++ b/rules/linux/lnx_susp_vsftp.yml
@@ -1,6 +1,6 @@
 title: Suspicious VSFTPD Error Messages
 description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
-reference: https://github.com/dagwieers/vsftpd/
+references: https://github.com/dagwieers/vsftpd/
 author: Florian Roth
 date: 2017/07/05
 logsource:
diff --git a/rules/proxy/proxy_download_susp_dyndns.yml b/rules/proxy/proxy_download_susp_dyndns.yml
index 0c98385ab..d4432b628 100644
--- a/rules/proxy/proxy_download_susp_dyndns.yml
+++ b/rules/proxy/proxy_download_susp_dyndns.yml
@@ -1,7 +1,7 @@
 title: Download from Suspicious Dyndns Hosts
 status: experimental
 description: Detects download of certain file types from hosts with dynamic DNS names (selected list)
-reference: https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
+references: https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
 author: Florian Roth
 date: 2017/11/08
 logsource:
diff --git a/rules/proxy/proxy_download_susp_tlds_blacklist.yml b/rules/proxy/proxy_download_susp_tlds_blacklist.yml
index ef57c0b00..d05f8309f 100644
--- a/rules/proxy/proxy_download_susp_tlds_blacklist.yml
+++ b/rules/proxy/proxy_download_susp_tlds_blacklist.yml
@@ -1,7 +1,7 @@
 title: Download from Suspicious TLD
 status: experimental
 description: Detects download of certain file types from hosts in suspicious TLDs
-reference:
+references:
 - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap
 - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf
 - https://www.spamhaus.org/statistics/tlds/
diff --git a/rules/proxy/proxy_empty_ua.yml b/rules/proxy/proxy_empty_ua.yml
index 4ffd58f4b..faac0f93b 100644
--- a/rules/proxy/proxy_empty_ua.yml
+++ b/rules/proxy/proxy_empty_ua.yml
@@ -1,7 +1,7 @@
 title: Empty User Agent
 status: experimental
 description: Detects suspicious empty user agent strings in proxy logs
-reference:
+references:
 - https://twitter.com/Carlos_Perez/status/883455096645931008
 author: Florian Roth
 logsource:
diff --git a/rules/proxy/proxy_powershell_ua.yml b/rules/proxy/proxy_powershell_ua.yml
index 7ce34000e..effff040c 100644
--- a/rules/proxy/proxy_powershell_ua.yml
+++ b/rules/proxy/proxy_powershell_ua.yml
@@ -1,7 +1,7 @@
 title: Windows PowerShell User Agent
 status: experimental
 description: Detects Windows PowerShell Web Access
-reference: https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
+references: https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
 author: Florian Roth
 logsource:
 category: proxy
diff --git a/rules/proxy/proxy_susp_flash_download_loc.yml b/rules/proxy/proxy_susp_flash_download_loc.yml
index f9654f7ef..80f87f141 100644
--- a/rules/proxy/proxy_susp_flash_download_loc.yml
+++ b/rules/proxy/proxy_susp_flash_download_loc.yml
@@ -1,7 +1,7 @@
 title: Flash Player Update from Suspicious Location
 status: experimental
 description: Detects a flashplayer update from an unofficial location
-reference: https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
+references: https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
 author: Florian Roth
 logsource:
 category: proxy
diff --git a/rules/proxy/proxy_ua_apt.yml b/rules/proxy/proxy_ua_apt.yml
index 3a33f0af8..155871eba 100644
--- a/rules/proxy/proxy_ua_apt.yml
+++ b/rules/proxy/proxy_ua_apt.yml
@@ -1,7 +1,7 @@
 title: APT User Agent
 status: experimental
 description: Detects suspicious user agent strings used in APT malware in proxy logs
-reference: Internal Research
+references: Internal Research
 author: Florian Roth
 logsource:
 category: proxy
diff --git a/rules/proxy/proxy_ua_frameworks.yml b/rules/proxy/proxy_ua_frameworks.yml
index 9beda694a..7a6d4fd6a 100644
--- a/rules/proxy/proxy_ua_frameworks.yml
+++ b/rules/proxy/proxy_ua_frameworks.yml
@@ -1,7 +1,7 @@
 title: Exploit Framework User Agent
 status: experimental
 description: Detects suspicious user agent strings used by exploit / pentest framworks like Metasploit in proxy logs
-reference:
+references:
 - https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
 author: Florian Roth
 logsource:
diff --git a/rules/proxy/proxy_ua_hacktool.yml b/rules/proxy/proxy_ua_hacktool.yml
index 122a7fb75..2c9e4f779 100644
--- a/rules/proxy/proxy_ua_hacktool.yml
+++ b/rules/proxy/proxy_ua_hacktool.yml
@@ -1,7 +1,7 @@
 title: Hack Tool User Agent
 status: experimental
 description: Detects suspicious user agent strings user by hack tools in proxy logs
-reference:
+references:
 - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
 - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
 author: Florian Roth
diff --git a/rules/proxy/proxy_ua_malware.yml b/rules/proxy/proxy_ua_malware.yml
index e23da1e79..b67c9e0a9 100644
--- a/rules/proxy/proxy_ua_malware.yml
+++ b/rules/proxy/proxy_ua_malware.yml
@@ -1,7 +1,7 @@
 title: Malware User Agent
 status: experimental
 description: Detects suspicious user agent strings used by malware in proxy logs
-reference:
+references:
 - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
 - http://www.botopedia.org/search?searchword=scan&searchphrase=all
 - https://networkraptor.blogspot.com/2015/01/user-agent-strings.html
diff --git a/rules/proxy/proxy_ua_suspicious.yml b/rules/proxy/proxy_ua_suspicious.yml
index 89b0aae10..27cfecb0c 100644
--- a/rules/proxy/proxy_ua_suspicious.yml
+++ b/rules/proxy/proxy_ua_suspicious.yml
@@ -1,7 +1,7 @@
 title: Suspicious User Agent
 status: experimental
 description: Detects suspicious malformed user agent strings in proxy logs
-reference:
+references:
 - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
 author: Florian Roth
 logsource:
diff --git a/rules/web/web_apache_segfault.yml b/rules/web/web_apache_segfault.yml
index b1aff6153..d51faf2bd 100644
--- a/rules/web/web_apache_segfault.yml
+++ b/rules/web/web_apache_segfault.yml
@@ -1,7 +1,7 @@
 title: Apache Segmentation Fault
 description: Detects a segmentation fault error message caused by a creashing apacke worker process
 author: Florian Roth
-reference: http://www.securityfocus.com/infocus/1633
+references: http://www.securityfocus.com/infocus/1633
 logsource:
 product: apache
 detection:
diff --git a/rules/windows/builtin/win_admin_rdp_login.yml b/rules/windows/builtin/win_admin_rdp_login.yml
index ffd040988..699816893 100644
--- a/rules/windows/builtin/win_admin_rdp_login.yml
+++ b/rules/windows/builtin/win_admin_rdp_login.yml
@@ -1,6 +1,6 @@
 title: Admin User Remote Logon
 description: Detect remote login by Administrator user depending on internal pattern
-reference:
+references:
 - https://car.mitre.org/wiki/CAR-2016-04-005
 status: experimental
 author: juju4
diff --git a/rules/windows/builtin/win_alert_active_directory_user_control.yml b/rules/windows/builtin/win_alert_active_directory_user_control.yml
index 72484fb2d..89da9b0de 100644
--- a/rules/windows/builtin/win_alert_active_directory_user_control.yml
+++ b/rules/windows/builtin/win_alert_active_directory_user_control.yml
@@ -1,6 +1,6 @@
 title: Enabled User Right in AD to Control User Objects
 description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
-reference:
+references:
 - https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
 author: '@neu5ron'
 logsource:
diff --git a/rules/windows/builtin/win_alert_ad_user_backdoors.yml b/rules/windows/builtin/win_alert_ad_user_backdoors.yml
index 5aa66b963..444674594 100644
--- a/rules/windows/builtin/win_alert_ad_user_backdoors.yml
+++ b/rules/windows/builtin/win_alert_ad_user_backdoors.yml
@@ -1,6 +1,6 @@
 title: Active Directory User Backdoors
 description: Detects scenarios where one can control another users account without having to use their credentials via msDS-AllowedToDelegateTo and or service principal names (SPN).
-reference:
+references:
 - https://msdn.microsoft.com/en-us/library/cc220234.aspx
 - https://adsecurity.org/?p=3466
 author: '@neu5ron'
diff --git a/rules/windows/builtin/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
index e47e92413..f34bbfd64 100644
--- a/rules/windows/builtin/win_alert_enable_weak_encryption.yml
+++ b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
@@ -1,6 +1,6 @@
 title: Weak Encryption Enabled and Kerberoast
 description: Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.
-reference:
+references:
 - https://adsecurity.org/?p=2053
 - https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
 author: '@neu5ron'
diff --git a/rules/windows/builtin/win_disable_event_logging.yml b/rules/windows/builtin/win_disable_event_logging.yml
index 955ff0fa1..13ee54d17 100644
--- a/rules/windows/builtin/win_disable_event_logging.yml
+++ b/rules/windows/builtin/win_disable_event_logging.yml
@@ -6,7 +6,7 @@ description: >
 that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.
-reference:
+references:
 - https://bit.ly/WinLogsZero2Hero
 author: '@neu5ron'
 logsource:
diff --git a/rules/windows/builtin/win_eventlog_cleared.yml b/rules/windows/builtin/win_eventlog_cleared.yml
index ddb9bd0d7..c45f3c2b9 100644
--- a/rules/windows/builtin/win_eventlog_cleared.yml
+++ b/rules/windows/builtin/win_eventlog_cleared.yml
@@ -3,7 +3,7 @@ status: experimental
 description: Detects a cleared Windows Eventlog as e.g. caused by "wevtutil cl" command execution
 author: Florian Roth
 date: 2017/06/27
-reference: https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
+references: https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
 logsource:
 product: windows
 service: system
diff --git a/rules/windows/builtin/win_mal_wceaux_dll.yml b/rules/windows/builtin/win_mal_wceaux_dll.yml
index b0854fc7b..73cf9838c 100644
--- a/rules/windows/builtin/win_mal_wceaux_dll.yml
+++ b/rules/windows/builtin/win_mal_wceaux_dll.yml
@@ -2,7 +2,7 @@ title: WCE wceaux.dll Access
 status: experimental
 description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
 author: Thomas Patzke
-reference: https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+references: https://www.jpcert.or.jp/english/pub/sr/ir_research.html
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/win_multiple_suspicious_cli.yml b/rules/windows/builtin/win_multiple_suspicious_cli.yml
index 9820ae139..a4db02335 100644
--- a/rules/windows/builtin/win_multiple_suspicious_cli.yml
+++ b/rules/windows/builtin/win_multiple_suspicious_cli.yml
@@ -2,7 +2,7 @@ action: global
 title: Quick Execution of a Series of Suspicious Commands
 description: Detects multiple suspicious process in a limited timeframe
 status: experimental
-reference:
+references:
 - https://car.mitre.org/wiki/CAR-2013-04-002
 author: juju4
 detection:
diff --git a/rules/windows/builtin/win_pass_the_hash.yml b/rules/windows/builtin/win_pass_the_hash.yml
index b5d5d1be2..c79ce2bad 100644
--- a/rules/windows/builtin/win_pass_the_hash.yml
+++ b/rules/windows/builtin/win_pass_the_hash.yml
@@ -1,7 +1,7 @@
 title: Pass the Hash Activity
 status: experimental
 description: 'Detects the attack technique pass the hash which is used to move laterally inside the network'
-reference: https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
+references: https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
 author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
 logsource:
 product: windows
diff --git a/rules/windows/builtin/win_plugx_susp_exe_locations.yml b/rules/windows/builtin/win_plugx_susp_exe_locations.yml
index b6b368443..77dbd377d 100644
--- a/rules/windows/builtin/win_plugx_susp_exe_locations.yml
+++ b/rules/windows/builtin/win_plugx_susp_exe_locations.yml
@@ -1,7 +1,7 @@
 title: Executable used by PlugX in Uncommon Location
 status: experimental
 description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
-reference:
+references:
 - 'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/'
 - 'https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/'
 author: Florian Roth
diff --git a/rules/windows/builtin/win_possible_applocker_bypass.yml b/rules/windows/builtin/win_possible_applocker_bypass.yml
index 48b2ed72f..f62151bdc 100644
--- a/rules/windows/builtin/win_possible_applocker_bypass.yml
+++ b/rules/windows/builtin/win_possible_applocker_bypass.yml
@@ -2,7 +2,7 @@ action: global
 title: Possible Applocker Bypass
 description: Detects execution of executables that can be used to bypass Applocker whitelisting
 status: experimental
-reference:
+references:
 - https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt
 - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
 author: juju4
diff --git a/rules/windows/builtin/win_susp_add_sid_history.yml b/rules/windows/builtin/win_susp_add_sid_history.yml
index 42169e992..9d7a68a55 100644
--- a/rules/windows/builtin/win_susp_add_sid_history.yml
+++ b/rules/windows/builtin/win_susp_add_sid_history.yml
@@ -1,7 +1,7 @@
 title: Addition of SID History to Active Directory Object
 status: stable
 description: An attacker can use the SID history attribute to gain additional privileges.
-reference: https://adsecurity.org/?p=1772
+references: https://adsecurity.org/?p=1772
 author: Thomas Patzke
 logsource:
 product: windows
diff --git a/rules/windows/builtin/win_susp_backup_delete.yml b/rules/windows/builtin/win_susp_backup_delete.yml
index 7c4aa5403..a178db8e2 100644
--- a/rules/windows/builtin/win_susp_backup_delete.yml
+++ b/rules/windows/builtin/win_susp_backup_delete.yml
@@ -1,7 +1,7 @@
 title: Backup Catalog Deleted
 status: experimental
 description: Detects backup catalog deletions
-reference:
+references:
 - https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx
 - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
 author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
diff --git a/rules/windows/builtin/win_susp_cli_escape.yml b/rules/windows/builtin/win_susp_cli_escape.yml
index 4c71bdf2e..39bae210a 100644
--- a/rules/windows/builtin/win_susp_cli_escape.yml
+++ b/rules/windows/builtin/win_susp_cli_escape.yml
@@ -2,7 +2,7 @@ action: global
 title: Suspicious Commandline Escape
 description: Detects suspicious process that use escape characters
 status: experimental
-reference:
+references:
 - https://twitter.com/vysecurity/status/885545634958385153
 - https://twitter.com/Hexacorn/status/885553465417756673
 - https://twitter.com/Hexacorn/status/885570278637678592
diff --git a/rules/windows/builtin/win_susp_commands_recon_activity.yml b/rules/windows/builtin/win_susp_commands_recon_activity.yml
index 2dd5c855a..5858471bd 100644
--- a/rules/windows/builtin/win_susp_commands_recon_activity.yml
+++ b/rules/windows/builtin/win_susp_commands_recon_activity.yml
@@ -3,7 +3,7 @@ action: global
 title: Reconnaissance Activity with Net Command
 status: experimental
 description: 'Detects a set of commands often used in recon stages by different attack groups'
-reference:
+references:
 - https://twitter.com/haroonmeer/status/939099379834658817
 - https://twitter.com/c_APT_ure/status/939475433711722497
 author: Florian Roth
diff --git a/rules/windows/builtin/win_susp_dhcp_config.yml b/rules/windows/builtin/win_susp_dhcp_config.yml
index 080a19964..e7f3fb9b5 100644
--- a/rules/windows/builtin/win_susp_dhcp_config.yml
+++ b/rules/windows/builtin/win_susp_dhcp_config.yml
@@ -1,7 +1,7 @@
 title: DHCP Server Loaded the CallOut DLL
 status: experimental
 description: This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
-reference:
+references:
     - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
     - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
     - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
diff --git a/rules/windows/builtin/win_susp_dhcp_config_failed.yml b/rules/windows/builtin/win_susp_dhcp_config_failed.yml
index 67dda88e2..a92d354d7 100644
--- a/rules/windows/builtin/win_susp_dhcp_config_failed.yml
+++ b/rules/windows/builtin/win_susp_dhcp_config_failed.yml
@@ -1,7 +1,7 @@
 title: DHCP Server Error Failed Loading the CallOut DLL
 description: This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded
 status: experimental
-reference:
+references:
     - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
     - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
     - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
diff --git a/rules/windows/builtin/win_susp_dns_config.yml b/rules/windows/builtin/win_susp_dns_config.yml
index 874598f12..68679e081 100644
--- a/rules/windows/builtin/win_susp_dns_config.yml
+++ b/rules/windows/builtin/win_susp_dns_config.yml
@@ -2,7 +2,7 @@ title: DNS Server Error Failed Loading the ServerLevelPluginDLL
 description: This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
 status: experimental
 date: 2017/05/08
-reference:
+references:
     - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
     - https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx
     - https://twitter.com/gentilkiwi/status/861641945944391680
diff --git a/rules/windows/builtin/win_susp_dsrm_password_change.yml b/rules/windows/builtin/win_susp_dsrm_password_change.yml
index 2390881b5..c4798def2 100644
--- a/rules/windows/builtin/win_susp_dsrm_password_change.yml
+++ b/rules/windows/builtin/win_susp_dsrm_password_change.yml
@@ -1,7 +1,7 @@
 title: Password Change on Directory Service Restore Mode (DSRM) Account
 status: stable
 description: The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.
-reference: https://adsecurity.org/?p=1714
+references: https://adsecurity.org/?p=1714
 author: Thomas Patzke
 logsource:
     product: windows
diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/win_susp_eventlog_cleared.yml
index 676235687..0d10b3db9 100644
--- a/rules/windows/builtin/win_susp_eventlog_cleared.yml
+++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml
@@ -1,6 +1,6 @@
 title: Eventlog Cleared
 description: One of the Windows Eventlogs has been cleared
-reference: https://twitter.com/deviouspolack/status/832535435960209408
+references: https://twitter.com/deviouspolack/status/832535435960209408
 author: Florian Roth
 logsource:
     product: windows
diff --git a/rules/windows/builtin/win_susp_iss_module_install.yml b/rules/windows/builtin/win_susp_iss_module_install.yml
index 7a8cb895d..3563095e9 100644
--- a/rules/windows/builtin/win_susp_iss_module_install.yml
+++ b/rules/windows/builtin/win_susp_iss_module_install.yml
@@ -3,7 +3,7 @@ action: global
 title: IIS Native-Code Module Command Line Installation
 description: Detects suspicious IIS native-code module installations via command line
 status: experimental
-reference:
+references:
     - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
 author: Florian Roth
 detection:
diff --git a/rules/windows/builtin/win_susp_lsass_dump.yml b/rules/windows/builtin/win_susp_lsass_dump.yml
index 0cb86bcd7..38f6670a2 100644
--- a/rules/windows/builtin/win_susp_lsass_dump.yml
+++ b/rules/windows/builtin/win_susp_lsass_dump.yml
@@ -1,7 +1,7 @@
 title: Password Dumper Activity on LSASS
 description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN
 status: experimental
-reference: https://twitter.com/jackcr/status/807385668833968128
+references: https://twitter.com/jackcr/status/807385668833968128
 logsource:
     product: windows
     service: security
diff --git a/rules/windows/builtin/win_susp_msmpeng_crash.yml b/rules/windows/builtin/win_susp_msmpeng_crash.yml
index 705d66002..937ee121d 100644
--- a/rules/windows/builtin/win_susp_msmpeng_crash.yml
+++ b/rules/windows/builtin/win_susp_msmpeng_crash.yml
@@ -2,7 +2,7 @@ title: Microsoft Malware Protection Engine Crash
 description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
 status: experimental
 date: 2017/05/09
-reference:
+references:
     - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
     - https://technet.microsoft.com/en-us/library/security/4022344
 author: Florian Roth
diff --git a/rules/windows/builtin/win_susp_net_recon_activity.yml b/rules/windows/builtin/win_susp_net_recon_activity.yml
index 07f527f5b..3761dfafa 100644
--- a/rules/windows/builtin/win_susp_net_recon_activity.yml
+++ b/rules/windows/builtin/win_susp_net_recon_activity.yml
@@ -1,7 +1,7 @@
 title: Reconnaissance Activity
 status: experimental
 description: 'Detects activity as "net user administrator /domain" and "net group domain admins /domain"'
-reference: https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
+references: https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
 author: Florian Roth (rule), Jack Croock (method)
 logsource:
     product: windows
diff --git a/rules/windows/builtin/win_susp_phantom_dll.yml b/rules/windows/builtin/win_susp_phantom_dll.yml
index 3b05d9383..8ec72786a 100644
--- a/rules/windows/builtin/win_susp_phantom_dll.yml
+++ b/rules/windows/builtin/win_susp_phantom_dll.yml
@@ -2,7 +2,7 @@ action: global
 title: Phantom DLLs Usage
 description: Detects Phantom DLLs usage and matching executable
 status: experimental
-reference:
+references:
     - http://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
     - http://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/
 author: juju4
diff --git a/rules/windows/builtin/win_susp_process_creations.yml b/rules/windows/builtin/win_susp_process_creations.yml
index 7837e19bc..f1fcbc36d 100644
--- a/rules/windows/builtin/win_susp_process_creations.yml
+++ b/rules/windows/builtin/win_susp_process_creations.yml
@@ -3,7 +3,7 @@ action: global
 title: Suspicious Process Creation
 description: Detects suspicious process starts on Windows systems bsed on keywords
 status: experimental
-reference:
+references:
     - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
     - https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s
     - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
diff --git a/rules/windows/builtin/win_susp_rasdial_activity.yml b/rules/windows/builtin/win_susp_rasdial_activity.yml
index c5d24f40c..334767d12 100644
--- a/rules/windows/builtin/win_susp_rasdial_activity.yml
+++ b/rules/windows/builtin/win_susp_rasdial_activity.yml
@@ -2,7 +2,7 @@ action: global
 title: Suspicious RASdial Activity
 description: Detects suspicious process related to rasdial.exe
 status: experimental
-reference:
+references:
     - https://twitter.com/subTee/status/891298217907830785
 author: juju4
 detection:
diff --git a/rules/windows/builtin/win_susp_rc4_kerberos.yml b/rules/windows/builtin/win_susp_rc4_kerberos.yml
index 3fa722b5b..44862ee05 100644
--- a/rules/windows/builtin/win_susp_rc4_kerberos.yml
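Review bot: The description carried as context in win_susp_process_creations.yml reads `bsed on keywords`, and since the description is what analysts see on the alert it should be corrected to `description: Detects suspicious process starts on Windows systems based on keywords`. Descriptions on the other hunks of this page have the same class of typo: `connetc` in sysmon_malware_backconnect_ports, `Detetcs` in sysmon_malware_verclsid_shellcode and sysmon_powershell_network_connection, `piblic` in sysmon_rundll32_net_connections, and `could by a sign` in sysmon_susp_mmc_source. The sysmon_powershell_network_connection description also ends with a stray apostrophe before the closing parenthesis, `company's ip range')`, which looks like an editing leftover rather than intended text.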
+++ b/rules/windows/builtin/win_susp_rc4_kerberos.yml
@@ -1,6 +1,6 @@
 title: Suspicious Kerberos RC4 Ticket Encryption
 status: experimental
-reference: https://adsecurity.org/?p=3458
+references: https://adsecurity.org/?p=3458
 description: Detects logons using RC4 encryption type
 logsource:
     product: windows
diff --git a/rules/windows/builtin/win_susp_run_locations.yml b/rules/windows/builtin/win_susp_run_locations.yml
index c4ab6d14f..65e1f1475 100644
--- a/rules/windows/builtin/win_susp_run_locations.yml
+++ b/rules/windows/builtin/win_susp_run_locations.yml
@@ -2,7 +2,7 @@ action: global
 title: Suspicious Process Start Locations
 description: Detects suspicious process run from unusual locations
 status: experimental
-reference:
+references:
     - https://car.mitre.org/wiki/CAR-2013-05-002
 author: juju4
 detection:
diff --git a/rules/windows/builtin/win_susp_rundll32_activity.yml b/rules/windows/builtin/win_susp_rundll32_activity.yml
index fe41e0a36..b64230457 100644
--- a/rules/windows/builtin/win_susp_rundll32_activity.yml
+++ b/rules/windows/builtin/win_susp_rundll32_activity.yml
@@ -2,7 +2,7 @@ action: global
 title: Suspicious Rundll32 Activity
 description: Detects suspicious process related to rundll32 based on arguments
 status: experimental
-reference:
+references:
     - http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
     - https://twitter.com/Hexacorn/status/885258886428725250
     - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
diff --git a/rules/windows/builtin/win_susp_sdelete.yml b/rules/windows/builtin/win_susp_sdelete.yml
index 6859396bd..06e551953 100644
--- a/rules/windows/builtin/win_susp_sdelete.yml
+++ b/rules/windows/builtin/win_susp_sdelete.yml
@@ -2,7 +2,7 @@ title: Secure Deletion with SDelete
 status: experimental
 description: Detects renaming of file while deletion with SDelete tool
 author: Thomas Patzke
-reference:
+references:
     - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
     - https://technet.microsoft.com/en-us/en-en/sysinternals/sdelete.aspx
 logsource:
diff --git a/rules/windows/builtin/win_usb_device_plugged.yml b/rules/windows/builtin/win_usb_device_plugged.yml
index 8cc3df993..00acec4ff 100644
--- a/rules/windows/builtin/win_usb_device_plugged.yml
+++ b/rules/windows/builtin/win_usb_device_plugged.yml
@@ -1,6 +1,6 @@
 title: USB Device Plugged
 description: Detects plugged USB devices
-reference:
+references:
     - https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/
     - https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/
 status: experimental
diff --git a/rules/windows/malware/sysmon_malware_notpetya.yml b/rules/windows/malware/sysmon_malware_notpetya.yml
index ecb66fb5c..15f45ac44 100644
--- a/rules/windows/malware/sysmon_malware_notpetya.yml
+++ b/rules/windows/malware/sysmon_malware_notpetya.yml
@@ -2,7 +2,7 @@ title: NotPetya Ransomware Activity
 status: experimental
 description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil
 author: Florian Roth, Tom Ueltschi
-reference:
+references:
     - https://securelist.com/schroedingers-petya/78870/
     - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
 logsource:
diff --git a/rules/windows/malware/sysmon_malware_wannacry.yml b/rules/windows/malware/sysmon_malware_wannacry.yml
index 2f3cded0b..65c74aab1 100644
--- a/rules/windows/malware/sysmon_malware_wannacry.yml
+++ b/rules/windows/malware/sysmon_malware_wannacry.yml
@@ -1,7 +1,7 @@
 title: WannaCry Ransomware via Sysmon
 status: experimental
 description: Detects WannaCry ransomware activity via Sysmon
-reference: https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
+references: https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
 author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
 logsource:
     product: windows
diff --git a/rules/windows/malware/win_mal_adwind.yml b/rules/windows/malware/win_mal_adwind.yml
index 381264cd3..2d01d0bca 100644
--- a/rules/windows/malware/win_mal_adwind.yml
+++ b/rules/windows/malware/win_mal_adwind.yml
@@ -3,7 +3,7 @@ action: global
 title: Adwind RAT / JRAT
 status: experimental
 description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
-reference:
+references:
     - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
     - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
 author: Florian Roth, Tom Ueltschi
diff --git a/rules/windows/malware/win_mal_wannacry.yml b/rules/windows/malware/win_mal_wannacry.yml
index 15caec121..a998e3e09 100644
--- a/rules/windows/malware/win_mal_wannacry.yml
+++ b/rules/windows/malware/win_mal_wannacry.yml
@@ -2,7 +2,7 @@ action: global
 title: WannaCry Ransomware
 description: Detects WannaCry Ransomware Activity
 status: experimental
-reference:
+references:
     - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
 author: Florian Roth
 detection:
diff --git a/rules/windows/other/win_tool_psexec.yml b/rules/windows/other/win_tool_psexec.yml
index 0172e09da..0605f8ebf 100644
--- a/rules/windows/other/win_tool_psexec.yml
+++ b/rules/windows/other/win_tool_psexec.yml
@@ -2,7 +2,7 @@ title: PsExec Tool Execution
 status: experimental
 description: Detects PsExec service installation and execution events (service and Sysmon)
 author: Thomas Patzke
-reference: https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+references: https://www.jpcert.or.jp/english/pub/sr/ir_research.html
 logsource:
     product: windows
 detection:
diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml
index 1dc3ef984..b359622e6 100644
--- a/rules/windows/other/win_wmi_persistence.yml
+++ b/rules/windows/other/win_wmi_persistence.yml
@@ -2,7 +2,7 @@ title: WMI Persistence
 status: experimental
 description: Detects suspicious WMI event filter and command line event consumer based on event id 5861 (Windows 10, 2012 and higher)
 author: Florian Roth
-reference: https://twitter.com/mattifestation/status/899646620148539397
+references: https://twitter.com/mattifestation/status/899646620148539397
 logsource:
     product: windows
     service: wmi
diff --git a/rules/windows/powershell/powershell_downgrade_attack.yml b/rules/windows/powershell/powershell_downgrade_attack.yml
index 27484be91..6342d5ce9 100644
--- a/rules/windows/powershell/powershell_downgrade_attack.yml
+++ b/rules/windows/powershell/powershell_downgrade_attack.yml
@@ -1,7 +1,7 @@
 title: PowerShell Downgrade Attack
 status: experimental
 description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
-reference: http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
+references: http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
 author: Florian Roth (rule), Lee Holmes (idea)
 logsource:
     product: windows
diff --git a/rules/windows/powershell/powershell_exe_calling_ps.yml b/rules/windows/powershell/powershell_exe_calling_ps.yml
index b5836b00a..e7584aef2 100644
--- a/rules/windows/powershell/powershell_exe_calling_ps.yml
+++ b/rules/windows/powershell/powershell_exe_calling_ps.yml
@@ -1,7 +1,7 @@
 title: PowerShell called from an Executable Version Mismatch
 status: experimental
 description: Detects PowerShell called from an executable by the version mismatch method
-reference: https://adsecurity.org/?p=2921
+references: https://adsecurity.org/?p=2921
 author: Sean Metcalf (source), Florian Roth (rule)
 logsource:
     product: windows
diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml
index 743c84e20..0d798b0b0 100644
--- a/rules/windows/powershell/powershell_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_malicious_commandlets.yml
@@ -1,7 +1,7 @@
 title: Malicious PowerShell Commandlets
 status: experimental
 description: Detects Commandlet names from well-known PowerShell exploitation frameworks
-reference: https://adsecurity.org/?p=2921
+references: https://adsecurity.org/?p=2921
 author: Sean Metcalf (source), Florian Roth (rule)
 logsource:
     product: windows
diff --git a/rules/windows/powershell/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_malicious_keywords.yml
index 7a8399952..d4b81a5d8 100644
--- a/rules/windows/powershell/powershell_malicious_keywords.yml
+++ b/rules/windows/powershell/powershell_malicious_keywords.yml
@@ -1,7 +1,7 @@
 title: Malicious PowerShell Commandlets
 status: experimental
 description: Detects Commandlet names from well-known PowerShell exploitation frameworks
-reference: https://adsecurity.org/?p=2921
+references: https://adsecurity.org/?p=2921
 author: Sean Metcalf (source), Florian Roth (rule)
 logsource:
     product: windows
diff --git a/rules/windows/powershell/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_prompt_credentials.yml
index 4930e515c..fbd3b38bc 100644
--- a/rules/windows/powershell/powershell_prompt_credentials.yml
+++ b/rules/windows/powershell/powershell_prompt_credentials.yml
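Review bot: powershell_malicious_keywords.yml carries the identical `title: Malicious PowerShell Commandlets` and the identical description as powershell_malicious_commandlets.yml in the preceding hunk, so alerts raised by the two rules cannot be told apart by name or text in a SIEM. The filename indicates the second rule matches keywords rather than cmdlet names, so it should get its own header, e.g. `title: Malicious PowerShell Keywords` and `description: Detects keywords from well-known PowerShell exploitation frameworks`. Both rules' detection sections lie outside the hunks, so whether their logic actually differs cannot be confirmed from this page.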
@@ -1,7 +1,7 @@
 title: PowerShell Credential Prompt
 status: experimental
 description: Detects PowerShell calling a credential prompt
-reference:
+references:
     - https://twitter.com/JohnLaTwC/status/850381440629981184
     - https://t.co/ezOTGy1a1G
 author: John Lambert (idea), Florian Roth (rule)
diff --git a/rules/windows/powershell/powershell_psattack.yml b/rules/windows/powershell/powershell_psattack.yml
index ddc18cbc3..11c36dcc2 100644
--- a/rules/windows/powershell/powershell_psattack.yml
+++ b/rules/windows/powershell/powershell_psattack.yml
@@ -1,7 +1,7 @@
 title: PowerShell PSAttack
 status: experimental
 description: Detects the use of PSAttack PowerShell hack tool
-reference: https://adsecurity.org/?p=2921
+references: https://adsecurity.org/?p=2921
 author: Sean Metcalf (source), Florian Roth (rule)
 logsource:
     product: windows
diff --git a/rules/windows/sysmon/sysmon_bitsadmin_download.yml b/rules/windows/sysmon/sysmon_bitsadmin_download.yml
index b5529e347..65aca7f1d 100644
--- a/rules/windows/sysmon/sysmon_bitsadmin_download.yml
+++ b/rules/windows/sysmon/sysmon_bitsadmin_download.yml
@@ -1,7 +1,7 @@
 title: Bitsadmin Download
 status: experimental
 description: Detects usage of bitsadmin downloading a file
-reference:
+references:
     - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
     - https://isc.sans.edu/diary/22264
 author: Michael Haag
diff --git a/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml b/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml
index 94387f537..a0c16526a 100644
--- a/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml
+++ b/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml
@@ -1,7 +1,7 @@
 title: DHCP Callout DLL installation
 status: experimental
 description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
-reference:
+references:
     - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
     - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
     - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
diff --git a/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml b/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml
index e80e98459..2b0202d9b 100644
--- a/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml
+++ b/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml
@@ -1,7 +1,7 @@
 title: DNS ServerLevelPluginDll Install
 status: experimental
 description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)
-reference:
+references:
     - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
 date: 2017/05/08
 author: Florian Roth
diff --git a/rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml b/rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml
index 16e17108d..a54eae4b0 100644
--- a/rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml
+++ b/rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml
@@ -1,7 +1,7 @@
 title: Droppers exploiting CVE-2017-11882
 status: experimental
 description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
-reference:
+references:
     - https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100
     - https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw
 author: Florian Roth
diff --git a/rules/windows/sysmon/sysmon_mal_namedpipes.yml b/rules/windows/sysmon/sysmon_mal_namedpipes.yml
index f85e734a4..9b50b2235 100644
--- a/rules/windows/sysmon/sysmon_mal_namedpipes.yml
+++ b/rules/windows/sysmon/sysmon_mal_namedpipes.yml
@@ -1,7 +1,7 @@
 title: Malicious Named Pipe
 status: experimental
 description: Detects the creation of a named pipe used by known APT malware
-reference: Various sources
+references: Various sources
 date: 2017/11/06
 author: Florian Roth
 logsource:
diff --git a/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml b/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml
index dc100dbe9..70972032e 100644
--- a/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml
+++ b/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml
@@ -1,7 +1,7 @@
 title: Suspicious Typical Malware Back Connect Ports
 status: experimental
 description: Detects programs that connect to typical malware back connetc ports based on statistical analysis from two different sandbox system databases
-reference: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
+references: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
 author: Florian Roth
 date: 2017/03/19
 logsource:
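Review bot: In sysmon_mal_namedpipes.yml the renamed field still holds the free-text placeholder `+references: Various sources`, which is not a reference at all and, unlike the URLs in every other hunk on this page, gives a reviewer no way to check where the pipe names the rule matches on come from (the detection section is outside the hunk). Either cite the actual sources as list items under `references:` or remove the key so that tooling which expects URLs in this field does not pick up the phrase. The Google Docs URL in the neighbouring sysmon_malware_backconnect_ports.yml hunk is a reference, but a mutable shared document rather than a stable publication, so a short note in the description of what the spreadsheet contains would help if it ever disappears.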
diff --git a/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml b/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml
index ce5ef718c..c63ae611f 100644
--- a/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml
+++ b/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml
@@ -1,7 +1,7 @@
 title: Malware Shellcode in Verclsid Target Process
 status: experimental
 description: Detetcs a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
-reference: https://twitter.com/JohnLaTwC/status/837743453039534080
+references: https://twitter.com/JohnLaTwC/status/837743453039534080
 author: John Lambert (tech), Florian Roth (rule)
 date: 2017/03/04
 logsource:
diff --git a/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml b/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
index 21637d880..92108dc86 100644
--- a/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
+++ b/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
@@ -1,7 +1,7 @@
 title: Mimikatz Detection LSASS Access
 status: experimental
 description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION, 0x0010 PROCESS_VM_READ)
-reference: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
+references: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
 logsource:
     product: windows
     service: sysmon
diff --git a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml b/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml
index aa51de6b2..10443ce11 100644
--- a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml
+++ b/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml
@@ -1,7 +1,7 @@
 title: Mimikatz In-Memory
 status: experimental
 description: Detects certain DLL loads when Mimikatz gets executed
-reference: https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/
+references: https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/
 logsource:
     product: windows
     service: sysmon
diff --git a/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml b/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml
index 2cdefc3d0..9e64fbdb4 100644
--- a/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml
+++ b/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml
@@ -1,7 +1,7 @@
 title: MSHTA Spawning Windows Shell
 status: experimental
 description: Detects a Windows command line executable started from MSHTA.
-reference: https://www.trustedsec.com/july-2015/malicious-htas/
+references: https://www.trustedsec.com/july-2015/malicious-htas/
 author: Michael Haag
 logsource:
     product: windows
diff --git a/rules/windows/sysmon/sysmon_office_macro_cmd.yml b/rules/windows/sysmon/sysmon_office_macro_cmd.yml
index c99d9737c..053e2efb5 100644
--- a/rules/windows/sysmon/sysmon_office_macro_cmd.yml
+++ b/rules/windows/sysmon/sysmon_office_macro_cmd.yml
@@ -1,7 +1,7 @@
 title: Office Macro Starts Cmd
 status: experimental
 description: Detects a Windows command line executable started from Microsoft Word or Excel
-reference: https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
+references: https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
 author: Florian Roth
 logsource:
     product: windows
diff --git a/rules/windows/sysmon/sysmon_office_shell.yml b/rules/windows/sysmon/sysmon_office_shell.yml
index cea01f576..bff44d0f6 100644
--- a/rules/windows/sysmon/sysmon_office_shell.yml
+++ b/rules/windows/sysmon/sysmon_office_shell.yml
@@ -1,7 +1,7 @@
 title: Microsoft Office Product Spawning Windows Shell
 status: experimental
 description: Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio.
-reference: https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
+references: https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
 author: Michael Haag
 logsource:
     product: windows
diff --git a/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml b/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml
index fee494a62..82c84b7e7 100644
--- a/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml
+++ b/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml
@@ -1,7 +1,7 @@
 title: Executable used by PlugX in Uncommon Location
 status: experimental
 description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
-reference:
+references:
     - 'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/'
     - 'https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/'
 author: Florian Roth
diff --git a/rules/windows/sysmon/sysmon_powershell_network_connection.yml b/rules/windows/sysmon/sysmon_powershell_network_connection.yml
index f93bd1be5..36023fd93 100644
--- a/rules/windows/sysmon/sysmon_powershell_network_connection.yml
+++ b/rules/windows/sysmon/sysmon_powershell_network_connection.yml
@@ -2,7 +2,7 @@ title: PowerShell Network Connections
 status: experimental
 description: "Detetcs a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')"
 author: Florian Roth
-reference: https://www.youtube.com/watch?v=DLtJTxMWZ2o
+references: https://www.youtube.com/watch?v=DLtJTxMWZ2o
 logsource:
     product: windows
     service: sysmon
diff --git a/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml b/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml
index 920bd18ac..818c90e10 100644
--- a/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml
+++ b/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml
@@ -1,7 +1,7 @@
 title: Suspicious PowerShell Parameter Substring
 status: experimental
 description: Detects suspicious PowerShell invocation with a parameter substring
-reference: http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier
+references: http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier
 author: Florian Roth (rule), Daniel Bohannon (idea)
 logsource:
     product: windows
diff --git a/rules/windows/sysmon/sysmon_rundll32_net_connections.yml b/rules/windows/sysmon/sysmon_rundll32_net_connections.yml
index cc41ae14a..e928fdf51 100644
--- a/rules/windows/sysmon/sysmon_rundll32_net_connections.yml
+++ b/rules/windows/sysmon/sysmon_rundll32_net_connections.yml
@@ -1,7 +1,7 @@
 title: Rundll32 Internet Connection
 status: experimental
 description: Detects a rundll32 that communicates with piblic IP addresses
-reference: https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
+references: https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
 author: Florian Roth
 date: 2017/11/04
 logsource:
diff --git a/rules/windows/sysmon/sysmon_susp_certutil_command.yml b/rules/windows/sysmon/sysmon_susp_certutil_command.yml
index 0576e250b..a58838d23 100644
--- a/rules/windows/sysmon/sysmon_susp_certutil_command.yml
+++ b/rules/windows/sysmon/sysmon_susp_certutil_command.yml
@@ -4,7 +4,7 @@ description: Detetcs a suspicious Microsoft certutil execution with sub commands
 author:
     - Florian Roth
     - juju4
-reference:
+references:
     - https://twitter.com/JohnLaTwC/status/835149808817991680
     - https://twitter.com/subTee/status/888102593838362624
     - https://twitter.com/subTee/status/888071631528235010
diff --git a/rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml b/rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml
index 07880455f..f8ef570a7 100644
--- a/rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml
+++ b/rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml
@@ -1,7 +1,7 @@
 title: Command Line Execution with suspicious URL and AppData Strings
 status: experimental
 description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
-reference:
+references:
     - 'https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100'
     - 'https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100'
 author: Florian Roth
diff --git a/rules/windows/sysmon/sysmon_susp_control_dll_load.yml b/rules/windows/sysmon/sysmon_susp_control_dll_load.yml
index d53839fc6..0bc8f699f 100644
--- a/rules/windows/sysmon/sysmon_susp_control_dll_load.yml
+++ b/rules/windows/sysmon/sysmon_susp_control_dll_load.yml
@@ -3,7 +3,7 @@ status: experimental
 description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
 author: Florian Roth
 date: 2017/04/15
-reference: https://twitter.com/rikvduijn/status/853251879320662017
+references: https://twitter.com/rikvduijn/status/853251879320662017
 logsource:
     product: windows
     service: sysmon
diff --git a/rules/windows/sysmon/sysmon_susp_exec_folder.yml b/rules/windows/sysmon/sysmon_susp_exec_folder.yml
index f71a300c7..6f5c889b3 100644
--- a/rules/windows/sysmon/sysmon_susp_exec_folder.yml
+++ b/rules/windows/sysmon/sysmon_susp_exec_folder.yml
@@ -3,7 +3,7 @@ status: experimental
 description: Detects process starts of binaries from a suspicious folder
 author: Florian Roth
 date: 2017/10/14
-reference:
+references:
     - https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt
     - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
 logsource:
diff --git a/rules/windows/sysmon/sysmon_susp_mmc_source.yml b/rules/windows/sysmon/sysmon_susp_mmc_source.yml
index 826133637..b0e73b565 100644
--- a/rules/windows/sysmon/sysmon_susp_mmc_source.yml
+++ b/rules/windows/sysmon/sysmon_susp_mmc_source.yml
@@ -1,7 +1,7 @@
 title: Processes created by MMC
 status: experimental
 description: Processes started by MMC could by a sign of lateral movement using MMC application COM object
-reference: https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
+references: https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
 logsource:
     product: windows
     service: sysmon
diff --git a/rules/windows/sysmon/sysmon_susp_net_execution.yml b/rules/windows/sysmon/sysmon_susp_net_execution.yml
index 1cd98ebe7..31ac43127 100644
--- a/rules/windows/sysmon/sysmon_susp_net_execution.yml
+++ b/rules/windows/sysmon/sysmon_susp_net_execution.yml
@@ -1,7 +1,7 @@
 title: Net.exe Execution
 status: experimental
 description: Detects execution of Net.exe, whether suspicious or benign.
-reference: https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
+references: https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
 author: Michael Haag, Mark Woan (improvements)
 logsource:
     product: windows
diff --git a/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml b/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml
index 2b4327d8b..46d6e1422 100644
--- a/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml
+++ b/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml
@@ -2,7 +2,7 @@ title: Suspicious PowerShell Invocation based on Parent Process
 status: experimental
 description: Detects suspicious powershell invocations from interpreters or unusual programs
 author: Florian Roth
-reference: https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/
+references: https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/
 logsource:
     product: windows
     service: sysmon
diff --git a/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml b/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml
index 4a0963167..69a9a91a0 100644
--- a/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml
+++ b/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml
@@ -1,7 +1,7 @@
 title: Suspicious Program Location with Network Connections
 status: experimental
 description: Detects programs with network connections running in suspicious files system locations
-reference: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
+references: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
 author: Florian Roth
 date: 2017/03/19
 logsource:
diff --git a/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml b/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml
index b186c75c3..49053564f 100644
--- a/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml
+++ b/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml
@@ -2,7 +2,7 @@ title: Regsvr32 Anomaly
 status: experimental
 description: Detects various anomalies in relation to regsvr32.exe
 author: Florian Roth
-reference: https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html
+references: https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml b/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml
index 8709b3701..2cd13d306 100644
--- a/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml
+++ b/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml
@@ -2,7 +2,7 @@ title: Activity Related to NTDS.dit Domain Hash Retrieval
 status: experimental
 description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
 author: Florian Roth, Michael Haag
-reference:
+references:
 - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
 - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
 - https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/
diff --git a/rules/windows/sysmon/sysmon_susp_wmi_execution.yml b/rules/windows/sysmon/sysmon_susp_wmi_execution.yml
index 479fb4fe7..eabf207e6 100644
--- a/rules/windows/sysmon/sysmon_susp_wmi_execution.yml
+++ b/rules/windows/sysmon/sysmon_susp_wmi_execution.yml
@@ -1,7 +1,7 @@
 title: Suspicious WMI execution
 status: experimental
 description: Detects WMI executing suspicious commands
-reference:
+references:
 - https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/
 - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
 - https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/
diff --git a/rules/windows/sysmon/sysmon_system_exe_anomaly.yml b/rules/windows/sysmon/sysmon_system_exe_anomaly.yml
index 467056159..b08b5d313 100644
--- a/rules/windows/sysmon/sysmon_system_exe_anomaly.yml
+++ b/rules/windows/sysmon/sysmon_system_exe_anomaly.yml
@@ -1,7 +1,7 @@
 title: System File Execution Location Anomaly
 status: experimental
 description: Detects a Windows program executable started in a suspicious folder
-reference: https://twitter.com/GelosSnake/status/934900723426439170
+references: https://twitter.com/GelosSnake/status/934900723426439170
 author: Florian Roth
 date: 2017/11/27
 logsource:
diff --git a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml
index 3472e28c3..d516ac99f 100644
--- a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml
+++ b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml
@@ -1,7 +1,7 @@
 title: UAC Bypass via Event Viewer
 status: experimental
 description: Detects UAC bypass method using Windows event viewer
-reference:
+references:
 - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
 - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
 author: Florian Roth
diff --git a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml
index 85d50ff89..4fbd2e557 100644
--- a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml
+++ b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml
@@ -1,7 +1,7 @@
 title: UAC Bypass via sdclt
 status: experimental
 description: Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand
-reference: https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
+references: https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
 author: Omer Yampel
 logsource:
 product: windows
diff --git a/rules/windows/sysmon/sysmon_vuln_cve_2017_8759.yml b/rules/windows/sysmon/sysmon_vuln_cve_2017_8759.yml
index 061db9210..7267b3d3e 100644
--- a/rules/windows/sysmon/sysmon_vuln_cve_2017_8759.yml
+++ b/rules/windows/sysmon/sysmon_vuln_cve_2017_8759.yml
@@ -1,6 +1,6 @@
 title: Exploit for CVE-2017-8759
 description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
-reference:
+references:
 - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
 - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
 author: Florian Roth
diff --git a/rules/windows/sysmon/sysmon_win_binary_github_com.yml b/rules/windows/sysmon/sysmon_win_binary_github_com.yml
index 42e2a5c94..93951e190 100644
--- a/rules/windows/sysmon/sysmon_win_binary_github_com.yml
+++ b/rules/windows/sysmon/sysmon_win_binary_github_com.yml
@@ -1,7 +1,7 @@
 title: Microsoft Binary Github Communication
 status: experimental
 description: Detects an executable in the Windows folder accessing github.com
-reference: https://twitter.com/M_haggis/status/900741347035889665
+references: https://twitter.com/M_haggis/status/900741347035889665
 author: Michael Haag (idea), Florian Roth (rule)
 logsource:
 product: windows