Merge branch 'SigmaHQ:master' into nasbench-rule-devel

This commit is contained in:
Nasreddine Bencherchali
2022-11-29 16:20:55 +01:00
committed by GitHub
18 changed files with 306 additions and 309 deletions
@@ -1,4 +1,4 @@
title: File Time Attribute Change
title: File Time Attribute Change - Linux
id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
status: test
description: Detect file time attribute change to hide new or changes to existing files.
@@ -6,7 +6,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
author: 'Igor Fits, oscd.community'
date: 2020/10/15
modified: 2021/11/27
modified: 2022/11/28
tags:
- attack.defense_evasion
- attack.t1070.006
@@ -1,4 +1,4 @@
title: 'Credentials In Files'
title: Credentials In Files - Linux
id: df3fcaea-2715-4214-99c5-0056ea59eb35
status: test
description: 'Detecting attempts to extract passwords with grep'
@@ -6,7 +6,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
author: 'Igor Fits, oscd.community'
date: 2020/10/15
modified: 2021/11/27
modified: 2022/11/28
tags:
- attack.credential_access
- attack.t1552.001
@@ -1,4 +1,4 @@
title: 'Split A File Into Pieces'
title: Split A File Into Pieces - Linux
id: 2dad0cba-c62a-4a4f-949f-5f6ecd619769
status: test
description: 'Detection use of the command "split" to split files into parts and possible transfer.'
@@ -6,7 +6,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md
author: 'Igor Fits, oscd.community'
date: 2020/10/15
modified: 2021/11/27
modified: 2022/11/28
tags:
- attack.exfiltration
- attack.t1030
@@ -1,4 +1,4 @@
title: 'Suspicious History File Operations'
title: Suspicious History File Operations - Linux
id: eae8ce9f-bde9-47a6-8e79-f20d18419910
status: test
description: 'Detects commandline operations on shell history files'
@@ -6,7 +6,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
author: 'Mikhail Larin, oscd.community'
date: 2020/10/17
modified: 2021/11/27
modified: 2022/11/28
tags:
- attack.credential_access
- attack.t1552.003
@@ -13,7 +13,7 @@ references:
- https://threatpost.com/microsoft-petitpotam-poc/168163/
author: '@neu5ron, @Antonlovesdnb, Mike Remen'
date: 2021/08/17
modified: 2022/10/09
modified: 2022/11/28
tags:
- attack.t1557.001
- attack.t1187
@@ -22,9 +22,7 @@ logsource:
service: dce_rpc
detection:
selection:
operation|startswith:
- 'Efs'
- 'efs'
operation|startswith: 'efs'
condition: selection
fields:
- id.orig_h
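Review bot: Collapsing `'Efs'`/`'efs'` into the single `operation|startswith: 'efs'` is only equivalent because Sigma string matching is case-insensitive by specification; nothing in the rule records that, so a later contributor may re-add the casing variants that the test change in this same commit now reports as duplicates. A one-line comment would pin the intent: `# Sigma matching is case-insensitive: 'efs' also covers Zeek's CamelCase EfsRpc* operation names`. That Zeek logs these operations in CamelCase is inferred from the referenced PetitPotam write-ups rather than shown in the hunk, so confirm before quoting it.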
@@ -14,7 +14,7 @@ references:
- 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS'
author: '@neu5ron, SOC Prime Team, Corelight'
date: 2021/05/04
modified: 2022/10/05
modified: 2022/11/29
tags:
- attack.t1095
- attack.t1571
@@ -40,9 +40,7 @@ detection:
- '.azuregov-dns.org'
exclude_query_types:
qtype_name:
- 'NS'
- 'ns'
- 'MX'
- 'mx'
exclude_responses:
answers|endswith: '\\x00'
@@ -1,4 +1,4 @@
title: Regsvr32 Network Activity
title: Regsvr32 Network Activity - DNS
id: 36e037c4-c228-4866-b6a3-48eb292b9955
related:
- id: c7e91a02-d771-4a6d-a700-42587e0b1095
@@ -10,7 +10,7 @@ references:
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
author: Dmitriy Lifanov, oscd.community
date: 2019/10/25
modified: 2022/10/09
modified: 2022/11/28
tags:
- attack.execution
- attack.t1559.001
@@ -21,7 +21,7 @@ references:
- https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part
author: Nasreddine Bencherchali
date: 2022/08/18
modified: 2022/10/19
modified: 2022/11/28
tags:
- attack.privilege_escalation
- attack.t1543.003
@@ -864,8 +864,6 @@ detection:
- 'DB90E554AD249C2BD888282ECF7D8DA4D1538DD364129A3327B54F8242DD5653'
- 'E61A54F6D3869B43C4ECEAC3016DF73DF67CCE03878C5A6167166601C5D3F028'
- '3871E16758A1778907667F78589359734F7F62F9DC953EC558946DCDBE6951E3'
- 'DED2927F9A4E64EEFD09D0CABA78E94F309E3A6292841AE81D5528CAB109F95D'
- '0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5'
- '80CBBA9F404DF3E642F22C476664D63D7C229D45D34F5CD0E19C65EB41BECEC3'
- 'BB50818A07B0EB1BD317467139B7EB4BAD6CD89053FECDABFEAE111689825955'
- 'FF6729518A380BF57F1BC6F1EC0AA7F3012E1618B8D9B0F31A61D299EE2B4339'
@@ -6,7 +6,7 @@ references:
- https://lolbas-project.github.io/lolbas/Libraries/Desk/
author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
date: 2022/04/27
modified: 2022/10/07
modified: 2022/11/28
tags:
- attack.t1218.011
- attack.defense_evasion
@@ -19,10 +19,7 @@ detection:
filter:
TargetFilename|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\system32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\SysWow64\'
- 'C:\Windows\winsxs\'
- 'C:\Windows\WinSxS\'
- 'C:\$WINDOWS.~BT\NewOS\'
condition: selection and not filter
@@ -7,6 +7,7 @@ references:
- https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py
author: SecurityAura
date: 2022/11/16
modified: 2022/11/29
tags:
- attack.credential_access
- attack.t1003
@@ -17,7 +18,7 @@ detection:
selection:
Image|endswith: '\svchost.exe'
# CommandLine|contains: 'RemoteRegistry' # Uncomment this line if you collect CommandLine data for files events from more accuracy
TargetFilename|endswith: '\Windows\System32\????????.tmp'
TargetFilename|re: '\\Windows\\System32\\[a-zA-Z0-9]{8}\.tmp$'
condition: selection
falsepositives:
- Unknown
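Review bot: The `TargetFilename|re` pattern introduced at line 173 is evaluated case-sensitively by most Sigma backends, while the `endswith` wildcard it replaces was matched case-insensitively, so a path recorded as `\windows\system32\` or `\Windows\system32\` would no longer hit; if the aim is only to restrict the eight wildcard characters to alphanumerics, carry the old semantics over with an inline flag: `TargetFilename|re: '(?i)\\Windows\\System32\\[a-zA-Z0-9]{8}\.tmp$'`. `[a-zA-Z0-9]` also rejects `_` and `-`, which `????????` accepted; that the temp files written during a RemoteRegistry/secretsdump dump always have alphanumeric names is an assumption worth stating, e.g. `# 8 random alphanumeric chars; tighter than the previous ???????? wildcard`. The `re` modifier may also not be supported by every backend, whereas `endswith` with `?` wildcards is.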
@@ -1,4 +1,4 @@
title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
id: d353dac0-1b41-46c2-820c-d7d2561fc6ed
related:
- id: 074e0ded-6ced-4ebd-8b4d-53f55908119
@@ -9,7 +9,7 @@ references:
- https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
author: Julia Fomina, oscd.community
date: 2020/10/06
modified: 2022/10/09
modified: 2022/11/28
tags:
- attack.defense_evasion
- attack.t1216
@@ -1,4 +1,4 @@
title: SILENTTRINITY Stager Execution
title: SILENTTRINITY Stager Execution - DLL
id: 75c505b1-711d-4f68-a357-8c3fe37dbf2d
related:
- id: 03552375-cc2c-4883-bbe4-7958d5a980be
@@ -9,7 +9,7 @@ references:
- https://github.com/byt3bl33d3r/SILENTTRINITY
author: Aleksey Potapov, oscd.community
date: 2019/10/22
modified: 2022/10/09
modified: 2022/11/28
tags:
- attack.command_and_control
- attack.t1071
@@ -6,7 +6,7 @@ references:
- https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
author: Vasiliy Burov
date: 2019/08/06
modified: 2021/11/27
modified: 2022/11/29
tags:
- attack.execution
- attack.t1204
@@ -23,7 +23,7 @@ detection:
CommandLine|contains:
- 'samss'
- 'audioendpointbuilder'
- 'unistoresvc_?????'
- 'unistoresvc_'
condition: all of selection*
falsepositives:
- Unlikely
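Review bot: Replacing `'unistoresvc_?????'` with `'unistoresvc_'` widens the match, unlike the other hunks in this commit that only drop case duplicates: under `contains`, the old value required at least five characters after the underscore, the new one accepts any suffix, including none. That is probably fine for the per-user `UnistoreSvc_<id>` service, whose suffix length is not fixed as far as I know, but it is a behaviour change and deserves a comment such as `# per-user service UnistoreSvc_<id>; suffix length varies, so no wildcard count`. The enclosing selection starts above the hunk.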
@@ -6,7 +6,7 @@ references:
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2
author: Florian Roth
date: 2022/03/24
modified: 2022/10/28
modified: 2022/11/28
logsource:
product: windows
category: process_creation
@@ -16,25 +16,22 @@ detection:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- ' | iex;'
- ' | iex '
- ' | iex}'
- ' | IEX;'
- ' | IEX ;'
- ' | IEX -Error'
- ' | IEX (new'
- ' | IEX (New'
- ' | iex;'
- ' | iex '
- ' | iex}'
- ' | IEX ;'
- ' | IEX -Error'
- ' | IEX (new'
- ');IEX '
selection_combined_2:
CommandLine|contains:
- '::FromBase64String'
- '.GetString([System.Convert]::'
selection_standalone:
CommandLine|contains:
- ')|iex;$'
- ')|IEX;$'
- ');iex($'
- ');iex $'
CommandLine|contains:
- ')|iex;$'
- ');iex($'
- ');iex $'
- ' | IEX | '
condition: all of selection_combined* or selection_standalone
falsepositives:
@@ -6,7 +6,7 @@ references:
- https://www.epicturla.com/blog/sysinturla
author: Florian Roth
date: 2020/05/28
modified: 2021/11/27
modified: 2022/11/29
tags:
- attack.resource_development
- attack.t1588.002
@@ -15,9 +15,7 @@ logsource:
product: windows
detection:
selection:
Product:
- 'Sysinternals DebugView'
- 'Sysinternals Debugview'
Product: 'Sysinternals DebugView'
filter:
OriginalFileName: 'Dbgview.exe'
Image|endswith: '\Dbgview.exe'
@@ -10,6 +10,7 @@ references:
- https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html
author: Nasreddine Bencherchali
date: 2022/09/01
modified: 2022/11/29
tags:
- attack.defense_evasion
- attack.t1489
@@ -35,284 +36,281 @@ detection:
CommandLine|contains: 'Stop-Service '
services:
CommandLine|contains:
- 'VSS'
- 'HealthTLService'
- 'ThreatLockerService'
- '"Veritas System Recovery"'
- 'EPlntegrationService'
- 'EPRedline'
- '"Client Agent 7.60"'
- 'SQLAgent$SVSTEM_BGC'
- '"Sophos Device Control Service"'
- '"Zoolz 2 Service"'
- '"Sophos AutoUpdate Service"'
- '"Sophos System Protection Service"'
- 'POVFSService'
- 'MSSQLFDLauncherSTPSAMA'
- '"Symantec System Recovery"'
- 'Antivirus'
- '"Sophos Health Service"'
- 'MSSQLFDLauncherSTPS'
- 'AcrSch2Svc'
- 'MSSQLSSVSTEM_BGC'
- 'MSSQLFDLauncherSPROFXENGAGEMENT'
- 'SQLAgentSTPS'
- '"Sophos Message Router"'
- 'MSSQLFDLauncher$S8SMONITORING'
- 'MySQL80'
- 'MSSQLSECWDB2'
- 'MSSQLWEEAMSQL2008R2'
- '"Sophos Clean Service"'
- '"Sophos Web Control Service"'
- 'EhttpSry'
- 'MSOLAPSTPSAMA'
- '"Veeam Backup Catalog Data Service"'
- 'MSSQLSSBSMONITORIMG'
- 'AcronisAgent'
- 'MySQLS7'
- 'UTODetect'
- 'MSSQLFOLauncherSSVSTEM_BGC'
- 'MSSQLSBKUPEXEC'
- 'SQLAgentSPRACTTICEBGC'
- '"Sophos MCS Client"'
- 'BackupExeclobEngine'
- 'SQLAgentSVEEAMSQL2008R2'
- '143Svc'
- '"SQLsafe Backup Service"'
- 'SQLAgentSCXDB'
- '"Sophos Safestore Service"'
- 'svcienericHost'
- 'MSSQLSTPSAMA'
- 'SQLAgentSCITRIX_METAFRAME'
- 'WeanClOudSve'
- '"Sophos File Scanner Service"'
- '"Sophos Agent"'
- 'M8EndpointAgent'
- 'mSSQLSFRACTICEMGT'
- 'SQLAgentSTPSAMA'
- 'McAfeeframework'
- '"Enterprise Client Service"'
- 'SQLAgentSSBSMONITORING'
- 'MSSQLSVEEAMSQL2012'
- 'SQ1SafeOLRService'
- 'VeeamEnterpriseHanagerSvc'
- 'SQLAgentSSQL EXPRESS'
- 'MSSQ!I.SPROFXENGAGEMEHT'
- 'IMANSVC'
- 'ARSM'
- 'MSSQLFOLavocher'
- 'MSExchangeMIA'
- 'TruekeyScheduler'
- 'MSSQ0SOPHOS'
- '"SQL Backups"'
- 'MSSQLSTPS'
- 'Weems JY'
- 'MSSQ0SHAREPOINT'
- 'mfevto'
- 'msftesq1SPROO'
- 'wozyprobackup'
- 'MSSQLSSQL_2008'
- 'MSSQLSSQLEXPRESS'
- 'MSSQLSPRACTTICEBGE'
- 'VeeamRISTSvc'
- 'HMS'
- '"Sophos MCS Agent"'
- '"Acronis VSS Provider"'
- 'MSSQLSVIEAMSQL2008112'
- 'HISSQLFDLauncherSSHAREPOINIT'
- '"SQLsafe Filter Service"'
- 'MSSQLSPROO'
- 'SQLAgentSPROO'
- 'MSOLAPSTPS'
- 'VeemaDep/oySvc'
- '"Client Agent 7.60"'
- '"Enterprise Client Service"'
- '"Sophos Agent"'
- '"Sophos AutoUpdate Service"'
- '"Sophos Clean Service"'
- '"Sophos Device Control Service"'
- '"Sophos File Scanner Service"'
- '"Sophos Health Service"'
- '"Sophos MCS Agent"'
- '"Sophos MCS Client"'
- '"Sophos Message Router"'
- '"Sophos Safestore Service"'
- '"Sophos System Protection Service"'
- '"Sophos Web Control Service"'
- '"SQL Backups"'
- '"SQL Server (MSSQLSERVER)"'
- '"SQL Server (SQLEXPRESS)'
- '"SQLsafe Backup Service"'
- '"SQLsafe Filter Service"'
- '"Symantec System Recovery"'
- '"Veeam Backup Catalog Data Service"'
- '"Veritas System Recovery"'
- '"Zoolz 2 Service"'
- '“Avast Business Console Client Antivirus Service”'
- '“avast! Antivirus”'
- '“SQL Backups”'
- '“Zoolz 2 Service”'
- '143Svc'
- 'AcronisAgent'
- 'AcrSch2Svc'
- 'Antivirus'
- 'ARSM'
- 'aswBcc'
- 'AVP'
- 'BackupExecAgentAccelerator'
- 'McAfeeEngineService'
- 'BackupExecAgentBrowser'
- 'McAfeeFramework'
- 'BackupExecDeviceMediaService'
- 'McAfeeFrameworkMcAfeeFramework'
- 'BackupExecJobEngine'
- 'McTaskManager'
- 'BackupExeclobEngine'
- 'BackupExecManagementService'
- 'mfemms'
- 'BackupExecRPCService'
- 'mfevtp'
- 'BackupExecVSSProvider'
- 'MMS'
- 'bedbg'
- 'mozyprobackup'
- 'BITS'
- 'BrokerInfrastructure'
- 'DCAgent'
- 'EhttpSrv'
- 'EhttpSry'
- 'ekrn'
- 'epag'
- 'EPIntegrationService'
- 'EPlntegrationService'
- 'EPProtectedService'
- 'EPRedline'
- 'EPSecurityService'
- 'EPUpdateService'
- 'EraserSvc11710'
- 'EsgShKernel'
- 'ESHASRV'
- 'FA_Scheduler'
- 'HealthTLService'
- 'HISSQLFDLauncherSSHAREPOINIT'
- 'HMS'
- 'IISAdmin'
- 'IMANSVC'
- 'IMAP4Svc'
- 'KAVFS'
- 'KAVFSGT'
- 'kavfsslp'
- 'klnagent'
- 'LogProcessorService'
- 'M8EndpointAgent'
- 'macmnsvc'
- 'masvc'
- 'MBAMService'
- 'MBEndpointAgent'
- 'McAfeeEngineService'
- 'MCAFEEEVENTPARSERSRV'
- 'McAfeeFramework'
- 'McAfeeFrameworkMcAfeeFramework'
- 'MCAFEETOMCATSRV530'
- 'McShield'
- 'McTaskManager'
- 'mfefire'
- 'mfemms'
- 'mfevto'
- 'mfevtp'
- 'mfewc'
- 'MMS'
- 'mozyprobackup'
- 'MsDtsServer'
- 'MsDtsServer100'
- 'MsDtsServer110'
- 'EraserSvc11710'
- 'MsDtsServer130'
- 'MSExchangeES'
- 'EsgShKernel'
- 'MSExchangeIS'
- 'FA_Scheduler'
- 'MSExchangeMGMT'
- 'IISAdmin'
- 'MSExchangeMIA'
- 'MSExchangeMTA'
- 'IMAP4Svc'
- 'MSExchangeSA'
- 'macmnsvc'
- 'MSExchangeSRS'
- 'masvc'
- 'MSOLAP$SQL_2008'
- 'MBAMService'
- 'MSOLAP$SYSTEM_BGC'
- 'MBEndpointAgent'
- 'MSOLAP$TPS'
- 'McShield'
- 'MSSQLSERVER'
- 'MSSQL$ECWDB2'
- 'MSSQLServerADHelper100'
- 'MSSQL$PRACTICEMGT'
- 'MSSQLServerOLAPService'
- 'MSSQL$PRACTTICEBGC'
- 'MySQL57'
- 'MSSQL$PROFXENGAGEMENT'
- 'ntrtscan'
- 'MSSQL$SBSMONITORING'
- 'OracleClientCache80'
- 'MSSQL$SHAREPOINT'
- 'PDVFSService'
- 'MSSQL$SQL_2008'
- 'POP3Svc'
- 'MSSQL$SYSTEM_BGC'
- 'ReportServer'
- 'MSSQL$TPS'
- 'ReportServer$SQL_2008'
- 'MSSQL$TPSAMA'
- 'ReportServer$SYSTEM_BGC'
- 'ReportServer$TPS'
- 'MSSQL$VEEAMSQL2012'
- 'ReportServer$TPSAMA'
- 'MSSQLFDLauncher'
- 'RESvc'
- 'MSSQLFDLauncher$PROFXENGAGEMENT'
- 'sacsvr'
- 'MSSQLFDLauncher$SBSMONITORING'
- 'MSSQLFDLauncher$SHAREPOINT'
- 'SamSs'
- 'MSSQLFDLauncher$SQL_2008'
- 'SAVAdminService'
- 'MSSQLFDLauncher$SYSTEM_BGC'
- 'SAVService'
- 'MSOLAP$TPSAMA'
- 'MSSQLFDLauncher$TPS'
- 'MSSQL$BKUPEXEC'
- 'MSSQLFDLauncher$TPSAMA'
- 'Smcinst'
- 'SQLTELEMETRY$ECWDB2'
- 'SmcService'
- 'SQLWriter'
- 'SMTPSvc'
- 'SstpSvc'
- 'SNAC'
- 'svcGenericHost'
- 'SntpService'
- 'swi_filter'
- 'sophossps'
- 'swi_service'
- 'SQLAgent$BKUPEXEC'
- 'swi_update_64'
- 'SQLAgent$ECWDB2'
- 'TmCCSF'
- 'SQLAgent$PRACTTICEBGC'
- 'tmlisten'
- 'SQLAgent$PRACTTICEMGT'
- 'TrueKey'
- 'SQLAgent$PROFXENGAGEMENT'
- 'TrueKeyScheduler'
- 'SQLAgent$SBSMONITORING'
- 'TrueKeyServiceHelper'
- 'SQLAgent$SHAREPOINT'
- 'SQLAgent$SQL_2008'
- 'UI0Detect'
- 'SQLAgent$SYSTEM_BGC'
- 'SQLAgent$TPS'
- 'VeeamBackupSvc'
- 'SQLAgent$TPSAMA'
- 'VeeamBrokerSvc'
- 'SQLAgent$VEEAMSQL2012'
- 'VeeamCatalogSvc'
- 'SQLBrowser'
- 'VeeamCloudSvc'
- 'SDRSVC'
- 'SQLSafeOLRService'
- 'SepMasterService'
- 'SQLSERVERAGENT'
- 'ShMonitor'
- 'SQLTELEMETRY'
- 'VeeamDeploymentService'
- 'NetMsmqActivator'
- 'VeeamDeploySvc'
- 'EhttpSrv'
- 'VeeamEnterpriseManagerSvc'
- 'ekrn'
- 'VeeamMountSvc'
- 'ESHASRV'
- 'VeeamNFSSvc'
- 'MSSQL$SOPHOS'
- 'VeeamRESTSvc'
- 'SQLAgent$SOPHOS'
- 'VeeamTransportSvc'
- 'AVP'
- 'W3Svc'
- 'klnagent'
- 'MSSQL$SQLEXPRESS'
- 'WRSVC'
- 'SQLAgent$SQLEXPRESS'
- 'wbengine'
- 'MSSQL$VEEAMSQL2008R2'
- 'kavfsslp'
- 'SQLAgent$VEEAMSQL2008R2'
- 'VeeamHvIntegrationSvc'
- 'KAVFSGT'
- 'swi_update'
- 'KAVFS'
- 'SQLAgent$CXDB'
- 'mfefire'
- 'SQLAgent$CITRIX_METAFRAME'
- '“SQL Backups”'
- '“avast! Antivirus”'
- 'MSSQL$PROD'
- 'aswBcc'
- '“Zoolz 2 Service”'
- '“Avast Business Console Client Antivirus Service”'
- 'MSSQLServerADHelper'
- 'mfewc'
- 'SQLAgent$PROD'
- 'Telemetryserver'
- 'msftesq1SPROO'
- 'msftesql$PROD'
- 'WdNisSvc'
- 'WinDefend'
- 'MCAFEETOMCATSRV530'
- 'MCAFEEEVENTPARSERSRV'
- 'MSSQLFDLauncher$ITRIS'
- 'MSOLAP$SQL_2008'
- 'MSOLAP$SYSTEM_BGC'
- 'MSOLAP$TPS'
- 'MSOLAP$TPSAMA'
- 'MSOLAPSTPS'
- 'MSOLAPSTPSAMA'
- 'MSSQ!I.SPROFXENGAGEMEHT'
- 'MSSQ0SHAREPOINT'
- 'MSSQ0SOPHOS'
- 'MSSQL$BKUPEXEC'
- 'MSSQL$ECWDB2'
- 'MSSQL$EPOSERVER'
- 'MSSQL$ITRIS'
- 'MSSQL$PRACTICEMGT'
- 'MSSQL$PRACTTICEBGC'
- 'MSSQL$PROD'
- 'MSSQL$PROFXENGAGEMENT'
- 'MSSQL$SBSMONITORING'
- 'MSSQL$SHAREPOINT'
- 'MSSQL$SOPHOS'
- 'MSSQL$SQL_2008'
- 'MSSQL$SQLEXPRESS'
- 'MSSQL$SYSTEM_BGC'
- 'MSSQL$TPS'
- 'MSSQL$TPSAMA'
- 'MSSQL$VEEAMSQL2008R2'
- 'MSSQL$VEEAMSQL2012'
- 'MSSQLFDLauncher'
- 'MSSQLFDLauncher$ITRIS'
- 'MSSQLFDLauncher$PROFXENGAGEMENT'
- 'MSSQLFDLauncher$S8SMONITORING'
- 'MSSQLFDLauncher$SBSMONITORING'
- 'MSSQLFDLauncher$SHAREPOINT'
- 'MSSQLFDLauncher$SQL_2008'
- 'MSSQLFDLauncher$SYSTEM_BGC'
- 'MSSQLFDLauncher$TPS'
- 'MSSQLFDLauncher$TPSAMA'
- 'MSSQLFDLauncherSPROFXENGAGEMENT'
- 'MSSQLFDLauncherSTPS'
- 'MSSQLFDLauncherSTPSAMA'
- 'MSSQLFOLauncherSSVSTEM_BGC'
- 'MSSQLFOLavocher'
- 'MSSQLLaunchpad$ITRIS'
- 'MSSQLSBKUPEXEC'
- 'MSSQLSECWDB2'
- 'MSSQLSERVER'
- 'MSSQLServerADHelper'
- 'MSSQLServerADHelper100'
- 'MSSQLServerOLAPService'
- 'mSSQLSFRACTICEMGT'
- 'MSSQLSPRACTTICEBGE'
- 'MSSQLSPROO'
- 'MSSQLSSBSMONITORIMG'
- 'MSSQLSSQL_2008'
- 'MSSQLSSQLEXPRESS'
- 'MSSQLSSVSTEM_BGC'
- 'MSSQLSTPS'
- 'MSSQLSTPSAMA'
- 'MSSQLSVEEAMSQL2012'
- 'MSSQLSVIEAMSQL2008112'
- 'MSSQLWEEAMSQL2008R2'
- 'MySQL57'
- 'MySQL80'
- 'MySQLS7'
- 'NetMsmqActivator'
- 'ntrtscan'
- 'OracleClientCache80'
- 'PDVFSService'
- 'POP3Svc'
- 'POVFSService'
- 'ReportServer'
- 'ReportServer$SQL_2008'
- 'ReportServer$SYSTEM_BGC'
- 'ReportServer$TPS'
- 'ReportServer$TPSAMA'
- 'RESvc'
- 'sacsvr'
- 'SamSs'
- 'SAVAdminService'
- 'SAVService'
- 'SDRSVC'
- 'SentinelAgent'
- 'SentinelHelperService'
- 'SepMasterService'
- 'ShMonitor'
- 'Smcinst'
- 'SmcService'
- 'SMTPSvc'
- 'SNAC'
- 'SntpService'
- 'sophossps'
- 'SQ1SafeOLRService'
- 'SQLAgent$BKUPEXEC'
- 'SQLAgent$CITRIX_METAFRAME'
- 'SQLAgent$CXDB'
- 'SQLAgent$ECWDB2'
- 'SQLAgent$EPOSERVER'
- 'SQLAgent$ITRIS'
- 'SQLAgent$PRACTTICEBGC'
- 'SQLAgent$PRACTTICEMGT'
- 'SQLAgent$PROD'
- 'SQLAgent$PROFXENGAGEMENT'
- 'SQLAgent$SBSMONITORING'
- 'SQLAgent$SHAREPOINT'
- 'SQLAgent$SOPHOS'
- 'SQLAgent$SQL_2008'
- 'SQLAgent$SQLEXPRESS'
- 'SQLAgent$SVSTEM_BGC'
- 'SQLAgent$SYSTEM_BGC'
- 'SQLAgent$TPS'
- 'SQLAgent$TPSAMA'
- 'SQLAgent$VEEAMSQL2008R2'
- 'SQLAgent$VEEAMSQL2012'
- 'SQLAgentSCITRIX_METAFRAME'
- 'SQLAgentSCXDB'
- 'SQLAgentSPRACTTICEBGC'
- 'SQLAgentSPROO'
- 'SQLAgentSSBSMONITORING'
- 'SQLAgentSSQL EXPRESS'
- 'SQLAgentSTPS'
- 'SQLAgentSTPSAMA'
- 'SQLAgentSVEEAMSQL2008R2'
- 'SQLBrowser'
- 'SQLSafeOLRService'
- 'SQLSERVERAGENT'
- 'SQLTELEMETRY'
- 'SQLTELEMETRY$ECWDB2'
- 'SQLTELEMETRY$ITRIS'
- 'SentinelHelperService'
- 'MsDtsServer130'
- 'LogProcessorService'
- 'SQLWriter'
- 'SSISTELEMETRY130'
- 'EPUpdateService'
- 'MSSQLLaunchpad$ITRIS'
- 'SstpSvc'
- 'svcGenericHost'
- 'svcienericHost'
- 'swi_filter'
- 'swi_service'
- 'swi_update'
- 'swi_update_64'
- 'Telemetryserver'
- 'ThreatLockerService'
- 'TmCCSF'
- 'tmlisten'
- 'TmPfw'
- 'BITS'
- 'SentinelAgent'
- 'BrokerInfrastructure'
- 'EPProtectedService'
- 'epag'
- 'epredline'
- 'EPIntegrationService'
- 'EPSecurityService'
- 'TrueKey'
- 'TruekeyScheduler'
- 'TrueKeyServiceHelper'
- 'UI0Detect'
- 'UTODetect'
- 'VeeamBackupSvc'
- 'VeeamBrokerSvc'
- 'VeeamCatalogSvc'
- 'VeeamCloudSvc'
- 'VeeamDeploymentService'
- 'VeeamDeploySvc'
- 'VeeamEnterpriseHanagerSvc'
- 'VeeamEnterpriseManagerSvc'
- 'VeeamHvIntegrationSvc'
- 'VeeamMountSvc'
- 'VeeamNFSSvc'
- 'VeeamRESTSvc'
- 'VeeamRISTSvc'
- 'VeeamTransportSvc'
- 'VeemaDep/oySvc'
- 'VSS'
- 'W3Svc'
- 'wbengine'
- 'WdNisSvc'
- 'WeanClOudSve'
- 'Weems JY'
- 'WinDefend'
- 'wozyprobackup'
- 'WRSVC'
condition: services and (all of selection_sc_net* or selection_pwsh)
falsepositives:
- Administrator or tools shutting down the services due to upgrade or removal purposes. If you experience some FP please consider adding filters to the parent process launching this command and not removing the entry
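Review bot: The re-sorted list keeps entries that look like transcription artefacts rather than service names — `'EPlntegrationService'` (lower-case L) next to `'EPIntegrationService'`, `'MSSQ!I.SPROFXENGAGEMEHT'`, `'VeemaDep/oySvc'`, `'WeanClOudSve'`, `'Weems JY'`, `'svcienericHost'` — and such strings cannot occur in a real `net stop`/`sc stop` command line, so they only add maintenance noise; presumably they came from OCR of the referenced LockerGoga write-up, and either dropping them or marking them with `# verbatim from the sample's embedded list; mangled entries kept deliberately` would make the intent explicit. `'"SQL Server (SQLEXPRESS)'` is also missing its closing quote, unlike the `(MSSQLSERVER)` entry beside it, and the four `“…”` curly-quoted entries duplicate their straight-quoted forms while matching a quoting style a Windows shell would not normally produce. Short tokens such as `'VSS'`, `'HMS'`, `'MMS'` and `'Antivirus'` under `contains` will match any service name that embeds them, which the falsepositives note only partly covers. The selection block starts above the hunk.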
@@ -6,7 +6,7 @@ references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019/10/22
modified: 2022/11/08
modified: 2022/11/29
tags:
- attack.defense_evasion
- attack.t1006
@@ -24,7 +24,6 @@ detection:
- 'C:\Windows\servicing\'
- 'C:\Windows\CCM\'
- 'C:\Windows\uus\'
- 'C:\Windows\WinSxs\'
filter_3:
ProcessId: 4
filter_specific:
+22 -9
@@ -13,6 +13,7 @@ import re
from attackcti import attack_client
from colorama import init
from colorama import Fore
import collections
class TestRules(unittest.TestCase):
@@ -126,23 +127,35 @@ class TestRules(unittest.TestCase):
"There are rules with duplicate tags")
def test_look_for_duplicate_filters(self):
def check_list_or_recurse_on_dict(item, depth: int) -> None:
def check_list_or_recurse_on_dict(item, depth: int, special: bool) -> None:
if type(item) == list:
check_if_list_contain_duplicates(item, depth)
check_if_list_contain_duplicates(item, depth, special)
elif type(item) == dict and depth <= MAX_DEPTH:
for sub_item in item.values():
check_list_or_recurse_on_dict(sub_item, depth + 1)
for keys, sub_item in item.items():
if "|base64" in keys: # Covers both "base64" and "base64offset" modifiers
check_list_or_recurse_on_dict(sub_item, depth + 1, True)
else:
check_list_or_recurse_on_dict(sub_item, depth + 1, special)
def check_if_list_contain_duplicates(item: list, depth: int) -> None:
def check_if_list_contain_duplicates(item: list, depth: int, special: bool) -> None:
try:
if len(item) != len(set(item)):
print(Fore.RED + "Rule {} has duplicate filters".format(file))
# We use a list comprehension to convert all the element to lowercase. Since we don't care about casing in SIGMA except for the following modifiers
# - "base64offset"
# - "base64"
if special:
item_ = item
else:
item_= [i.lower() for i in item]
if len(item_) != len(set(item_)):
# We find the duplicates and then print them to the user
duplicates = [i for i, count in collections.Counter(item_).items() if count > 1]
print(Fore.RED + "Rule {} has duplicate filters {}".format(file, duplicates))
files_with_duplicate_filters.append(file)
except:
# unhashable types like dictionaries
for sub_item in item:
if type(sub_item) == dict and depth <= MAX_DEPTH:
check_list_or_recurse_on_dict(sub_item, depth + 1)
check_list_or_recurse_on_dict(sub_item, depth + 1, special)
MAX_DEPTH = 3
files_with_duplicate_filters = []
@@ -150,7 +163,7 @@ class TestRules(unittest.TestCase):
for file in self.yield_next_rule_file_path(self.path_to_rules):
detection = self.get_rule_part(
file_path=file, part_name="detection")
check_list_or_recurse_on_dict(detection, 1)
check_list_or_recurse_on_dict(detection, 1, False)
self.assertEqual(files_with_duplicate_filters, [], Fore.RED +
"There are rules with duplicate filters")
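Review bot: The lowercase normalisation at line 881, `item_= [i.lower() for i in item]`, raises AttributeError for any non-string member, and the pre-existing bare `except:` below it swallows that, so a list of integers such as a duplicated `EventID` value is now silently skipped where the old `set(item)` comparison would have reported it. Restrict the lowering to strings — `item_ = [i.lower() if isinstance(i, str) else i for i in item]` — and narrow the handler to `except TypeError:` so only the unhashable-dict case takes the recursion path. The `special` flag also exempts only `|base64`/`|base64offset`; values under a `|re` modifier are compared case-sensitively by most backends, so differently-cased regexes are not true duplicates either and could join the same check (`if "|base64" in keys or "|re" in keys`). `keys` names a single dictionary key and would read better as `key`.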