Merge pull request #1691 from SigmaHQ/rule-devel

Rules: scripts from Temp folders, reg disable sec services

rules/windows/process_creation/win_susp_reg_disable_sec_services.yml

@@ -0,0 +1,39 @@
+title: Reg Disable Security Service
+id: 5e95028c-5229-4214-afae-d653d573d0ec
+description: Detects a suspicious reg.exe invocation that looks as if it would disable an important security service
+status: experimental
+references:
+    - https://twitter.com/JohnLaTwC/status/1415295021041979392
+author: Florian Roth, John Lambert (idea)
+date: 2021/07/14
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_reg:
+        CommandLine|contains|all:
+            - 'reg'
+            - 'add'
+            - ' /d 4'
+            - ' /v Start'
+    selection_services:
+        CommandLine|contains:
+            - '\Sense '
+            - '\WinDefend'
+            - '\MsMpSvc'
+            - '\NisSrv'
+            - '\WdBoot '
+            - '\WdNisDrv'
+            - '\WdNisSvc'
+            - '\wscsvc '
+            - '\SecurityHealthService'
+            - '\wuauserv'
+            - '\UsoSvc '
+    condition: selection_reg and selection_services
+falsepositives:
+    - Unknown
+    - Other security solution installers
+level: high

rules/windows/process_creation/win_susp_script_exec_from_temp.yml

@@ -0,0 +1,34 @@
+title: Suspicious Script Execution From Temp Folder
+id: a6a39bdb-935c-4f0a-ab77-35f4bbf44d33
+description: Detects a suspicious script executions from temporary folder
+status: experimental
+references:
+    - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
+author: Florian Roth, Max Altgelt
+date: 2021/07/14
+tags:
+    - attack.execution
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith:
+            - '\powershell.exe'
+            - '\mshta.exe'
+            - '\wscript.exe'
+            - '\cscript.exe'
+        CommandLine|contains: 
+            - '\Windows\Temp'
+            - '\Temporary Internet'
+            - '\AppData\Local\Temp'
+            - '\AppData\Roaming\Temp'
+            - '%TEMP%'
+            - '%TMP%'
+            - '%LocalAppData%\Temp'
+    filter:
+        CommandLine|contains: ' >'
+    condition: selection and not filter
+falsepositives:
+    - Administrative scripts
+level: high