security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/Neo23x0/sigma into sigmacs

Browse Source
This commit is contained in:
Nate Guagenti
2020-06-09 16:54:02 -04:00
parent f4fe425fa7 5c835cf1f2
commit 2b735494cd
3 changed files with 79 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/malware/win_mal_flowcloud.yml
+28
View File
@@ -0,0 +1,28 @@
title: FlowCloud Malware
id: 5118765f-6657-4ddb-a487-d7bd673abbf1
status: experimental
description: Detects FlowCloud malware from threat group TA410.
references:
- https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new
author: NVISO
tags:
- attack.persistence
- attack.t1112
date: 2020/06/09
logsource:
product: windows
service: sysmon
detection:
selection:
EventID:
- 12 # key create
- 13 # value set
TargetObject:
- 'HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}'
- 'HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}'
- 'HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}'
- 'HKLM\SYSTEM\Setup\PrintResponsor\*'
condition: selection
falsepositives:
- Unknown
level: critical
rules/windows/malware/win_mal_octopus_scanner.yml
+24
View File
@@ -0,0 +1,24 @@
title: Octopus Scanner Malware
id: 805c55d9-31e6-4846-9878-c34c75054fe9
status: experimental
description: Detects Octopus Scanner Malware.
references:
- https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
tags:
- attack.t1195
author: NVISO
date: 2020/06/09
logsource:
product: windows
service: sysmon
detection:
filecreate:
EventID: 11
selection:
TargetFilename|endswith:
- '\AppData\Local\Microsoft\Cache134.dat'
- '\AppData\Local\Microsoft\ExplorerSync.db'
condition: filecreate and selection
falsepositives:
- Unknown
level: high
rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
+27
View File
@@ -0,0 +1,27 @@
title: DNS Tunnel Technique from MuddyWater
id: 36222790-0d43-4fe8-86e4-674b27809543
description: Detecting DNS tunnel activity for Muddywater actor
author: '@caliskanfurkan_'
status: experimental
date: 2020/06/04
references:
- https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
- https://www.vmray.com/analyses/5ad401c3a568/report/overview.html
tags:
- attack.command_and_control
- attack.t1071
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\powershell.exe'
ParentImage|endswith:
- '\excel.exe'
CommandLine|contains:
- 'DataExchange.dll'
condition: selection
falsepositives:
- Unkown
level: critical