fix: filename to lowercase

2021-09-07 09:16:35 +02:00
parent b0c2d7b75a
commit 33be089ea2
5 changed files with 133 additions and 0 deletions
@@ -0,0 +1,21 @@
+title: Suspicious C2 Activities
+id: f7158a64-6204-4d6d-868a-6e6378b467e0
+status: experimental
+description: Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'. This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)
+author: Marie Euler
+references:
+    - 'https://github.com/Neo23x0/auditd'
+date: 2020/05/18
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        key:
+            - 'susp_activity'
+    condition: selection
+falsepositives:
+    - Admin or User activity
+level: medium
+tags:
+    - attack.command_and_control
@@ -0,0 +1,27 @@
+title: Execution via CL_Invocation.ps1
+id: 4cd29327-685a-460e-9dac-c3ab96e549dc
+description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+modified: 2021/05/21
+references:
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
+    - https://twitter.com/bohops/status/948061991012327424
+tags:
+    - attack.defense_evasion
+    - attack.t1216
+logsource:
+    product: windows
+    service: powershell
+    definition: 'Script block logging must be enabled'
+detection:
+    selection:
+        EventID: 4104
+        ScriptBlockText|contains|all:
+          - 'CL_Invocation.ps1'
+          - 'SyncInvoke'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,29 @@
+title: Execution via CL_Invocation.ps1 (2 Lines)
+id: f588e69b-0750-46bb-8f87-0e9320d57536
+description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+modified: 2021/05/21
+references:
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
+    - https://twitter.com/bohops/status/948061991012327424
+tags:
+    - attack.defense_evasion
+    - attack.t1216
+logsource:
+    product: windows
+    service: powershell
+    definition: 'Script block logging must be enabled'
+detection:
+    selection2:
+        EventID: 4104
+        ScriptBlockText|contains:
+          - 'CL_Invocation.ps1'
+          - 'SyncInvoke'
+    condition: selection2 | count(ScriptBlockText) by Computer > 2
+      # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
+      # PS > SyncInvoke c:\Evil.exe
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,27 @@
+title: Execution via CL_Mutexverifiers.ps1
+id: 39776c99-1c7b-4ba0-b5aa-641525eee1a4
+description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+modified: 2021/05/21
+references:
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
+    - https://twitter.com/pabraeken/status/995111125447577600
+tags:
+    - attack.defense_evasion
+    - attack.t1216
+logsource:
+    product: windows
+    service: powershell
+    definition: 'Script block logging must be enabled'
+detection:
+    selection:
+        EventID: 4104
+        ScriptBlockText|contains|all:
+          - 'CL_Mutexverifiers.ps1'
+          - 'runAfterCancelProcess'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,29 @@
+title: Execution via CL_Mutexverifiers.ps1 (2 Lines)
+id: 6609c444-9670-4eab-9636-fe4755a851ce
+description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+modified: 2021/05/21
+references:
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
+    - https://twitter.com/pabraeken/status/995111125447577600
+tags:
+    - attack.defense_evasion
+    - attack.t1216
+logsource:
+    product: windows
+    service: powershell
+    definition: 'Script block logging must be enabled'
+detection:
+    selection2:
+        EventID: 4104
+        ScriptBlockText|contains:
+          - 'CL_Mutexverifiers.ps1'
+          - 'runAfterCancelProcess'
+    condition: selection2 | count(ScriptBlockText) by Computer > 2
+      # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
+      # PS > runAfterCancelProcess c:\Evil.exe
+falsepositives:
+    - Unknown
+level: high