From 48441962cce50cd475a5d682d2a796b03ddebba7 Mon Sep 17 00:00:00 2001 
From: SherifEldeeb
Date: Sun, 28 Jan 2018 02:24:16 +0300
Subject: [PATCH] Change All "str" references to be "list"to mach schema update
---
rules/application/app_sqlinjection_errors.yml | 3 ++-
rules/apt/apt_apt29_tor.yml | 3 ++-
rules/apt/apt_carbonpaper_turla.yml | 3 ++-
rules/apt/apt_cloudhopper.yml | 3 ++-
rules/apt/apt_equationgroup_lnx.yml | 3 ++-
rules/apt/apt_pandemic.yml | 3 ++-
rules/apt/apt_stonedrill.yml | 3 ++-
rules/apt/apt_ta17_293a_ps.yml | 3 ++-
rules/apt/apt_turla_commands.yml | 3 ++-
rules/apt/apt_turla_namedpipes.yml | 3 ++-
rules/apt/apt_zxshell.yml | 3 ++-
rules/apt/crime_fireball.yml | 3 ++-
rules/linux/auditd/lnx_auditd_susp_cmds.yml | 3 ++-
rules/linux/auditd/lnx_auditd_susp_exe_folders.yml | 3 ++-
rules/linux/lnx_buffer_overflows.yml | 3 ++-
rules/linux/lnx_clamav.yml | 3 ++-
rules/linux/lnx_shell_susp_commands.yml | 3 ++-
rules/linux/lnx_shellshock.yml | 3 ++-
rules/linux/lnx_susp_ssh.yml | 3 ++-
rules/linux/lnx_susp_vsftp.yml | 3 ++-
rules/proxy/proxy_download_susp_dyndns.yml | 3 ++-
rules/proxy/proxy_download_susp_tlds_blacklist.yml | 3 ++-
rules/proxy/proxy_powershell_ua.yml | 3 ++-
rules/proxy/proxy_susp_flash_download_loc.yml | 3 ++-
rules/proxy/proxy_ua_apt.yml | 3 ++-
rules/web/web_apache_segfault.yml | 3 ++-
.../builtin/win_alert_active_directory_user_control.yml | 3 ++-
rules/windows/builtin/win_alert_enable_weak_encryption.yml | 3 ++-
rules/windows/builtin/win_eventlog_cleared.yml | 3 ++-
rules/windows/builtin/win_mal_wceaux_dll.yml | 3 ++-
rules/windows/builtin/win_multiple_suspicious_cli.yml | 3 ++-
rules/windows/builtin/win_pass_the_hash.yml | 3 ++-
rules/windows/builtin/win_plugx_susp_exe_locations.yml | 3 ++-
rules/windows/builtin/win_susp_add_sid_history.yml | 3 ++-
rules/windows/builtin/win_susp_backup_delete.yml | 3 ++-
rules/windows/builtin/win_susp_cli_escape.yml | 3 ++-
rules/windows/builtin/win_susp_commands_recon_activity.yml | 3 ++-
rules/windows/builtin/win_susp_dns_config.yml | 3 ++-
rules/windows/builtin/win_susp_dsrm_password_change.yml | 3 ++-
rules/windows/builtin/win_susp_eventlog_cleared.yml | 3 ++-
rules/windows/builtin/win_susp_iss_module_install.yml | 3 ++-
rules/windows/builtin/win_susp_lsass_dump.yml | 3 ++-
rules/windows/builtin/win_susp_msmpeng_crash.yml | 3 ++-
rules/windows/builtin/win_susp_net_recon_activity.yml | 3 ++-
rules/windows/builtin/win_susp_phantom_dll.yml | 3 ++-
rules/windows/builtin/win_susp_process_creations.yml | 3 ++-
rules/windows/builtin/win_susp_rasdial_activity.yml | 3 ++-
rules/windows/builtin/win_susp_rc4_kerberos.yml | 3 ++-
rules/windows/builtin/win_susp_run_locations.yml | 3 ++-
rules/windows/builtin/win_susp_rundll32_activity.yml | 3 ++-
rules/windows/malware/sysmon_malware_notpetya.yml | 3 ++-
rules/windows/malware/sysmon_malware_wannacry.yml | 3 ++-
rules/windows/malware/win_mal_wannacry.yml | 3 ++-
rules/windows/other/win_tool_psexec.yml | 3 ++-
rules/windows/other/win_wmi_persistence.yml | 3 ++-
rules/windows/powershell/powershell_downgrade_attack.yml | 3 ++-
rules/windows/powershell/powershell_exe_calling_ps.yml | 3 ++-
rules/windows/powershell/powershell_malicious_commandlets.yml | 3 ++-
rules/windows/powershell/powershell_malicious_keywords.yml | 3 ++-
rules/windows/powershell/powershell_prompt_credentials.yml | 3 ++-
rules/windows/powershell/powershell_psattack.yml | 3 ++-
rules/windows/sysmon/sysmon_bitsadmin_download.yml | 3 ++-
rules/windows/sysmon/sysmon_dhcp_calloutdll.yml | 3 ++-
rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml | 3 ++-
rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml | 3 ++-
rules/windows/sysmon/sysmon_mal_namedpipes.yml | 3 ++-
rules/windows/sysmon/sysmon_malware_backconnect_ports.yml | 3 ++-
rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml | 3 ++-
rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml | 3 ++-
rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml | 3 ++-
rules/windows/sysmon/sysmon_mshta_spawn_shell.yml | 3 ++-
rules/windows/sysmon/sysmon_office_macro_cmd.yml | 3 ++-
rules/windows/sysmon/sysmon_office_shell.yml | 3 ++-
rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml | 3 ++-
rules/windows/sysmon/sysmon_powershell_network_connection.yml | 3 ++-
.../sysmon_powershell_suspicious_parameter_variation.yml | 3 ++-
rules/windows/sysmon/sysmon_rundll32_net_connections.yml | 3 ++-
rules/windows/sysmon/sysmon_susp_certutil_command.yml | 3 ++-
rules/windows/sysmon/sysmon_susp_control_dll_load.yml | 3 ++-
rules/windows/sysmon/sysmon_susp_exec_folder.yml | 3 ++-
rules/windows/sysmon/sysmon_susp_mmc_source.yml | 3 ++-
rules/windows/sysmon/sysmon_susp_net_execution.yml | 3 ++-
rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml | 3 ++-
.../sysmon/sysmon_susp_prog_location_network_connection.yml | 3 ++-
rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml | 3 ++-
rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml | 3 ++-
rules/windows/sysmon/sysmon_susp_wmi_execution.yml | 3 ++-
rules/windows/sysmon/sysmon_system_exe_anomaly.yml | 3 ++-
rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml | 3 ++-
rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml | 3 ++-
rules/windows/sysmon/sysmon_win_binary_github_com.yml | 3 ++-
91 files changed, 182 insertions(+), 91 deletions(-)
diff --git a/rules/application/app_sqlinjection_errors.yml b/rules/application/app_sqlinjection_errors.yml
index f16f47cc5..b6063f05d 100644
--- a/rules/application/app_sqlinjection_errors.yml
+++ b/rules/application/app_sqlinjection_errors.yml
@@ -2,7 +2,8 @@ title: Suspicious SQL Error Messages status: experimental description: Detects SQL error messages that indicate probing for an injection attack author: Bjoern Kimminich
-references: http://www.sqlinjection.net/errors
+references:
+ - http://www.sqlinjection.net/errors logsource: category: application product: sql
diff --git a/rules/apt/apt_apt29_tor.yml b/rules/apt/apt_apt29_tor.yml
index b8640948d..ff03d7b9a 100644
--- a/rules/apt/apt_apt29_tor.yml
+++ b/rules/apt/apt_apt29_tor.yml
@@ -1,7 +1,8 @@ action: global title: APT29 Google Update Service Install description: 'This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe so the service names and executable locations used by APT29 are specific enough to be detected in log files.'
-references: https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
+references:
+ - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html logsource: product: windows detection:
diff --git a/rules/apt/apt_carbonpaper_turla.yml b/rules/apt/apt_carbonpaper_turla.yml
index df615aa32..0afd0473a 100644
--- a/rules/apt/apt_carbonpaper_turla.yml
+++ b/rules/apt/apt_carbonpaper_turla.yml
@@ -1,6 +1,7 @@ title: Turla Service Install description: 'This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET'
-references: https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
+references:
+ - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/ logsource: product: windows service: system
diff --git a/rules/apt/apt_cloudhopper.yml b/rules/apt/apt_cloudhopper.yml
index 0d63e4c70..222faa986 100644
--- a/rules/apt/apt_cloudhopper.yml
+++ b/rules/apt/apt_cloudhopper.yml
@@ -1,7 +1,8 @@ title: WMIExec VBS Script description: Detects suspicious file execution by wscript and cscript author: Florian Roth
-references: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
+references:
+ - https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf logsource: product: windows service: sysmon
diff --git a/rules/apt/apt_equationgroup_lnx.yml b/rules/apt/apt_equationgroup_lnx.yml
index 808747ceb..24a0dc4f8 100644
--- a/rules/apt/apt_equationgroup_lnx.yml
+++ b/rules/apt/apt_equationgroup_lnx.yml
@@ -1,6 +1,7 @@ title: Equation Group Indicators description: Detects suspicious shell commands used in various Equation Group scripts and tools
-references: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
+references:
+ - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 author: Florian Roth logsource: product: linux
diff --git a/rules/apt/apt_pandemic.yml b/rules/apt/apt_pandemic.yml
index 8643d0cb5..db6b9dfdd 100644
--- a/rules/apt/apt_pandemic.yml
+++ b/rules/apt/apt_pandemic.yml
@@ -1,7 +1,8 @@ title: Pandemic Registry Key status: experimental description: Detects Pandemic Windows Implant
-references:
+references:
+ - - https://wikileaks.org/vault7/#Pandemic - https://twitter.com/MalwareJake/status/870349480356454401 author: Florian Roth
diff --git a/rules/apt/apt_stonedrill.yml b/rules/apt/apt_stonedrill.yml
index 650c04f5d..6055faae2 100644
--- a/rules/apt/apt_stonedrill.yml
+++ b/rules/apt/apt_stonedrill.yml
@@ -1,7 +1,8 @@ title: StoneDrill Service Install description: 'This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky' author: Florian Roth
-references: https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
+references:
+ - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/ logsource: product: windows service: system
diff --git a/rules/apt/apt_ta17_293a_ps.yml b/rules/apt/apt_ta17_293a_ps.yml
index 38b511507..e2f01b715 100644
--- a/rules/apt/apt_ta17_293a_ps.yml
+++ b/rules/apt/apt_ta17_293a_ps.yml
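Review bot: In the apt_pandemic.yml hunk the second added line is a bare `  -` placed under `references:` although this rule already stored its references as a list, so the new side has a list that starts with an empty item, which parses as a leading null value if its indentation matches the existing entries and as a parse or structure problem if it does not; either way a schema that expects a list of strings would presumably reject it. The commit's stated conversion (scalar to list) is only needed for rules whose `references` was a single string; for rules that were already lists the hunk should change nothing below the `references:` line. The fix is to drop the added `  -` line so the hunk leaves the existing `- https://...` items as the first entries. The same stray empty item appears in the crime_fireball, lnx_shell_susp_commands, proxy_download_susp_tlds_blacklist, win_alert_active_directory_user_control, win_alert_enable_weak_encryption, win_multiple_suspicious_cli, win_plugx_susp_exe_locations, win_susp_backup_delete, win_susp_cli_escape, win_susp_commands_recon_activity, win_susp_dns_config, win_susp_iss_module_install, win_susp_msmpeng_crash, win_susp_phantom_dll, win_susp_process_creations, win_susp_rasdial_activity, win_susp_run_locations, win_susp_rundll32_activity and sysmon_malware_notpetya hunks.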
@@ -1,6 +1,7 @@ title: Ps.exe Renamed SysInternals Tool description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A report
-references: https://www.us-cert.gov/ncas/alerts/TA17-293A
+references:
+ - https://www.us-cert.gov/ncas/alerts/TA17-293A author: Florian Roth date: 2017/10/22 logsource:
diff --git a/rules/apt/apt_turla_commands.yml b/rules/apt/apt_turla_commands.yml
index d6be983b2..96f9add90 100644
--- a/rules/apt/apt_turla_commands.yml
+++ b/rules/apt/apt_turla_commands.yml
@@ -3,7 +3,8 @@ action: global title: Turla Group Lateral Movement status: experimental description: Detects automated lateral movement by Turla group
-references: https://securelist.com/the-epic-turla-operation/65545/
+references:
+ - https://securelist.com/the-epic-turla-operation/65545/ author: Markus Neis date: 2017/11/07 logsource:
diff --git a/rules/apt/apt_turla_namedpipes.yml b/rules/apt/apt_turla_namedpipes.yml
index dea97cfcb..37827a884 100644
--- a/rules/apt/apt_turla_namedpipes.yml
+++ b/rules/apt/apt_turla_namedpipes.yml
@@ -1,7 +1,8 @@ title: Turla Group Named Pipes status: experimental description: Detects a named pipe used by Turla group samples
-references: Internal Research
+references:
+ - Internal Research date: 2017/11/06 author: Markus Neis logsource:
diff --git a/rules/apt/apt_zxshell.yml b/rules/apt/apt_zxshell.yml
index e6b4e63ba..f91bdc69d 100644
--- a/rules/apt/apt_zxshell.yml
+++ b/rules/apt/apt_zxshell.yml
@@ -1,7 +1,8 @@ title: ZxShell Malware description: Detects a ZxShell start by the called and well-known function name author: Florian Roth
-references: https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
+references:
+ - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100 logsource: product: windows service: sysmon
diff --git a/rules/apt/crime_fireball.yml b/rules/apt/crime_fireball.yml
index 84cc02070..ddd520b63 100644
--- a/rules/apt/crime_fireball.yml
+++ b/rules/apt/crime_fireball.yml
@@ -3,7 +3,8 @@ status: experimental description: Detects Archer malware invocation via rundll32 author: Florian Roth date: 2017/06/03
-references:
+references:
+ - - https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/ - https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100 logsource:
diff --git a/rules/linux/auditd/lnx_auditd_susp_cmds.yml b/rules/linux/auditd/lnx_auditd_susp_cmds.yml
index 1f27e2ffe..72f72669d 100644
--- a/rules/linux/auditd/lnx_auditd_susp_cmds.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_cmds.yml
@@ -1,7 +1,8 @@ title: Detects Suspicious Commands on Linux systems status: experimental description: Detects relevant commands often related to malware or hacking activity
-references: 'Internal Research - mostly derived from exploit code including code in MSF'
+references:
+ - 'Internal Research - mostly derived from exploit code including code in MSF' date: 2017/12/12 author: Florian Roth logsource:
diff --git a/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml b/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
index 80c35cad6..8dab5fd54 100644
--- a/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
@@ -1,7 +1,8 @@ title: Program Executions in Suspicious Folders status: experimental description: Detects program executions in suspicious non-program folders related to malware or hacking activity
-references: 'Internal Research'
+references:
+ - 'Internal Research' date: 2018/01/23 author: Florian Roth logsource:
diff --git a/rules/linux/lnx_buffer_overflows.yml b/rules/linux/lnx_buffer_overflows.yml
index ef92ee2fc..4e0ace1c0 100644
--- a/rules/linux/lnx_buffer_overflows.yml
+++ b/rules/linux/lnx_buffer_overflows.yml
@@ -1,6 +1,7 @@ title: Buffer Overflow Attempts description: Detects buffer overflow attempts in Linux system log files
-references: https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
+references:
+ - https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml logsource: product: linux detection:
diff --git a/rules/linux/lnx_clamav.yml b/rules/linux/lnx_clamav.yml
index a4729d56e..336c636fa 100644
--- a/rules/linux/lnx_clamav.yml
+++ b/rules/linux/lnx_clamav.yml
@@ -1,6 +1,7 @@ title: Relevant ClamAV Message description: Detects relevant ClamAV messages
-references: https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml
+references:
+ - https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml logsource: product: linux service: clamav
diff --git a/rules/linux/lnx_shell_susp_commands.yml b/rules/linux/lnx_shell_susp_commands.yml
index c37310d87..4e2d9adac 100644
--- a/rules/linux/lnx_shell_susp_commands.yml
+++ b/rules/linux/lnx_shell_susp_commands.yml
@@ -1,6 +1,7 @@ title: Suspicious Activity in Shell Commands description: Detects suspicious shell commands used in various exploit codes (see references)
-references:
+references:
+ - - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb#L121 - http://pastebin.com/FtygZ1cg
diff --git a/rules/linux/lnx_shellshock.yml b/rules/linux/lnx_shellshock.yml
index 38e11bbaa..3b89b68a7 100644
--- a/rules/linux/lnx_shellshock.yml
+++ b/rules/linux/lnx_shellshock.yml
@@ -1,6 +1,7 @@ title: Shellshock Expression description: Detects shellshock expressions in log files
-references: http://rubular.com/r/zxBfjWfFYs
+references:
+ - http://rubular.com/r/zxBfjWfFYs logsource: product: linux detection:
diff --git a/rules/linux/lnx_susp_ssh.yml b/rules/linux/lnx_susp_ssh.yml
index 44ce6552f..731951dc4 100644
--- a/rules/linux/lnx_susp_ssh.yml
+++ b/rules/linux/lnx_susp_ssh.yml
@@ -1,6 +1,7 @@ title: Suspicious SSHD Error description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
-references: https://github.com/openssh/openssh-portable/blob/master/ssherr.c
+references:
+ - https://github.com/openssh/openssh-portable/blob/master/ssherr.c author: Florian Roth date: 2017/06/30 logsource:
diff --git a/rules/linux/lnx_susp_vsftp.yml b/rules/linux/lnx_susp_vsftp.yml
index fc92017a1..bbc5e04a8 100644
--- a/rules/linux/lnx_susp_vsftp.yml
+++ b/rules/linux/lnx_susp_vsftp.yml
@@ -1,6 +1,7 @@ title: Suspicious VSFTPD Error Messages description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
-references: https://github.com/dagwieers/vsftpd/
+references:
+ - https://github.com/dagwieers/vsftpd/ author: Florian Roth date: 2017/07/05 logsource:
diff --git a/rules/proxy/proxy_download_susp_dyndns.yml b/rules/proxy/proxy_download_susp_dyndns.yml
index d4432b628..83143db4e 100644
--- a/rules/proxy/proxy_download_susp_dyndns.yml
+++ b/rules/proxy/proxy_download_susp_dyndns.yml
@@ -1,7 +1,8 @@ title: Download from Suspicious Dyndns Hosts status: experimental description: Detects download of certain file types from hosts with dynamic DNS names (selected list)
-references: https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
+references:
+ - https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats author: Florian Roth date: 2017/11/08 logsource:
diff --git a/rules/proxy/proxy_download_susp_tlds_blacklist.yml b/rules/proxy/proxy_download_susp_tlds_blacklist.yml
index d05f8309f..358de00ca 100644
--- a/rules/proxy/proxy_download_susp_tlds_blacklist.yml
+++ b/rules/proxy/proxy_download_susp_tlds_blacklist.yml
@@ -1,7 +1,8 @@ title: Download from Suspicious TLD status: experimental description: Detects download of certain file types from hosts in suspicious TLDs
-references:
+references:
+ - - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf - https://www.spamhaus.org/statistics/tlds/
diff --git a/rules/proxy/proxy_powershell_ua.yml b/rules/proxy/proxy_powershell_ua.yml
index effff040c..ccf64bfcf 100644
--- a/rules/proxy/proxy_powershell_ua.yml
+++ b/rules/proxy/proxy_powershell_ua.yml
@@ -1,7 +1,8 @@ title: Windows PowerShell User Agent status: experimental description: Detects Windows PowerShell Web Access
-references: https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
+references:
+ - https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest author: Florian Roth logsource: category: proxy
diff --git a/rules/proxy/proxy_susp_flash_download_loc.yml b/rules/proxy/proxy_susp_flash_download_loc.yml
index 80f87f141..adf0ada9d 100644
--- a/rules/proxy/proxy_susp_flash_download_loc.yml
+++ b/rules/proxy/proxy_susp_flash_download_loc.yml
@@ -1,7 +1,8 @@ title: Flash Player Update from Suspicious Location status: experimental description: Detects a flashplayer update from an unofficial location
-references: https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
+references:
+ - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb author: Florian Roth logsource: category: proxy
diff --git a/rules/proxy/proxy_ua_apt.yml b/rules/proxy/proxy_ua_apt.yml
index 155871eba..3ecfc11ab 100644
--- a/rules/proxy/proxy_ua_apt.yml
+++ b/rules/proxy/proxy_ua_apt.yml
@@ -1,7 +1,8 @@ title: APT User Agent status: experimental description: Detects suspicious user agent strings used in APT malware in proxy logs
-references: Internal Research
+references:
+ - Internal Research author: Florian Roth logsource: category: proxy
diff --git a/rules/web/web_apache_segfault.yml b/rules/web/web_apache_segfault.yml
index d51faf2bd..ed3352d9d 100644
--- a/rules/web/web_apache_segfault.yml
+++ b/rules/web/web_apache_segfault.yml
@@ -1,7 +1,8 @@ title: Apache Segmentation Fault description: Detects a segmentation fault error message caused by a creashing apacke worker process author: Florian Roth
-references: http://www.securityfocus.com/infocus/1633
+references:
+ - http://www.securityfocus.com/infocus/1633 logsource: product: apache detection:
diff --git a/rules/windows/builtin/win_alert_active_directory_user_control.yml b/rules/windows/builtin/win_alert_active_directory_user_control.yml
index 89da9b0de..ad10fbea3 100644
--- a/rules/windows/builtin/win_alert_active_directory_user_control.yml
+++ b/rules/windows/builtin/win_alert_active_directory_user_control.yml
@@ -1,6 +1,7 @@ title: Enabled User Right in AD to Control User Objects description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
-references:
+references:
+ - - https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/ author: '@neu5ron' logsource:
diff --git a/rules/windows/builtin/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
index f34bbfd64..291f1f5a0 100644
--- a/rules/windows/builtin/win_alert_enable_weak_encryption.yml
+++ b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
@@ -1,6 +1,7 @@ title: Weak Encryption Enabled and Kerberoast description: Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.
-references:
+references:
+ - - https://adsecurity.org/?p=2053 - https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/ author: '@neu5ron'
diff --git a/rules/windows/builtin/win_eventlog_cleared.yml b/rules/windows/builtin/win_eventlog_cleared.yml
index c45f3c2b9..3c015cf38 100644
--- a/rules/windows/builtin/win_eventlog_cleared.yml
+++ b/rules/windows/builtin/win_eventlog_cleared.yml
@@ -3,7 +3,8 @@ status: experimental description: Detects a cleared Windows Eventlog as e.g. caused by "wevtutil cl" command execution author: Florian Roth date: 2017/06/27
-references: https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
+references:
+ - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100 logsource: product: windows service: system
diff --git a/rules/windows/builtin/win_mal_wceaux_dll.yml b/rules/windows/builtin/win_mal_wceaux_dll.yml
index 73cf9838c..2983b2ba3 100644
--- a/rules/windows/builtin/win_mal_wceaux_dll.yml
+++ b/rules/windows/builtin/win_mal_wceaux_dll.yml
@@ -2,7 +2,8 @@ title: WCE wceaux.dll Access status: experimental description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host author: Thomas Patzke
-references: https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+references:
+ - https://www.jpcert.or.jp/english/pub/sr/ir_research.html logsource: product: windows service: security
diff --git a/rules/windows/builtin/win_multiple_suspicious_cli.yml b/rules/windows/builtin/win_multiple_suspicious_cli.yml
index a4db02335..845789df8 100644
--- a/rules/windows/builtin/win_multiple_suspicious_cli.yml
+++ b/rules/windows/builtin/win_multiple_suspicious_cli.yml
@@ -2,7 +2,8 @@ action: global title: Quick Execution of a Series of Suspicious Commands description: Detects multiple suspicious process in a limited timeframe status: experimental
-references:
+references:
+ - - https://car.mitre.org/wiki/CAR-2013-04-002 author: juju4 detection:
diff --git a/rules/windows/builtin/win_pass_the_hash.yml b/rules/windows/builtin/win_pass_the_hash.yml
index c79ce2bad..c8f28fd23 100644
--- a/rules/windows/builtin/win_pass_the_hash.yml
+++ b/rules/windows/builtin/win_pass_the_hash.yml
@@ -1,7 +1,8 @@ title: Pass the Hash Activity status: experimental description: 'Detects the attack technique pass the hash which is used to move laterally inside the network'
-references: https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
+references:
+ - https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method) logsource: product: windows
diff --git a/rules/windows/builtin/win_plugx_susp_exe_locations.yml b/rules/windows/builtin/win_plugx_susp_exe_locations.yml
index 77dbd377d..3cc5f46c8 100644
--- a/rules/windows/builtin/win_plugx_susp_exe_locations.yml
+++ b/rules/windows/builtin/win_plugx_susp_exe_locations.yml
@@ -1,7 +1,8 @@ title: Executable used by PlugX in Uncommon Location status: experimental description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
-references:
+references:
+ - - 'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/' - 'https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/' author: Florian Roth
diff --git a/rules/windows/builtin/win_susp_add_sid_history.yml b/rules/windows/builtin/win_susp_add_sid_history.yml
index 9d7a68a55..af0079590 100644
--- a/rules/windows/builtin/win_susp_add_sid_history.yml
+++ b/rules/windows/builtin/win_susp_add_sid_history.yml
@@ -1,7 +1,8 @@ title: Addition of SID History to Active Directory Object status: stable description: An attacker can use the SID history attribute to gain additional privileges.
-references: https://adsecurity.org/?p=1772
+references:
+ - https://adsecurity.org/?p=1772 author: Thomas Patzke logsource: product: windows
diff --git a/rules/windows/builtin/win_susp_backup_delete.yml b/rules/windows/builtin/win_susp_backup_delete.yml
index a178db8e2..2c53a797e 100644
--- a/rules/windows/builtin/win_susp_backup_delete.yml
+++ b/rules/windows/builtin/win_susp_backup_delete.yml
@@ -1,7 +1,8 @@ title: Backup Catalog Deleted status: experimental description: Detects backup catalog deletions
-references:
+references:
+ - - https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100 author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
diff --git a/rules/windows/builtin/win_susp_cli_escape.yml b/rules/windows/builtin/win_susp_cli_escape.yml
index 39bae210a..bcaa2d1cf 100644
--- a/rules/windows/builtin/win_susp_cli_escape.yml
+++ b/rules/windows/builtin/win_susp_cli_escape.yml
@@ -2,7 +2,8 @@ action: global title: Suspicious Commandline Escape description: Detects suspicious process that use escape characters status: experimental
-references:
+references:
+ - - https://twitter.com/vysecurity/status/885545634958385153 - https://twitter.com/Hexacorn/status/885553465417756673 - https://twitter.com/Hexacorn/status/885570278637678592
diff --git a/rules/windows/builtin/win_susp_commands_recon_activity.yml b/rules/windows/builtin/win_susp_commands_recon_activity.yml
index 5858471bd..68e1a5e5e 100644
--- a/rules/windows/builtin/win_susp_commands_recon_activity.yml
+++ b/rules/windows/builtin/win_susp_commands_recon_activity.yml
@@ -3,7 +3,8 @@ action: global title: Reconnaissance Activity with Net Command status: experimental description: 'Detects a set of commands often used in recon stages by different attack groups'
-references:
+references:
+ - - https://twitter.com/haroonmeer/status/939099379834658817 - https://twitter.com/c_APT_ure/status/939475433711722497 author: Florian Roth
diff --git a/rules/windows/builtin/win_susp_dns_config.yml b/rules/windows/builtin/win_susp_dns_config.yml
index 68679e081..3eebe27d3 100644
--- a/rules/windows/builtin/win_susp_dns_config.yml
+++ b/rules/windows/builtin/win_susp_dns_config.yml
@@ -2,7 +2,8 @@ title: DNS Server Error Failed Loading the ServerLevelPluginDLL description: This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded status: experimental date: 2017/05/08
-references:
+references:
+ - - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 - https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx - https://twitter.com/gentilkiwi/status/861641945944391680
diff --git a/rules/windows/builtin/win_susp_dsrm_password_change.yml b/rules/windows/builtin/win_susp_dsrm_password_change.yml
index c4798def2..ec8e7a46d 100644
--- a/rules/windows/builtin/win_susp_dsrm_password_change.yml
+++ b/rules/windows/builtin/win_susp_dsrm_password_change.yml
@@ -1,7 +1,8 @@ title: Password Change on Directory Service Restore Mode (DSRM) Account status: stable description: The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.
-references: https://adsecurity.org/?p=1714
+references:
+ - https://adsecurity.org/?p=1714 author: Thomas Patzke logsource: product: windows
diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/win_susp_eventlog_cleared.yml
index 0d10b3db9..3d4de217c 100644
--- a/rules/windows/builtin/win_susp_eventlog_cleared.yml
+++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml
@@ -1,6 +1,7 @@ title: Eventlog Cleared description: One of the Windows Eventlogs has been cleared
-references: https://twitter.com/deviouspolack/status/832535435960209408
+references:
+ - https://twitter.com/deviouspolack/status/832535435960209408 author: Florian Roth logsource: product: windows
diff --git a/rules/windows/builtin/win_susp_iss_module_install.yml b/rules/windows/builtin/win_susp_iss_module_install.yml
index 3563095e9..c2ad6d212 100644
--- a/rules/windows/builtin/win_susp_iss_module_install.yml
+++ b/rules/windows/builtin/win_susp_iss_module_install.yml
@@ -3,7 +3,8 @@ action: global title: IIS Native-Code Module Command Line Installation description: Detects suspicious IIS native-code module installations via command line status: experimental
-references:
+references:
+ - - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/ author: Florian Roth detection:
diff --git a/rules/windows/builtin/win_susp_lsass_dump.yml b/rules/windows/builtin/win_susp_lsass_dump.yml
index 38f6670a2..857ebe803 100644
--- a/rules/windows/builtin/win_susp_lsass_dump.yml
+++ b/rules/windows/builtin/win_susp_lsass_dump.yml
@@ -1,7 +1,8 @@ title: Password Dumper Activity on LSASS description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN status: experimental
-references: https://twitter.com/jackcr/status/807385668833968128
+references:
+ - https://twitter.com/jackcr/status/807385668833968128 logsource: product: windows service: security
diff --git a/rules/windows/builtin/win_susp_msmpeng_crash.yml b/rules/windows/builtin/win_susp_msmpeng_crash.yml
index 937ee121d..39b56e7d9 100644
--- a/rules/windows/builtin/win_susp_msmpeng_crash.yml
+++ b/rules/windows/builtin/win_susp_msmpeng_crash.yml
@@ -2,7 +2,8 @@ title: Microsoft Malware Protection Engine Crash description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine status: experimental date: 2017/05/09
-references:
+references:
+ - - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5 - https://technet.microsoft.com/en-us/library/security/4022344 author: Florian Roth
diff --git a/rules/windows/builtin/win_susp_net_recon_activity.yml b/rules/windows/builtin/win_susp_net_recon_activity.yml
index 3761dfafa..ad857762a 100644
--- a/rules/windows/builtin/win_susp_net_recon_activity.yml
+++ b/rules/windows/builtin/win_susp_net_recon_activity.yml
@@ -1,7 +1,8 @@ title: Reconnaissance Activity status: experimental description: 'Detects activity as "net user administrator /domain" and "net group domain admins /domain"'
-references: https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
+references:
+ - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html author: Florian Roth (rule), Jack Croock (method) logsource: product: windows
diff --git a/rules/windows/builtin/win_susp_phantom_dll.yml b/rules/windows/builtin/win_susp_phantom_dll.yml
index 8ec72786a..1dfeabe13 100644
--- a/rules/windows/builtin/win_susp_phantom_dll.yml
+++ b/rules/windows/builtin/win_susp_phantom_dll.yml
@@ -2,7 +2,8 @@ action: global title: Phantom DLLs Usage description: Detects Phantom DLLs usage and matching executable status: experimental
-references:
+references:
+ - - http://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ - http://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/ author: juju4
diff --git a/rules/windows/builtin/win_susp_process_creations.yml b/rules/windows/builtin/win_susp_process_creations.yml
index f1fcbc36d..f20f0be99 100644
--- a/rules/windows/builtin/win_susp_process_creations.yml
+++ b/rules/windows/builtin/win_susp_process_creations.yml
@@ -3,7 +3,8 @@ action: global title: Suspicious Process Creation description: Detects suspicious process starts on Windows systems bsed on keywords status: experimental -references: +references: + - - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/ - https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/ diff --git a/rules/windows/builtin/win_susp_rasdial_activity.yml b/rules/windows/builtin/win_susp_rasdial_activity.yml index 334767d12..0ca74c6cb 100644 --- a/rules/windows/builtin/win_susp_rasdial_activity.yml +++ b/rules/windows/builtin/win_susp_rasdial_activity.yml @@ -2,7 +2,8 @@ action: global title: Suspicious RASdial Activity description: Detects suspicious process related to rasdial.exe status: experimental -references: +references: + - - https://twitter.com/subTee/status/891298217907830785 author: juju4 detection: diff --git a/rules/windows/builtin/win_susp_rc4_kerberos.yml b/rules/windows/builtin/win_susp_rc4_kerberos.yml index 44862ee05..0e355b2fc 100644 --- a/rules/windows/builtin/win_susp_rc4_kerberos.yml +++ b/rules/windows/builtin/win_susp_rc4_kerberos.yml @@ -1,6 +1,7 @@ title: Suspicious Kerberos RC4 Ticket Encryption status: experimental -references: https://adsecurity.org/?p=3458 +references: + - https://adsecurity.org/?p=3458 description: Detects logons using RC4 encryption type logsource: product: windows diff --git a/rules/windows/builtin/win_susp_run_locations.yml b/rules/windows/builtin/win_susp_run_locations.yml index 65e1f1475..5620a4893 100644 --- a/rules/windows/builtin/win_susp_run_locations.yml +++ b/rules/windows/builtin/win_susp_run_locations.yml @@ -2,7 +2,8 @@ action: global title: Suspicious Process Start Locations description: Detects suspicious process run from unusual locations status: experimental -references: +references: + - - https://car.mitre.org/wiki/CAR-2013-05-002 author: juju4 detection: 
diff --git a/rules/windows/builtin/win_susp_rundll32_activity.yml b/rules/windows/builtin/win_susp_rundll32_activity.yml index b64230457..c8c11105a 100644 --- a/rules/windows/builtin/win_susp_rundll32_activity.yml +++ b/rules/windows/builtin/win_susp_rundll32_activity.yml @@ -2,7 +2,8 @@ action: global title: Suspicious Rundll32 Activity description: Detects suspicious process related to rundll32 based on arguments status: experimental -references: +references: + - - http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ - https://twitter.com/Hexacorn/status/885258886428725250 - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52 diff --git a/rules/windows/malware/sysmon_malware_notpetya.yml b/rules/windows/malware/sysmon_malware_notpetya.yml index 15f45ac44..d12233e4e 100644 --- a/rules/windows/malware/sysmon_malware_notpetya.yml +++ b/rules/windows/malware/sysmon_malware_notpetya.yml @@ -2,7 +2,8 @@ title: NotPetya Ransomware Activity status: experimental description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil author: Florian Roth, Tom Ueltschi -references: +references: + - - https://securelist.com/schroedingers-petya/78870/ - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100 logsource: diff --git a/rules/windows/malware/sysmon_malware_wannacry.yml b/rules/windows/malware/sysmon_malware_wannacry.yml index 65c74aab1..dc7d33d88 100644 --- a/rules/windows/malware/sysmon_malware_wannacry.yml +++ b/rules/windows/malware/sysmon_malware_wannacry.yml 
@@ -1,7 +1,8 @@ title: WannaCry Ransomware via Sysmon status: experimental description: Detects WannaCry ransomware activity via Sysmon -references: https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100 +references: + - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100 author: Florian Roth (rule), Tom U. @c_APT_ure (collection) logsource: product: windows diff --git a/rules/windows/malware/win_mal_wannacry.yml b/rules/windows/malware/win_mal_wannacry.yml index a998e3e09..7aea41d32 100644 --- a/rules/windows/malware/win_mal_wannacry.yml +++ b/rules/windows/malware/win_mal_wannacry.yml @@ -2,7 +2,8 @@ action: global title: WannaCry Ransomware description: Detects WannaCry Ransomware Activity status: experimental -references: +references: + - - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa author: Florian Roth detection: diff --git a/rules/windows/other/win_tool_psexec.yml b/rules/windows/other/win_tool_psexec.yml index 0605f8ebf..aa77de45c 100644 --- a/rules/windows/other/win_tool_psexec.yml +++ b/rules/windows/other/win_tool_psexec.yml @@ -2,7 +2,8 @@ title: PsExec Tool Execution status: experimental description: Detects PsExec service installation and execution events (service and Sysmon) author: Thomas Patzke -references: https://www.jpcert.or.jp/english/pub/sr/ir_research.html +references: + - https://www.jpcert.or.jp/english/pub/sr/ir_research.html logsource: product: windows detection: diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml index b359622e6..e48c3779b 100644 --- a/rules/windows/other/win_wmi_persistence.yml +++ b/rules/windows/other/win_wmi_persistence.yml 
@@ -2,7 +2,8 @@ title: WMI Persistence status: experimental description: Detects suspicious WMI event filter and command line event consumer based on event id 5861 (Windows 10, 2012 and higher) author: Florian Roth -references: https://twitter.com/mattifestation/status/899646620148539397 +references: + - https://twitter.com/mattifestation/status/899646620148539397 logsource: product: windows service: wmi diff --git a/rules/windows/powershell/powershell_downgrade_attack.yml b/rules/windows/powershell/powershell_downgrade_attack.yml index 6342d5ce9..728c1b54c 100644 --- a/rules/windows/powershell/powershell_downgrade_attack.yml +++ b/rules/windows/powershell/powershell_downgrade_attack.yml @@ -1,7 +1,8 @@ title: PowerShell Downgrade Attack status: experimental description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0 -references: http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/ +references: + - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/ author: Florian Roth (rule), Lee Holmes (idea) logsource: product: windows diff --git a/rules/windows/powershell/powershell_exe_calling_ps.yml b/rules/windows/powershell/powershell_exe_calling_ps.yml index e7584aef2..dee93074c 100644 --- a/rules/windows/powershell/powershell_exe_calling_ps.yml +++ b/rules/windows/powershell/powershell_exe_calling_ps.yml @@ -1,7 +1,8 @@ title: PowerShell called from an Executable Version Mismatch status: experimental description: Detects PowerShell called from an executable by the version mismatch method -references: https://adsecurity.org/?p=2921 +references: + - https://adsecurity.org/?p=2921 author: Sean Metcalf (source), Florian Roth (rule) logsource: product: windows diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml index 0d798b0b0..e41ed4d9e 100644 
--- a/rules/windows/powershell/powershell_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_malicious_commandlets.yml @@ -1,7 +1,8 @@ title: Malicious PowerShell Commandlets status: experimental description: Detects Commandlet names from well-known PowerShell exploitation frameworks -references: https://adsecurity.org/?p=2921 +references: + - https://adsecurity.org/?p=2921 author: Sean Metcalf (source), Florian Roth (rule) logsource: product: windows diff --git a/rules/windows/powershell/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_malicious_keywords.yml index d4b81a5d8..c56cc7a38 100644 --- a/rules/windows/powershell/powershell_malicious_keywords.yml +++ b/rules/windows/powershell/powershell_malicious_keywords.yml @@ -1,7 +1,8 @@ title: Malicious PowerShell Commandlets status: experimental description: Detects Commandlet names from well-known PowerShell exploitation frameworks -references: https://adsecurity.org/?p=2921 +references: + - https://adsecurity.org/?p=2921 author: Sean Metcalf (source), Florian Roth (rule) logsource: product: windows diff --git a/rules/windows/powershell/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_prompt_credentials.yml index fbd3b38bc..7e1720898 100644 --- a/rules/windows/powershell/powershell_prompt_credentials.yml +++ b/rules/windows/powershell/powershell_prompt_credentials.yml @@ -1,7 +1,8 @@ title: PowerShell Credential Prompt status: experimental description: Detects PowerShell calling a credential prompt -references: +references: + - - https://twitter.com/JohnLaTwC/status/850381440629981184 - https://t.co/ezOTGy1a1G author: John Lambert (idea), Florian Roth (rule) diff --git a/rules/windows/powershell/powershell_psattack.yml b/rules/windows/powershell/powershell_psattack.yml index 11c36dcc2..18df89e05 100644 --- a/rules/windows/powershell/powershell_psattack.yml +++ b/rules/windows/powershell/powershell_psattack.yml 
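Review bot: powershell_malicious_keywords.yml still carries the title `Malicious PowerShell Commandlets` and the description `Detects Commandlet names from well-known PowerShell exploitation frameworks`, byte-identical to powershell_malicious_commandlets.yml in the hunk directly above; these are untouched context lines, but two rules emitting the same title are indistinguishable once they land as alerts in a SIEM, and the filename suggests this one matches keyword substrings rather than cmdlet names. Since the references block right below is being edited anyway, this is a cheap place to give the rule its own identity, e.g. `title: Malicious PowerShell Keywords` and a description along the lines of `Detects keywords from well-known PowerShell exploitation frameworks` — assuming the detection section (outside the hunk) does match keywords as the filename implies; worth confirming before renaming.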
@@ -1,7 +1,8 @@ title: PowerShell PSAttack status: experimental description: Detects the use of PSAttack PowerShell hack tool -references: https://adsecurity.org/?p=2921 +references: + - https://adsecurity.org/?p=2921 author: Sean Metcalf (source), Florian Roth (rule) logsource: product: windows diff --git a/rules/windows/sysmon/sysmon_bitsadmin_download.yml b/rules/windows/sysmon/sysmon_bitsadmin_download.yml index 65aca7f1d..92ae11523 100644 --- a/rules/windows/sysmon/sysmon_bitsadmin_download.yml +++ b/rules/windows/sysmon/sysmon_bitsadmin_download.yml @@ -1,7 +1,8 @@ title: Bitsadmin Download status: experimental description: Detects usage of bitsadmin downloading a file -references: +references: + - - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin - https://isc.sans.edu/diary/22264 author: Michael Haag diff --git a/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml b/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml index a0c16526a..adde51bb4 100644 --- a/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml +++ b/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml @@ -1,7 +1,8 @@ title: DHCP Callout DLL installation status: experimental description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required) -references: +references: + - - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx diff --git a/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml b/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml index 2b0202d9b..a5f773973 100644 --- a/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml +++ b/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml 
@@ -1,7 +1,8 @@ title: DNS ServerLevelPluginDll Install status: experimental description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required) -references: +references: + - - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 date: 2017/05/08 author: Florian Roth diff --git a/rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml b/rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml index a54eae4b0..c92391d61 100644 --- a/rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml +++ b/rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml @@ -1,7 +1,8 @@ title: Droppers exploiting CVE-2017-11882 status: experimental description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe -references: +references: + - - https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100 - https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw author: Florian Roth diff --git a/rules/windows/sysmon/sysmon_mal_namedpipes.yml b/rules/windows/sysmon/sysmon_mal_namedpipes.yml index 9b50b2235..33e87085e 100644 --- a/rules/windows/sysmon/sysmon_mal_namedpipes.yml +++ b/rules/windows/sysmon/sysmon_mal_namedpipes.yml @@ -1,7 +1,8 @@ title: Malicious Named Pipe status: experimental description: Detects the creation of a named pipe used by known APT malware -references: Various sources +references: + - Various sources date: 2017/11/06 author: Florian Roth logsource: diff --git a/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml b/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml index 70972032e..bde56111f 100644 
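Review bot: In sysmon_mal_namedpipes.yml the new `  - Various sources` entry satisfies the list type but is not a reference anyone can follow, and if the schema update constrains items to URLs it will fail validation just as the scalar did. For a rule that alerts on named pipes of specific APT malware, an analyst triaging a hit needs the actual reports the pipe names were taken from; either cite them (one `  - https://...` per source) or, if the schema permits an absent key, drop `references` rather than keep a placeholder string. I cannot tell from the hunk which constraint the schema applies, so check against it before merging.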
--- a/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml +++ b/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml @@ -1,7 +1,8 @@ title: Suspicious Typical Malware Back Connect Ports status: experimental description: Detects programs that connect to typical malware back connetc ports based on statistical analysis from two different sandbox system databases -references: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo +references: + - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo author: Florian Roth date: 2017/03/19 logsource: diff --git a/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml b/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml index c63ae611f..92768aad1 100644 --- a/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml +++ b/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml @@ -1,7 +1,8 @@ title: Malware Shellcode in Verclsid Target Process status: experimental description: Detetcs a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro -references: https://twitter.com/JohnLaTwC/status/837743453039534080 +references: + - https://twitter.com/JohnLaTwC/status/837743453039534080 author: John Lambert (tech), Florian Roth (rule) date: 2017/03/04 logsource: diff --git a/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml b/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml index 92108dc86..6bc5b9a42 100644 --- a/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml +++ b/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml 
@@ -1,7 +1,8 @@ title: Mimikatz Detection LSASS Access status: experimental description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION, 0x0010 PROCESS_VM_READ) -references: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow +references: + - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow logsource: product: windows service: sysmon diff --git a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml b/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml index 10443ce11..8ac6e4bbb 100644 --- a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml +++ b/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml @@ -1,7 +1,8 @@ title: Mimikatz In-Memory status: experimental description: Detects certain DLL loads when Mimikatz gets executed -references: https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/ +references: + - https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/ logsource: product: windows service: sysmon diff --git a/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml b/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml index 9e64fbdb4..3f1418996 100644 --- a/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml +++ b/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml @@ -1,7 +1,8 @@ title: MSHTA Spawning Windows Shell status: experimental description: Detects a Windows command line executable started from MSHTA. -references: https://www.trustedsec.com/july-2015/malicious-htas/ +references: + - https://www.trustedsec.com/july-2015/malicious-htas/ author: Michael Haag logsource: product: windows diff --git a/rules/windows/sysmon/sysmon_office_macro_cmd.yml b/rules/windows/sysmon/sysmon_office_macro_cmd.yml index 053e2efb5..ad9f87e4a 100644 
--- a/rules/windows/sysmon/sysmon_office_macro_cmd.yml +++ b/rules/windows/sysmon/sysmon_office_macro_cmd.yml @@ -1,7 +1,8 @@ title: Office Macro Starts Cmd status: experimental description: Detects a Windows command line executable started from Microsoft Word or Excel -references: https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100 +references: + - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100 author: Florian Roth logsource: product: windows diff --git a/rules/windows/sysmon/sysmon_office_shell.yml b/rules/windows/sysmon/sysmon_office_shell.yml index bff44d0f6..6e61e3ba9 100644 --- a/rules/windows/sysmon/sysmon_office_shell.yml +++ b/rules/windows/sysmon/sysmon_office_shell.yml @@ -1,7 +1,8 @@ title: Microsoft Office Product Spawning Windows Shell status: experimental description: Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio. -references: https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100 +references: + - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100 author: Michael Haag logsource: product: windows diff --git a/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml b/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml index 82c84b7e7..8cb9a7a62 100644 --- a/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml +++ b/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml 
@@ -1,7 +1,8 @@ title: Executable used by PlugX in Uncommon Location status: experimental description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location -references: +references: + - - 'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/' - 'https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/' author: Florian Roth diff --git a/rules/windows/sysmon/sysmon_powershell_network_connection.yml b/rules/windows/sysmon/sysmon_powershell_network_connection.yml index 36023fd93..11e807ea0 100644 --- a/rules/windows/sysmon/sysmon_powershell_network_connection.yml +++ b/rules/windows/sysmon/sysmon_powershell_network_connection.yml @@ -2,7 +2,8 @@ title: PowerShell Network Connections status: experimental description: "Detetcs a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')" author: Florian Roth -references: https://www.youtube.com/watch?v=DLtJTxMWZ2o +references: + - https://www.youtube.com/watch?v=DLtJTxMWZ2o logsource: product: windows service: sysmon diff --git a/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml b/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml index 818c90e10..424640ded 100644 --- a/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml +++ b/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml 
@@ -1,7 +1,8 @@ title: Suspicious PowerShell Parameter Substring status: experimental description: Detects suspicious PowerShell invocation with a parameter substring -references: http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier +references: + - http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier author: Florian Roth (rule), Daniel Bohannon (idea) logsource: product: windows diff --git a/rules/windows/sysmon/sysmon_rundll32_net_connections.yml b/rules/windows/sysmon/sysmon_rundll32_net_connections.yml index e928fdf51..bca589d34 100644 --- a/rules/windows/sysmon/sysmon_rundll32_net_connections.yml +++ b/rules/windows/sysmon/sysmon_rundll32_net_connections.yml @@ -1,7 +1,8 @@ title: Rundll32 Internet Connection status: experimental description: Detects a rundll32 that communicates with piblic IP addresses -references: https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100 +references: + - https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100 author: Florian Roth date: 2017/11/04 logsource: diff --git a/rules/windows/sysmon/sysmon_susp_certutil_command.yml b/rules/windows/sysmon/sysmon_susp_certutil_command.yml index a58838d23..c74bd2fd9 100644 --- a/rules/windows/sysmon/sysmon_susp_certutil_command.yml +++ b/rules/windows/sysmon/sysmon_susp_certutil_command.yml @@ -4,7 +4,8 @@ description: Detetcs a suspicious Microsoft certutil execution with sub commands author: - Florian Roth - juju4 -references: +references: + - - https://twitter.com/JohnLaTwC/status/835149808817991680 - https://twitter.com/subTee/status/888102593838362624 - https://twitter.com/subTee/status/888071631528235010 
diff --git a/rules/windows/sysmon/sysmon_susp_control_dll_load.yml b/rules/windows/sysmon/sysmon_susp_control_dll_load.yml index 0bc8f699f..f2a069d1a 100644 --- a/rules/windows/sysmon/sysmon_susp_control_dll_load.yml +++ b/rules/windows/sysmon/sysmon_susp_control_dll_load.yml @@ -3,7 +3,8 @@ status: experimental description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits author: Florian Roth date: 2017/04/15 -references: https://twitter.com/rikvduijn/status/853251879320662017 +references: + - https://twitter.com/rikvduijn/status/853251879320662017 logsource: product: windows service: sysmon diff --git a/rules/windows/sysmon/sysmon_susp_exec_folder.yml b/rules/windows/sysmon/sysmon_susp_exec_folder.yml index 6f5c889b3..8a444db69 100644 --- a/rules/windows/sysmon/sysmon_susp_exec_folder.yml +++ b/rules/windows/sysmon/sysmon_susp_exec_folder.yml @@ -3,7 +3,8 @@ status: experimental description: Detects process starts of binaries from a suspicious folder author: Florian Roth date: 2017/10/14 -references: +references: + - - https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses logsource: diff --git a/rules/windows/sysmon/sysmon_susp_mmc_source.yml b/rules/windows/sysmon/sysmon_susp_mmc_source.yml index b0e73b565..f31d0bf06 100644 --- a/rules/windows/sysmon/sysmon_susp_mmc_source.yml +++ b/rules/windows/sysmon/sysmon_susp_mmc_source.yml @@ -1,7 +1,8 @@ title: Processes created by MMC status: experimental description: Processes started by MMC could by a sign of lateral movement using MMC application COM object -references: https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ +references: + - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ logsource: product: windows service: sysmon 
diff --git a/rules/windows/sysmon/sysmon_susp_net_execution.yml b/rules/windows/sysmon/sysmon_susp_net_execution.yml index 31ac43127..a3ac5f82c 100644 --- a/rules/windows/sysmon/sysmon_susp_net_execution.yml +++ b/rules/windows/sysmon/sysmon_susp_net_execution.yml @@ -1,7 +1,8 @@ title: Net.exe Execution status: experimental description: Detects execution of Net.exe, whether suspicious or benign. -references: https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/ +references: + - https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/ author: Michael Haag, Mark Woan (improvements) logsource: product: windows diff --git a/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml b/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml index 46d6e1422..f6aa932a4 100644 --- a/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml +++ b/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml @@ -2,7 +2,8 @@ title: Suspicious PowerShell Invocation based on Parent Process status: experimental description: Detects suspicious powershell invocations from interpreters or unusual programs author: Florian Roth -references: https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/ +references: + - https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/ logsource: product: windows service: sysmon diff --git a/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml b/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml index 69a9a91a0..d7febde9c 100644 --- a/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml +++ b/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml 
@@ -1,7 +1,8 @@ title: Suspicious Program Location with Network Connections status: experimental description: Detects programs with network connections running in suspicious files system locations -references: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo +references: + - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo author: Florian Roth date: 2017/03/19 logsource: diff --git a/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml b/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml index 49053564f..40917ac41 100644 --- a/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml +++ b/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml @@ -2,7 +2,8 @@ title: Regsvr32 Anomaly status: experimental description: Detects various anomalies in relation to regsvr32.exe author: Florian Roth -references: https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html +references: + - https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html logsource: product: windows service: sysmon diff --git a/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml b/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml index 2cd13d306..5cf9faa6c 100644 --- a/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml +++ b/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml 
@@ -2,7 +2,8 @@ title: Activity Related to NTDS.dit Domain Hash Retrieval status: experimental description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely author: Florian Roth, Michael Haag -references: +references: + - - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/ - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/ - https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/ diff --git a/rules/windows/sysmon/sysmon_susp_wmi_execution.yml b/rules/windows/sysmon/sysmon_susp_wmi_execution.yml index eabf207e6..3088ab4df 100644 --- a/rules/windows/sysmon/sysmon_susp_wmi_execution.yml +++ b/rules/windows/sysmon/sysmon_susp_wmi_execution.yml @@ -1,7 +1,8 @@ title: Suspicious WMI execution status: experimental description: Detects WMI executing suspicious commands -references: +references: + - - https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/ - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1 - https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/ diff --git a/rules/windows/sysmon/sysmon_system_exe_anomaly.yml b/rules/windows/sysmon/sysmon_system_exe_anomaly.yml index b08b5d313..847f2bbcf 100644 --- a/rules/windows/sysmon/sysmon_system_exe_anomaly.yml +++ b/rules/windows/sysmon/sysmon_system_exe_anomaly.yml @@ -1,7 +1,8 @@ title: System File Execution Location Anomaly status: experimental description: Detects a Windows program executable started in a suspicious folder -references: https://twitter.com/GelosSnake/status/934900723426439170 +references: + - https://twitter.com/GelosSnake/status/934900723426439170 author: Florian Roth date: 2017/11/27 logsource: 
diff --git a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml index d516ac99f..f3f4e2913 100644 --- a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml +++ b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml @@ -1,7 +1,8 @@ title: UAC Bypass via Event Viewer status: experimental description: Detects UAC bypass method using Windows event viewer -references: +references: + - - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100 author: Florian Roth diff --git a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml index 4fbd2e557..7e986069f 100644 --- a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml +++ b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml @@ -1,7 +1,8 @@ title: UAC Bypass via sdclt status: experimental description: Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand -references: https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/ +references: + - https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/ author: Omer Yampel logsource: product: windows diff --git a/rules/windows/sysmon/sysmon_win_binary_github_com.yml b/rules/windows/sysmon/sysmon_win_binary_github_com.yml index 93951e190..dd8af4d8d 100644 --- a/rules/windows/sysmon/sysmon_win_binary_github_com.yml +++ b/rules/windows/sysmon/sysmon_win_binary_github_com.yml @@ -1,7 +1,8 @@ title: Microsoft Binary Github Communication status: experimental description: Detects an executable in the Windows folder accessing github.com -references: https://twitter.com/M_haggis/status/900741347035889665 +references: + - https://twitter.com/M_haggis/status/900741347035889665 author: Michael Haag (idea), Florian Roth (rule) logsource: product: windows