diff --git a/rules/cloud/aws/aws_ec2_startup_script_change.yml b/rules/cloud/aws/aws_ec2_startup_script_change.yml
index 73c1dd1dc..1e8aa959c 100644
--- a/rules/cloud/aws/aws_ec2_startup_script_change.yml
+++ b/rules/cloud/aws/aws_ec2_startup_script_change.yml
@@ -13,7 +13,7 @@ logsource:
 detection:
 selection_source:
 eventSource: ec2.amazonaws.com
- requestParameters.userData: "*"
+ requestParameters.userData: '*'
 eventName: ModifyInstanceAttribute
 condition: selection_source
 falsepositives:
diff --git a/rules/cloud/aws/aws_elasticache_security_group_created.yml b/rules/cloud/aws/aws_elasticache_security_group_created.yml
index 17c6ebb8e..ed485043d 100644
--- a/rules/cloud/aws/aws_elasticache_security_group_created.yml
+++ b/rules/cloud/aws/aws_elasticache_security_group_created.yml
@@ -13,7 +13,7 @@ logsource:
 detection:
 selection:
 eventSource: elasticache.amazonaws.com
- eventName: "CreateCacheSecurityGroup"
+ eventName: 'CreateCacheSecurityGroup'
 condition: selection
 level: low
 tags:
diff --git a/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml b/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml
index 5487aa55c..fc7daf4a1 100644
--- a/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml
+++ b/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml
@@ -14,11 +14,11 @@ detection:
 selection:
 eventSource: elasticache.amazonaws.com
 eventName:
- - "DeleteCacheSecurityGroup"
- - "AuthorizeCacheSecurityGroupIngress"
- - "RevokeCacheSecurityGroupIngress"
- - "AuthorizeCacheSecurityGroupEgress"
- - "RevokeCacheSecurityGroupEgress"
+ - 'DeleteCacheSecurityGroup'
+ - 'AuthorizeCacheSecurityGroupIngress'
+ - 'RevokeCacheSecurityGroupIngress'
+ - 'AuthorizeCacheSecurityGroupEgress'
+ - 'RevokeCacheSecurityGroupEgress'
 condition: selection
 level: low
 tags:
diff --git a/rules/cloud/aws/aws_rds_change_master_password.yml b/rules/cloud/aws/aws_rds_change_master_password.yml
index 8fe0d7958..161c07abb 100644
--- a/rules/cloud/aws/aws_rds_change_master_password.yml
+++ b/rules/cloud/aws/aws_rds_change_master_password.yml
@@ -13,7 +13,7 @@ logsource:
 detection:
 selection_source:
 eventSource: rds.amazonaws.com
- responseElements.pendingModifiedValues.masterUserPassword: "*"
+ responseElements.pendingModifiedValues.masterUserPassword: '*'
 eventName: ModifyDBInstance
 condition: selection_source
 falsepositives:
diff --git a/rules/cloud/aws/aws_rds_public_db_restore.yml b/rules/cloud/aws/aws_rds_public_db_restore.yml
index d69d7352b..b3bf32e71 100644
--- a/rules/cloud/aws/aws_rds_public_db_restore.yml
+++ b/rules/cloud/aws/aws_rds_public_db_restore.yml
@@ -13,7 +13,7 @@ logsource:
 detection:
 selection_source:
 eventSource: rds.amazonaws.com
- responseElements.publiclyAccessible: "true"
+ responseElements.publiclyAccessible: 'true'
 eventName: RestoreDBInstanceFromDBSnapshot
 condition: selection_source
 falsepositives:
diff --git a/rules/cloud/azure/azure_app_credential_modification.yml b/rules/cloud/azure/azure_app_credential_modification.yml
index 2867e6d78..ea55bf75a 100644
--- a/rules/cloud/azure/azure_app_credential_modification.yml
+++ b/rules/cloud/azure/azure_app_credential_modification.yml
@@ -11,7 +11,7 @@ logsource:
 service: azure.activitylogs
 detection:
 selection:
- properties.message: "Update application - Certificates and secrets management"
+ properties.message: 'Update application - Certificates and secrets management'
 condition: selection
 level: medium
 tags:
diff --git a/rules/cloud/azure/azure_service_principal_created.yml b/rules/cloud/azure/azure_service_principal_created.yml
index 100ef8868..0c72bddfe 100644
--- a/rules/cloud/azure/azure_service_principal_created.yml
+++ b/rules/cloud/azure/azure_service_principal_created.yml
@@ -11,7 +11,7 @@ logsource:
 service: azure.activitylogs
 detection:
 selection:
- properties.message: "Add service principal"
+ properties.message: 'Add service principal'
 condition: selection
 level: medium
 tags:
diff --git a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml
index e9c4857d9..7b59edc1e 100644
--- a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml
+++ b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml
@@ -13,7 +13,7 @@ logsource:
 detection:
 selection:
 eventSource: SecurityComplianceCenter
- eventName: "Activity performed by terminated user"
+ eventName: 'Activity performed by terminated user'
 status: success
 condition: selection
 falsepositives:
diff --git a/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml
index 1b75ffd8e..b45f1711e 100644
--- a/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml
+++ b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml
@@ -13,7 +13,7 @@ logsource:
 detection:
 selection:
 eventSource: SecurityComplianceCenter
- eventName: "Activity from anonymous IP addresses"
+ eventName: 'Activity from anonymous IP addresses'
 status: success
 condition: selection
 falsepositives:
diff --git a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml
index 34557397e..cbbb77acc 100644
--- a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml
+++ b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml
@@ -13,7 +13,7 @@ logsource:
 detection:
 selection:
 eventSource: SecurityComplianceCenter
- eventName: "Activity from infrequent country"
+ eventName: 'Activity from infrequent country'
 status: success
 condition: selection
 falsepositives:
diff --git a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml
index b224f6014..14a1ac8d1 100644
--- a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml
+++ b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml
@@ -13,7 +13,7 @@ logsource:
 detection:
 selection:
 eventSource: SecurityComplianceCenter
- eventName: "Data exfiltration to unsanctioned apps"
+ eventName: 'Data exfiltration to unsanctioned apps'
 status: success
 condition: selection
 falsepositives:
diff --git a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml
index bf3b9d459..210f444f1 100644
--- a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml
+++ b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml
@@ -13,7 +13,7 @@ logsource:
 detection:
 selection:
 eventSource: SecurityComplianceCenter
- eventName: "Activity from suspicious IP addresses"
+ eventName: 'Activity from suspicious IP addresses'
 status: success
 condition: selection
 falsepositives:
diff --git a/rules/cloud/m365/microsoft365_impossible_travel_activity.yml b/rules/cloud/m365/microsoft365_impossible_travel_activity.yml
index b23d04651..78797ef3f 100644
--- a/rules/cloud/m365/microsoft365_impossible_travel_activity.yml
+++ b/rules/cloud/m365/microsoft365_impossible_travel_activity.yml
@@ -14,7 +14,7 @@ logsource:
 detection:
 selection:
 eventSource: SecurityComplianceCenter
- eventName: "Impossible travel activity"
+ eventName: 'Impossible travel activity'
 status: success
 condition: selection
 falsepositives:
diff --git a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml
index e9a282bd0..419f8a3b5 100644
--- a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml
+++ b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml
@@ -13,7 +13,7 @@ logsource:
 detection:
 selection:
 eventSource: SecurityComplianceCenter
- eventName: "Log on from a risky IP address"
+ eventName: 'Log on from a risky IP address'
 status: success
 condition: selection
 falsepositives:
diff --git a/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml b/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml
index 936b3c708..a83c5cdc6 100644
--- a/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml
+++ b/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml
@@ -13,7 +13,7 @@ logsource:
 detection:
 selection:
 eventSource: SecurityComplianceCenter
- eventName: "Potential ransomware activity"
+ eventName: 'Potential ransomware activity'
 status: success
 condition: selection
 falsepositives:
diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml
index 61f478323..bed597d4b 100644
--- a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml
+++ b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml
@@ -13,7 +13,7 @@ logsource:
 detection:
 selection:
 eventSource: SecurityComplianceCenter
- eventName: "Suspicious inbox forwarding"
+ eventName: 'Suspicious inbox forwarding'
 status: success
 condition: selection
 falsepositives:
diff --git a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
index df7d6e742..cfe53ef79 100644
--- a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
+++ b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
@@ -13,7 +13,7 @@ logsource:
 detection:
 selection:
 eventSource: SecurityComplianceCenter
- eventName: "Suspicious OAuth app file download activities"
+ eventName: 'Suspicious OAuth app file download activities'
 status: success
 condition: selection
 falsepositives:
diff --git a/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml b/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml
index 84e368e0f..9c34fe514 100644
--- a/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml
+++ b/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml
@@ -13,7 +13,7 @@ logsource:
 detection:
 selection:
 eventSource: SecurityComplianceCenter
- eventName: "Unusual volume of file deletion"
+ eventName: 'Unusual volume of file deletion'
 status: success
 condition: selection
 falsepositives:
diff --git a/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml b/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml
index c0c02669d..90b4a790c 100644
--- a/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml
+++ b/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml
@@ -13,7 +13,7 @@ logsource:
 detection:
 selection:
 eventSource: SecurityComplianceCenter
- eventName: "User restricted from sending email"
+ eventName: 'User restricted from sending email'
 status: success
 condition: selection
 falsepositives:
diff --git a/rules/compliance/group_modification_logging.yml b/rules/compliance/group_modification_logging.yml
index 0da15dea2..68fc146fd 100644
--- a/rules/compliance/group_modification_logging.yml
+++ b/rules/compliance/group_modification_logging.yml
@@ -1,10 +1,10 @@
 title: Group Modification Logging
 id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e
 status: stable
-description: "Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. Sigma detects\
+description: 'Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. Sigma detects\
 \ Event ID 4728 indicates a \u2018Member is added to a Security Group\u2019. Event ID 4729 indicates a \u2018Member is removed from a Security enabled-group\u2019\
 . Event ID 4730 indicates a\u2018Security Group is deleted\u2019. The case is not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012 R2\
- \ and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP."
+ \ and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.'
 author: Alexandr Yampolskyi, SOC Prime
 date: 2019/03/26
 references:
diff --git a/rules/network/net_high_null_records_requests_rate.yml b/rules/network/net_high_null_records_requests_rate.yml
index 92fb83d52..e8166edca 100644
--- a/rules/network/net_high_null_records_requests_rate.yml
+++ b/rules/network/net_high_null_records_requests_rate.yml
@@ -9,7 +9,7 @@ logsource:
 category: dns
 detection:
 selection:
- record_type: "NULL"
+ record_type: 'NULL'
 timeframe: 1m
 condition: selection | count() by src_ip > 50
 falsepositives:
diff --git a/rules/network/net_high_txt_records_requests_rate.yml b/rules/network/net_high_txt_records_requests_rate.yml
index 4b4bcdabb..fac27dab9 100644
--- a/rules/network/net_high_txt_records_requests_rate.yml
+++ b/rules/network/net_high_txt_records_requests_rate.yml
@@ -9,7 +9,7 @@ logsource:
 category: dns
 detection:
 selection:
- record_type: "TXT"
+ record_type: 'TXT'
 timeframe: 1m
 condition: selection | count() by src_ip > 50
 falsepositives:
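Review bot: The switch from double to single quotes on `description:` in group_modification_logging.yml changes the value, because single-quoted scalars do not process escapes: the `\u2018`/`\u2019` sequences and the trailing-backslash line continuations on the two context lines are now literal text, so the parsed description reads `... Sigma detects\ \ Event ID 4728 indicates a \u2018Member ...`. The minimal fix is to keep the double quotes for this one value; the cleaner fix is to drop the escapes entirely with a folded block scalar and the real ‘ ’ characters, as below. The same problem hits the `\u2014` in the descriptions changed in win_invoke_obfuscation_obfuscated_iex_services.yml (now single-quoted) and powershell_invoke_obfuscation_obfuscated_iex.yml (now a plain scalar), where the em dash becomes a literal `\u2014` ending a sentence whose URL has moved to `references:`; the wording this commit already uses for the sibling win_invoke_obfuscation_obfuscated_iex_services_security.yml, `description: 'Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references'`, fits both. Whatever tool performed the requoting should skip double-quoted scalars that contain a backslash, since those are the only ones whose value depends on the quote style.
```yaml
description: >-
  Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
  Sigma detects Event ID 4728 indicates a ‘Member is added to a Security Group’. Event ID 4729 indicates a ‘Member is removed from a Security enabled-group’.
  Event ID 4730 indicates a ‘Security Group is deleted’. The case is not applicable for Unix OS.
  Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.
```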
diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml
index ec347448f..4b80f9055 100644
--- a/rules/network/zeek/zeek_dns_mining_pools.yml
+++ b/rules/network/zeek/zeek_dns_mining_pools.yml
@@ -18,85 +18,85 @@ tags:
 detection:
 selection:
 query|endswith:
- - "monerohash.com"
- - "do-dear.com"
- - "xmrminerpro.com"
- - "secumine.net"
- - "xmrpool.com"
- - "minexmr.org"
- - "hashanywhere.com"
- - "xmrget.com"
- - "mininglottery.eu"
- - "minergate.com"
- - "moriaxmr.com"
- - "multipooler.com"
- - "moneropools.com"
- - "xmrpool.eu"
- - "coolmining.club"
- - "supportxmr.com"
- - "minexmr.com"
- - "hashvault.pro"
- - "xmrpool.net"
- - "crypto-pool.fr"
- - "xmr.pt"
- - "miner.rocks"
- - "walpool.com"
- - "herominers.com"
- - "gntl.co.uk"
- - "semipool.com"
- - "coinfoundry.org"
- - "cryptoknight.cc"
- - "fairhash.org"
- - "baikalmine.com"
- - "tubepool.xyz"
- - "fairpool.xyz"
- - "asiapool.io"
- - "coinpoolit.webhop.me"
- - "nanopool.org"
- - "moneropool.com"
- - "miner.center"
- - "prohash.net"
- - "poolto.be"
- - "cryptoescrow.eu"
- - "monerominers.net"
- - "cryptonotepool.org"
- - "extrmepool.org"
- - "webcoin.me"
- - "kippo.eu"
- - "hashinvest.ws"
- - "monero.farm"
- - "linux-repository-updates.com"
- - "1gh.com"
- - "dwarfpool.com"
- - "hash-to-coins.com"
- - "pool-proxy.com"
- - "hashfor.cash"
- - "fairpool.cloud"
- - "litecoinpool.org"
- - "mineshaft.ml"
- - "abcxyz.stream"
- - "moneropool.ru"
- - "cryptonotepool.org.uk"
- - "extremepool.org"
- - "extremehash.com"
- - "hashinvest.net"
- - "unipool.pro"
- - "crypto-pools.org"
- - "monero.net"
- - "backup-pool.com"
- - "mooo.com" # Dynamic DNS, may want to exclude
- - "freeyy.me"
- - "cryptonight.net"
- - "shscrypto.net"
+ - 'monerohash.com'
+ - 'do-dear.com'
+ - 'xmrminerpro.com'
+ - 'secumine.net'
+ - 'xmrpool.com'
+ - 'minexmr.org'
+ - 'hashanywhere.com'
+ - 'xmrget.com'
+ - 'mininglottery.eu'
+ - 'minergate.com'
+ - 'moriaxmr.com'
+ - 'multipooler.com'
+ - 'moneropools.com'
+ - 'xmrpool.eu'
+ - 'coolmining.club'
+ - 'supportxmr.com'
+ - 'minexmr.com'
+ - 'hashvault.pro'
+ - 'xmrpool.net'
+ - 'crypto-pool.fr'
+ - 'xmr.pt'
+ - 'miner.rocks'
+ - 'walpool.com'
+ - 'herominers.com'
+ - 'gntl.co.uk'
+ - 'semipool.com'
+ - 'coinfoundry.org'
+ - 'cryptoknight.cc'
+ - 'fairhash.org'
+ - 'baikalmine.com'
+ - 'tubepool.xyz'
+ - 'fairpool.xyz'
+ - 'asiapool.io'
+ - 'coinpoolit.webhop.me'
+ - 'nanopool.org'
+ - 'moneropool.com'
+ - 'miner.center'
+ - 'prohash.net'
+ - 'poolto.be'
+ - 'cryptoescrow.eu'
+ - 'monerominers.net'
+ - 'cryptonotepool.org'
+ - 'extrmepool.org'
+ - 'webcoin.me'
+ - 'kippo.eu'
+ - 'hashinvest.ws'
+ - 'monero.farm'
+ - 'linux-repository-updates.com'
+ - '1gh.com'
+ - 'dwarfpool.com'
+ - 'hash-to-coins.com'
+ - 'pool-proxy.com'
+ - 'hashfor.cash'
+ - 'fairpool.cloud'
+ - 'litecoinpool.org'
+ - 'mineshaft.ml'
+ - 'abcxyz.stream'
+ - 'moneropool.ru'
+ - 'cryptonotepool.org.uk'
+ - 'extremepool.org'
+ - 'extremehash.com'
+ - 'hashinvest.net'
+ - 'unipool.pro'
+ - 'crypto-pools.org'
+ - 'monero.net'
+ - 'backup-pool.com'
+ - 'mooo.com' # Dynamic DNS, may want to exclude
+ - 'freeyy.me'
+ - 'cryptonight.net'
+ - 'shscrypto.net'
 exclude_answers:
 answers:
- - "127.0.0.1"
- - "0.0.0.0"
+ - '127.0.0.1'
+ - '0.0.0.0'
 exclude_rejected:
- rejected: "true"
+ rejected: 'true'
 condition: selection and not (exclude_answers or exclude_rejected)
 falsepositives:
- - A DNS lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is "host" and ssl/tls is "server_name".
+ - A DNS lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is 'host' and ssl/tls is 'server_name'.
 fields:
 - id.orig_h
 - id.resp_h
diff --git a/rules/network/zeek/zeek_dns_torproxy.yml b/rules/network/zeek/zeek_dns_torproxy.yml
index 7c6018e8d..38a787730 100644
--- a/rules/network/zeek/zeek_dns_torproxy.yml
+++ b/rules/network/zeek/zeek_dns_torproxy.yml
@@ -15,38 +15,38 @@ tags:
 detection:
 selection:
 query:
- - "tor2web.org"
- - "tor2web.com"
- - "torlink.co"
- - "onion.to"
- - "onion.ink"
- - "onion.cab"
- - "onion.nu"
- - "onion.link"
- - "onion.it"
- - "onion.city"
- - "onion.direct"
- - "onion.top"
- - "onion.casa"
- - "onion.plus"
- - "onion.rip"
- - "onion.dog"
- - "tor2web.fi"
- - "tor2web.blutmagie.de"
- - "onion.sh"
- - "onion.lu"
- - "onion.pet"
- - "t2w.pw"
- - "tor2web.ae.org"
- - "tor2web.io"
- - "tor2web.xyz"
- - "onion.lt"
- - "s1.tor-gateways.de"
- - "s2.tor-gateways.de"
- - "s3.tor-gateways.de"
- - "s4.tor-gateways.de"
- - "s5.tor-gateways.de"
- - "hiddenservice.net"
+ - 'tor2web.org'
+ - 'tor2web.com'
+ - 'torlink.co'
+ - 'onion.to'
+ - 'onion.ink'
+ - 'onion.cab'
+ - 'onion.nu'
+ - 'onion.link'
+ - 'onion.it'
+ - 'onion.city'
+ - 'onion.direct'
+ - 'onion.top'
+ - 'onion.casa'
+ - 'onion.plus'
+ - 'onion.rip'
+ - 'onion.dog'
+ - 'tor2web.fi'
+ - 'tor2web.blutmagie.de'
+ - 'onion.sh'
+ - 'onion.lu'
+ - 'onion.pet'
+ - 't2w.pw'
+ - 'tor2web.ae.org'
+ - 'tor2web.io'
+ - 'tor2web.xyz'
+ - 'onion.lt'
+ - 's1.tor-gateways.de'
+ - 's2.tor-gateways.de'
+ - 's3.tor-gateways.de'
+ - 's4.tor-gateways.de'
+ - 's5.tor-gateways.de'
+ - 'hiddenservice.net'
 condition: selection
 fields:
 - clientip
diff --git a/rules/network/zeek/zeek_http_executable_download_from_webdav.yml b/rules/network/zeek/zeek_http_executable_download_from_webdav.yml
index 81609c8b9..ac1f505b9 100644
--- a/rules/network/zeek/zeek_http_executable_download_from_webdav.yml
+++ b/rules/network/zeek/zeek_http_executable_download_from_webdav.yml
@@ -1,7 +1,7 @@
 title: Executable from Webdav
 id: aac2fd97-bcba-491b-ad66-a6edf89c71bf
 status: test
-description: "Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/"
+description: 'Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/'
 author: 'SOC Prime, Adam Swan'
 references:
 - http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html
diff --git a/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml b/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml
index 4e1f31edc..df467848c 100644
--- a/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml
+++ b/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml
@@ -27,7 +27,7 @@ detection:
 uri: /wsman
 method: POST
 auth_header:
- client_header_names|contains: "AUTHORIZATION"
+ client_header_names|contains: 'AUTHORIZATION'
 too_small_http_client_body:
 request_body_len: 0
 #winrm_ports:
diff --git a/rules/proxy/proxy_cobalt_amazon.yml b/rules/proxy/proxy_cobalt_amazon.yml
index a935a6980..46d5fcc7f 100644
--- a/rules/proxy/proxy_cobalt_amazon.yml
+++ b/rules/proxy/proxy_cobalt_amazon.yml
@@ -12,13 +12,13 @@ logsource:
 category: proxy
 detection:
 selection1:
- c-useragent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
+ c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
 cs-method: 'GET'
 c-uri: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'
 cs-host: 'www.amazon.com'
 cs-cookie|endswith: '=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996'
 selection2:
- c-useragent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
+ c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
 cs-method: 'POST'
 c-uri: '/N4215/adj/amzn.us.sr.aps'
 cs-host: 'www.amazon.com'
diff --git a/rules/web/web_solarwinds_cve_2020_10148.yml b/rules/web/web_solarwinds_cve_2020_10148.yml
index b6799f605..dc8e60310 100644
--- a/rules/web/web_solarwinds_cve_2020_10148.yml
+++ b/rules/web/web_solarwinds_cve_2020_10148.yml
@@ -14,16 +14,16 @@ logsource:
 detection:
 selection:
 c-uri|contains:
- - "WebResource.axd"
- - "ScriptResource.axd"
- - "i18n.ashx"
- - "Skipi18n"
+ - 'WebResource.axd'
+ - 'ScriptResource.axd'
+ - 'i18n.ashx'
+ - 'Skipi18n'
 valid_request_1:
- c-uri|contains: "Orion/Skipi18n/Profiler/"
+ c-uri|contains: 'Orion/Skipi18n/Profiler/'
 valid_request_2:
 c-uri|contains:
- - "css.i18n.ashx"
- - "js.i18n.ashx"
+ - 'css.i18n.ashx'
+ - 'js.i18n.ashx'
 condition: selection and not valid_request_1 and not valid_request_2
 falsepositives:
 - Unknown
diff --git a/rules/windows/builtin/application/win_av_relevant_match.yml b/rules/windows/builtin/application/win_av_relevant_match.yml
index c3443c4b5..0bd6d9c6f 100644
--- a/rules/windows/builtin/application/win_av_relevant_match.yml
+++ b/rules/windows/builtin/application/win_av_relevant_match.yml
@@ -10,29 +10,29 @@ logsource:
 service: application
 detection:
 keywords:
- - "HTool-"
- - "Hacktool"
- - "ASP/Backdoor"
- - "JSP/Backdoor"
- - "PHP/Backdoor"
- - "Backdoor.ASP"
- - "Backdoor.JSP"
- - "Backdoor.PHP"
- - "Webshell"
- - "Portscan"
- - "Mimikatz"
- - ".WinCred." # . are needed to avoid false positives with many other strings
- - "PlugX"
- - "Korplug"
- - "Pwdump"
- - "Chopper"
- - "WmiExec"
- - "Xscan"
- - "Clearlog"
- - "ASPXSpy"
+ - 'HTool-'
+ - 'Hacktool'
+ - 'ASP/Backdoor'
+ - 'JSP/Backdoor'
+ - 'PHP/Backdoor'
+ - 'Backdoor.ASP'
+ - 'Backdoor.JSP'
+ - 'Backdoor.PHP'
+ - 'Webshell'
+ - 'Portscan'
+ - 'Mimikatz'
+ - '.WinCred.' # . are needed to avoid false positives with many other strings
+ - 'PlugX'
+ - 'Korplug'
+ - 'Pwdump'
+ - 'Chopper'
+ - 'WmiExec'
+ - 'Xscan'
+ - 'Clearlog'
+ - 'ASPXSpy'
 filter:
- - "Keygen"
- - "Crack"
+ - 'Keygen'
+ - 'Crack'
 condition: keywords and not filter
 falsepositives:
 - Some software piracy tools (key generators, cracks) are classified as hack tools
diff --git a/rules/windows/builtin/security/win_defender_bypass.yml b/rules/windows/builtin/security/win_defender_bypass.yml
index 7367db3ce..46345954a 100644
--- a/rules/windows/builtin/security/win_defender_bypass.yml
+++ b/rules/windows/builtin/security/win_defender_bypass.yml
@@ -2,7 +2,7 @@ title: Windows Defender Exclusion Set
 id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
 status: test
 description: 'Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender'
-author: "@BarryShooshooga"
+author: '@BarryShooshooga'
 references:
 - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
 date: 2019/10/26
diff --git a/rules/windows/builtin/security/win_invoke_obfuscation_obfuscated_iex_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_obfuscated_iex_services_security.yml
index 0f746e487..14b5f86e4 100644
--- a/rules/windows/builtin/security/win_invoke_obfuscation_obfuscated_iex_services_security.yml
+++ b/rules/windows/builtin/security/win_invoke_obfuscation_obfuscated_iex_services_security.yml
@@ -3,9 +3,9 @@ id: fd0f5778-d3cb-4c9a-9695-66759d04702a
 related:
 - id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
 type: derived
-description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references"
+description: 'Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references'
 references:
- - https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
+ - https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888
 status: experimental
 author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
 date: 2019/11/08
diff --git a/rules/windows/builtin/security/win_lolbas_execution_of_nltest.yml b/rules/windows/builtin/security/win_lolbas_execution_of_nltest.yml
index 041d524ba..2bc2ee687 100644
--- a/rules/windows/builtin/security/win_lolbas_execution_of_nltest.yml
+++ b/rules/windows/builtin/security/win_lolbas_execution_of_nltest.yml
@@ -19,11 +19,11 @@ detection:
 selection:
 EventID: 4689
 ProcessName|endswith: nltest.exe
- Status: "0x0"
+ Status: '0x0'
 condition: selection
 fields:
- - "SubjectUserName"
- - "SubjectDomainName"
+ - 'SubjectUserName'
+ - 'SubjectDomainName'
 falsepositives:
 - Red team activity
 - rare legitimate use by an administrator
diff --git a/rules/windows/builtin/security/win_protected_storage_service_access.yml b/rules/windows/builtin/security/win_protected_storage_service_access.yml
index 0716acb0e..29cea968c 100644
--- a/rules/windows/builtin/security/win_protected_storage_service_access.yml
+++ b/rules/windows/builtin/security/win_protected_storage_service_access.yml
@@ -14,7 +14,7 @@ detection:
 selection:
 EventID: 5145
 ShareName|contains: 'IPC'
- RelativeTargetName: "protected_storage"
+ RelativeTargetName: 'protected_storage'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/builtin/security/win_scm_database_handle_failure.yml b/rules/windows/builtin/security/win_scm_database_handle_failure.yml
index 90139b070..a664dac6e 100644
--- a/rules/windows/builtin/security/win_scm_database_handle_failure.yml
+++ b/rules/windows/builtin/security/win_scm_database_handle_failure.yml
@@ -18,9 +18,9 @@ detection:
 EventID: 4656
 ObjectType: 'SC_MANAGER OBJECT'
 ObjectName: 'ServicesActive'
- #Keywords: "Audit Failure" <-> in the ref "Keywords":-9214364837600034816
+ #Keywords: 'Audit Failure' <-> in the ref 'Keywords':-9214364837600034816
 filter:
- SubjectLogonId: "0x3e4"
+ SubjectLogonId: '0x3e4'
 condition: selection and not filter
 falsepositives:
 - Unknown
diff --git a/rules/windows/builtin/security/win_scm_database_privileged_operation.yml b/rules/windows/builtin/security/win_scm_database_privileged_operation.yml
index 952176861..d689433ac 100644
--- a/rules/windows/builtin/security/win_scm_database_privileged_operation.yml
+++ b/rules/windows/builtin/security/win_scm_database_privileged_operation.yml
@@ -17,7 +17,7 @@ detection:
 ObjectName: 'servicesactive'
 PrivilegeList: 'SeTakeOwnershipPrivilege'
 filter:
- SubjectLogonId: "0x3e4"
+ SubjectLogonId: '0x3e4'
 condition: selection and not filter
 falsepositives:
 - Unknown
diff --git a/rules/windows/builtin/security/win_susp_rottenpotato.yml b/rules/windows/builtin/security/win_susp_rottenpotato.yml
index f7562e905..1fd50a283 100644
--- a/rules/windows/builtin/security/win_susp_rottenpotato.yml
+++ b/rules/windows/builtin/security/win_susp_rottenpotato.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like
 references:
 - https://twitter.com/SBousseaden/status/1195284233729777665
-author: "@SBousseaden, Florian Roth"
+author: '@SBousseaden, Florian Roth'
 date: 2019/11/15
 modified: 2021/07/07
 tags:
diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_obfuscated_iex_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_obfuscated_iex_services.yml
index 4a0dbf7ec..54c521f46 100644
--- a/rules/windows/builtin/system/win_invoke_obfuscation_obfuscated_iex_services.yml
+++ b/rules/windows/builtin/system/win_invoke_obfuscation_obfuscated_iex_services.yml
@@ -1,6 +1,8 @@
 title: Invoke-Obfuscation Obfuscated IEX Invocation
 id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
-description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
+description: 'Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014'
+references:
+ - https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888
 status: experimental
 author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
 date: 2019/11/08
diff --git a/rules/windows/builtin/system/win_rdp_potential_cve_2019_0708.yml b/rules/windows/builtin/system/win_rdp_potential_cve_2019_0708.yml
index 0ffb293a3..5c732db69 100644
--- a/rules/windows/builtin/system/win_rdp_potential_cve_2019_0708.yml
+++ b/rules/windows/builtin/system/win_rdp_potential_cve_2019_0708.yml
@@ -9,7 +9,7 @@ tags:
 - attack.t1210
 - car.2013-07-002
 status: experimental
-author: "Lionel PRAT, Christophe BROCAS, @atc_project (improvements)"
+author: 'Lionel PRAT, Christophe BROCAS, @atc_project (improvements)'
 date: 2019/05/24
 modified: 2021/10/13
 logsource:
diff --git a/rules/windows/builtin/system/win_susp_dhcp_config_failed.yml b/rules/windows/builtin/system/win_susp_dhcp_config_failed.yml
index dbb4ca85a..b6235d1e0 100644
--- a/rules/windows/builtin/system/win_susp_dhcp_config_failed.yml
+++ b/rules/windows/builtin/system/win_susp_dhcp_config_failed.yml
@@ -12,7 +12,7 @@ tags:
 - attack.defense_evasion
 - attack.t1073 # an old one
 - attack.t1574.002
-author: "Dimitrios Slamaris, @atc_project (fix)"
+author: 'Dimitrios Slamaris, @atc_project (fix)'
 logsource:
 product: windows
 service: system
diff --git a/rules/windows/edr/edr_command_execution_by_office_applications.yml b/rules/windows/edr/edr_command_execution_by_office_applications.yml
index d8496c10d..d7298eae9 100644
--- a/rules/windows/edr/edr_command_execution_by_office_applications.yml
+++ b/rules/windows/edr/edr_command_execution_by_office_applications.yml
@@ -4,7 +4,7 @@ description: Initial execution of malicious document calls wmic Win32_Process::C
 references:
 - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
 - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
-author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)"
+author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)'
 tags:
 - attack.t1204.002
 - attack.t1047
diff --git a/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml b/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml
index 6c4745fe3..d51fc0f63 100644
--- a/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml
+++ b/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml
@@ -4,7 +4,7 @@ description: This rule will monitor executable and script file creation by offic
 references:
 - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
 - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
-author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)"
+author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)'
 tags:
 - attack.t1204.002
 - attack.t1047
@@ -26,16 +26,16 @@ detection:
 - 'powerpnt.exe'
 selection2:
 TargetFilename|endswith:
- - ".exe"
- - ".dll"
- - ".ocx"
- - ".com"
- - ".ps1"
- - ".vbs"
- - ".sys"
- - ".bat"
- - ".scr"
- - ".proj"
+ - '.exe'
+ - '.dll'
+ - '.ocx'
+ - '.com'
+ - '.ps1'
+ - '.vbs'
+ - '.sys'
+ - '.bat'
+ - '.scr'
+ - '.proj'
 condition: selection1 and selection2
 falsepositives:
 - Unknown
diff --git a/rules/windows/malware/av_exploiting.yml b/rules/windows/malware/av_exploiting.yml
index 26c5cf2f5..8f63f2a3c 100644
--- a/rules/windows/malware/av_exploiting.yml
+++ b/rules/windows/malware/av_exploiting.yml
@@ -12,19 +12,19 @@ logsource:
 detection:
 selection:
 Signature|contains:
- - "MeteTool"
- - "MPreter"
- - "Meterpreter"
- - "Metasploit"
- - "PowerSploit"
- - "CobaltSrike"
- - "Swrort"
- - "Rozena"
- - "Backdoor.Cobalt"
- - "CobaltStr"
- - "COBEACON"
- - "Cometer"
- - "Razy"
+ - 'MeteTool'
+ - 'MPreter'
+ - 'Meterpreter'
+ - 'Metasploit'
+ - 'PowerSploit'
+ - 'CobaltSrike'
+ - 'Swrort'
+ - 'Rozena'
+ - 'Backdoor.Cobalt'
+ - 'CobaltStr'
+ - 'COBEACON'
+ - 'Cometer'
+ - 'Razy'
 condition: selection
 fields:
 - FileName
diff --git a/rules/windows/malware/av_password_dumper.yml b/rules/windows/malware/av_password_dumper.yml
index 5b6992800..0cb6b1d0b 100644
--- a/rules/windows/malware/av_password_dumper.yml
+++ b/rules/windows/malware/av_password_dumper.yml
@@ -13,18 +13,18 @@ logsource:
 detection:
 selection:
 Signature|contains:
- - "DumpCreds"
- - "Mimikatz"
- - "PWCrack"
- - "HTool/WCE"
- - "PSWtool"
- - "PWDump"
- - "SecurityTool"
- - "PShlSpy"
- - "Rubeus"
- - "Kekeo"
- - "LsassDump"
- - "Outflank"
+ - 'DumpCreds'
+ - 'Mimikatz'
+ - 'PWCrack'
+ - 'HTool/WCE'
+ - 'PSWtool'
+ - 'PWDump'
+ - 'SecurityTool'
+ - 'PShlSpy'
+ - 'Rubeus'
+ - 'Kekeo'
+ - 'LsassDump'
+ - 'Outflank'
 condition: selection
 fields:
 - FileName
diff --git a/rules/windows/malware/av_webshell.yml b/rules/windows/malware/av_webshell.yml
index 4f0a63aaa..90a124677 100644
--- a/rules/windows/malware/av_webshell.yml
+++ b/rules/windows/malware/av_webshell.yml
@@ -24,48 +24,48 @@ logsource:
detection:
selection:
- Signature|startswith:
- - "PHP/"
- - "JSP/"
- - "ASP/"
- - "Perl/"
- - "PHP."
- - "JSP."
- - "ASP."
- - "Perl."
- - "VBS/Uxor" # looking for "VBS/" would also find downloaders and droppers meant for desktops
- - "IIS/BackDoor"
- - "JAVA/Backdoor"
- - "Troj/ASP"
- - "Troj/PHP"
- - "Troj/JSP"
+ - 'PHP/'
+ - 'JSP/'
+ - 'ASP/'
+ - 'Perl/'
+ - 'PHP.'
+ - 'JSP.'
+ - 'ASP.'
+ - 'Perl.'
+ - 'VBS/Uxor' # looking for 'VBS/' would also find downloaders and droppers meant for desktops
+ - 'IIS/BackDoor'
+ - 'JAVA/Backdoor'
+ - 'Troj/ASP'
+ - 'Troj/PHP'
+ - 'Troj/JSP'
- Signature|contains:
- - "Webshell"
- - "Chopper"
- - "SinoChoper"
- - "ASPXSpy"
- - "Aspdoor"
- - "filebrowser"
- - "PHP_"
- - "JSP_"
- - "ASP_" # looking for "VBS_" would also find downloaders and droppers meant for desktops
- - "PHP:"
- - "JSP:"
- - "ASP:"
- - "Perl:"
- - "PHPShell"
- - "Trojan.PHP"
- - "Trojan.ASP"
- - "Trojan.JSP"
- - "Trojan.VBS"
- - "PHP?Agent"
- - "ASP?Agent"
- - "JSP?Agent"
- - "VBS?Agent"
- - "Backdoor?PHP"
- - "Backdoor?JSP"
- - "Backdoor?ASP"
- - "Backdoor?VBS"
- - "Backdoor?Java"
+ - 'Webshell'
+ - 'Chopper'
+ - 'SinoChoper'
+ - 'ASPXSpy'
+ - 'Aspdoor'
+ - 'filebrowser'
+ - 'PHP_'
+ - 'JSP_'
+ - 'ASP_' # looking for 'VBS_' would also find downloaders and droppers meant for desktops
+ - 'PHP:'
+ - 'JSP:'
+ - 'ASP:'
+ - 'Perl:'
+ - 'PHPShell'
+ - 'Trojan.PHP'
+ - 'Trojan.ASP'
+ - 'Trojan.JSP'
+ - 'Trojan.VBS'
+ - 'PHP?Agent'
+ - 'ASP?Agent'
+ - 'JSP?Agent'
+ - 'VBS?Agent'
+ - 'Backdoor?PHP'
+ - 'Backdoor?JSP'
+ - 'Backdoor?ASP'
+ - 'Backdoor?VBS'
+ - 'Backdoor?Java'
condition: selection
fields:
- FileName
diff --git a/rules/windows/powershell/powershell_classic/powershell_xor_commandline.yml b/rules/windows/powershell/powershell_classic/powershell_xor_commandline.yml
index 725be9c9d..8996bef6c 100644
--- a/rules/windows/powershell/powershell_classic/powershell_xor_commandline.yml
+++ b/rules/windows/powershell/powershell_classic/powershell_xor_commandline.yml
@@ -15,12 +15,12 @@ logsource:
definition: fields have to be extract from event
detection:
selection:
- HostName: "ConsoleHost"
+ HostName: 'ConsoleHost'
filter:
HostApplication|contains:
- - "bxor"
- - "join"
- - "char"
+ - 'bxor'
+ - 'join'
+ - 'char'
condition: selection and filter
falsepositives:
- unknown
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml
index 6e6f969ba..27ec125ce 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml
@@ -3,7 +3,9 @@ id: 2f211361-7dce-442d-b78a-c04039677378
related:
- id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
type: derived
-description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
+description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014
+references:
+ - https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888
status: experimental
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019/11/08
diff --git a/rules/windows/powershell/powershell_script/powershell_dnscat_execution.yml b/rules/windows/powershell/powershell_script/powershell_dnscat_execution.yml
index 69132d3f9..411443846 100644
--- a/rules/windows/powershell/powershell_script/powershell_dnscat_execution.yml
+++ b/rules/windows/powershell/powershell_script/powershell_dnscat_execution.yml
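Review bot: In the powershell_invoke_obfuscation_obfuscated_iex.yml hunk, the new `description` line drops the double quotes but keeps `\u2014` at its end; as a plain scalar that escape is no longer interpreted, so the description now ends with a literal backslash-u-2014 rather than an em dash, and with the URL moved into `references` the dash has nothing to join anyway. Replace the line with `description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block` (or end it with `(see references)` so the sentence no longer points at a block that is not there). The same description/references split is applied later in this diff to the scriptblocktext and process_creation variants of this rule; each of those hunks has its own parsing problem, noted there.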
@@ -17,7 +17,7 @@ logsource:
definition: Script block logging must be enabled
detection:
selection:
- ScriptBlockText|contains: "Start-Dnscat2"
+ ScriptBlockText|contains: 'Start-Dnscat2'
condition: selection
falsepositives:
- Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml
index 370d23f63..bc3c07a11 100644
--- a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml
@@ -1,8 +1,10 @@
title: Invoke-Obfuscation Obfuscated IEX Invocation
id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
-description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
+description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014
+references:
+ - https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888
status: experimental
-author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
+author: 'Daniel Bohannon (@Mandiant/@FireEye), oscd.community'
date: 2019/11/08
modified: 2021/10/16
tags:
diff --git a/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml
index 751c93c74..55aff9fcd 100644
--- a/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml
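Review bot: In the powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml hunk, the new `description` line opens a double-quoted scalar that is never closed, so a YAML parser keeps consuming `references:`, the URL, `status: experimental` and the following lines as part of the description until it meets a `"` or reaches end of file and errors out; either way the rule no longer loads as intended. Drop the opening quote together with the stranded `\u2014` escape: `description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block`. This is the kind of breakage a rule-loading test in CI would catch, so it is worth confirming the file parses before merge.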
+++ b/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml 
@@ -18,101 +18,101 @@ logsource:
detection:
select_Malicious:
ScriptBlockText|contains:
- - "Invoke-DllInjection"
- - "Invoke-Shellcode"
- - "Invoke-WmiCommand"
- - "Get-GPPPassword"
- - "Get-Keystrokes"
- - "Get-TimedScreenshot"
- - "Get-VaultCredential"
- - "Invoke-CredentialInjection"
- - "Invoke-Mimikatz"
- - "Invoke-NinjaCopy"
- - "Invoke-TokenManipulation"
- - "Out-Minidump"
- - "VolumeShadowCopyTools"
- - "Invoke-ReflectivePEInjection"
- - "Invoke-UserHunter"
- - "Find-GPOLocation"
- - "Invoke-ACLScanner"
- - "Invoke-DowngradeAccount"
- - "Get-ServiceUnquoted"
- - "Get-ServiceFilePermission"
- - "Get-ServicePermission"
- - "Invoke-ServiceAbuse"
- - "Install-ServiceBinary"
- - "Get-RegAutoLogon"
- - "Get-VulnAutoRun"
- - "Get-VulnSchTask"
- - "Get-UnattendedInstallFile"
- - "Get-ApplicationHost"
- - "Get-RegAlwaysInstallElevated"
- - "Get-Unconstrained"
- - "Add-RegBackdoor"
- - "Add-ScrnSaveBackdoor"
- - "Gupt-Backdoor"
- - "Invoke-ADSBackdoor"
- - "Enabled-DuplicateToken"
- - "Invoke-PsUaCme"
- - "Remove-Update"
- - "Check-VM"
- - "Get-LSASecret"
- - "Get-PassHashes"
- - "Show-TargetScreen"
- - "Port-Scan"
- - "Invoke-PoshRatHttp"
- - "Invoke-PowerShellTCP"
- - "Invoke-PowerShellWMI"
- - "Add-Exfiltration"
- - "Add-Persistence"
- - "Do-Exfiltration"
- - "Start-CaptureServer"
- - "Get-ChromeDump"
- - "Get-ClipboardContents"
- - "Get-FoxDump"
- - "Get-IndexedItem"
- - "Get-Screenshot"
- - "Invoke-Inveigh"
- - "Invoke-NetRipper"
- - "Invoke-EgressCheck"
- - "Invoke-PostExfil"
- - "Invoke-PSInject"
- - "Invoke-RunAs"
- - "MailRaider"
- - "New-HoneyHash"
- - "Set-MacAttribute"
- - "Invoke-DCSync"
- - "Invoke-PowerDump"
- - "Exploit-Jboss"
- - "Invoke-ThunderStruck"
- - "Invoke-VoiceTroll"
- - "Set-Wallpaper"
- - "Invoke-InveighRelay"
- - "Invoke-PsExec"
- - "Invoke-SSHCommand"
- - "Get-SecurityPackages"
- - "Install-SSP"
- - "Invoke-BackdoorLNK"
- - "PowerBreach"
- - "Get-SiteListPassword"
- - "Get-System"
- - "Invoke-BypassUAC"
- - "Invoke-Tater"
- - "Invoke-WScriptBypassUAC"
- - "PowerUp"
- - "PowerView"
- - "Get-RickAstley"
- - "Find-Fruit"
- - "HTTP-Login"
- - "Find-TrustedDocuments"
- - "Invoke-Paranoia"
- - "Invoke-WinEnum"
- - "Invoke-ARPScan"
- - "Invoke-PortScan"
- - "Invoke-ReverseDNSLookup"
- - "Invoke-SMBScanner"
- - "Invoke-Mimikittenz"
- - "Invoke-AllChecks"
+ - 'Invoke-DllInjection'
+ - 'Invoke-Shellcode'
+ - 'Invoke-WmiCommand'
+ - 'Get-GPPPassword'
+ - 'Get-Keystrokes'
+ - 'Get-TimedScreenshot'
+ - 'Get-VaultCredential'
+ - 'Invoke-CredentialInjection'
+ - 'Invoke-Mimikatz'
+ - 'Invoke-NinjaCopy'
+ - 'Invoke-TokenManipulation'
+ - 'Out-Minidump'
+ - 'VolumeShadowCopyTools'
+ - 'Invoke-ReflectivePEInjection'
+ - 'Invoke-UserHunter'
+ - 'Find-GPOLocation'
+ - 'Invoke-ACLScanner'
+ - 'Invoke-DowngradeAccount'
+ - 'Get-ServiceUnquoted'
+ - 'Get-ServiceFilePermission'
+ - 'Get-ServicePermission'
+ - 'Invoke-ServiceAbuse'
+ - 'Install-ServiceBinary'
+ - 'Get-RegAutoLogon'
+ - 'Get-VulnAutoRun'
+ - 'Get-VulnSchTask'
+ - 'Get-UnattendedInstallFile'
+ - 'Get-ApplicationHost'
+ - 'Get-RegAlwaysInstallElevated'
+ - 'Get-Unconstrained'
+ - 'Add-RegBackdoor'
+ - 'Add-ScrnSaveBackdoor'
+ - 'Gupt-Backdoor'
+ - 'Invoke-ADSBackdoor'
+ - 'Enabled-DuplicateToken'
+ - 'Invoke-PsUaCme'
+ - 'Remove-Update'
+ - 'Check-VM'
+ - 'Get-LSASecret'
+ - 'Get-PassHashes'
+ - 'Show-TargetScreen'
+ - 'Port-Scan'
+ - 'Invoke-PoshRatHttp'
+ - 'Invoke-PowerShellTCP'
+ - 'Invoke-PowerShellWMI'
+ - 'Add-Exfiltration'
+ - 'Add-Persistence'
+ - 'Do-Exfiltration'
+ - 'Start-CaptureServer'
+ - 'Get-ChromeDump'
+ - 'Get-ClipboardContents'
+ - 'Get-FoxDump'
+ - 'Get-IndexedItem'
+ - 'Get-Screenshot'
+ - 'Invoke-Inveigh'
+ - 'Invoke-NetRipper'
+ - 'Invoke-EgressCheck'
+ - 'Invoke-PostExfil'
+ - 'Invoke-PSInject'
+ - 'Invoke-RunAs'
+ - 'MailRaider'
+ - 'New-HoneyHash'
+ - 'Set-MacAttribute'
+ - 'Invoke-DCSync'
+ - 'Invoke-PowerDump'
+ - 'Exploit-Jboss'
+ - 'Invoke-ThunderStruck'
+ - 'Invoke-VoiceTroll'
+ - 'Set-Wallpaper'
+ - 'Invoke-InveighRelay'
+ - 'Invoke-PsExec'
+ - 'Invoke-SSHCommand'
+ - 'Get-SecurityPackages'
+ - 'Install-SSP'
+ - 'Invoke-BackdoorLNK'
+ - 'PowerBreach'
+ - 'Get-SiteListPassword'
+ - 'Get-System'
+ - 'Invoke-BypassUAC'
+ - 'Invoke-Tater'
+ - 'Invoke-WScriptBypassUAC'
+ - 'PowerUp'
+ - 'PowerView'
+ - 'Get-RickAstley'
+ - 'Find-Fruit'
+ - 'HTTP-Login'
+ - 'Find-TrustedDocuments'
+ - 'Invoke-Paranoia'
+ - 'Invoke-WinEnum'
+ - 'Invoke-ARPScan'
+ - 'Invoke-PortScan'
+ - 'Invoke-ReverseDNSLookup'
+ - 'Invoke-SMBScanner'
+ - 'Invoke-Mimikittenz'
+ - 'Invoke-AllChecks'
false_positives:
ScriptBlockText|contains:
- Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
diff --git a/rules/windows/powershell/powershell_script/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_script/powershell_malicious_keywords.yml
index c8c392434..f6e400310 100644
--- a/rules/windows/powershell/powershell_script/powershell_malicious_keywords.yml
+++ b/rules/windows/powershell/powershell_script/powershell_malicious_keywords.yml
@@ -18,26 +18,26 @@ logsource:
detection:
Malicious:
ScriptBlockText|contains:
- - "AdjustTokenPrivileges"
- - "IMAGE_NT_OPTIONAL_HDR64_MAGIC"
- - "Microsoft.Win32.UnsafeNativeMethods"
- - "ReadProcessMemory.Invoke"
- - "SE_PRIVILEGE_ENABLED"
- - "LSA_UNICODE_STRING"
- - "MiniDumpWriteDump"
- - "PAGE_EXECUTE_READ"
- - "SECURITY_DELEGATION"
- - "TOKEN_ADJUST_PRIVILEGES"
- - "TOKEN_ALL_ACCESS"
- - "TOKEN_ASSIGN_PRIMARY"
- - "TOKEN_DUPLICATE"
- - "TOKEN_ELEVATION"
- - "TOKEN_IMPERSONATE"
- - "TOKEN_INFORMATION_CLASS"
- - "TOKEN_PRIVILEGES"
- - "TOKEN_QUERY"
- - "Metasploit"
- - "Mimikatz"
+ - 'AdjustTokenPrivileges'
+ - 'IMAGE_NT_OPTIONAL_HDR64_MAGIC'
+ - 'Microsoft.Win32.UnsafeNativeMethods'
+ - 'ReadProcessMemory.Invoke'
+ - 'SE_PRIVILEGE_ENABLED'
+ - 'LSA_UNICODE_STRING'
+ - 'MiniDumpWriteDump'
+ - 'PAGE_EXECUTE_READ'
+ - 'SECURITY_DELEGATION'
+ - 'TOKEN_ADJUST_PRIVILEGES'
+ - 'TOKEN_ALL_ACCESS'
+ - 'TOKEN_ASSIGN_PRIMARY'
+ - 'TOKEN_DUPLICATE'
+ - 'TOKEN_ELEVATION'
+ - 'TOKEN_IMPERSONATE'
+ - 'TOKEN_INFORMATION_CLASS'
+ - 'TOKEN_PRIVILEGES'
+ - 'TOKEN_QUERY'
+ - 'Metasploit'
+ - 'Mimikatz'
condition: Malicious
falsepositives:
- Penetration tests
diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml
index 0f99583dc..8030c50e0 100644
--- a/rules/windows/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml
+++ b/rules/windows/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml
@@ -17,7 +17,7 @@ logsource:
definition: Script Block Logging must be enable
detection:
PfxCertificate:
- ScriptBlockText|contains: "Export-PfxCertificate"
+ ScriptBlockText|contains: 'Export-PfxCertificate'
condition: PfxCertificate
falsepositives:
- Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)
diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_keywords.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_keywords.yml
index a37fa3fee..7d4d83170 100644
--- a/rules/windows/powershell/powershell_script/powershell_suspicious_keywords.yml
+++ b/rules/windows/powershell/powershell_script/powershell_suspicious_keywords.yml
@@ -21,17 +21,17 @@ logsource:
detection:
framework:
ScriptBlockText|contains:
- - "System.Reflection.Assembly.Load($"
- - "[System.Reflection.Assembly]::Load($"
- - "[Reflection.Assembly]::Load($"
- - "System.Reflection.AssemblyName"
- - "Reflection.Emit.AssemblyBuilderAccess"
- - "Runtime.InteropServices.DllImportAttribute"
- - "SuspendThread"
- - "rundll32"
- # - "FromBase64"
- - "Invoke-WMIMethod"
- - "http://127.0.0.1"
+ - 'System.Reflection.Assembly.Load($'
+ - '[System.Reflection.Assembly]::Load($'
+ - '[Reflection.Assembly]::Load($'
+ - 'System.Reflection.AssemblyName'
+ - 'Reflection.Emit.AssemblyBuilderAccess'
+ - 'Runtime.InteropServices.DllImportAttribute'
+ - 'SuspendThread'
+ - 'rundll32'
+ # - 'FromBase64'
+ - 'Invoke-WMIMethod'
+ - 'http://127.0.0.1'
condition: framework
falsepositives:
- Penetration tests
diff --git a/rules/windows/powershell/powershell_script/powershell_wmimplant.yml b/rules/windows/powershell/powershell_script/powershell_wmimplant.yml
index cc59e9346..dc92e77d1 100644
--- a/rules/windows/powershell/powershell_script/powershell_wmimplant.yml
+++ b/rules/windows/powershell/powershell_script/powershell_wmimplant.yml
@@ -19,27 +19,27 @@ logsource:
detection:
selection:
ScriptBlockText|contains:
- - "WMImplant"
- - " change_user "
- - " gen_cli "
- - " command_exec "
- - " disable_wdigest "
- - " disable_winrm "
- - " enable_wdigest "
- - " enable_winrm "
- - " registry_mod "
- - " remote_posh "
- - " sched_job "
- - " service_mod "
- - " process_kill "
- # - " process_start "
- - " active_users "
- - " basic_info "
- # - " drive_list "
- # - " installed_programs "
- - " power_off "
- - " vacant_system "
- - " logon_events "
+ - 'WMImplant'
+ - ' change_user '
+ - ' gen_cli '
+ - ' command_exec '
+ - ' disable_wdigest '
+ - ' disable_winrm '
+ - ' enable_wdigest '
+ - ' enable_winrm '
+ - ' registry_mod '
+ - ' remote_posh '
+ - ' sched_job '
+ - ' service_mod '
+ - ' process_kill '
+ # - ' process_start '
+ - ' active_users '
+ - ' basic_info '
+ # - ' drive_list '
+ # - ' installed_programs '
+ - ' power_off '
+ - ' vacant_system '
+ - ' logon_events '
condition: selection
falsepositives:
- Administrative scripts that use the same keywords.
diff --git a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
index a7d7c5399..acd4cc71c 100644
--- a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
+++ b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
@@ -25,20 +25,20 @@ detection:
- ')'
selection2:
CallTrace|contains|all:
- - "UNKNOWN("
- - ")|UNKNOWN("
- CallTrace|endswith: ")"
+ - 'UNKNOWN('
+ - ')|UNKNOWN('
+ CallTrace|endswith: ')'
selection3:
- CallTrace|contains: "UNKNOWN"
+ CallTrace|contains: 'UNKNOWN'
GrantedAccess:
- - "0x1F0FFF"
- - "0x1F1FFF"
- - "0x143A"
- - "0x1410"
- - "0x1010"
- - "0x1F2FFF"
- - "0x1F3FFF"
- - "0x1FFFFF"
+ - '0x1F0FFF'
+ - '0x1F1FFF'
+ - '0x143A'
+ - '0x1410'
+ - '0x1010'
+ - '0x1F2FFF'
+ - '0x1F3FFF'
+ - '0x1FFFFF'
filter:
- SourceImage|endswith:
- '\Windows\System32\sdiagnhost.exe'
diff --git a/rules/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml b/rules/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml
index bbeede229..5fe6da531 100644
--- a/rules/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml
+++ b/rules/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml
@@ -21,7 +21,7 @@ detection:
- '|C:\\Windows\\System32\\KERNELBASE.dll+'
- '_ctypes.pyd+'
- 'python27.dll+'
- GrantedAccess: "0x1FFFFF"
+ GrantedAccess: '0x1FFFFF'
condition: selection
level: critical
falsepositives:
diff --git a/rules/windows/process_access/sysmon_pypykatz_cred_dump_lsass_access.yml b/rules/windows/process_access/sysmon_pypykatz_cred_dump_lsass_access.yml
index fa39b72fb..53b05c85e 100644
--- a/rules/windows/process_access/sysmon_pypykatz_cred_dump_lsass_access.yml
+++ b/rules/windows/process_access/sysmon_pypykatz_cred_dump_lsass_access.yml
@@ -21,7 +21,7 @@ detection:
- 'libffi-7.dll'
- '_ctypes.pyd+'
- 'python3*.dll+' # Pypy requires python>=3.6
- GrantedAccess: "0x1FFFFF"
+ GrantedAccess: '0x1FFFFF'
condition: selection
level: critical
falsepositives:
diff --git a/rules/windows/process_creation/process_creation_lolbins_by_office_applications.yml b/rules/windows/process_creation/process_creation_lolbins_by_office_applications.yml
index 54af48794..82aa793cf 100644
--- a/rules/windows/process_creation/process_creation_lolbins_by_office_applications.yml
+++ b/rules/windows/process_creation/process_creation_lolbins_by_office_applications.yml
@@ -4,7 +4,7 @@ description: This rule will monitor any office apps that spins up a new LOLBin p
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
-author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)"
+author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)'
tags:
- attack.t1204.002
- attack.t1047
diff --git a/rules/windows/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml b/rules/windows/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml
index 9a2bd4996..78a464d71 100644
--- a/rules/windows/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml
+++ b/rules/windows/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml
@@ -4,7 +4,7 @@ description: This rule will monitor LOLBin process creations by wmiprvse. Add mo
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
-author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)"
+author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)'
tags:
- attack.t1204.002
- attack.t1047
diff --git a/rules/windows/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml b/rules/windows/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml
index 700d264f4..080978a4e 100644
--- a/rules/windows/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml
+++ b/rules/windows/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml
@@ -4,7 +4,7 @@ description: Initial execution of malicious document calls wmic to execute the f
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
-author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)"
+author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)'
tags:
- attack.t1204.002
- attack.t1047
diff --git a/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml b/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml
index a901d3fd7..bf4a10458 100644
--- a/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml
+++ b/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml
@@ -4,7 +4,7 @@ description: Excel called wmic to finally proxy execute regsvr32 with the payloa
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
-author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)"
+author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)'
tags:
- attack.t1204.002
- attack.t1047
diff --git a/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml b/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml
index 8989e0e30..153f3bc80 100644
--- a/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml
+++ b/rules/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml
@@ -4,7 +4,7 @@ description: Excel called wmic to finally proxy execute regsvr32 with the payloa
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
-author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)"
+author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)'
tags:
- attack.t1204.002
- attack.t1047
diff --git a/rules/windows/process_creation/process_creation_office_spawning_wmi_commandline.yml b/rules/windows/process_creation/process_creation_office_spawning_wmi_commandline.yml
index edbae2013..c2ea7d396 100644
--- a/rules/windows/process_creation/process_creation_office_spawning_wmi_commandline.yml
+++ b/rules/windows/process_creation/process_creation_office_spawning_wmi_commandline.yml
@@ -4,7 +4,7 @@ description: Initial execution of malicious document calls wmic to execute the f
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
-author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)"
+author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)'
tags:
- attack.t1204.002
- attack.t1047
diff --git a/rules/windows/process_creation/win_etw_trace_evasion.yml b/rules/windows/process_creation/win_etw_trace_evasion.yml
index e33112a82..32bcf3f1e 100644
--- a/rules/windows/process_creation/win_etw_trace_evasion.yml
+++ b/rules/windows/process_creation/win_etw_trace_evasion.yml
@@ -42,11 +42,11 @@ detection:
- '0x11'
selection_disable_5: #ETW provider removal from a trace session
CommandLine|contains|all:
- - "logman"
- - "update"
- - "trace"
- - "--p"
- - "-ets"
+ - 'logman'
+ - 'update'
+ - 'trace'
+ - '--p'
+ - '-ets'
condition: 1 of them
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml b/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml
index 6d645f479..ff6dbfec8 100644
--- a/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml
+++ b/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml
@@ -1,7 +1,9 @@
title: Invoke-Obfuscation Obfuscated IEX Invocation
id: 4bf943c6-5146-4273-98dd-e958fd1e3abf
status: test
-description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
+description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block
+references:
+ — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019/11/08
modified: 2021/11/27
diff --git a/rules/windows/process_creation/win_powershell_xor_commandline.yml b/rules/windows/process_creation/win_powershell_xor_commandline.yml
index 8e6063397..c3eaa2599 100644
--- a/rules/windows/process_creation/win_powershell_xor_commandline.yml
+++ b/rules/windows/process_creation/win_powershell_xor_commandline.yml
@@ -10,13 +10,13 @@ logsource:
product: windows
detection:
selection:
- - Description: "Windows PowerShell"
- - Product: "PowerShell Core 6"
+ - Description: 'Windows PowerShell'
+ - Product: 'PowerShell Core 6'
filter:
CommandLine|contains:
- - "bxor"
- - "join"
- - "char"
+ - 'bxor'
+ - 'join'
+ - 'char'
false_positives:
ParentImage:
- C:\Program Files\Amazon\SSM\ssm-document-worker.exe
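Review bot: In the win_invoke_obfuscation_obfuscated_iex_commandline.yml hunk, the new `references` entry is introduced with an em dash (`—`) rather than the YAML sequence indicator `-`, so `references` parses as a single plain string beginning with `— https://…` instead of a one-element list; any consumer that expects `references` to be a list will reject or mis-render the rule. Replace the line with `  - https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888`. The dash was presumably carried over from the old description text when the URL was split out; the description now ends with "from the following code block" although nothing follows, so `(see references)` would read better there.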
diff --git a/rules/windows/process_creation/win_remote_time_discovery.yml b/rules/windows/process_creation/win_remote_time_discovery.yml
index c2a1e6e84..2da7f1895 100644
--- a/rules/windows/process_creation/win_remote_time_discovery.yml
+++ b/rules/windows/process_creation/win_remote_time_discovery.yml
@@ -1,7 +1,7 @@
title: Discovery of a System Time
id: b243b280-65fe-48df-ba07-6ddea7646427
status: test
-description: "Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system."
+description: Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
references:
- https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html
diff --git a/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml b/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml
index 283ab860d..9bdd3dfa4 100644
--- a/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml
+++ b/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml
@@ -15,19 +15,19 @@ logsource:
detection:
selection:
OriginalFileName:
- - "powershell.exe"
- - "powershell_ise.exe"
- - "psexec.exe"
- - "psexec.c" # old versions of psexec (2016 seen)
- - "cscript.exe"
- - "wscript.exe"
- - "mshta.exe"
- - "regsvr32.exe"
- - "wmic.exe"
- - "certutil.exe"
- - "rundll32.exe"
- - "cmstp.exe"
- - "msiexec.exe"
+ - 'powershell.exe'
+ - 'powershell_ise.exe'
+ - 'psexec.exe'
+ - 'psexec.c' # old versions of psexec (2016 seen)
+ - 'cscript.exe'
+ - 'wscript.exe'
+ - 'mshta.exe'
+ - 'regsvr32.exe'
+ - 'wmic.exe'
+ - 'certutil.exe'
+ - 'rundll32.exe'
+ - 'cmstp.exe'
+ - 'msiexec.exe'
filter:
Image|endswith:
- '\powershell.exe'
diff --git a/rules/windows/process_creation/win_susp_powershell_parent_process.yml b/rules/windows/process_creation/win_susp_powershell_parent_process.yml
index f42ec99fc..9d379112e 100644
--- a/rules/windows/process_creation/win_susp_powershell_parent_process.yml
+++ b/rules/windows/process_creation/win_susp_powershell_parent_process.yml
@@ -42,14 +42,14 @@ detection:
- '\nginx.exe'
- '\php-cgi.exe'
- '\jbosssvc.exe'
- - "MicrosoftEdgeSH.exe"
- - ParentImage|contains: "tomcat"
+ - 'MicrosoftEdgeSH.exe'
+ - ParentImage|contains: 'tomcat'
selection_powershell:
- CommandLine|contains:
- - "powershell"
- - "pwsh"
- - Description: "Windows PowerShell"
- - Product: "PowerShell Core 6"
+ - 'powershell'
+ - 'pwsh'
+ - Description: 'Windows PowerShell'
+ - Product: 'PowerShell Core 6'
condition: all of selection*
falsepositives:
- Other scripts
diff --git a/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml b/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml
index 0b9558835..08b8f9352 100644
--- a/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml
+++ b/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml
@@ -17,7 +17,7 @@ detection:
selection:
TargetObject|startswith: 'HKLM\SAM\SAM\Domains\Account\Users\Names\'
TargetObject|endswith: '$'
- Image|endswith: "lsass.exe"
+ Image|endswith: 'lsass.exe'
condition: selection
falsepositives:
- unknown