Merge pull request #3718 from SigmaHQ/rule-devel

Rule devel
Florian Roth
2022-11-19 11:33:53 +01:00
committed by GitHub
9 changed files with 133 additions and 14 deletions
@@ -6,7 +6,7 @@ references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
author: Florian Roth
date: 2022/08/24
modified: 2022/09/07
modified: 2022/11/12
tags:
- attack.defense_evasion
- attack.s0139
@@ -105,6 +105,9 @@ detection:
- 84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
- 19584675d94829987952432e018d5056 # SysmonQuiet
- 330768a4f172e10acb6287b87289d83b # ShaprEvtMute Hook
- 885c99ccfbe77d1cbfcb9c4e7c1a3313 # Forkatz
- 22a22bc9e4e0d2f189f1ea01748816ac # PPLKiller
- 7fa30e6bb7e8e8a69155636e50bf1b28 # PPLKiller
- Hashes|contains: # Sysmon field hashes contains all types
- IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
- IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
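Review bot: The key that heads this hash list sits outside the hunk, so it is not visible whether it is the `IMPHASH:` field that this same PR renames to `Imphash:` in the other driver_load rules; if it is, the rename belongs here too, otherwise the rule set keeps two spellings of one field. The three added entries are mirrored in the `IMPHASH=` list of the `Hashes|contains` selection (the next hunk, ending at `# PPLKiller`), but that coupling is undocumented; a comment like `# keep in sync with the IMPHASH= entries of the Hashes|contains list below` on this list would make it explicit for the next addition. The SysmonEnte value is upper-case while the rest of the list is lower-case; Sigma string matching is case-insensitive by default so this is cosmetic, but one case convention per list keeps greps and reviews reliable.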
@@ -193,6 +196,9 @@ detection:
- IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
- IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
- IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
- IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz
- IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller
- IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller
condition: selection
fields:
- TargetFilename
@@ -0,0 +1,68 @@
title: Process Hacker and System Informer Driver Load
id: 67add051-9ee7-4ad3-93ba-42935615ae8d
status: experimental
description: Detects the load of drivers used by Process Hacker and System Informer
references:
- https://processhacker.sourceforge.io/
- https://systeminformer.sourceforge.io/
- https://github.com/winsiderss/systeminformer
author: Florian Roth
date: 2022/11/16
tags:
- attack.privilege_escalation
- cve.2021.21551
- attack.t1543
logsource:
category: driver_load
product: windows
detection:
selection_image:
ImageLoaded|endswith:
- '\kprocesshacker.sys'
- '\SystemInformer.sys'
selection_processhack_sysmon:
Hashes|contains:
- 'IMPHASH=821D74031D3F625BCBD0DF08B70F1E77'
- 'IMPHASH=F86759BB4DE4320918615DC06E998A39'
- 'IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18'
- 'IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0'
selection_processhack_hashes:
Imphash:
- '821D74031D3F625BCBD0DF08B70F1E77'
- 'F86759BB4DE4320918615DC06E998A39'
- '0A64EEB85419257D0CE32BD5D55C3A18'
- '6E7B34DFC017700B1517B230DF6FF0D0'
selection_systeminformer_sysmon:
Hashes|contains:
- 'SHA256=8B9AD98944AC9886EA4CB07700E71B78BE4A2740934BB7E46CA3B56A7C59AD24'
- 'SHA256=A41348BEC147CA4D9EA2869817527EB5CEA2E20202AF599D2B30625433BCF454'
- 'SHA256=38EE0A88AF8535A11EFE8D8DA9C6812AA07067B75A64D99705A742589BDD846D'
- 'SHA256=A773891ACF203A7EB0C0D30942FB1347648F1CD918AE2BFD9A4857B4DCF5081B'
- 'SHA256=4C3B81AC88A987BBDF7D41FA0AECC2CEDF5B9BD2F45E7A21F376D05345FC211D'
- 'SHA256=3241BC14BEC51CE6A691B9A3562E5C1D52E9D057D27A3D67FD0B245C350B6D34'
- 'SHA256=047C42E9BBA28366868847C7DAFC1E043FB038C796422D37220493517D68EE89'
- 'SHA256=18931DC81E95D0020466FA091E16869DBE824E543A4C2C8FE644FA71A0F44FEB'
- 'SHA256=B4C2EF76C204273132FDE38F0DED641C2C5EE767652E64E4C4071A4A973B6C1B'
- 'SHA256=640954AFC268565F7DAA6E6F81A8EE05311E33E34332B501A3C3FE5B22ADEA97'
- 'SHA256=251BE949F662C838718F8AA0A5F8211FB90346D02BD63FF91E6B224E0E01B656'
- 'SHA256=E2606F272F7BA054DF16BE464FDA57211EF0D14A0D959F9C8DCB0575DF1186E4'
- 'SHA256=3A9E1D17BEEB514F1B9B3BACAEE7420285DE5CBDCE89C5319A992C6CBD1DE138'
selection_systeminformer_hashes:
SHA256:
- '8b9ad98944ac9886ea4cb07700e71b78be4a2740934bb7e46ca3b56a7c59ad24'
- 'a41348bec147ca4d9ea2869817527eb5cea2e20202af599d2b30625433bcf454'
- '38ee0a88af8535a11efe8d8da9c6812aa07067b75a64d99705a742589bdd846d'
- 'a773891acf203a7eb0c0d30942fb1347648f1cd918ae2bfd9a4857b4dcf5081b'
- '4c3b81ac88a987bbdf7d41fa0aecc2cedf5b9bd2f45e7a21f376d05345fc211d'
- '3241bc14bec51ce6a691b9a3562e5c1d52e9d057d27a3d67fd0b245c350b6d34'
- '047c42e9bba28366868847c7dafc1e043fb038c796422d37220493517d68ee89'
- '18931dc81e95d0020466fa091e16869dbe824e543a4c2c8fe644fa71a0f44feb'
- 'b4c2ef76c204273132fde38f0ded641c2c5ee767652e64e4c4071a4a973b6c1b'
- '640954afc268565f7daa6e6f81a8ee05311e33e34332b501a3c3fe5b22adea97'
- '251be949f662c838718f8aa0a5f8211fb90346d02bd63ff91e6b224e0e01b656'
- 'e2606f272f7ba054df16be464fda57211ef0d14a0d959f9c8dcb0575df1186e4'
- '3a9e1d17beeb514f1b9b3bacaee7420285de5cbdce89c5319a992c6cbd1de138'
condition: 1 of selection*
falsepositives:
- Legitimate user of process hacker or system informer by low level developers or system administrators
level: medium
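Review bot: The tag `cve.2021.21551` does not appear to belong to this rule: as far as I know that CVE is the Dell dbutil_2_3.sys driver vulnerability, not anything in kprocesshacker.sys or SystemInformer.sys, so it reads as carried over from another driver-load rule — confirm the attribution or drop the tag. The SHA256 selection uses the field name `SHA256` while the imphash selection uses `Imphash`, the capitalisation this PR normalises elsewhere; verify `SHA256` is the spelling the Sigma taxonomy and backends map (I believe the taxonomy lists the plain hash fields in lower case), otherwise `selection_systeminformer_hashes` is silently unmapped. In `falsepositives`, `Legitimate user of process hacker` should read `Legitimate use of process hacker`. Since `condition: 1 of selection*` fires on the image name alone, a one-line comment on `selection_image` noting that the hash selections exist to cover renamed copies of the driver would help readers judge the medium level.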
@@ -6,6 +6,7 @@ references:
- https://github.com/hacksysteam/HackSysExtremeVulnerableDriver
author: Nasreddine Bencherchali
date: 2022/08/18
modified: 2022/11/19
tags:
- attack.privilege_escalation
- attack.t1543.003
@@ -20,7 +21,7 @@ detection:
- 'IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5' #Version 3.0
- 'IMPHASH=c46ea2e651fd5f7f716c8867c6d13594' #Version 3.0
selection_other:
IMPHASH:
Imphash:
- 'f26d0b110873a1c7d8c4f08fbeab89c5' #Version 3.0
- 'c46ea2e651fd5f7f716c8867c6d13594' #Version 3.0
condition: 1 of selection*
@@ -7,7 +7,7 @@ references:
- https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
author: Florian Roth
date: 2022/07/26
modified: 2022/10/03
modified: 2022/11/19
tags:
- attack.privilege_escalation
- attack.t1543.003
@@ -25,7 +25,7 @@ detection:
selection_sysmon:
Hashes|contains: 'IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7'
selection_other:
IMPHASH: 'd41fa95d4642dc981f10de36f4dc8cd7'
Imphash: 'd41fa95d4642dc981f10de36f4dc8cd7'
condition: 1 of selection*
falsepositives:
- Unknown
@@ -7,7 +7,7 @@ references:
- https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
author: Florian Roth
date: 2021/07/30
modified: 2022/07/27
modified: 2022/11/19
tags:
- attack.collection
- attack.defense_evasion
@@ -46,7 +46,7 @@ detection:
- 'IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4'
- 'IMPHASH=c28cd6ccd83179e79dac132a553693d9'
selection_hashes:
IMPHASH:
Imphash:
- '0604bb7cb4bb851e2168d5c7d9399087'
- '2e5f0e649d97f32b03c09e4686d0574f'
- '52f8aa269f69f0edad9e8fcdaedce276'
@@ -6,7 +6,7 @@ references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard, Florian Roth
date: 2021/08/30
modified: 2022/07/27
modified: 2022/11/19
tags:
- attack.defense_evasion
- attack.privilege_escalation
@@ -47,7 +47,7 @@ detection:
- 'IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74'
- 'IMPHASH=3DE09703C8E79ED2CA3F01074719906B'
selection_hash:
IMPHASH:
Imphash:
- '767637c23bb42cd5d7397cf58b0be688'
- '14c4e4c72ba075e9069ee67f39188ad8'
- '3c782813d4afce07bbfc5a9772acdbdc'
@@ -6,7 +6,7 @@ references:
- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
author: Florian Roth, oscd.community
date: 2019/01/29
modified: 2022/01/07
modified: 2022/11/14
tags:
- attack.lateral_movement
- attack.defense_evasion
@@ -19,7 +19,7 @@ detection:
selection:
Image|endswith: '\netsh.exe'
CommandLine|contains|all:
- 'i'
- ' i'
- ' p'
- '=3389'
- ' c'
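Review bot: The one-letter tokens in `CommandLine|contains|all` need an explanatory comment; a reader cannot tell that `' i'`, `' p'` and `' c'` are there because netsh accepts abbreviated keywords (presumably interface / portproxy / connectaddress, as the reference and the `=3389` token suggest), and that the leading space is what stops them from matching inside other words. Suggest `# netsh accepts abbreviated keywords; the leading space anchors each token to a word start` above the list. Even with the space, `' p'` and `' c'` match any argument beginning with those letters, so `=3389` is the real anchor of this rule and the comment should say so. The `selection` block may continue past the hunk.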
@@ -0,0 +1,36 @@
title: Suspicious RunAs-Like Flag Combination
id: 50d66fb0-03f8-4da0-8add-84e77d12a020
status: experimental
description: Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
references:
- https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html
author: Florian Roth
date: 2022/11/11
logsource:
category: process_creation
product: windows
detection:
selection_user:
CommandLine|contains:
- ' -u system '
- ' --user system '
- ' -u NT'
- ' -u "NT'
- " -u 'NT"
- ' --system '
- ' -u administrator '
selection_command:
CommandLine|contains:
- ' -c cmd'
- ' -c "cmd'
- ' -c powershell'
- ' -c "powershell'
- ' --command cmd'
- ' --command powershell'
- ' -c whoami'
- ' -c wscript'
- ' -c cscript'
condition: all of selection*
falsepositives:
- Unknown
level: medium
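Review bot: The new rule has no `tags:` block, unlike the other new rule in this PR, which carries a tactic and a technique; SigmaHQ rules are expected to map to ATT&CK, so add at least the tactic (e.g. `attack.execution`) and the technique you consider appropriate for PsExec-like remote execution tooling once confirmed. The selection strings deliberately carry a leading space and some a trailing one (`' -u system '`, `' --system '`) to anchor the flag as a whole token, but nothing documents that; a comment such as `# leading/trailing spaces anchor the flag as a whole token — do not trim` on each selection would stop the next editor from "cleaning" them. Also consider whether `' -u NT'` is meant to cover only `NT AUTHORITY\SYSTEM`, since as written it also matches any user name beginning with NT.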
@@ -1,23 +1,31 @@
title: Process Hacker Usage
title: Process Hacker / System Informer Usage
id: 811e0002-b13b-4a15-9d00-a613fce66e42
status: experimental
description: Detects suspicious use of Process Hacker, a tool to view and manipulate processes, kernel options and other low level stuff
description: Detects suspicious use of Process Hacker and its newer version named System Informer, a tool to view and manipulate processes, kernel options and other low level stuff
references:
- https://processhacker.sourceforge.io/
- https://github.com/winsiderss/systeminformer
- https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
author: Florian Roth
date: 2022/10/10
modified: 2022/11/16
logsource:
category: process_creation
product: windows
detection:
selection_image:
Image|contains: '\ProcessHacker_'
- Image|contains: '\ProcessHacker_'
- Image|endswith:
- '\SystemInformer.exe'
- '\ProcessHacker.exe'
selection_pe:
- OriginalFileName:
- 'ProcessHacker.exe'
- 'Process Hacker'
- Description: 'Process Hacker'
- 'SystemInformer.exe'
- Description:
- 'Process Hacker'
- 'System Informer'
- Product: 'Process Hacker'
selection_hashes:
Hashes|contains: