Merge branch 'oscd' of https://github.com/Neo23x0/sigma into oscd

rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml

@@ -0,0 +1,23 @@
+title: Modification of ld.so.preload
+description: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
+date: 2019/10/24
+modified: 2019/11/11
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.yaml
+    - https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
+tags:
+    - attack.defense_evasion
+    - attack.t1055
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: 'PATH'
+        name: '/etc/ld.so.preload'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium

rules/network/net_possible_dns_rebinding.yml

@@ -0,0 +1,22 @@
+title: Possible DNS Rebinding
+status: experimental
+description: 'Detects DNS-answer with TTL <10.'
+date: 2019/10/25
+author: Ilyas Ochkov, oscd.community
+references:
+    - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
+tags:
+    - attack.command_and_control
+    - attack.t1043
+logsource:
+    product: dns
+detection:
+    selection:
+        answer: '*'
+    filter1:
+        ttl: '>0'
+    filter2:
+        ttl: '<10'
+    timeframe: 30s
+    condition: selection and filter1 and filter2 | count(answer) by src_ip > 3
+level: medium

rules/proxy/proxy_suspicious_reverse_connect_via_http_proxy.yml

@@ -0,0 +1,18 @@
+title: Suspicious reverse connect via HTTP proxy
+status: experimental
+description: Detects auth on proxy-server by machine account (aka SYSTEM) 
+author: Ilyas Ochkov, oscd.community
+references:
+    - https://blog.redxorblue.com/2019/09/proxy-aware-payload-testing.html
+tags:
+    - attack.command_and_control
+    - attack.t1043
+logsource:
+    category: proxy
+detection:
+    selection:
+      username|re: '\S+\$$'
+    condition: selection
+falsepositives:
+    - Update OS or other softs which start by SYSTEM
+    - User account with $ in attribute "SamAccountName"

rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml

@@ -0,0 +1,26 @@
+title: New (or renamed) user account with '$' in attribute 'SamAccountName'.
+status: experimental
+description: Detects possible bypass EDR and SIEM via abnormal user account name.
+tags:
+    - attack.defense_evasion
+    - attack.t1036
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/25
+modified: 2019/11/13
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: 
+            - 4720 # create user
+            - 4781 # rename user
+        UserName|contains: '$'    #SamAccountName
+    condition: selection
+fields:
+    - EventID
+    - UserName
+    - SubjectAccountName
+falsepositives:
+    - Unkown
+level: medium

rules/windows/builtin/win_possible_dc_sync.yml

@@ -0,0 +1,24 @@
+title: Possible DC Sync
+description: Detects DC sync via create new SPN
+status: experimental
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/25
+references:
+    - https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml
+    - https://twitter.com/gentilkiwi/status/1003236624925413376
+    - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
+    - https://jsecurity101.com/2019/Syncing-into-the-Shadows/
+tags:
+    - attack.credential_access
+    - attack.t1003
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: 4742
+        ServicePrincipalNames: '*GC/*'
+    condition: selection
+falsepositives:
+    - Unkown
+level: high

rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml

@@ -0,0 +1,23 @@
+title: Register new logon process by Rubeus
+description: Detects potential use of Rubeus via registered new trusted logon process
+status: experimental
+references:
+    - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
+tags:
+    - attack.lateral_movement
+    - attack.privilege_escalation
+    - attack.t1208
+author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
+date: 2019/10/24
+logsource:
+    product: windows
+    service: security
+    definition: Ubnormal logon process name 'User32LogonProcesss' - with three 's' at the end
+detection:
+    selection:
+        - EventID: 4611
+          LogonProcessName: 'User32LogonProcesss'
+    condition: selection
+falsepositives:
+    - Unkown
+level: high

rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml

@@ -0,0 +1,28 @@
+title: Suspicious outbound Kerberos connection
+status: experimental
+description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
+references:
+    - https://github.com/GhostPack/Rubeus8
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/24
+modified: 2019/11/13
+tags:
+    - attack.lateral_movement
+    - attack.t1208
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: 5156
+        DestinationPort: 88
+    filter:
+        Image|endswith:
+            - '\lsass.exe'
+            - '\opera.exe'
+            - '\chrome.exe'
+            - '\firefox.exe'
+    condition: selection and not filter 
+falsepositives:
+    - Other browsers
+level: high

rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml

@@ -0,0 +1,23 @@
+title: User couldn't call a privileged service 'LsaRegisterLogonProcess'
+description: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.
+status: experimental
+references:
+    - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
+tags:
+    - attack.lateral_movement
+    - attack.privilege_escalation
+    - attack.t1208
+author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
+date: 2019/10/24
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        - EventID: 4673
+          Service: 'LsaRegisterLogonProcess()'
+          Keywords: '0x8010000000000000'   #failure
+    condition: selection
+falsepositives:
+    - Unkown
+level: high

rules/windows/powershell/powershell_clear_powershell_history.yml

@@ -0,0 +1,23 @@
+title: Clear PowerShell History
+status: experimental
+description: Detects keywords that could indicate clearing PowerShell history
+date: 2019/10/25
+author: Ilyas Ochkov, oscd.community
+references:
+    - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
+tags:
+    - attack.defense_evasion
+    - attack.t1146
+logsource:
+    product: windows
+    service: powershell
+detection:
+    keywords:
+        - 'del (Get-PSReadlineOption).HistorySavePath'
+        - 'Set-PSReadlineOption –HistorySaveStyle SaveNothing'
+        - 'Remove-Item (Get-PSReadlineOption).HistorySavePath'
+        - 'rm (Get-PSReadlineOption).HistorySavePath'
+    condition: keywords
+falsepositives:
+    - some PS-scripts
+level: medium

rules/windows/process_creation/win_bootconf_mod.yml

@@ -0,0 +1,30 @@
+title: Modification of Boot Configuration
+description: Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
+date: 2019/10/24
+modified: 2019/11/11
+references:
+     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml
+     - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html
+tags:
+    - attack.impact
+    - attack.t1490
+detection:
+    selection1:
+        Image|endswith: '\bcdedit.exe'
+        CommandLine: 'set'
+    selection2:
+      - CommandLine|contains|all:
+            - 'bootstatuspolicy'
+            - 'ignoreallfailures'
+      - CommandLine|contains|all:
+            - 'recoveryenabled'
+            - 'no'
+    condition: selection1 and selection2
+falsepositives:
+    - Unlikely
+level: high
+logsource:
+    category: process_creation
+    product: windows

rules/windows/process_creation/win_hh_chm.yml

@@ -0,0 +1,24 @@
+title: HH.exe execution
+description: Identifies usage of hh.exe executing recently modified .chm files.
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Dan Beavin), oscd.community
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1223/T1223.yaml
+    - https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html
+date: 2019/10/24
+modified: 2019/11/11
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1223
+detection:
+    selection:
+        Image|endswith: '\hh.exe'
+        CommandLine|contains: '.chm'
+    condition: selection
+falsepositives:
+    - unlike
+level: high
+logsource:
+    category: process_creation
+    product: windows

rules/windows/process_creation/win_indirect_cmd.yml

@@ -0,0 +1,25 @@
+title: Indirect Command Execution
+description: Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.yaml
+    - https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html
+date: 2019/10/24
+modified: 2019/11/11
+tags:
+    - attack.defense_evasion
+    - attack.t1202
+detection:
+    selection:
+        ParentImage|endswith:
+            - '\pcalua.exe'
+            - '\forfiles.exe'
+    condition: selection
+falsepositives:
+    - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts
+    - Legit usage of scripts
+level: high
+logsource:
+    category: process_creation
+    product: windows

rules/windows/process_creation/win_interactive_at.yml

@@ -0,0 +1,23 @@
+title: Interactive AT Job
+description: Detect an interactive AT job, which may be used as a form of privilege escalation
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.yaml
+    - https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html
+date: 2019/10/24
+modified: 2019/11/11
+tags:
+    - attack.privilege_escalation
+    - attack.t1053
+detection:
+    selection:
+        Image|endswith: '\at.exe'
+        CommandLine|contains: 'interactive'
+    condition: selection
+falsepositives:
+    - Unlikely (at.exe deprecated as of Windows 8)
+level: high
+logsource:
+    category: process_creation
+    product: windows

rules/windows/process_creation/win_lsass_dump.yml

@@ -0,0 +1,31 @@
+title: LSASS Memory Dumping
+description: Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
+date: 2019/10/24
+modified: 2019/11/11
+references:
+    - https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html
+    - https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.yaml
+tags:
+    - attack.credential_access
+    - attack.t1003
+detection:
+    selection1:
+        CommandLine|contains|all:
+            - 'lsass'
+            - '.dmp'
+    selection2:
+        Image|endswith: '\werfault.exe'
+    selection3:
+        Image|contains: '\procdump'
+        Image|endswith: '.exe'
+        CommandLine|contains: 'lsass'
+    condition: selection1 and not selection2 or selection3
+falsepositives:
+    - Unlikely
+level: high
+logsource:
+    category: process_creation
+    product: windows

rules/windows/process_creation/win_mshta_javascript.yml

@@ -0,0 +1,25 @@
+title: Mshta Network Connections
+description: Identifies suspicious mshta.exe commands
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
+date: 2019/10/24
+modified: 2019/11/11
+references:
+    - https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1170/T1170.yaml
+tags:
+    - attack.execution
+    - attack.defense_evasion
+    - attack.t1170
+detection:
+    selection:
+        Image|endswith: '\mshta.exe'
+        CommandLine|contains: 'javascript'
+    condition: selection
+falsepositives:
+    - unknown
+level: high
+logsource:
+    category: process_creation
+    product: windows
+## todo — add sysmon eid 3 for this rule

rules/windows/process_creation/win_net_enum.yml

@@ -0,0 +1,27 @@
+title: Windows Network Enumeration
+status: stable
+description: Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.
+references:
+    - https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.yaml
+author: Endgame, JHasenbusch (ported for oscd.community)
+date: 2018/10/30
+modified: 2019/11/11
+tags:
+    - attack.discovery
+    - attack.t1018
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: 
+            - '\net.exe'
+            - '\net1.exe'
+        CommandLine|contains: 'view'
+    filter:
+        CommandLine|contains: '\\'
+    condition: selection and not filter
+falsepositives:
+    - Legitimate use of net.exe utility by legitimate user
+level: low 

rules/windows/process_creation/win_net_user_add.yml

@@ -0,0 +1,29 @@
+title: Net.exe User Account Creation
+status: experimental
+description: Identifies creation of local users via the net.exe command
+references:
+    - https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.yaml
+author: Endgame, JHasenbusch (adapted to sigma for oscd.community)
+date: 2018/10/30
+modified: 2019/11/11
+tags:
+    - attack.persistance
+    - attack.credential_access
+    - attack.t1136
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: 
+            - '\net.exe'
+            - '\net1.exe'
+        CommandLine|contains|all: 
+            - 'user'
+            - 'add'
+    condition: selection
+falsepositives:
+    - Legit user creation
+    - Better use event ids for user creation rather than command line rules
+level: low

rules/windows/process_creation/win_powershell_audio_capture.yml

@@ -0,0 +1,22 @@
+title: Audio Capture via PowerShell
+description: Detects audio capture via PowerShell Cmdlet
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
+date: 2019/10/24
+modified: 2019/11/11
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml
+    - https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html
+tags:
+    - attack.collection
+    - attack.t1123
+detection:
+    selection:
+        CommandLine|contains: 'WindowsAudioDevice-Powershell-Cmdlet'
+    condition: selection
+falsepositives:
+    - Legitimate audio capture by legitimate user
+level: medium
+logsource:
+    category: process_creation
+    product: windows

rules/windows/process_creation/win_powershell_bitsjob.yaml

@@ -0,0 +1,24 @@
+title: Suspicious Bitsadmin Job via PowerShell
+status: experimental
+description: Detect download by BITS jobs via PowerShell
+references:
+    - https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md
+author: Endgame, JHasenbusch (ported to sigma for oscd.community)
+date: 2018/10/30
+modified: 2019/11/11
+tags:
+    - attack.defense_evasion
+    - attack.persistence
+    - attack.t1197
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\powershell.exe'
+        CommandLine|contains: 'Start-BitsTransfer'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium

rules/windows/process_creation/win_remote_time_discovery.yml

@@ -0,0 +1,29 @@
+title: Discovery of a system time
+description: Identifies use of various commands to query a system’s time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
+date: 2019/10/24
+modified: 2019/11/11
+references:
+    - https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md
+tags:
+    - attack.discovery
+    - attack.t1124
+detection:
+    selection:
+      - Image|endswith: 
+            - '\net.exe'
+            - '\net1.exe'
+        CommandLine|contains: 'time'
+      - Image|endswith: '\w32tm.exe'
+        CommandLine|contains: 'tz'
+      - Image|endswith: '\powershell.exe'
+        CommandLine|contains: 'Get-Date'
+    condition: selection
+falsepositives:
+    - Legitimate use of the system utilities to discover system time for legitimate reason
+level: high
+logsource:
+    category: process_creation
+    product: windows

rules/windows/process_creation/win_soundrec_audio_capture.yml

@@ -0,0 +1,23 @@
+title: Audio Capture via SoundRecorder
+description: Detect attacker collecting audio via SoundRecorder application
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
+date: 2019/10/24
+modified: 2019/11/11
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml
+    - https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html
+tags:
+    - attack.collection
+    - attack.t1123
+detection:
+    selection:
+        Image|endswith: '\SoundRecorder.exe'
+        CommandLine|contains: '/FILE'
+    condition: selection
+falsepositives:
+    - Legitimate audio capture by legitimate user
+level: medium
+logsource:
+    category: process_creation
+    product: windows

rules/windows/process_creation/win_susp_net_execution.yml

@@ -3,11 +3,19 @@ status: experimental
 description: Detects execution of Net.exe, whether suspicious or benign.
 references:
     - https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
-author: Michael Haag, Mark Woan (improvements)
+    - https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html
+    - https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html
+    - https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html
+author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)
 tags:
     - attack.s0039
+    - attack.t1027
+    - attack.t1049
+    - attack.t1077
+    - attack.t1135
     - attack.lateral_movement
     - attack.discovery
+    - attack.defense_evasion
 logsource:
     category: process_creation
     product: windows
@@ -16,6 +24,7 @@ detection:
         Image:
             - '*\net.exe'
             - '*\net1.exe'
+    cmdline:
         CommandLine:
             - '* group*'
             - '* localgroup*'
@@ -25,7 +34,7 @@ detection:
             - '* accounts*'
             - '* use*'
             - '* stop *'
-    condition: selection
+    condition: selection and cmdline
 fields:
     - CommandLine
     - ParentCommandLine

rules/windows/process_creation/win_trust_discovery.yml

@@ -0,0 +1,25 @@
+title: Domain Trust Discovery
+description: Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts.
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
+date: 2019/10/24
+modified: 2019/11/11
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md
+    - https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html
+tags:
+    - attack.discovery
+    - attack.t1482
+detection:
+    selection:
+      - Image|endswith: '\nltest.exe'
+        CommandLine|contains: 'domain_trusts'
+      - Image|endswith: '\dsquery.exe'
+        CommandLine|contains: 'trustedDomain'
+    condition: selection
+falsepositives:
+    - Legitimate use of the utilities by legitimate user for legitimate reason
+level: high
+logsource:
+    category: process_creation
+    product: windows

rules/windows/process_creation/win_uac_cmstp.yml

@@ -0,0 +1,27 @@
+title: Bypass UAC via CMSTP
+description: Detect child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe).
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
+modified: 2019/11/11
+date: 2019/10/24
+references:
+    - https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1191/T1191.md
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1191
+    - attack.t1088
+detection:
+    selection:
+        Image|endswith: '\cmstp.exe'
+        CommandLine|contains: 
+            - '/s'
+            - '/au'
+    condition: selection
+falsepositives:
+    - Legitimate use of cmstp.exe utility by legitimate user
+level: high
+logsource:
+    category: process_creation
+    product: windows

rules/windows/process_creation/win_uac_fodhelper.yml

@@ -0,0 +1,22 @@
+title: Bypass UAC via Fodhelper.exe
+description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
+date: 2019/10/24
+modified: 2019/11/11
+references:
+    - https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1088/T1088.md
+tags:
+    - attack.privilege_escalation
+    - attack.t1088
+detection:
+    selection:
+        ParentImage|endswith: '\fodhelper.exe'
+    condition: selection
+falsepositives:
+    - Legitimate use of fodhelper.exe utility by legitimate user
+level: high
+logsource:
+    category: process_creation
+    product: windows

rules/windows/process_creation/win_uac_wsreset.yml

@@ -0,0 +1,23 @@
+title: Bypass UAC via WSReset.exe
+description: Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
+date: 2019/10/24
+modified: 2019/11/11
+references:
+    - https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html
+tags:
+    - attack.privilege_escalation
+    - attack.t1088
+detection:
+    selection:
+        ParentImage|endswith: '\wsreset.exe'
+    filter:
+        Image|endswith: '\conhost.exe'
+    condition: selection and not filter
+falsepositives:
+    - Unknown
+level: high
+logsource:
+    category: process_creation
+    product: windows

rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml

@@ -0,0 +1,31 @@
+title: Disable security events logging adding reg key MiniNt
+status: experimental
+description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.
+references:
+    - https://twitter.com/0gtweet/status/1182516740955226112
+tags:
+    - attack.defense_evasion
+    - attack.t1089
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/25
+modified: 2019/11/13
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+      - EventID: 12 # key create
+        TargetObject|contains: '\SYSTEM\'
+        TargetObject|endswith: '\Control\MiniNt'
+      - EventID: 14  # key rename
+        NewName|contains: '\SYSTEM\'
+        NewName|endswith: '\Control\MiniNt'
+    condition: selection
+fields:
+    - EventID
+    - Image
+    - TargetObject
+    - NewName
+falsepositives:
+    - Unkown
+level: high

rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml

@@ -0,0 +1,34 @@
+title: New DLL added to AppCertDlls registry key
+status: experimental
+description: Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. 
+references:
+    - http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
+    - https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html
+tags:
+    - attack.persistence
+    - attack.t1182
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/25
+modified: 2019/11/13
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+      - EventID: 
+            - 12  # key create
+            - 13  # value set
+        TargetObject|contains: '\SYSTEM\'
+        TargetObject|endswith: '\Control\Session Manager\AppCertDlls'
+      - EventID: 14  # key rename
+        NewName|contains: '\SYSTEM\'
+        NewName|endswith: '\Control\Session Manager\AppCertDlls'
+    condition: selection
+fields:
+    - EventID
+    - Image
+    - TargetObject
+    - NewName
+falsepositives:
+    - Unkown
+level: medium

rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml

@@ -0,0 +1,33 @@
+title: New DLL added to AppInit_DLLs registry key
+status: experimental
+description: DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll 
+references:
+    - https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html
+tags:
+    - attack.persistence
+    - attack.t1103
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/25
+modified: 2019/11/13
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+      - EventID: 
+            - 12 # key create
+            - 13 # value set
+        TargetObject|contains: '\SOFTWARE\'
+        TargetObject|endswith: '\Windows\AppInit_Dlls'
+      - EventID: 14 # key rename
+        NewName|contains: '\SOFTWARE\'
+        NewName|endswith: '\Windows\AppInit_Dlls'
+    condition: selection
+fields:
+    - EventID
+    - Image
+    - TargetObject
+    - NewName
+falsepositives:
+    - Unkown
+level: medium

rules/windows/sysmon/sysmon_possible_dns_rebinding.yml

@@ -0,0 +1,43 @@
+title: Possible DNS Rebinding
+status: experimental
+description: Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).
+date: 2019/10/25
+modified: 2019/11/13
+author: Ilyas Ochkov, oscd.community
+references:
+    - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
+tags:
+    - attack.command_and_control
+    - attack.t1043
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    dns_answer:
+        EventID: 22
+        QueryName: '*'
+        QueryStatus: '0' 
+    filter_int_ip:
+        QueryResults|startswith: 
+            - '(::ffff:)?10.'
+            - '(::ffff:)?192.168.'
+            - '(::ffff:)?172.16.'
+            - '(::ffff:)?172.17.'
+            - '(::ffff:)?172.18.'
+            - '(::ffff:)?172.19.'
+            - '(::ffff:)?172.20.'
+            - '(::ffff:)?172.21.'
+            - '(::ffff:)?172.22.'
+            - '(::ffff:)?172.23.'
+            - '(::ffff:)?172.24.'
+            - '(::ffff:)?172.25.'
+            - '(::ffff:)?172.26.'
+            - '(::ffff:)?172.27.'
+            - '(::ffff:)?172.28.'
+            - '(::ffff:)?172.29.'
+            - '(::ffff:)?172.30.'
+            - '(::ffff:)?172.31.'
+            - '(::ffff:)?127.'        
+    timeframe: 30s
+    condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip) | count(QueryName) by ComputerName > 3
+level: medium

rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml

@@ -0,0 +1,29 @@
+title: Suspicious outbound Kerberos connection
+status: experimental
+description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
+references:
+    - https://github.com/GhostPack/Rubeus8
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/24
+modified: 2019/11/13
+tags:
+    - attack.lateral_movement
+    - attack.t1208
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 3
+        DestinationPort: 88
+        Initiated: 'true'
+    filter:
+        Image|endswith:
+            - '\lsass.exe'
+            - '\opera.exe'
+            - '\chrome.exe'
+            - '\firefox.exe'
+    condition: selection and not filter 
+falsepositives:
+    - Other browsers
+level: high