security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 45 Packages Projects Releases Wiki Activity

Merge PR #4482 From @nasbench - Add New Automation Workflows

Browse Source 
chore: update workflows and add quality of life updates and automation to the repository

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
This commit is contained in:
Nasreddine Bencherchali
2023-10-18 11:53:44 +02:00
committed by GitHub
parent cc4d2115b1
commit 95793d73bd
501 changed files with 7250 additions and 3382 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/labeler.yml
+37
View File
@@ -0,0 +1,37 @@
Rules:
- 'deprecated/**/*'
- 'rules/**/*'
- 'rules-compliance/**/*'
- 'rules-dfir/**/*'
- 'rules-emerging-threats/**/*'
- 'rules-placeholder/**/*'
- 'rules-threat-hunting/**/*'
Emerging-Threats:
- 'rules-emerging-threats/**/*'
MacOS:
- 'rules/macos/**/*'
- 'rules-compliance/macos/**/*'
- 'rules-dfir/macos/**/*'
- 'rules-emerging-threats/macos/**/*'
- 'rules-placeholder/macos/**/*'
- 'rules-threat-hunting/macos/**/*'
Windows:
- 'rules/windows/**/*'
- 'rules-compliance/windows/**/*'
- 'rules-dfir/windows/**/*'
- 'rules-emerging-threats/windows/**/*'
- 'rules-placeholder/windows/**/*'
- 'rules-threat-hunting/windows/**/*'
Linux:
- 'rules/linux/**/*'
- 'rules-compliance/linux/**/*'
- 'rules-dfir/linux/**/*'
- 'rules-emerging-threats/linux/**/*'
- 'rules-placeholder/linux/**/*'
- 'rules-threat-hunting/linux/**/*'
Maintenance:
- 'documentation/**/*'
- 'tests/**/*'
- '.github/**/*'
- 'README.md'
- 'Releases.md'
.github/workflows/greetings.yml
+34
View File
@@ -0,0 +1,34 @@
name: Auto message for PR's and Issues
on: [pull_request, issues]
jobs:
build:
name: Hello new contributor
runs-on: ubuntu-latest
steps:
- uses: actions/first-interaction@v1
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
issue-message: |-
Welcome @${{github.actor}} :wave:
It looks like this is your first issue on the Sigma rules repository!
The following repository accepts issues related to `false positives` or 'rule ideas'.
If you're reporting an issue related to the pySigma library please consider submitting it [here](https://github.com/SigmaHQ/pySigma)
If you're reporting an issue related to the deprecated sigmac library please consider submitting it [here](https://github.com/SigmaHQ/legacy-sigmatools)
Thanks for taking the time to open this issue, and welcome to the Sigma community! :smiley:
pr-message: |-
Welcome @${{github.actor}} :wave:
It looks like this is your first pull request on the Sigma rules repository!
Please make sure to read the [SigmaHQ conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md) document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.
Thanks again, and welcome to the Sigma community! :smiley:
.github/workflows/pr-labeler.yml
+15
View File
@@ -0,0 +1,15 @@
on:
pull_request_target:
types:
- opened
name: PR Labeler Workflow
jobs:
triage:
permissions:
contents: read
pull-requests: write
runs-on: ubuntu-latest
steps:
- uses: actions/labeler@v4
.github/workflows/ref-archiver.yml
+33
View File
@@ -0,0 +1,33 @@
name: "Reference Archiver"
on:
#push:
# branches:
# - "*"
schedule:
- cron: "30 1 1,15 * *" # At 01:30 on day-of-month 1 and 15.
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
jobs:
archive:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3.3.0
with:
submodules: true
- name: Set up Python 3.11
uses: actions/setup-python@v4.5.0
with:
python-version: 3.11
- name: Execute Reference Archiver
run: |
pip install PyYAML argparse requests
python tests/reference-archiver.py
- name: Post Results
uses: JasonEtco/create-an-issue@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
filename: .github/archiver_output.md
.github/workflows/sigma-rule-promoter.yml
+54
View File
@@ -0,0 +1,54 @@
name: "Promote Experimental Rules To Test"
on:
#push:
# branches:
# - "*"
schedule:
- cron: "0 0 1 * *" # At 00:00 on day-of-month 1.
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
jobs:
pull-master:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3.3.0
with:
submodules: true
- name: Set up Python 3.11
uses: actions/setup-python@v4.5.0
with:
python-version: 3.11
- name: Execute Rule Promoter Script
run: |
pip install PyYAML
python tests/promote_rules_status.py
- name: Create Pull Request
uses: peter-evans/create-pull-request@v5
with:
reviewers: nasbench, frack113, phantinuss
delete-branch: true
commit-message: 'chore: promote older rules status from `experimental` to `test`'
title: 'Promote Older Rules From `experimental` to `test`'
body: |
### Summary of the Pull Request
This PR promotes and upgrade the status of rules that haven't been changed for over 300 days from `experimental` to `test`
### Changelog
chore: promote older rules status from `experimental` to `test`
### Example Log Event
N/A
### Fixed Issues
N/A
### SigmaHQ Rule Creation Conventions
- If your PR adds new rules, please consider following and applying these [conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md)
.github/workflows/sigma-test.yml
+21 -1
View File
@@ -7,10 +7,30 @@ on: # yamllint disable-line rule:truthy
push:
branches:
- "*"
paths:
- "deprecated/**.yml"
- "rules-compliance/**.yml"
- "rules-dfir/**.yml"
- "rules-emerging-threats/**.yml"
- "rules-placeholder/**.yml"
- "rules-threat-hunting/**.yml"
- "rules/**.yml"
- "unsupported/**.yml"
pull_request:
branches:
- master
- oscd
paths:
- "deprecated/**.yml"
- "rules-compliance/**.yml"
- "rules-dfir/**.yml"
- "rules-emerging-threats/**.yml"
- "rules-placeholder/**.yml"
- "rules-threat-hunting/**.yml"
- "rules/**.yml"
- "unsupported/**.yml"
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
env:
EVTX_BASELINE_VERSION: v0.7
.github/workflows/sigma-validation.yml
+21
View File
@@ -4,9 +4,30 @@ on:
push:
branches:
- "*"
paths:
- "deprecated/**.yml"
- "rules-compliance/**.yml"
- "rules-dfir/**.yml"
- "rules-emerging-threats/**.yml"
- "rules-placeholder/**.yml"
- "rules-threat-hunting/**.yml"
- "rules/**.yml"
- "unsupported/**.yml"
pull_request:
branches:
- master
paths:
- "deprecated/**.yml"
- "rules-compliance/**.yml"
- "rules-dfir/**.yml"
- "rules-emerging-threats/**.yml"
- "rules-placeholder/**.yml"
- "rules-threat-hunting/**.yml"
- "rules/**.yml"
- "unsupported/**.yml"
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
jobs:
validate-sigma-rules:
.yamllint
+18 -9
View File
@@ -1,12 +1,21 @@
---
# https://yamllint.readthedocs.io/en/latest/configuration.html
extends: default
ignore:
- .github/
- deprecated/
- other/godmode_sigma_rule.yml
- tests/
- unsupported/
rules:
comments: disable
comments-indentation: disable
document-start: disable
empty-lines: {max: 2, max-start: 2, max-end: 2}
indentation: disable
line-length: disable
new-line-at-end-of-file: disable
trailing-spaces: disable
comments:
require-starting-space: true
min-spaces-from-content: 1
comments-indentation: disable
document-start: {present: false}
empty-lines: {max: 2, max-start: 2, max-end: 2}
indentation: {spaces: 4}
line-length: disable
new-line-at-end-of-file: enable
trailing-spaces: {}
CONTRIBUTING.md
+46
View File
@@ -0,0 +1,46 @@
# Contributing to Sigma 🧙‍♂️
First off, thank you for considering contributing to Sigma! Your help is invaluable in keeping this project up-to-date and useful for the community.
The following guidelines will help you understand how to contribute effectively.
## 📝 Reporting False Positives Or Proposing New Detection Rule Ideas 🔎
If you find a false positive or would like to propose a new detection rule idea but do not have the time to create one, please create a new issue on the [GitHub repository](https://github.com/SigmaHQ/sigma/issues/new/choose) by selecting one of the available templates.
## 🛠️ Submitting Pull Requests (PRs)
1. Fork the [SigmaHQ repository](https://github.com/SigmaHQ/sigma) and clone your fork to your local machine.
2. Create a new branch for your changes:
```
git checkout -b your-feature-branch
```
3. Make your changes and commit them to your branch:
```
git add .
git commit -m "Your commit message"
```
4. Push your changes to your fork:
```
git push origin your-feature-branch
```
5. Create a new Pull Request (PR) against the upstream repository:
* Go to the [Sigma repository](https://github.com/SigmaHQ/sigma) on GitHub
* Click the "New Pull Request" button
* Choose your fork and your feature branch
* Add a clear and descriptive title and a detailed description of your changes
* Submit the Pull Request
## 📚 Adding or Updating Detection Rules
To update or contribute a new rule please make sure to follow the guidelines in the [SigmaHQ conventions document](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md). Consider installing the [VsCode Sigma Extension](https://marketplace.visualstudio.com/items?itemName=humpalum.sigma) for auto completion and quality of life features.
Thank you for contributing to Sigma! 🧙‍♂️
LICENSE.Detection.Rules.md
-17
View File
@@ -1,17 +0,0 @@
# Detection Rule License (DRL) 1.1
Permission is hereby granted, free of charge, to any person obtaining a copy of this rule set and associated documentation files (the "Rules"), to deal in the Rules without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Rules, and to permit persons to whom the Rules are furnished to do so, subject to the following conditions:
If you share the Rules (including in modified form), you must retain the following if it is supplied within the Rules:
1. identification of the authors(s) ("author" field) of the Rule and any others designated to receive attribution, in any reasonable manner requested by the Rule author (including by pseudonym if designated).
2. a URI or hyperlink to the Rule set or explicit Rule to the extent reasonably practicable
3. indicate the Rules are licensed under this Detection Rule License, and include the text of, or the URI or hyperlink to, this Detection Rule License to the extent reasonably practicable
If you use the Rules (including in modified form) on data, messages based on matches with the Rules must retain the following if it is supplied within the Rules:
1. identification of the authors(s) ("author" field) of the Rule and any others designated to receive attribution, in any reasonable manner requested by the Rule author (including by pseudonym if designated).
THE RULES ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE RULES OR THE USE OR OTHER DEALINGS IN THE RULES.
Pipfile
-2
View File
@@ -6,8 +6,6 @@ verify_ssl = true
[dev-packages]
coverage = "~=5.0"
yamllint = "~=1.21"
elasticsearch = "~=7.6"
elasticsearch-async = "~=6.2"
pytest = "~=5.4"
colorama = "*"
setuptools = "*"
_config.yml
-1
View File
@@ -1 +0,0 @@
theme: jekyll-theme-minimal
rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml
+1 -1
View File
@@ -1,4 +1,4 @@
title: Turla Group Lateral Movement
title: Turla Group Lateral Movement
id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f
status: test
description: Detects automated lateral movement by Turla group
rules-emerging-threats/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yml
+6 -6
View File
@@ -19,12 +19,12 @@ logsource:
detection:
selection:
- CommandLine|contains|all:
- '\AppData\Roaming\Oracle'
- '\java'
- '.exe '
- '\AppData\Roaming\Oracle'
- '\java'
- '.exe '
- CommandLine|contains|all:
- 'cscript.exe'
- 'Retrive'
- '.vbs '
- 'cscript.exe'
- 'Retrive'
- '.vbs '
condition: selection
level: high
rules-emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml
+25 -25
View File
@@ -24,36 +24,36 @@ logsource:
detection:
selection1:
- Image|endswith:
- '\tasksche.exe'
- '\mssecsvc.exe'
- '\taskdl.exe'
- '\taskhsvc.exe'
- '\taskse.exe'
- '\111.exe'
- '\lhdfrgui.exe'
# - '\diskpart.exe' # cannot be used in a rule of level critical
- '\linuxnew.exe'
- '\wannacry.exe'
- '\tasksche.exe'
- '\mssecsvc.exe'
- '\taskdl.exe'
- '\taskhsvc.exe'
- '\taskse.exe'
- '\111.exe'
- '\lhdfrgui.exe'
# - '\diskpart.exe' # cannot be used in a rule of level critical
- '\linuxnew.exe'
- '\wannacry.exe'
- Image|contains: 'WanaDecryptor'
selection2:
- CommandLine|contains|all:
- 'icacls'
- '/grant'
- 'Everyone:F'
- '/T'
- '/C'
- '/Q'
- 'icacls'
- '/grant'
- 'Everyone:F'
- '/T'
- '/C'
- '/Q'
- CommandLine|contains|all:
- 'bcdedit'
- '/set'
- '{default}'
- 'recoveryenabled'
- 'no'
- 'bcdedit'
- '/set'
- '{default}'
- 'recoveryenabled'
- 'no'
- CommandLine|contains|all:
- 'wbadmin'
- 'delete'
- 'catalog'
- '-quiet'
- 'wbadmin'
- 'delete'
- 'catalog'
- '-quiet'
- CommandLine|contains: '@Please_Read_Me@.txt'
condition: 1 of selection*
fields:
rules-emerging-threats/2017/TA/Turla/pipe_created_apt_turla_named_pipes.yml
+1 -1
View File
@@ -24,7 +24,7 @@ detection:
- '\iehelper' # ruag apt case
- '\sdlrpc' # project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
- '\userpipe' # ruag apt case
#- '\rpc' # may cause too many false positives : http://kb.palisade.com/index.php?pg=kb.page&id=483
# - '\rpc' # may cause too many false positives : http://kb.palisade.com/index.php?pg=kb.page&id=483
condition: selection
falsepositives:
- Unlikely
rules-emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml
+3 -3
View File
@@ -29,9 +29,9 @@ detection:
selection_extensions:
- CommandLine|contains: '.dat",'
- CommandLine|endswith:
- '.dll #1'
- '.dll" #1'
- '.dll",#1'
- '.dll #1'
- '.dll" #1'
- '.dll",#1'
filter_main_exclude_temp:
CommandLine|contains: '\AppData\Local\Temp\'
condition: all of selection_* and not 1 of filter_main_*
rules-emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml
+2 -2
View File
@@ -23,8 +23,8 @@ detection:
selection:
- CommandLine|contains: '-noni -ep bypass $'
- CommandLine|contains|all:
- 'cyzfc.dat,'
- 'PointFunctionCall'
- 'cyzfc.dat,'
- 'PointFunctionCall'
condition: selection
falsepositives:
- Unlikely
rules-emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml
+5 -5
View File
@@ -22,12 +22,12 @@ logsource:
detection:
selection:
- CommandLine|contains|all:
- 'powershell.exe mshta.exe http'
- '.hta'
- 'powershell.exe mshta.exe http'
- '.hta'
- CommandLine|contains:
- 'reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"'
- 'cmd.exe /c taskkill /im cmd.exe'
- "(New-Object System.Net.WebClient).UploadFile('http"
- 'reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"'
- 'cmd.exe /c taskkill /im cmd.exe'
- "(New-Object System.Net.WebClient).UploadFile('http"
condition: selection
falsepositives:
- Unknown
rules-emerging-threats/2019/Malware/Formbook/proc_creation_win_malware_formbook.yml
+12 -12
View File
@@ -28,20 +28,20 @@ detection:
ParentCommandLine|endswith: '.exe'
selection2:
- CommandLine|contains|all:
- '/c'
- 'del'
- 'C:\Users\'
- '\AppData\Local\Temp\'
- '/c'
- 'del'
- 'C:\Users\'
- '\AppData\Local\Temp\'
- CommandLine|contains|all:
- '/c'
- 'del'
- 'C:\Users\'
- '\Desktop\'
- '/c'
- 'del'
- 'C:\Users\'
- '\Desktop\'
- CommandLine|contains|all:
- '/C'
- 'type nul >'
- 'C:\Users\'
- '\Desktop\'
- '/C'
- 'type nul >'
- 'C:\Users\'
- '\Desktop\'
selection3:
CommandLine|endswith: '.exe'
condition: all of selection*
rules-emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml
+2 -2
View File
@@ -20,8 +20,8 @@ detection:
selection:
- CommandLine|contains: '-export dll_u'
- CommandLine|endswith:
- ',dll_u'
- ' dll_u'
- ',dll_u'
- ' dll_u'
condition: selection
falsepositives:
- Unlikely
rules-emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml
+8 -11
View File
@@ -19,21 +19,18 @@ logsource:
detection:
selection_cli:
- CommandLine|contains:
- 'Temp\wtask.exe /create'
- '%windir:~-3,1%%PUBLIC:~-9,1%'
- '/tn "Security Script '
- '%windir:~-1,1%'
- 'Temp\wtask.exe /create'
- '%windir:~-3,1%%PUBLIC:~-9,1%'
- '/tn "Security Script '
- '%windir:~-1,1%'
- CommandLine|contains|all:
- '/E:vbscript'
- 'C:\Users\'
- '.txt'
- '/F'
- '/E:vbscript'
- 'C:\Users\'
- '.txt'
- '/F'
selection_img:
Image|endswith: 'Temp\winwsh.exe'
condition: 1 of selection_*
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Unlikely
level: high
rules-emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml
+1 -1
View File
@@ -30,7 +30,7 @@ detection:
- '.dll",Control_RunDLL'
- '.dll'',Control_RunDLL'
filter_ide:
ParentImage|endswith: '\tracker.exe' #When Visual Studio compile NodeJS program, it might use MSBuild to create tracker.exe and then, the tracker.exe fork rundll32.exe
ParentImage|endswith: '\tracker.exe' # When Visual Studio compile NodeJS program, it might use MSBuild to create tracker.exe and then, the tracker.exe fork rundll32.exe
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Unknown
rules-emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml
+38 -38
View File
@@ -61,45 +61,45 @@ detection:
- 'SHA1=ddd2db1127632a2a52943a2fe516a2e7d05d70d2'
selection_hashes:
- sha256:
- '9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd'
- '7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b'
- '657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5'
- '2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29'
- '52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77'
- 'a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3'
- '5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022'
- '6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883'
- '3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e'
- '1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7'
- 'fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1'
- '7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c'
- '178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945'
- '51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9'
- '889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79'
- '332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf'
- '44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08'
- '63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef'
- '056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070'
- '9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd'
- '7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b'
- '657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5'
- '2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29'
- '52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77'
- 'a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3'
- '5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022'
- '6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883'
- '3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e'
- '1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7'
- 'fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1'
- '7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c'
- '178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945'
- '51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9'
- '889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79'
- '332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf'
- '44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08'
- '63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef'
- '056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070'
- sha1:
- '53a44c2396d15c3a03723fa5e5db54cafd527635'
- '9c5e496921e3bc882dc40694f1dcc3746a75db19'
- 'aeb573accfd95758550cf30bf04f389a92922844'
- '79ef78a797403a4ed1a616c68e07fff868a8650a'
- '4f6f38b4cec35e895d91c052b1f5a83d665c2196'
- '1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d'
- 'e841a63e47361a572db9a7334af459ddca11347a'
- 'c28f606df28a9bc8df75a4d5e5837fc5522dd34d'
- '2e94b305d6812a9f96e6781c888e48c7fb157b6b'
- 'dd44133716b8a241957b912fa6a02efde3ce3025'
- '8793bf166cb89eb55f0593404e4e933ab605e803'
- 'a39b57032dbb2335499a51e13470a7cd5d86b138'
- '41cc2b15c662bc001c0eb92f6cc222934f0beeea'
- 'd209430d6af54792371174e70e27dd11d3def7a7'
- '1c6452026c56efd2c94cea7e0f671eb55515edb0'
- 'c6b41d3afdcdcaf9f442bbe772f5da871801fd5a'
- '4923d460e22fbbf165bbbaba168e5a46b8157d9f'
- 'f201504bd96e81d0d350c3a8332593ee1c9e09de'
- 'ddd2db1127632a2a52943a2fe516a2e7d05d70d2'
- '53a44c2396d15c3a03723fa5e5db54cafd527635'
- '9c5e496921e3bc882dc40694f1dcc3746a75db19'
- 'aeb573accfd95758550cf30bf04f389a92922844'
- '79ef78a797403a4ed1a616c68e07fff868a8650a'
- '4f6f38b4cec35e895d91c052b1f5a83d665c2196'
- '1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d'
- 'e841a63e47361a572db9a7334af459ddca11347a'
- 'c28f606df28a9bc8df75a4d5e5837fc5522dd34d'
- '2e94b305d6812a9f96e6781c888e48c7fb157b6b'
- 'dd44133716b8a241957b912fa6a02efde3ce3025'
- '8793bf166cb89eb55f0593404e4e933ab605e803'
- 'a39b57032dbb2335499a51e13470a7cd5d86b138'
- '41cc2b15c662bc001c0eb92f6cc222934f0beeea'
- 'd209430d6af54792371174e70e27dd11d3def7a7'
- '1c6452026c56efd2c94cea7e0f671eb55515edb0'
- 'c6b41d3afdcdcaf9f442bbe772f5da871801fd5a'
- '4923d460e22fbbf165bbbaba168e5a46b8157d9f'
- 'f201504bd96e81d0d350c3a8332593ee1c9e09de'
- 'ddd2db1127632a2a52943a2fe516a2e7d05d70d2'
condition: 1 of selection_*
falsepositives:
- Unknown
rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml
+2 -2
View File
@@ -11,8 +11,8 @@ tags:
- attack.execution
- attack.t1059.001
- detection.emerging_threats
#- sunburst
#- unc2452
# - sunburst
# - unc2452
logsource:
category: process_creation
product: windows
rules-emerging-threats/2021/Exploits/CVE-2021-26858/file_event_win_cve_2021_26858_msexchange.yml
+3 -3
View File
@@ -2,9 +2,9 @@ title: CVE-2021-26858 Exchange Exploitation
id: b06335b3-55ac-4b41-937e-16b7f5d57dfd
status: test
description: |
Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for
creation of non-standard files on disk by Exchange Servers Unified Messaging service
which could indicate dropping web shells or other malicious content
Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for
creation of non-standard files on disk by Exchange Servers Unified Messaging service
which could indicate dropping web shells or other malicious content
references:
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
author: Bhabesh Raj
rules-emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml
+6 -6
View File
@@ -21,13 +21,13 @@ logsource:
detection:
selection_img:
- Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'Cmd.Exe'
- 'PowerShell.EXE'
- 'pwsh.dll'
- 'Cmd.Exe'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_parent:
ParentImage|endswith: '\elevation_service.exe'
IntegrityLevel: 'System'
rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml
+2 -2
View File
@@ -20,8 +20,8 @@ detection:
selection_tools:
- Image|endswith: '\sqlcmd.exe'
- CommandLine|contains:
- 'sqlcmd '
- 'sqlcmd.exe'
- 'sqlcmd '
- 'sqlcmd.exe'
selection_svr:
CommandLine|contains: ' -S localhost '
selection_query:
rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml
+2 -2
View File
@@ -18,8 +18,8 @@ detection:
Image|endswith: '\GoogleUpdate.exe'
filter_main_legit_paths:
- Image|startswith:
- 'C:\Program Files\Google\'
- 'C:\Program Files (x86)\Google\'
- 'C:\Program Files\Google\'
- 'C:\Program Files (x86)\Google\'
- Image|contains: '\AppData\Local\Google\Update\'
condition: selection and not 1 of filter_main_*
falsepositives:
rules-emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml
+2 -2
View File
@@ -30,8 +30,8 @@ detection:
selection_vsperfmon:
- Image|contains: '\ProgramData\VSPerfMon\'
- CommandLine|contains|all:
- 'schtasks'
- 'VSPerfMon'
- 'schtasks'
- 'VSPerfMon'
selection_opera_1:
Image|endswith: 'Opera_browser.exe'
ParentImage|endswith:
rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml
+6 -6
View File
@@ -24,12 +24,12 @@ detection:
- '\Sysmon64.exe'
filter_main_generic:
- Image:
- 'C:\Windows\Sysmon.exe'
- 'C:\Windows\Sysmon64.exe'
- 'C:\Windows\System32\conhost.exe'
- 'wevtutil.exe'
- 'C:\WINDOWS\system32\wevtutil.exe'
- 'C:\Windows\System32\WerFault.exe' # When Sysmon crashes
- 'C:\Windows\Sysmon.exe'
- 'C:\Windows\Sysmon64.exe'
- 'C:\Windows\System32\conhost.exe'
- 'wevtutil.exe'
- 'C:\WINDOWS\system32\wevtutil.exe'
- 'C:\Windows\System32\WerFault.exe' # When Sysmon crashes
- Image|endswith: '\AppData\Local\Temp\Sysmon.exe' # When launching Sysmon 32bit version.
filter_main_null:
Image: null
rules-emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml
+5 -5
View File
@@ -20,12 +20,12 @@ detection:
Image|endswith: '\policydefinitions\postgresql.exe'
selection2:
- CommandLine|contains:
- 'CSIDL_SYSTEM_DRIVE\temp\sys.tmp'
- ' 1> \\\\127.0.0.1\ADMIN$\__16'
- 'CSIDL_SYSTEM_DRIVE\temp\sys.tmp'
- ' 1> \\\\127.0.0.1\ADMIN$\__16'
- CommandLine|contains|all:
- 'powershell -c '
- '\comsvcs.dll MiniDump '
- '\winupd.log full'
- 'powershell -c '
- '\comsvcs.dll MiniDump '
- '\winupd.log full'
condition: 1 of selection*
falsepositives:
- Unknown
rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml
+7 -7
View File
@@ -17,16 +17,16 @@ detection:
selection:
# Author Note: You could adapt this rule to use the "ServerName" field and uncomment the commented EventIDs. But you need to provide your own filter for "trusted server names"
EventID:
#- 30800 # The server name cannot be resolved. (Doesn't contain the "ServerAddress" field)
# - 30800 # The server name cannot be resolved. (Doesn't contain the "ServerAddress" field)
- 30803 # Failed to establish a network connection.
- 30804 # A network connection was disconnected.
- 30806 # The client re-established its session to the server.
#- 31001 # Error (Doesn't contain the "ServerAddress" field)
# - 31001 # Error (Doesn't contain the "ServerAddress" field)
filter_main_local_ips:
ServerAddress|startswith:
- '10.' #10.0.0.0/8
- '192.168.' #192.168.0.0/16
- '172.16.' #172.16.0.0/12
- '10.' # 10.0.0.0/8
- '192.168.' # 192.168.0.0/16
- '172.16.' # 172.16.0.0/12
- '172.17.'
- '172.18.'
- '172.19.'
@@ -42,8 +42,8 @@ detection:
- '172.29.'
- '172.30.'
- '172.31.'
- '127.' #127.0.0.0/8
- '169.254.' #169.254.0.0/16
- '127.' # 127.0.0.0/8
- '169.254.' # 169.254.0.0/16
condition: selection and not 1 of filter_main_*
falsepositives:
- Some false positives may occur from external trusted servers. Apply additional filters accordingly
rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml
+1 -1
View File
@@ -44,7 +44,7 @@ detection:
- '\MOVEitTransfer\wwwroot\human2.aspx.lnk'
- '\MOVEitTransfer\wwwroot\human2.aspx'
# Uncomment selection if you wanna threat hunt for additional artifacts
#selection_cmdline:
# selection_cmdline:
# TargetFilename|contains: ':\Windows\TEMP\'
# TargetFilename|endswith: '.cmdline'
selection_compiled_asp:
rules-emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml
+7 -7
View File
@@ -28,14 +28,14 @@ detection:
selection_binaries:
# Note: add additional binaries that the attacker might use
- Image|endswith:
- '\cmd.exe'
- '\wscript.exe'
- '\cmd.exe'
- '\wscript.exe'
- OriginalFileName:
- 'Cmd.Exe'
- 'cscript.exe'
- 'PowerShell.EXE'
- 'pwsh.dll'
- 'wscript.exe'
- 'Cmd.Exe'
- 'cscript.exe'
- 'PowerShell.EXE'
- 'pwsh.dll'
- 'wscript.exe'
condition: all of selection_*
falsepositives:
- Unlikely
rules-emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml
+3 -3
View File
@@ -2,9 +2,9 @@ title: DarkGate - Autoit3.EXE File Creation By Uncommon Process
id: 1a433e1d-03d2-47a6-8063-ece992cf4e73
status: experimental
description: |
Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe.
This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs
process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other
Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe.
This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs
process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other
processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable.
references:
- https://github.security.telekom.com/2023/08/darkgate-loader.html
rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml
+4 -4
View File
@@ -2,8 +2,8 @@ title: DarkGate - Autoit3.EXE Execution Parameters
id: f8e9aa1c-14f2-4dbd-aa59-b98968ed650d
status: experimental
description: |
Detects execution of the legitimate Autoit3 utility from a suspicious parent process. AutoIt3.exe is used within
the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate
Detects execution of the legitimate Autoit3 utility from a suspicious parent process. AutoIt3.exe is used within
the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate
command-and-control server.
references:
- https://github.security.telekom.com/2023/08/darkgate-loader.html
@@ -28,8 +28,8 @@ detection:
- '\msiexec.exe'
filter_main_legit_autoit_location:
Image|endswith:
- ':\Program Files (x86)\AutoIt3\AutoIt3.exe'
- ':\Program Files\AutoIt3\AutoIt3.exe'
- ':\Program Files (x86)\AutoIt3\AutoIt3.exe'
- ':\Program Files\AutoIt3\AutoIt3.exe'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unlikely
rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml
+5 -5
View File
@@ -19,11 +19,11 @@ detection:
selection:
- Image|endswith: '\QbotUninstall.exe'
- Hashes|contains:
- 'IMPHASH=E772C815072311D6FB8C3390743E6BE5'
- 'SHA256=423A9D13D410E2DC38EABB9FDF3121D2072472D0426260283A638B822DCD5180'
- 'SHA256=559CAE635F0D870652B9482EF436B31D4BB1A5A0F51750836F328D749291D0B6'
- 'SHA256=855EB5481F77DDE5AD8FA6E9D953D4AEBC280DDDF9461144B16ED62817CC5071'
- 'SHA256=FAB408536AA37C4ABC8BE97AB9C1F86CB33B63923D423FDC2859EB9D63FA8EA0'
- 'IMPHASH=E772C815072311D6FB8C3390743E6BE5'
- 'SHA256=423A9D13D410E2DC38EABB9FDF3121D2072472D0426260283A638B822DCD5180'
- 'SHA256=559CAE635F0D870652B9482EF436B31D4BB1A5A0F51750836F328D749291D0B6'
- 'SHA256=855EB5481F77DDE5AD8FA6E9D953D4AEBC280DDDF9461144B16ED62817CC5071'
- 'SHA256=FAB408536AA37C4ABC8BE97AB9C1F86CB33B63923D423FDC2859EB9D63FA8EA0'
condition: selection
falsepositives:
- Unlikely
rules-emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml
+1 -1
View File
@@ -20,5 +20,5 @@ detection:
QueryName|re: '[a-f0-9]{4,8}\.(?:[a-z0-9\-]+\.){2}[a-z0-9\-]+'
condition: selection
falsepositives:
- Legitimate domain names matching the regex pattern by chance (e.g. domain controllers dc01.company.co.uk)
- Legitimate domain names matching the regex pattern by chance (e.g. domain controllers dc01.company.co.uk)
level: high
rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml
+12 -12
View File
@@ -48,20 +48,20 @@ detection:
- 'MD5=7FAEA2B01796B80D180399040BB69835'
selection_hashes_2:
- sha256:
- '7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896'
- '11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03'
- 'F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952'
- '8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423'
- '7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896'
- '11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03'
- 'F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952'
- '8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423'
- sha1:
- 'BF939C9C261D27EE7BB92325CC588624FCA75429'
- '20D554A80D759C50D6537DD7097FED84DD258B3E'
- '894E7D4FFD764BB458809C7F0643694B036EAD30'
- '3B3E778B647371262120A523EB873C20BB82BEAF'
- 'BF939C9C261D27EE7BB92325CC588624FCA75429'
- '20D554A80D759C50D6537DD7097FED84DD258B3E'
- '894E7D4FFD764BB458809C7F0643694B036EAD30'
- '3B3E778B647371262120A523EB873C20BB82BEAF'
- md5:
- '74BC2D0B6680FAA1A5A76B27E5479CBC'
- '82187AD3F0C6C225E2FBA0C867280CC9'
- '11BC82A9BD8297BD0823BCE5D6202082'
- '7FAEA2B01796B80D180399040BB69835'
- '74BC2D0B6680FAA1A5A76B27E5479CBC'
- '82187AD3F0C6C225E2FBA0C867280CC9'
- '11BC82A9BD8297BD0823BCE5D6202082'
- '7FAEA2B01796B80D180399040BB69835'
condition: 1 of selection_*
falsepositives:
- Unlikely
rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml
+24 -24
View File
@@ -62,32 +62,32 @@ detection:
- 'MD5=0EEB1C0133EB4D571178B2D9D14CE3E9'
selection_hashes_2:
- sha256:
- 'DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC'
- '54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02'
- 'D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE'
- 'FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405'
- '5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734'
- 'A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203'
- 'AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868'
- '59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983'
- 'DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC'
- '54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02'
- 'D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE'
- 'FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405'
- '5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734'
- 'A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203'
- 'AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868'
- '59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983'
- sha1:
- '480DC408EF50BE69EBCF84B95750F7E93A8A1859'
- '3B43A5D8B83C637D00D769660D01333E88F5A187'
- '6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA'
- 'E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1'
- '8433A94AEDB6380AC8D4610AF643FB0E5220C5CB'
- '413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5'
- 'BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA'
- 'BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E'
- '480DC408EF50BE69EBCF84B95750F7E93A8A1859'
- '3B43A5D8B83C637D00D769660D01333E88F5A187'
- '6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA'
- 'E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1'
- '8433A94AEDB6380AC8D4610AF643FB0E5220C5CB'
- '413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5'
- 'BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA'
- 'BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E'
- md5:
- 'BB915073385DD16A846DFA318AFA3C19'
- '08D79E1FFFA244CC0DC61F7D2036ACA9'
- '4965EDF659753E3C05D800C6C8A23A7A'
- '9833A4779B69B38E3E51F04E395674C6'
- '704DB9184700481A56E5100FB56496CE'
- '8EE6802F085F7A9DF7E0303E65722DC0'
- 'F3D4144860CA10BA60F7EF4D176CC736'
- '0EEB1C0133EB4D571178B2D9D14CE3E9'
- 'BB915073385DD16A846DFA318AFA3C19'
- '08D79E1FFFA244CC0DC61F7D2036ACA9'
- '4965EDF659753E3C05D800C6C8A23A7A'
- '9833A4779B69B38E3E51F04E395674C6'
- '704DB9184700481A56E5100FB56496CE'
- '8EE6802F085F7A9DF7E0303E65722DC0'
- 'F3D4144860CA10BA60F7EF4D176CC736'
- '0EEB1C0133EB4D571178B2D9D14CE3E9'
selection_pe_1:
- OriginalFileName: '3CXDesktopApp.exe'
- Image|endswith: '\3CXDesktopApp.exe'
rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml
+37 -37
View File
@@ -24,37 +24,37 @@ detection:
- '\powershell_ise.exe'
selection_special_child_powershell_cli:
- CommandLine|contains:
- ' echo '
- '-dumpmode'
- '-ssh'
- '.dmp'
- 'add-MpPreference'
- 'adscredentials'
- 'bitsadmin'
- 'certutil'
- 'csvhost.exe'
- 'DownloadFile'
- 'DownloadString'
- 'dsquery'
- 'ekern.exe'
- 'FromBase64String'
- 'iex '
- 'iex('
- 'Invoke-Expression'
- 'Invoke-WebRequest'
- 'localgroup administrators'
- 'net group'
- 'net user'
- 'o365accountconfiguration'
- 'query session'
- 'samaccountname='
- 'set-MpPreference'
- 'svhost.exe'
- 'System.IO.Compression'
- 'System.IO.MemoryStream'
- 'usoprivate'
- 'usoshared'
- 'whoami'
- ' echo '
- '-dumpmode'
- '-ssh'
- '.dmp'
- 'add-MpPreference'
- 'adscredentials'
- 'bitsadmin'
- 'certutil'
- 'csvhost.exe'
- 'DownloadFile'
- 'DownloadString'
- 'dsquery'
- 'ekern.exe'
- 'FromBase64String'
- 'iex '
- 'iex('
- 'Invoke-Expression'
- 'Invoke-WebRequest'
- 'localgroup administrators'
- 'net group'
- 'net user'
- 'o365accountconfiguration'
- 'query session'
- 'samaccountname='
- 'set-MpPreference'
- 'svhost.exe'
- 'System.IO.Compression'
- 'System.IO.MemoryStream'
- 'usoprivate'
- 'usoshared'
- 'whoami'
- CommandLine|re: '[-/][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}'
selection_special_child_lsass_1:
CommandLine|contains: 'lsass'
@@ -84,13 +84,13 @@ detection:
- '/add'
selection_child_reg:
- CommandLine|contains|all:
- 'reg add'
- 'DisableAntiSpyware'
- '\Microsoft\Windows Defender'
- 'reg add'
- 'DisableAntiSpyware'
- '\Microsoft\Windows Defender'
- CommandLine|contains|all:
- 'reg add'
- 'DisableRestrictedAdmin'
- 'CurrentControlSet\Control\Lsa'
- 'reg add'
- 'DisableRestrictedAdmin'
- 'CurrentControlSet\Control\Lsa'
selection_child_wmic_1:
CommandLine|contains|all:
- 'wmic'
rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml
+37 -37
View File
@@ -26,37 +26,37 @@ detection:
- '\powershell_ise.exe'
selection_special_child_powershell_cli:
- CommandLine|contains:
- ' echo '
- '-dumpmode'
- '-ssh'
- '.dmp'
- 'add-MpPreference'
- 'adscredentials'
- 'bitsadmin'
- 'certutil'
- 'csvhost.exe'
- 'DownloadFile'
- 'DownloadString'
- 'dsquery'
- 'ekern.exe'
- 'FromBase64String'
- 'iex '
- 'iex('
- 'Invoke-Expression'
- 'Invoke-WebRequest'
- 'localgroup administrators'
- 'net group'
- 'net user'
- 'o365accountconfiguration'
- 'query session'
- 'samaccountname='
- 'set-MpPreference'
- 'svhost.exe'
- 'System.IO.Compression'
- 'System.IO.MemoryStream'
- 'usoprivate'
- 'usoshared'
- 'whoami'
- ' echo '
- '-dumpmode'
- '-ssh'
- '.dmp'
- 'add-MpPreference'
- 'adscredentials'
- 'bitsadmin'
- 'certutil'
- 'csvhost.exe'
- 'DownloadFile'
- 'DownloadString'
- 'dsquery'
- 'ekern.exe'
- 'FromBase64String'
- 'iex '
- 'iex('
- 'Invoke-Expression'
- 'Invoke-WebRequest'
- 'localgroup administrators'
- 'net group'
- 'net user'
- 'o365accountconfiguration'
- 'query session'
- 'samaccountname='
- 'set-MpPreference'
- 'svhost.exe'
- 'System.IO.Compression'
- 'System.IO.MemoryStream'
- 'usoprivate'
- 'usoshared'
- 'whoami'
- CommandLine|re: '[-/][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}'
selection_special_child_lsass_1:
CommandLine|contains: 'lsass'
@@ -86,13 +86,13 @@ detection:
- '/add'
selection_child_reg:
- CommandLine|contains|all:
- 'reg add'
- 'DisableAntiSpyware'
- '\Microsoft\Windows Defender'
- 'reg add'
- 'DisableAntiSpyware'
- '\Microsoft\Windows Defender'
- CommandLine|contains|all:
- 'reg add'
- 'DisableRestrictedAdmin'
- 'CurrentControlSet\Control\Lsa'
- 'reg add'
- 'DisableRestrictedAdmin'
- 'CurrentControlSet\Control\Lsa'
selection_child_wmic_1:
CommandLine|contains|all:
- 'wmic'
rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml
+5 -5
View File
@@ -22,9 +22,9 @@ detection:
filter_main_local_ips:
# Note: Uncomment this filter if you want to exclude local IPs
CommandLine|contains:
- 'https://10.' #10.0.0.0/8
- 'https://192.168.' #192.168.0.0/16
- 'https://172.16.' #172.16.0.0/12
- 'https://10.' # 10.0.0.0/8
- 'https://192.168.' # 192.168.0.0/16
- 'https://172.16.' # 172.16.0.0/12
- 'https://172.17.'
- 'https://172.18.'
- 'https://172.19.'
@@ -40,8 +40,8 @@ detection:
- 'https://172.29.'
- 'https://172.30.'
- 'https://172.31.'
- 'https://127.' #127.0.0.0/8
- 'https://169.254.' #169.254.0.0/16
- 'https://127.' # 127.0.0.0/8
- 'https://169.254.' # 169.254.0.0/16
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml
+1 -1
View File
@@ -21,5 +21,5 @@ detection:
Date: '%ClosingTime%'
condition: selection
falsepositives:
- User doing actual work outside of normal business hours.
- User doing actual work outside of normal business hours.
level: low
rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml
+1 -1
View File
@@ -28,5 +28,5 @@ detection:
- failure
condition: selection
falsepositives:
- Not using a PAW/SAW in the environment
- Not using a PAW/SAW in the environment
level: high
rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml
+1 -1
View File
@@ -23,5 +23,5 @@ detection:
DeviceInfo: '%UnApprovedDevice%'
condition: selection
falsepositives:
- A legit admin not following proper processes
- A legit admin not following proper processes
level: high
rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml
+1 -1
View File
@@ -23,5 +23,5 @@ detection:
Initiatied.By: '%ApprovedUserUpn%'
condition: selection
falsepositives:
- An admin doing actual work outside of normal business hours
- An admin doing actual work outside of normal business hours
level: high
rules-placeholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml
+1 -1
View File
@@ -15,7 +15,7 @@ logsource:
product: windows
detection:
selection:
CommandLine|contains|all:
CommandLine|contains|all:
- 'echo '
- '%userdomain%'
condition: selection
rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml
+5 -5
View File
@@ -50,11 +50,11 @@ detection:
Image|endswith: '\TiWorker.exe'
filter_main_programfiles:
- Image|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
- TargetFilename|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
filter_main_defender:
Image|startswith:
- 'C:\ProgramData\Microsoft\Windows Defender\'
@@ -91,7 +91,7 @@ detection:
TargetFilename|startswith: 'C:\WINDOWS\TEMP\'
condition: selection and not 1 of filter_*
falsepositives:
#Please contribute to FP to increase the level
# Please contribute to FP to increase the level
- Software installers
- Update utilities
- 32bit applications launching their 64bit versions
rules-threat-hunting/windows/process_creation/proc_creation_win_curl_fileupload.yml
+4 -4
View File
@@ -24,10 +24,10 @@ detection:
- Product: 'The curl executable'
selection_cli:
- CommandLine|contains:
- ' --form' # Also covers the "--form-string"
- ' --upload-file '
- ' --data '
- ' --data-' # For flags like: "--data-ascii", "--data-binary", "--data-raw", "--data-urlencode"
- ' --form' # Also covers the "--form-string"
- ' --upload-file '
- ' --data '
- ' --data-' # For flags like: "--data-ascii", "--data-binary", "--data-raw", "--data-urlencode"
- CommandLine|re: '\s-[FTd]\s' # We use regex to ensure a case sensitive argument detection
filter_optional_localhost:
CommandLine|contains:
rules-threat-hunting/windows/process_creation/proc_creation_win_net_quic.yml
+4 -4
View File
@@ -20,11 +20,11 @@ logsource:
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
- 'net.exe'
- 'net1.exe'
selection_cli:
CommandLine|contains: '/TRANSPORT:QUIC'
condition: all of selection_*
rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_abnormal_commandline_size.yml
+4 -4
View File
@@ -17,11 +17,11 @@ logsource:
detection:
selection_powershell:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
- 'PowerShell.EXE'
- 'pwsh.dll'
- Description: 'Windows Powershell'
- Product: 'PowerShell Core 6'
selection_length:
rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml
+4 -4
View File
@@ -16,11 +16,11 @@ logsource:
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cmdlet:
CommandLine|contains:
- 'Import-Module '
rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml
+1 -1
View File
@@ -1,4 +1,4 @@
title: Rundll32.EXE Calling DllRegisterServer Export Function Explicitly
title: Rundll32.EXE Calling DllRegisterServer Export Function Explicitly
id: d81a9fc6-55db-4461-b962-0e78fea5b0ad
related:
- id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed # Renamed rundll32
rules/category/antivirus/av_hacktool.yml
+43 -46
View File
@@ -16,54 +16,51 @@ logsource:
detection:
selection:
- Signature|startswith:
- 'HTOOL'
- 'HKTL'
- 'SecurityTool'
- 'Adfind'
- 'ATK/'
- 'Exploit.Script.CVE'
# - 'FRP.'
- 'PWS.'
- 'PWSX'
- 'HTOOL'
- 'HKTL'
- 'SecurityTool'
- 'Adfind'
- 'ATK/'
- 'Exploit.Script.CVE'
# - 'FRP.'
- 'PWS.'
- 'PWSX'
- Signature|contains:
- 'Hacktool'
- 'ATK/' # Sophos
- 'Potato'
- 'Rozena'
- 'Sbelt'
- 'Seatbelt'
- 'SecurityTool'
- 'SharpDump'
- 'Sliver'
- 'Splinter'
- 'Swrort'
- 'Impacket'
- 'Koadic'
- 'Lazagne'
- 'Metasploit'
- 'Meterpreter'
- 'MeteTool'
- 'Mimikatz'
- 'Mpreter'
- 'Nighthawk'
- 'PentestPowerShell'
- 'PowerSploit'
- 'PowerSSH'
- 'PshlSpy'
- 'PSWTool'
- 'PWCrack'
- 'Brutel'
- 'BruteR'
- 'Cobalt'
- 'COBEACON'
- 'Cometer'
- 'DumpCreds'
- 'FastReverseProxy'
- 'PWDump'
- 'Hacktool'
- 'ATK/' # Sophos
- 'Potato'
- 'Rozena'
- 'Sbelt'
- 'Seatbelt'
- 'SecurityTool'
- 'SharpDump'
- 'Sliver'
- 'Splinter'
- 'Swrort'
- 'Impacket'
- 'Koadic'
- 'Lazagne'
- 'Metasploit'
- 'Meterpreter'
- 'MeteTool'
- 'Mimikatz'
- 'Mpreter'
- 'Nighthawk'
- 'PentestPowerShell'
- 'PowerSploit'
- 'PowerSSH'
- 'PshlSpy'
- 'PSWTool'
- 'PWCrack'
- 'Brutel'
- 'BruteR'
- 'Cobalt'
- 'COBEACON'
- 'Cometer'
- 'DumpCreds'
- 'FastReverseProxy'
- 'PWDump'
condition: selection
fields:
- FileName
- User
falsepositives:
- Unlikely
level: high
rules/category/antivirus/av_password_dumper.yml
+16 -19
View File
@@ -21,26 +21,23 @@ detection:
selection:
- Signature|startswith: 'PWS'
- Signature|contains:
- 'DumpCreds'
- 'Mimikatz'
- 'PWCrack'
- 'HTool/WCE'
- 'PSWTool'
- 'PWDump'
- 'SecurityTool'
- 'PShlSpy'
- 'Rubeus'
- 'Kekeo'
- 'LsassDump'
- 'Outflank'
- 'DumpLsass'
- 'SharpDump'
- 'PWSX'
- 'PWS.'
- 'DumpCreds'
- 'Mimikatz'
- 'PWCrack'
- 'HTool/WCE'
- 'PSWTool'
- 'PWDump'
- 'SecurityTool'
- 'PShlSpy'
- 'Rubeus'
- 'Kekeo'
- 'LsassDump'
- 'Outflank'
- 'DumpLsass'
- 'SharpDump'
- 'PWSX'
- 'PWS.'
condition: selection
fields:
- FileName
- User
falsepositives:
- Unlikely
level: critical
rules/category/antivirus/av_webshell.yml
+52 -55
View File
@@ -24,63 +24,60 @@ logsource:
detection:
selection:
- Signature|startswith:
- 'PHP.'
- 'JSP.'
- 'ASP.'
- 'Perl.'
- 'VBS/Uxor' # looking for 'VBS/' would also find downloaders and droppers meant for desktops
- 'IIS/BackDoor'
- 'JAVA/Backdoor'
- 'Troj/ASP'
- 'Troj/PHP'
- 'Troj/JSP'
- 'PHP.'
- 'JSP.'
- 'ASP.'
- 'Perl.'
- 'VBS/Uxor' # looking for 'VBS/' would also find downloaders and droppers meant for desktops
- 'IIS/BackDoor'
- 'JAVA/Backdoor'
- 'Troj/ASP'
- 'Troj/PHP'
- 'Troj/JSP'
- Signature|contains:
- 'Webshell'
- 'Chopper'
- 'SinoChoper'
- 'ASPXSpy'
- 'Aspdoor'
- 'filebrowser'
- 'PHP_'
- 'JSP_'
- 'ASP_' # looking for 'VBS_' would also find downloaders and droppers meant for desktops
- 'PHP:'
- 'JSP:'
- 'ASP:'
- 'Perl:'
- 'PHP/'
- 'JSP/'
- 'ASP/'
- 'Perl/'
- 'PHPShell'
- 'Trojan.PHP'
- 'Trojan.ASP'
- 'Trojan.JSP'
- 'Trojan.VBS'
- 'PHP/Agent'
- 'ASP/Agent'
- 'JSP/Agent'
- 'VBS/Agent'
- 'Backdoor/PHP'
- 'Backdoor/JSP'
- 'Backdoor/ASP'
- 'Backdoor/VBS'
- 'Backdoor/Java'
- 'PHP.Agent'
- 'ASP.Agent'
- 'JSP.Agent'
- 'VBS.Agent'
- 'Backdoor.PHP'
- 'Backdoor.JSP'
- 'Backdoor.ASP'
- 'Backdoor.VBS'
- 'Backdoor.Java'
- 'PShlSpy'
- 'C99shell'
- 'Webshell'
- 'Chopper'
- 'SinoChoper'
- 'ASPXSpy'
- 'Aspdoor'
- 'filebrowser'
- 'PHP_'
- 'JSP_'
- 'ASP_' # looking for 'VBS_' would also find downloaders and droppers meant for desktops
- 'PHP:'
- 'JSP:'
- 'ASP:'
- 'Perl:'
- 'PHP/'
- 'JSP/'
- 'ASP/'
- 'Perl/'
- 'PHPShell'
- 'Trojan.PHP'
- 'Trojan.ASP'
- 'Trojan.JSP'
- 'Trojan.VBS'
- 'PHP/Agent'
- 'ASP/Agent'
- 'JSP/Agent'
- 'VBS/Agent'
- 'Backdoor/PHP'
- 'Backdoor/JSP'
- 'Backdoor/ASP'
- 'Backdoor/VBS'
- 'Backdoor/Java'
- 'PHP.Agent'
- 'ASP.Agent'
- 'JSP.Agent'
- 'VBS.Agent'
- 'Backdoor.PHP'
- 'Backdoor.JSP'
- 'Backdoor.ASP'
- 'Backdoor.VBS'
- 'Backdoor.Java'
- 'PShlSpy'
- 'C99shell'
condition: selection
fields:
- FileName
- User
falsepositives:
- Unlikely
level: high
rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml
+1 -1
View File
@@ -16,7 +16,7 @@ logsource:
detection:
selection:
eventSource: 'glue.amazonaws.com'
eventName:
eventName:
- 'CreateDevEndpoint'
- 'DeleteDevEndpoint'
- 'UpdateDevEndpoint'
rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml
+1 -1
View File
@@ -23,7 +23,7 @@ logsource:
service: activitylogs
detection:
selection:
operationName|startswith:
operationName|startswith:
- 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH'
- 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH'
operationName|endswith:
rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml
+1 -1
View File
@@ -18,5 +18,5 @@ detection:
riskEventType: 'anonymizedIPAddress'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins
level: high
rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml
+1 -1
View File
@@ -1,4 +1,4 @@
title: Azure AD Account Credential Leaked
title: Azure AD Account Credential Leaked
id: 19128e5e-4743-48dc-bd97-52e5775af817
status: experimental
description: Indicates that the user's valid credentials have been leaked.
rules/cloud/github/github_delete_action_invoked.yml
+1 -1
View File
@@ -28,5 +28,5 @@ fields:
- 'org'
- 'actor_location.country_code'
falsepositives:
- Validate the deletion activity is permitted. The "actor" field need to be validated.
- Validate the deletion activity is permitted. The "actor" field need to be validated.
level: medium
rules/cloud/github/github_disable_high_risk_configuration.yml
+1 -1
View File
@@ -36,5 +36,5 @@ fields:
- 'repository_public'
- '@timestamp'
falsepositives:
- Approved administrator/owner activities.
- Approved administrator/owner activities.
level: high
rules/cloud/github/github_new_org_member.yml
+1 -1
View File
@@ -30,5 +30,5 @@ fields:
- 'repository_public'
- '@timestamp'
falsepositives:
- Organization approved new members
- Organization approved new members
level: informational
rules/cloud/github/github_new_secret_created.yml
+1 -1
View File
@@ -30,5 +30,5 @@ fields:
- 'org'
- 'actor_location.country_code'
falsepositives:
- This detection cloud be noisy depending on the environment. It is recommended to keep a check on the new secrets when created and validate the "actor".
- This detection cloud be noisy depending on the environment. It is recommended to keep a check on the new secrets when created and validate the "actor".
level: low
rules/linux/auditd/lnx_auditd_modify_system_firewall.yml
+2 -2
View File
@@ -1,8 +1,8 @@
title: Modify System Firewall
id: 323ff3f5-0013-4847-bbd4-250b5edb62cc
related:
- id: 53059bc0-1472-438b-956a-7508a94a91f0
type: similar
- id: 53059bc0-1472-438b-956a-7508a94a91f0
type: similar
status: experimental
description: |
Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access.
rules/linux/auditd/lnx_auditd_susp_c2_commands.yml
+1 -1
View File
@@ -6,7 +6,7 @@ description: |
This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap.
These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)
references:
- 'https://github.com/Neo23x0/auditd'
- https://github.com/Neo23x0/auditd
author: Marie Euler
date: 2020/05/18
modified: 2021/11/27
rules/linux/process_creation/proc_creation_lnx_base64_execution.yml
+8 -8
View File
@@ -19,15 +19,15 @@ detection:
CommandLine|contains: 'base64 '
selection_exec:
- CommandLine|contains:
- '| bash '
- '| sh '
- '|bash '
- '|sh '
- '| bash '
- '| sh '
- '|bash '
- '|sh '
- CommandLine|endswith:
- ' |sh'
- '| bash'
- '| sh'
- '|bash'
- ' |sh'
- '| bash'
- '| sh'
- '|bash'
condition: all of selection_*
falsepositives:
- Legitimate administration activities
rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml
+5 -5
View File
@@ -16,11 +16,11 @@ logsource:
detection:
selection:
CommandLine|contains:
- "IyEvYmluL2Jhc2" #!/bin/bash"
- "IyEvYmluL2Rhc2" #!/bin/dash"
- "IyEvYmluL3pza" #!/bin/zsh"
- "IyEvYmluL2Zpc2" #!/bin/fish
- "IyEvYmluL3No" # !/bin/sh"
- "IyEvYmluL2Jhc2" # Note: #!/bin/bash"
- "IyEvYmluL2Rhc2" # Note: #!/bin/dash"
- "IyEvYmluL3pza" # Note: #!/bin/zsh"
- "IyEvYmluL2Zpc2" # Note: #!/bin/fish
- "IyEvYmluL3No" # Note: # !/bin/sh"
condition: selection
falsepositives:
- Legitimate administration activities
rules/linux/process_creation/proc_creation_lnx_hack_tools.yml
+15 -15
View File
@@ -18,21 +18,21 @@ logsource:
detection:
selection:
- Image|endswith:
# Add more as you see fit
- '/sqlmap'
- '/teamserver'
- '/aircrack-ng'
- '/john'
- '/setoolkit'
- '/wpscan'
- '/hydra'
- '/nikto'
# eBPF related malicious tools/poc's
- '/ebpfkit'
- '/bpfdos'
- '/exechijack'
- '/pidhide'
- '/writeblocker'
# Add more as you see fit
- '/sqlmap'
- '/teamserver'
- '/aircrack-ng'
- '/john'
- '/setoolkit'
- '/wpscan'
- '/hydra'
- '/nikto'
# eBPF related malicious tools/poc's
- '/ebpfkit'
- '/bpfdos'
- '/exechijack'
- '/pidhide'
- '/writeblocker'
- Image|contains: '/linpeas'
condition: selection
falsepositives:
rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml
+2 -2
View File
@@ -33,8 +33,8 @@ detection:
- 'ufw-logging-allow'
- 'ufw6-logging-deny'
- 'ufw6-logging-allow'
#- 'ufw-reject-output'
#- 'ufw-track-inputt'
# - 'ufw-reject-output'
# - 'ufw-track-inputt'
condition: all of selection_*
falsepositives:
- Network administrators
rules/linux/process_creation/proc_creation_lnx_kill_process.yml
+3 -3
View File
@@ -16,9 +16,9 @@ logsource:
detection:
selection:
Image|endswith:
- '/kill'
- '/pkill'
- '/killall'
- '/kill'
- '/pkill'
- '/killall'
condition: selection
falsepositives:
- Likely
rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml
+2 -2
View File
@@ -19,8 +19,8 @@ logsource:
detection:
selection_nc:
Image|endswith:
- '/nc'
- '/ncat'
- '/nc'
- '/ncat'
selection_flags:
CommandLine|contains:
- ' -c '
rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml
+6 -6
View File
@@ -18,13 +18,13 @@ detection:
CommandLine|contains: ' -e '
selection_content:
- CommandLine|contains|all:
- 'fdopen('
- '::Socket::INET'
- 'fdopen('
- '::Socket::INET'
- CommandLine|contains|all:
- 'Socket'
- 'connect'
- 'open'
- 'exec'
- 'Socket'
- 'connect'
- 'open'
- 'exec'
condition: all of selection_*
falsepositives:
- Unlikely
rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml
+5 -5
View File
@@ -19,12 +19,12 @@ logsource:
detection:
selection_img:
- Image|endswith:
- '/python'
- '/python2'
- '/python3'
- '/python'
- '/python2'
- '/python3'
- Image|contains:
- '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink
- '/python3.'
- '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink
- '/python3.'
selection_cli_1:
CommandLine|contains|all:
- 'import pty'
rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml
+5 -5
View File
@@ -20,9 +20,9 @@ detection:
selection_2:
Image|endswith: '/ping'
CommandLine|contains:
- ' 10.' #10.0.0.0/8
- ' 192.168.' #192.168.0.0/16
- ' 172.16.' #172.16.0.0/12
- ' 10.' # 10.0.0.0/8
- ' 192.168.' # 192.168.0.0/16
- ' 172.16.' # 172.16.0.0/12
- ' 172.17.'
- ' 172.18.'
- ' 172.19.'
@@ -38,8 +38,8 @@ detection:
- ' 172.29.'
- ' 172.30.'
- ' 172.31.'
- ' 127.' #127.0.0.0/8
- ' 169.254.' #169.254.0.0/16
- ' 127.' # 127.0.0.0/8
- ' 169.254.' # 169.254.0.0/16
condition: 1 of selection*
falsepositives:
- Legitimate administration activities
rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml
+4 -4
View File
@@ -26,10 +26,10 @@ detection:
Image|endswith: '/curl'
selection_cli:
- CommandLine|contains:
- ' --form' # Also covers the "--form-string"
- ' --upload-file '
- ' --data '
- ' --data-' # For flags like: "--data-ascii", "--data-binary", "--data-raw", "--data-urlencode"
- ' --form' # Also covers the "--form-string"
- ' --upload-file '
- ' --data '
- ' --data-' # For flags like: "--data-ascii", "--data-binary", "--data-raw", "--data-urlencode"
- CommandLine|re: '\s-[FTd]\s' # We use regex to ensure a case sensitive argument detection
filter_optional_localhost:
CommandLine|contains:
rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml
+5 -5
View File
@@ -22,12 +22,12 @@ detection:
- '/shred'
selection_history:
- CommandLine|contains:
- '/.bash_history'
- '/.zsh_history'
- '/.bash_history'
- '/.zsh_history'
- CommandLine|endswith:
- '_history'
- '.history'
- 'zhistory'
- '_history'
- '.history'
- 'zhistory'
condition: all of selection*
falsepositives:
- Legitimate administration activities
rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml
+5 -5
View File
@@ -23,12 +23,12 @@ detection:
- '/more'
selection_history:
- CommandLine|contains:
- '/.bash_history'
- '/.zsh_history'
- '/.bash_history'
- '/.zsh_history'
- CommandLine|endswith:
- '_history'
- '.history'
- 'zhistory'
- '_history'
- '.history'
- 'zhistory'
condition: all of selection*
falsepositives:
- Legitimate administration activities
rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml
+8 -8
View File
@@ -20,15 +20,15 @@ detection:
- 'bash -c '
selection_exec:
- CommandLine|contains:
- '| bash '
- '| sh '
- '|bash '
- '|sh '
- '| bash '
- '| sh '
- '|bash '
- '|sh '
- CommandLine|endswith:
- '| bash'
- '| sh'
- '|bash'
- ' |sh'
- '| bash'
- '| sh'
- '|bash'
- ' |sh'
condition: all of selection*
falsepositives:
- Legitimate software that uses these patterns
rules/macos/process_creation/proc_creation_macos_binary_padding.yml
+1 -1
View File
@@ -21,7 +21,7 @@ detection:
CommandLine|contains: '-s +'
selection_dd:
Image|endswith: '/dd'
CommandLine|contains:
CommandLine|contains:
- 'if=/dev/zero' # if input is not /dev/zero, then there is no null padding
- 'if=/dev/random' # high-quality random data
- 'if=/dev/urandom' # low-quality random data
rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml
+1 -1
View File
@@ -18,7 +18,7 @@ logsource:
category: process_creation
product: macos
detection:
selection: #adds to admin group
selection: # adds to admin group
Image|endswith: '/dscl'
CommandLine|contains|all:
- ' -append '
rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml
+1 -1
View File
@@ -18,7 +18,7 @@ detection:
selection:
Image|endswith: '/dseditgroup'
CommandLine|contains|all:
- ' -o edit ' #edit operation
- ' -o edit ' # edit operation
- ' -a ' # username
- ' -t user'
- 'admin' # Group name
rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml
+2 -2
View File
@@ -25,8 +25,8 @@ detection:
- 'NSData.dataWithContentsOfURL'
selection_js:
- CommandLine|contains|all:
- ' -l '
- 'JavaScript'
- ' -l '
- 'JavaScript'
- CommandLine|contains: '.js'
condition: all of selection_*
fields:
rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml
+5 -5
View File
@@ -20,9 +20,9 @@ detection:
selection_2:
Image|endswith: '/ping'
CommandLine|contains:
- ' 10.' #10.0.0.0/8
- ' 192.168.' #192.168.0.0/16
- ' 172.16.' #172.16.0.0/12
- ' 10.' # 10.0.0.0/8
- ' 192.168.' # 192.168.0.0/16
- ' 172.16.' # 172.16.0.0/12
- ' 172.17.'
- ' 172.18.'
- ' 172.19.'
@@ -38,8 +38,8 @@ detection:
- ' 172.29.'
- ' 172.30.'
- ' 172.31.'
- ' 127.' #127.0.0.0/8
- ' 169.254.' #169.254.0.0/16
- ' 127.' # 127.0.0.0/8
- ' 169.254.' # 169.254.0.0/16
condition: 1 of selection*
falsepositives:
- Legitimate administration activities
rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml
+21 -21
View File
@@ -28,28 +28,28 @@ detection:
ParentImage|endswith: '/Script Editor'
selection_img:
- Image|endswith:
- '/curl'
- '/bash'
- '/sh'
- '/zsh'
- '/dash'
- '/fish'
- '/osascript'
- '/mktemp'
- '/chmod'
- '/php'
- '/nohup'
- '/openssl'
- '/plutil'
- '/PlistBuddy'
- '/xattr'
- '/sqlite'
- '/funzip'
- '/popen'
- '/curl'
- '/bash'
- '/sh'
- '/zsh'
- '/dash'
- '/fish'
- '/osascript'
- '/mktemp'
- '/chmod'
- '/php'
- '/nohup'
- '/openssl'
- '/plutil'
- '/PlistBuddy'
- '/xattr'
- '/sqlite'
- '/funzip'
- '/popen'
- Image|contains:
- 'python'
- 'perl'
- 'python'
- 'perl'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
level: medium
rules/network/zeek/zeek_dns_susp_zbit_flag.yml
+4 -4
View File
@@ -8,10 +8,10 @@ description: |
Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering.
This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs'
references:
- 'https://twitter.com/neu5ron/status/1346245602502443009'
- 'https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma'
- 'https://tools.ietf.org/html/rfc2929#section-2.1'
- 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS'
- https://twitter.com/neu5ron/status/1346245602502443009
- https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma
- https://tools.ietf.org/html/rfc2929#section-2.1
- https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS
author: '@neu5ron, SOC Prime Team, Corelight'
date: 2021/05/04
modified: 2022/11/29
rules/network/zeek/zeek_http_omigod_no_auth_rce.yml
+2 -2
View File
@@ -34,13 +34,13 @@ detection:
client_header_names|contains: 'AUTHORIZATION'
too_small_http_client_body:
request_body_len: 0
#winrm_ports:
# winrm_ports:
# id.resp_p:
# - 5985
# - 5986
# - 1270
condition: selection and not auth_header and not too_small_http_client_body
#condition: selection and winrm_ports and not auth_header and not too_small_http_client_body # Enable this to only perform search on default WinRM ports, however those ports are sometimes changed and therefore this is disabled by default to give a broader coverage of this rule
# condition: selection and winrm_ports and not auth_header and not too_small_http_client_body # Enable this to only perform search on default WinRM ports, however those ports are sometimes changed and therefore this is disabled by default to give a broader coverage of this rule
fields:
- id.orig_h
- id.resp_h
rules/network/zeek/zeek_rdp_public_listener.yml
+4 -4
View File
@@ -36,10 +36,10 @@ detection:
- '172.31.'
- 'fd'
- '2620:83:800f'
#approved_rdp:
#dst_ip:
#- x.x.x.x
condition: not selection #and not approved_rdp
# approved_rdp:
# dst_ip:
# - x.x.x.x
condition: not selection # and not approved_rdp
falsepositives:
- Although it is recommended to NOT have RDP exposed to the internet, verify that this is a) allowed b) the server has not already been compromised via some brute force or remote exploit since it has been exposed to the internet. Work to secure the server if you are unable to remove it from being exposed to the internet.
fields:
rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
+1 -1
View File
@@ -23,7 +23,7 @@ detection:
selection:
path: '\\\*\IPC$'
name: 'atsvc'
#Accesses: '*WriteData*'
# Accesses: '*WriteData*'
condition: selection
falsepositives:
- Unknown
rules/web/proxy_generic/proxy_ua_malware.yml
+1 -1
View File
@@ -117,7 +117,7 @@ detection:
- 'svc/1.0' # SVC Loader - https://twitter.com/suyog41/status/1558051450797690880
- 'WSHRAT' # WSHRAT - https://twitter.com/suyog41/status/1558051450797690880
- 'ZeroStresser Botnet/1.5' # Zerobot - https://twitter.com/suyog41/status/1558051450797690880
- 'OK' #Nymaim - https://twitter.com/suyog41/status/1558051450797690880
- 'OK' # Nymaim - https://twitter.com/suyog41/status/1558051450797690880
- 'Project1sqlite' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880
- 'Project1' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880
condition: selection
rules/web/proxy_generic/proxy_ua_susp.yml
+3 -8
View File
@@ -41,15 +41,10 @@ detection:
falsepositives:
- c-useragent: 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content
- cs-host|endswith: # Adobe product traffic, example: Mozilla/3.0 (compatible; Adobe Synchronizer 10.12.20000)
- '.acrobat.com'
- '.adobe.com'
- '.adobe.io'
- '.acrobat.com'
- '.adobe.com'
- '.adobe.io'
condition: 1 of selection* and not falsepositives
fields:
- ClientIP
- c-uri
- c-useragent
- cs-host
falsepositives:
- Unknown
level: high
rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml
+1 -1
View File
@@ -21,7 +21,7 @@ detection:
cs-method:
- GET
- OPTIONS
#Success only
# Success only
sc-status:
- 200
- 301
rules/windows/builtin/application/Other/win_av_relevant_match.yml
+2 -2
View File
@@ -70,8 +70,8 @@ detection:
- 'PSWTool'
- 'PWCrack'
- 'PWDump'
#- 'PWS.'
#- 'PWSX'
# - 'PWS.'
# - 'PWSX'
- 'Ransom'
# - 'Razy'
- 'Rozena'
rules/windows/builtin/application/msiinstaller/win_builtin_remove_application.yml
+1 -1
View File
@@ -20,5 +20,5 @@ detection:
condition: selection
falsepositives:
- Unknown
#Level is low as it can be very verbose, you can use the top or less 10 "Product Name" to have a quick overview
# Level is low as it can be very verbose, you can use the top or less 10 "Product Name" to have a quick overview
level: low
rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml
+5 -5
View File
@@ -23,8 +23,8 @@ detection:
EventID: 18456
filter_main_local_ips:
Data|contains:
- 'CLIENT: 10.' #filter_range_IP: 10.0.0.0/8
- 'CLIENT: 172.16.' #filter_range_IP: 172.16.0.0/12
- 'CLIENT: 10.' # filter_range_IP: 10.0.0.0/8
- 'CLIENT: 172.16.' # filter_range_IP: 172.16.0.0/12
- 'CLIENT: 172.17.'
- 'CLIENT: 172.18.'
- 'CLIENT: 172.19.'
@@ -40,9 +40,9 @@ detection:
- 'CLIENT: 172.29.'
- 'CLIENT: 172.30.'
- 'CLIENT: 172.31.'
- 'CLIENT: 192.168.' #filter_range_IP: 192.168.0.0/16
- 'CLIENT: 127.' #filter_loop_back: 127.0.0.0/8
- 'CLIENT: 169.254.' #fileter_link-local_addressing: 169.254.0.0/16
- 'CLIENT: 192.168.' # filter_range_IP: 192.168.0.0/16
- 'CLIENT: 127.' # filter_loop_back: 127.0.0.0/8
- 'CLIENT: 169.254.' # fileter_link-local_addressing: 169.254.0.0/16
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml
+1 -1
View File
@@ -14,7 +14,7 @@ logsource:
service: appxdeployment-server
detection:
selection:
EventID:
EventID:
- 441
- 442
- 453
rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml
+5 -5
View File
@@ -44,9 +44,9 @@ detection:
- 'https://9'
filter_optional_local_networks:
RemoteName|contains:
- '://10.' #10.0.0.0/8
- '://192.168.' #192.168.0.0/16
- '://172.16.' #172.16.0.0/12
- '://10.' # 10.0.0.0/8
- '://192.168.' # 192.168.0.0/16
- '://172.16.' # 172.16.0.0/12
- '://172.17.'
- '://172.18.'
- '://172.19.'
@@ -62,8 +62,8 @@ detection:
- '://172.29.'
- '://172.30.'
- '://172.31.'
- '://127.' #127.0.0.0/8
- '://169.254.' #169.254.0.0/16
- '://127.' # 127.0.0.0/8
- '://169.254.' # 169.254.0.0/16
filter_optional_seven_zip:
RemoteName|contains:
# For https://7-zip.org/
rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml
+7 -7
View File
@@ -22,15 +22,15 @@ detection:
Action: 2
filter_main_installations:
- ApplicationPath|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
- ModifyingApplication|startswith: 'C:\Windows\WinSxS\' # TiWorker.exe
- ModifyingApplication:
- 'C:\Windows\System32\oobe\Setup.exe'
- 'C:\Windows\SysWOW64\msiexec.exe'
- 'C:\Windows\System32\svchost.exe'
- 'C:\Windows\System32\dllhost.exe'
- 'C:\Program Files\Windows Defender\MsMpEng.exe'
- 'C:\Windows\System32\oobe\Setup.exe'
- 'C:\Windows\SysWOW64\msiexec.exe'
- 'C:\Windows\System32\svchost.exe'
- 'C:\Windows\System32\dllhost.exe'
- 'C:\Program Files\Windows Defender\MsMpEng.exe'
filter_optional_msmpeng:
ModifyingApplication|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
ModifyingApplication|endswith: '\MsMpEng.exe'

Some files were not shown because too many files have changed in this diff Show More