From d42e87edd741dd646db946f30964f331f92f50e6 Mon Sep 17 00:00:00 2001 
From: Florian Roth
Date: Thu, 30 Jan 2020 17:26:09 +0100
Subject: [PATCH] fix: fixed casing and long rule titles
---
 rules/application/appframework_django_exceptions.yml | 2 +-
 .../appframework_ruby_on_rails_exceptions.yml | 2 +-
 rules/application/appframework_spring_exceptions.yml | 2 +-
 rules/apt/apt_gallium.yml | 2 +-
 rules/linux/auditd/lnx_auditd_alter_bash_profile.yml | 4 ++--
 rules/linux/auditd/lnx_auditd_masquerading_crond.yml | 2 +-
 rules/linux/auditd/lnx_auditd_susp_cmds.yml | 6 +++---
 rules/linux/lnx_susp_failed_logons_single_source.yml | 2 +-
 rules/network/net_susp_dns_txt_exec_strings.yml | 2 +-
 rules/proxy/proxy_cobalt_amazon.yml | 2 +-
 rules/proxy/proxy_cobalt_onedrive.yml | 2 +-
 ...eb_multiple_suspicious_resp_codes_single_source.yml | 2 +-
 rules/windows/builtin/win_GPO_scheduledtasks.yml | 2 +-
 rules/windows/builtin/win_atsvc_task.yml | 2 +-
 rules/windows/builtin/win_impacket_secretdump.yml | 2 +-
 rules/windows/builtin/win_lm_namedpipe.yml | 2 +-
 rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml | 2 +-
 rules/windows/builtin/win_rdp_localhost_login.yml | 2 +-
 .../builtin/win_rdp_potential_cve-2019-0708.yml | 2 +-
 .../builtin/win_susp_failed_logons_single_source.yml | 2 +-
 rules/windows/builtin/win_susp_psexec.yml | 2 +-
 .../builtin/win_susp_raccess_sensitive_fext.yml | 2 +-
 rules/windows/builtin/win_svcctl_remote_service.yml | 2 +-
 rules/windows/builtin/win_user_creation.yml | 2 +-
 rules/windows/powershell/powershell_exe_calling_ps.yml | 2 +-
 .../process_creation/win_attrib_hiding_files.yml | 2 +-
 .../process_creation/win_exploit_cve_2017_11882.yml | 2 +-
 ...l_and_3rd_party_drivers_exploits_token_stealing.yml | 4 ++--
 rules/windows/process_creation/win_lethalhta.yml | 4 ++--
 .../process_creation/win_plugx_susp_exe_locations.yml | 4 ++--
 .../process_creation/win_silenttrinity_stage_use.yml | 2 +-
 rules/windows/process_creation/win_susp_bcdedit.yml | 2 +-
 rules/windows/process_creation/win_susp_bginfo.yml | 2 +-
rules/windows/process_creation/win_susp_cdb.yml | 2 +-
 .../process_creation/win_susp_cmd_http_appdata.yml | 2 +-
 .../process_creation/win_susp_comsvcs_procdump.yml | 2 +-
 .../process_creation/win_susp_dctask64_proc_inject.yml | 4 ++--
 .../process_creation/win_susp_devtoolslauncher.yml | 2 +-
 rules/windows/process_creation/win_susp_dnx.yml | 2 +-
 rules/windows/process_creation/win_susp_dxcap.yml | 2 +-
 .../process_creation/win_susp_eventlog_clear.yml | 4 ++--
 .../windows/process_creation/win_susp_fsutil_usage.yml | 8 ++++----
 rules/windows/process_creation/win_susp_msoffice.yml | 4 ++--
 rules/windows/process_creation/win_susp_odbcconf.yml | 4 ++--
 rules/windows/process_creation/win_susp_openwith.yml | 2 +-
 .../win_susp_powershell_hidden_b64_cmd.yml | 2 +-
 .../win_susp_powershell_parent_combo.yml | 2 +-
 .../win_susp_psr_capture_screenshots.yml | 4 ++--
 .../process_creation/win_susp_renamed_dctask64.yml | 2 +-
 .../process_creation/win_susp_svchost_no_cli.yml | 4 ++--
 .../process_creation/win_susp_wmi_execution.yml | 2 +-
 .../process_creation/win_sysmon_driver_unload.yml | 2 +-
 .../process_creation/win_win10_sched_task_0day.yml | 2 +-
 rules/windows/sysmon/sysmon_dhcp_calloutdll.yml | 4 ++--
 rules/windows/sysmon/sysmon_invoke_phantom.yml | 2 +-
 rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml | 4 ++--
 .../sysmon/sysmon_registry_persistence_key_linking.yml | 4 ++--
 rules/windows/sysmon/sysmon_ssp_added_lsa_config.yml | 5 ++---
 .../sysmon/sysmon_susp_file_characteristics.yml | 4 ++--
 ...ll_load.yml => sysmon_susp_winword_wmidll_load.yml} | 2 +-
 .../sysmon/sysmon_tsclient_filewrite_startup.yml | 2 +-
 rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml | 2 +-
 .../windows/sysmon/sysmon_webshell_creation_detect.yml | 10 +++++-----
 63 files changed, 87 insertions(+), 88 deletions(-)
 rename rules/windows/sysmon/{win_susp_winword_wmidll_load.yml => sysmon_susp_winword_wmidll_load.yml} (93%)
diff --git a/rules/application/appframework_django_exceptions.yml b/rules/application/appframework_django_exceptions.yml
index 69ca84e71..d01324f26 100644
--- a/rules/application/appframework_django_exceptions.yml
+++ b/rules/application/appframework_django_exceptions.yml
@@ -1,4 +1,4 @@
-title: Django framework exceptions
+title: Django Framework Exceptions
 id: fd435618-981e-4a7c-81f8-f78ce480d616
 description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
diff --git a/rules/application/appframework_ruby_on_rails_exceptions.yml b/rules/application/appframework_ruby_on_rails_exceptions.yml
index 5899a054d..6002ff432 100644
--- a/rules/application/appframework_ruby_on_rails_exceptions.yml
+++ b/rules/application/appframework_ruby_on_rails_exceptions.yml
@@ -1,4 +1,4 @@
-title: Ruby on Rails framework exceptions
+title: Ruby on Rails Framework Exceptions
 id: 0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a
 description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
 author: Thomas Patzke
diff --git a/rules/application/appframework_spring_exceptions.yml b/rules/application/appframework_spring_exceptions.yml
index f71aef60b..e051726f3 100644
--- a/rules/application/appframework_spring_exceptions.yml
+++ b/rules/application/appframework_spring_exceptions.yml
@@ -1,4 +1,4 @@
-title: Spring framework exceptions
+title: Spring Framework Exceptions
 id: ae48ab93-45f7-4051-9dfe-5d30a3f78e33
 description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
diff --git a/rules/apt/apt_gallium.yml b/rules/apt/apt_gallium.yml
index 6f628c892..ce7aa99ed 100644
--- a/rules/apt/apt_gallium.yml
+++ b/rules/apt/apt_gallium.yml
@@ -1,5 +1,5 @@
 action: global
-title: GALLIUM artefacts
+title: GALLIUM Artefacts
 id: 440a56bf-7873-4439-940a-1c8a671073c2
 status: experimental
 description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
diff --git a/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml b/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml
index d1a937009..9094ded86 100644
--- a/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml
+++ b/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml
@@ -1,4 +1,4 @@
-title: Detects Suspicious edit of .bash_profile and .bashrc on Linux systems
+title: Edit of .bash_profile and .bashrc
 id: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9
 status: experimental
 description: Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.
@@ -18,7 +18,7 @@ detection:
 type: 'PATH'
 name:
 - '/home/*/.bashrc'
- - '/home/*/.bash_profile' 
+ - '/home/*/.bash_profile'
 - '/home/*/.profile'
 - '/etc/profile'
 - '/etc/shells'
diff --git a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
index 54563bf9b..2b28bb7a2 100644
--- a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
+++ b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
@@ -1,4 +1,4 @@
-title: Masquerading as Linux crond process
+title: Masquerading as Linux Crond Process
 id: 9d4548fa-bba0-4e88-bd66-5d5bf516cda0
 status: experimental
 description: Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and
diff --git a/rules/linux/auditd/lnx_auditd_susp_cmds.yml b/rules/linux/auditd/lnx_auditd_susp_cmds.yml
index db4ca9053..01dec32c1 100644
--- a/rules/linux/auditd/lnx_auditd_susp_cmds.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_cmds.yml
@@ -1,4 +1,4 @@
-title: Detects Suspicious Commands on Linux systems
+title: Suspicious Commands Linux
 id: 1543ae20-cbdf-4ec1-8d12-7664d667a825
 status: experimental
 description: Detects relevant commands often related to malware or hacking activity
@@ -18,7 +18,7 @@ detection:
 type: 'EXECVE'
 a0: 'chmod'
 a1: 'u+s'
- cmd3: 
+ cmd3:
 type: 'EXECVE'
 a0: 'cp'
 a1: '/bin/ksh'
@@ -29,4 +29,4 @@ detection:
 condition: 1 of them
 falsepositives:
 - Admin activity
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/linux/lnx_susp_failed_logons_single_source.yml b/rules/linux/lnx_susp_failed_logons_single_source.yml
index b82c88975..8a5b02277 100644
--- a/rules/linux/lnx_susp_failed_logons_single_source.yml
+++ b/rules/linux/lnx_susp_failed_logons_single_source.yml
@@ -1,4 +1,4 @@
-title: Multiple Failed Logins with Different Accounts from Single Source System
+title: Failed Logins with Different Accounts from Single Source System
 id: fc947f8e-ea81-4b14-9a7b-13f888f94e18
 author: Florian Roth
 date: 2017/02/16
diff --git a/rules/network/net_susp_dns_txt_exec_strings.yml b/rules/network/net_susp_dns_txt_exec_strings.yml
index 4a9cc7a6b..42ee5e22f 100644
--- a/rules/network/net_susp_dns_txt_exec_strings.yml
+++ b/rules/network/net_susp_dns_txt_exec_strings.yml
@@ -1,4 +1,4 @@
-title: DNS TXT Answer with possible execution strings
+title: DNS TXT Answer with Possible Execution Strings
 id: 8ae51330-899c-4641-8125-e39f2e07da72
 status: experimental
 description: Detects strings used in command execution in DNS TXT Answer
diff --git a/rules/proxy/proxy_cobalt_amazon.yml b/rules/proxy/proxy_cobalt_amazon.yml
index 82e45d3f0..84afdfacb 100644
--- a/rules/proxy/proxy_cobalt_amazon.yml
+++ b/rules/proxy/proxy_cobalt_amazon.yml
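Review bot: The new title in the first hunk of lnx_auditd_susp_cmds.yml, `Suspicious Commands Linux`, drops the preposition and reads as a fragment, while the sibling Linux rules in this same patch keep a natural phrase (e.g. `Masquerading as Linux Crond Process`). Keeping the shortening but restoring the grammar would be `title: Suspicious Commands on Linux`. The other two hunks of this file are whitespace and end-of-file newline fixes and need nothing.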
@@ -1,4 +1,4 @@
-title: CobaltStrike Malleable Amazon browsing traffic profile
+title: CobaltStrike Malleable Amazon Browsing Traffic Profile
 id: 953b895e-5cc9-454b-b183-7f3db555452e
 status: experimental
 description: Detects Malleable Amazon Profile
diff --git a/rules/proxy/proxy_cobalt_onedrive.yml b/rules/proxy/proxy_cobalt_onedrive.yml
index 6f4ed367f..175ecf6ce 100644
--- a/rules/proxy/proxy_cobalt_onedrive.yml
+++ b/rules/proxy/proxy_cobalt_onedrive.yml
@@ -1,4 +1,4 @@
-title: CobaltStrike Malleable OneDrive browsing traffic profile
+title: CobaltStrike Malleable OneDrive Browsing Traffic Profile
 id: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc
 status: experimental
 description: Detects Malleable OneDrive Profile
diff --git a/rules/web/web_multiple_suspicious_resp_codes_single_source.yml b/rules/web/web_multiple_suspicious_resp_codes_single_source.yml
index 9617bbe07..ea48353b1 100644
--- a/rules/web/web_multiple_suspicious_resp_codes_single_source.yml
+++ b/rules/web/web_multiple_suspicious_resp_codes_single_source.yml
@@ -1,4 +1,4 @@
-title: Multiple suspicious Response Codes caused by Single Client
+title: Multiple Suspicious Resp Codes Caused by Single Client
 id: 6fdfc796-06b3-46e8-af08-58f3505318af
 description: Detects possible exploitation activity or bugs in a web application
 author: Thomas Patzke
diff --git a/rules/windows/builtin/win_GPO_scheduledtasks.yml b/rules/windows/builtin/win_GPO_scheduledtasks.yml
index 0cfaf8b19..c2b61966c 100644
--- a/rules/windows/builtin/win_GPO_scheduledtasks.yml
+++ b/rules/windows/builtin/win_GPO_scheduledtasks.yml
@@ -1,4 +1,4 @@
-title: Persistence and Execution at scale via GPO scheduled task
+title: Persistence and Execution at Scale via GPO Scheduled Task
 id: a8f29a7b-b137-4446-80a0-b804272f3da2
 description: Detect lateral movement using GPO scheduled task, ususally used to deploy ransomware at scale
 author: Samir Bousseaden
diff --git a/rules/windows/builtin/win_atsvc_task.yml b/rules/windows/builtin/win_atsvc_task.yml
index 63acfa186..e896b3bc4 100644
--- a/rules/windows/builtin/win_atsvc_task.yml
+++ b/rules/windows/builtin/win_atsvc_task.yml
@@ -1,4 +1,4 @@
-title: Remote Task Creation via ATSVC named pipe
+title: Remote Task Creation via ATSVC Named Pipe
 id: f6de6525-4509-495a-8a82-1f8b0ed73a00
 description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
 author: Samir Bousseaden
diff --git a/rules/windows/builtin/win_impacket_secretdump.yml b/rules/windows/builtin/win_impacket_secretdump.yml
index 4d358a4d1..14d5060e0 100644
--- a/rules/windows/builtin/win_impacket_secretdump.yml
+++ b/rules/windows/builtin/win_impacket_secretdump.yml
@@ -1,4 +1,4 @@
-title: Possible Impacket SecretDump remote activity
+title: Possible Impacket SecretDump Remote Activity
 id: 252902e3-5830-4cf6-bf21-c22083dfd5cf
 description: Detect AD credential dumping using impacket secretdump HKTL
 author: Samir Bousseaden
diff --git a/rules/windows/builtin/win_lm_namedpipe.yml b/rules/windows/builtin/win_lm_namedpipe.yml
index 85d7e5ed1..90dca9c10 100644
--- a/rules/windows/builtin/win_lm_namedpipe.yml
+++ b/rules/windows/builtin/win_lm_namedpipe.yml
@@ -1,4 +1,4 @@
-title: First time seen remote named pipe
+title: First Time Seen Remote Named Pipe
 id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
 description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
diff --git a/rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml b/rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml
index 9a3266c06..431a01fca 100644
--- a/rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml
+++ b/rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml
@@ -1,4 +1,4 @@
-title: Scanner PoC for CVE-2019-0708 RDP RCE vuln
+title: Scanner PoC for CVE-2019-0708 RDP RCE Vuln
 id: 8400629e-79a9-4737-b387-5db940ab2367
 description: Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep
 references:
diff --git a/rules/windows/builtin/win_rdp_localhost_login.yml b/rules/windows/builtin/win_rdp_localhost_login.yml
index cdc99f440..3f269fe72 100644
--- a/rules/windows/builtin/win_rdp_localhost_login.yml
+++ b/rules/windows/builtin/win_rdp_localhost_login.yml
@@ -1,4 +1,4 @@
-title: RDP Login from localhost
+title: RDP Login from Localhost
 id: 51e33403-2a37-4d66-a574-1fda1782cc31
 description: RDP login with localhost source address may be a tunnelled login
 references:
diff --git a/rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml b/rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml
index ae02e2af0..65ccc20c4 100644
--- a/rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml
+++ b/rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml
@@ -1,4 +1,4 @@
-title: Potential RDP exploit CVE-2019-0708
+title: Potential RDP Exploit CVE-2019-0708
 id: aaa5b30d-f418-420b-83a0-299cb6024885
 description: Detect suspicious error on protocol RDP, potential CVE-2019-0708
 references:
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source.yml b/rules/windows/builtin/win_susp_failed_logons_single_source.yml
index d3941c305..d8727c314 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source.yml
@@ -1,4 +1,4 @@
-title: Multiple Failed Logins with Different Accounts from Single Source System
+title: Failed Logins with Different Accounts from Single Source System
 id: e98374a6-e2d9-4076-9b5c-11bdb2569995
 description: Detects suspicious failed logins with different user accounts from a single source system
 author: Florian Roth
diff --git a/rules/windows/builtin/win_susp_psexec.yml b/rules/windows/builtin/win_susp_psexec.yml
index 27aa7dc1f..f48f593b6 100644
--- a/rules/windows/builtin/win_susp_psexec.yml
+++ b/rules/windows/builtin/win_susp_psexec.yml
@@ -1,4 +1,4 @@
-title: Suspicious PsExec execution
+title: Suspicious PsExec Execution
 id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82
 description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
diff --git a/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml b/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
index dbd7063bc..a513873b2 100644
--- a/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
+++ b/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
@@ -1,4 +1,4 @@
-title: Suspicious access to sensitive file extensions
+title: Suspicious Access to Sensitive File Extensions
 id: 91c945bc-2ad1-4799-a591-4d00198a1215
 description: Detects known sensitive file extensions
 author: Samir Bousseaden
diff --git a/rules/windows/builtin/win_svcctl_remote_service.yml b/rules/windows/builtin/win_svcctl_remote_service.yml
index 3395df59e..eaffe17d1 100644
--- a/rules/windows/builtin/win_svcctl_remote_service.yml
+++ b/rules/windows/builtin/win_svcctl_remote_service.yml
@@ -1,4 +1,4 @@
-title: Remote Service Activity Detected via SVCCTL named pipe
+title: Remote Service Activity via SVCCTL Named Pipe
 id: 586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3
 description: Detects remote remote service activity via remote access to the svcctl named pipe
 author: Samir Bousseaden
diff --git a/rules/windows/builtin/win_user_creation.yml b/rules/windows/builtin/win_user_creation.yml
index f639370f6..5b617eda7 100644
--- a/rules/windows/builtin/win_user_creation.yml
+++ b/rules/windows/builtin/win_user_creation.yml
@@ -1,4 +1,4 @@
-title: Detects local user creation
+title: Local User Creation
 id: 66b6be3d-55d0-4f47-9855-d69df21740ea
 description: Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows server logs and not on your DC logs.
diff --git a/rules/windows/powershell/powershell_exe_calling_ps.yml b/rules/windows/powershell/powershell_exe_calling_ps.yml
index 531404d2e..28448cc58 100644
--- a/rules/windows/powershell/powershell_exe_calling_ps.yml
+++ b/rules/windows/powershell/powershell_exe_calling_ps.yml
@@ -1,4 +1,4 @@
-title: PowerShell called from an Executable Version Mismatch
+title: PowerShell Called from an Executable Version Mismatch
 id: c70e019b-1479-4b65-b0cc-cd0c6093a599
 status: experimental
 description: Detects PowerShell called from an executable by the version mismatch method
diff --git a/rules/windows/process_creation/win_attrib_hiding_files.yml b/rules/windows/process_creation/win_attrib_hiding_files.yml
index f6aebbc9a..ec753dcfd 100644
--- a/rules/windows/process_creation/win_attrib_hiding_files.yml
+++ b/rules/windows/process_creation/win_attrib_hiding_files.yml
@@ -1,4 +1,4 @@
-title: Hiding files with attrib.exe
+title: Hiding Files with Attrib.exe
 id: 4281cb20-2994-4580-aa63-c8b86d019934
 status: experimental
 description: Detects usage of attrib.exe to hide files from users.
diff --git a/rules/windows/process_creation/win_exploit_cve_2017_11882.yml b/rules/windows/process_creation/win_exploit_cve_2017_11882.yml
index bcd419372..2f0d8d08f 100644
--- a/rules/windows/process_creation/win_exploit_cve_2017_11882.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2017_11882.yml
@@ -1,4 +1,4 @@
-title: Droppers exploiting CVE-2017-11882
+title: Droppers Exploiting CVE-2017-11882
 id: 678eb5f4-8597-4be6-8be7-905e4234b53a
 status: experimental
 description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
diff --git a/rules/windows/process_creation/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml b/rules/windows/process_creation/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
index 7af780f68..c945f4093 100644
--- a/rules/windows/process_creation/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
+++ b/rules/windows/process_creation/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
@@ -1,4 +1,4 @@
-title: Windows Kernel and 3rd-party drivers exploits. Token stealing
+title: Windows Kernel and 3rd-Party Drivers Exploits Token Stealing
 id: 8065b1b4-1778-4427-877f-6bf948b26d38
 description: Detection of child processes spawned with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level
 references:
@@ -23,4 +23,4 @@ falsepositives:
 level: critical
 enrichment:
 - EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x
- - EN_0002_enrich_sysmon_event_id_1_with_parent_info # http://bit.ly/2KmSC0l
\ No newline at end of file
+ - EN_0002_enrich_sysmon_event_id_1_with_parent_info # http://bit.ly/2KmSC0l
diff --git a/rules/windows/process_creation/win_lethalhta.yml b/rules/windows/process_creation/win_lethalhta.yml
index 8c1f14011..80496bc9c 100644
--- a/rules/windows/process_creation/win_lethalhta.yml
+++ b/rules/windows/process_creation/win_lethalhta.yml
@@ -1,7 +1,7 @@
-title: MSHTA spwaned by SVCHOST as seen in LethalHTA
+title: MSHTA Spwaned by SVCHOST
 id: ed5d72a6-f8f4-479d-ba79-02f6a80d7471
 status: experimental
-description: Detects MSHTA.EXE spwaned by SVCHOST described in report
+description: Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described in report
 references:
 - https://codewhitesec.blogspot.com/2018/07/lethalhta.html
 tags:
diff --git a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
index 52b2847e3..5d8a80358 100644
--- a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
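Review bot: The win_lethalhta.yml hunk rewrites both the title and the description but carries the misspelling "spwaned" into both new lines, so the typo survives the very lines this commit touches. Since the rule title is what analysts see in alerts and dashboards, the two added lines should read `title: MSHTA Spawned by SVCHOST` and `description: Detects MSHTA.EXE spawned by SVCHOST as seen in LethalHTA and described in report`. The moved "as seen in LethalHTA" phrase itself is fine where it now sits.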
+++ b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
@@ -1,4 +1,4 @@
-title: Executable used by PlugX in Uncommon Location - Sysmon Version
+title: Executable Used by PlugX in Uncommon Location
 id: aeab5ec5-be14-471a-80e8-e344418305c2
 status: experimental
 description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
@@ -59,7 +59,7 @@ detection:
 selection_msseces:
 Image: '*\msseces.exe'
 filter_msseces:
- Image: 
+ Image:
 - '*\Microsoft Security Center\\*'
 - '*\Microsoft Security Client\\*'
 - '*\Microsoft Security Essentials\\*'
diff --git a/rules/windows/process_creation/win_silenttrinity_stage_use.yml b/rules/windows/process_creation/win_silenttrinity_stage_use.yml
index d81bcd385..a59e26e4a 100644
--- a/rules/windows/process_creation/win_silenttrinity_stage_use.yml
+++ b/rules/windows/process_creation/win_silenttrinity_stage_use.yml
@@ -1,5 +1,5 @@
 action: global
-title: SILENTTRINITY stager execution
+title: SILENTTRINITY Stager Execution
 id: 03552375-cc2c-4883-bbe4-7958d5a980be
 status: experimental
 description: Detects SILENTTRINITY stager use
diff --git a/rules/windows/process_creation/win_susp_bcdedit.yml b/rules/windows/process_creation/win_susp_bcdedit.yml
index f3fa6810f..3281b1610 100644
--- a/rules/windows/process_creation/win_susp_bcdedit.yml
+++ b/rules/windows/process_creation/win_susp_bcdedit.yml
@@ -1,4 +1,4 @@
-title: Possible Ransomware or unauthorized MBR modifications
+title: Possible Ransomware or Unauthorized MBR Modifications
 id: c9fbe8e9-119d-40a6-9b59-dd58a5d84429
 status: experimental
 description: Detects, possibly, malicious unauthorized usage of bcdedit.exe
diff --git a/rules/windows/process_creation/win_susp_bginfo.yml b/rules/windows/process_creation/win_susp_bginfo.yml
index 34f34a3db..03af5d086 100644
--- a/rules/windows/process_creation/win_susp_bginfo.yml
+++ b/rules/windows/process_creation/win_susp_bginfo.yml
@@ -1,4 +1,4 @@
-title: Application whitelisting bypass via bginfo
+title: Application Whitelisting Bypass via Bginfo
 id: aaf46cdc-934e-4284-b329-34aa701e3771
 status: experimental
 description: Execute VBscript code that is referenced within the *.bgi file.
diff --git a/rules/windows/process_creation/win_susp_cdb.yml b/rules/windows/process_creation/win_susp_cdb.yml
index 4e61d1445..ff05f42fa 100644
--- a/rules/windows/process_creation/win_susp_cdb.yml
+++ b/rules/windows/process_creation/win_susp_cdb.yml
@@ -1,4 +1,4 @@
-title: Possible Application Whitelisting Bypass via WinDbg/CDB as a shellcode runner
+title: Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner
 id: b5c7395f-e501-4a08-94d4-57fe7a9da9d2
 status: experimental
 description: Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.
diff --git a/rules/windows/process_creation/win_susp_cmd_http_appdata.yml b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml
index 8b07ae043..92445f877 100644
--- a/rules/windows/process_creation/win_susp_cmd_http_appdata.yml
+++ b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml
@@ -1,4 +1,4 @@
-title: Command Line Execution with suspicious URL and AppData Strings
+title: Command Line Execution with Suspicious URL and AppData Strings
 id: 1ac8666b-046f-4201-8aba-1951aaec03a3
 status: experimental
 description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs
diff --git a/rules/windows/process_creation/win_susp_comsvcs_procdump.yml b/rules/windows/process_creation/win_susp_comsvcs_procdump.yml
index 29cb98008..bcab5a8ec 100644
--- a/rules/windows/process_creation/win_susp_comsvcs_procdump.yml
+++ b/rules/windows/process_creation/win_susp_comsvcs_procdump.yml
@@ -1,4 +1,4 @@
-title: Process dump via comsvcs DLL
+title: Process Dump via Comsvcs DLL
 id: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c
 status: experimental
 description: Detects process memory dump via comsvcs.dll and rundll32
diff --git a/rules/windows/process_creation/win_susp_dctask64_proc_inject.yml b/rules/windows/process_creation/win_susp_dctask64_proc_inject.yml
index 24eaed4cf..17da01c08 100644
--- a/rules/windows/process_creation/win_susp_dctask64_proc_inject.yml
+++ b/rules/windows/process_creation/win_susp_dctask64_proc_inject.yml
@@ -1,7 +1,7 @@
-title: ZOHO dctask64 Process Injection
+title: ZOHO Dctask64 Process Injection
 id: 6345b048-8441-43a7-9bed-541133633d7a
 status: experimental
-description: Detects suspicious process injection using ZOHO's dctask64.exe 
+description: Detects suspicious process injection using ZOHO's dctask64.exe
 references:
 - https://twitter.com/gN3mes1s/status/1222088214581825540
 - https://twitter.com/gN3mes1s/status/1222095963789111296
diff --git a/rules/windows/process_creation/win_susp_devtoolslauncher.yml b/rules/windows/process_creation/win_susp_devtoolslauncher.yml
index 63e0d0db7..157a42c4b 100644
--- a/rules/windows/process_creation/win_susp_devtoolslauncher.yml
+++ b/rules/windows/process_creation/win_susp_devtoolslauncher.yml
@@ -1,4 +1,4 @@
-title: Devtoolslauncher.exe executes specified binary
+title: Devtoolslauncher.exe Executes Specified Binary
 id: cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6
 status: experimental
 description: The Devtoolslauncher.exe executes other binary
diff --git a/rules/windows/process_creation/win_susp_dnx.yml b/rules/windows/process_creation/win_susp_dnx.yml
index ce4a9c751..b2c7a11c9 100644
--- a/rules/windows/process_creation/win_susp_dnx.yml
+++ b/rules/windows/process_creation/win_susp_dnx.yml
@@ -1,4 +1,4 @@
-title: Application Whitelisting bypass via dnx.exe
+title: Application Whitelisting Bypass via Dnx.exe
 id: 81ebd28b-9607-4478-bf06-974ed9d53ed7
 status: experimental
 description: Execute C# code located in the consoleapp folder
diff --git a/rules/windows/process_creation/win_susp_dxcap.yml b/rules/windows/process_creation/win_susp_dxcap.yml
index db1d01df6..d853cdc0a 100644
--- a/rules/windows/process_creation/win_susp_dxcap.yml
+++ b/rules/windows/process_creation/win_susp_dxcap.yml
@@ -1,4 +1,4 @@
-title: Application Whitelisting bypass via dxcap.exe
+title: Application Whitelisting Bypass via Dxcap.exe
 id: 60f16a96-db70-42eb-8f76-16763e333590
 status: experimental
 description: Detects execution of of Dxcap.exe
diff --git a/rules/windows/process_creation/win_susp_eventlog_clear.yml b/rules/windows/process_creation/win_susp_eventlog_clear.yml
index 72382b5af..6209f756d 100644
--- a/rules/windows/process_creation/win_susp_eventlog_clear.yml
+++ b/rules/windows/process_creation/win_susp_eventlog_clear.yml
@@ -1,4 +1,4 @@
-title: Suspicious eventlog clear or configuration using wevtutil
+title: Suspicious Eventlog Clear or Configuration Using Wevtutil
 id: cc36992a-4671-4f21-a91d-6c2b72a2edf5
 description: Detects clearing or configuration of eventlogs uwing wevtutil. Might be used by ransomwares during the attack (seen by NotPetya and others)
 author: Ecco
@@ -25,7 +25,7 @@ detection:
 selection_disable_2:
 CommandLine: '* set-log *'
 condition: (1 of selection_binary_*) and (1 of selection_clear_* or 1 of selection_disable_*)
- 
+
 falsepositives:
 - Admin activity
 - Scripts and administrative tools used in the monitored environment
diff --git a/rules/windows/process_creation/win_susp_fsutil_usage.yml b/rules/windows/process_creation/win_susp_fsutil_usage.yml
index 3312175fa..c4370c631 100644
--- a/rules/windows/process_creation/win_susp_fsutil_usage.yml
+++ b/rules/windows/process_creation/win_susp_fsutil_usage.yml
@@ -1,4 +1,4 @@
-title: Fsutil suspicious invocation
+title: Fsutil Suspicious Invocation
 id: add64136-62e5-48ea-807e-88638d02df1e
 description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size..). Might be used by ransomwares during the attack (seen by NotPetya and others)
@@ -16,12 +16,12 @@ detection:
 binary_2:
 OriginalFileName: 'fsutil.exe'
 selection:
- CommandLine: 
+ CommandLine:
 - '* deletejournal *' # usn deletejournal ==> generally ransomware or attacker
 - '* createjournal *' # usn createjournal ==> can modify config to set it to a tiny size
- 
+
 condition: (1 of binary_*) and selection
- 
+
 falsepositives:
 - Admin activity
 - Scripts and administrative tools used in the monitored environment
diff --git a/rules/windows/process_creation/win_susp_msoffice.yml b/rules/windows/process_creation/win_susp_msoffice.yml
index a830ada81..857f51c59 100644
--- a/rules/windows/process_creation/win_susp_msoffice.yml
+++ b/rules/windows/process_creation/win_susp_msoffice.yml
@@ -1,4 +1,4 @@
-title: Malicious payload download via Office binaries
+title: Malicious Payload Download via Office Binaries
 id: 0c79148b-118e-472b-bdb7-9b57b444cc19
 status: experimental
 description: Downloads payload from remote server
@@ -18,7 +18,7 @@ logsource:
 product: windows
 detection:
 selection:
- Image|endswith: 
+ Image|endswith:
 - '\powerpnt.exe'
 - '\winword.exe'
 - '\excel.exe'
diff --git a/rules/windows/process_creation/win_susp_odbcconf.yml b/rules/windows/process_creation/win_susp_odbcconf.yml
index df649d2c4..80de862ff 100644
--- a/rules/windows/process_creation/win_susp_odbcconf.yml
+++ b/rules/windows/process_creation/win_susp_odbcconf.yml
@@ -1,4 +1,4 @@
-title: Possible Application Whitelisting Bypass via dll loaded by odbcconf.exe
+title: Application Whitelisting Bypass via DLL Loaded by odbcconf.exe
 id: 65d2be45-8600-4042-b4c0-577a1ff8a60e
 description: Detects defence evasion attempt via odbcconf.exe execution to load DLL
 status: experimental
@@ -18,7 +18,7 @@ logsource:
 detection:
 selection_1:
 Image|endswith: '\odbcconf.exe'
- CommandLine|contains: 
+ CommandLine|contains:
 - '-f'
 - 'regsvr'
 selection_2:
diff --git a/rules/windows/process_creation/win_susp_openwith.yml b/rules/windows/process_creation/win_susp_openwith.yml
index 9598b80dd..5bde74f67 100644
--- a/rules/windows/process_creation/win_susp_openwith.yml
+++ b/rules/windows/process_creation/win_susp_openwith.yml
@@ -1,4 +1,4 @@
-title: OpenWith.exe executes specified binary
+title: OpenWith.exe Executes Specified Binary
 id: cec8e918-30f7-4e2d-9bfa-a59cc97ae60f
 status: experimental
 description: The OpenWith.exe executes other binary
diff --git a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
index 4476b047d..7da4d36d5 100644
--- a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
+++ b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
@@ -1,4 +1,4 @@
-title: Malicious Base64 encoded PowerShell Keywords in command lines
+title: Malicious Base64 Encoded PowerShell Keywords in Command Lines
 id: f26c6093-6f14-4b12-800f-0fcb46f5ffd0
 status: experimental
 description: Detects base64 encoded strings used in hidden malicious PowerShell command lines
diff --git a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml
index 6ffb5b18c..32e9e2969 100644
--- a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml
+++ b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml
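Review bot: The first hunk of win_susp_odbcconf.yml drops "Possible" from the title while the rule's own selection (visible in the second hunk) only matches `-f` or `regsvr` on the odbcconf.exe command line, which the rule already qualifies in its description as an "attempt"; the sibling win_susp_cdb.yml hunk in this same patch keeps "Possible" when shortening. If the shortening is only about length, keeping the hedge and trimming elsewhere would be consistent, e.g. `title: Possible App Whitelisting Bypass via DLL Loaded by odbcconf.exe`. The rest of that file's detection block is outside the hunk, so the `selection_2` condition cannot be judged here.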
@@ -1,4 +1,4 @@
-title: Suspicious PowerShell Invocation based on Parent Process
+title: Suspicious PowerShell Invocation Based on Parent Process
id: 95eadcb2-92e4-4ed1-9031-92547773a6db
status: experimental
description: Detects suspicious powershell invocations from interpreters or unusual programs
diff --git a/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml b/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml
index dd0801cf5..f72593ed8 100644
--- a/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml
+++ b/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml
@@ -1,4 +1,4 @@
-title: psr.exe capture screenshots
+title: Psr.exe Capture Screenshots
id: 2158f96f-43c2-43cb-952a-ab4580f32382
status: experimental
description: The psr.exe captures desktop screenshots and saves them on the local machine
@@ -19,6 +19,6 @@ detection:
selection:
Image|endswith: '\Psr.exe'
CommandLine|contains: '/start'
- condition: selection
+ condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_susp_renamed_dctask64.yml b/rules/windows/process_creation/win_susp_renamed_dctask64.yml
index ff5b95735..53a3ea172 100644
--- a/rules/windows/process_creation/win_susp_renamed_dctask64.yml
+++ b/rules/windows/process_creation/win_susp_renamed_dctask64.yml
@@ -1,4 +1,4 @@
-title: Renamed ZOHO dctask64
+title: Renamed ZOHO Dctask64
id: 340a090b-c4e9-412e-bb36-b4b16fe96f9b
status: experimental
description: Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation
diff --git a/rules/windows/process_creation/win_susp_svchost_no_cli.yml b/rules/windows/process_creation/win_susp_svchost_no_cli.yml
index 3fc9143c8..e4829b14d 100644
--- a/rules/windows/process_creation/win_susp_svchost_no_cli.yml
+++ b/rules/windows/process_creation/win_susp_svchost_no_cli.yml
@@ -1,4 +1,4 @@
-title: Suspect svchost Activity
+title: Suspect Svchost Activity
id: 16c37b52-b141-42a5-a3ea-bbe098444397
status: experimental
description: It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.
@@ -26,4 +26,4 @@ fields:
- ParentCommandLine
falsepositives:
- rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf
-level: critical
\ No newline at end of file
+level: critical
diff --git a/rules/windows/process_creation/win_susp_wmi_execution.yml b/rules/windows/process_creation/win_susp_wmi_execution.yml
index dd9091e4d..b57efa6c4 100644
--- a/rules/windows/process_creation/win_susp_wmi_execution.yml
+++ b/rules/windows/process_creation/win_susp_wmi_execution.yml
@@ -1,4 +1,4 @@
-title: Suspicious WMI execution
+title: Suspicious WMI Execution
id: 526be59f-a573-4eea-b5f7-f0973207634d
status: experimental
description: Detects WMI executing suspicious commands
diff --git a/rules/windows/process_creation/win_sysmon_driver_unload.yml b/rules/windows/process_creation/win_sysmon_driver_unload.yml
index 664a611bb..8989f4125 100644
--- a/rules/windows/process_creation/win_sysmon_driver_unload.yml
+++ b/rules/windows/process_creation/win_sysmon_driver_unload.yml
@@ -1,4 +1,4 @@
-title: Sysmon driver unload
+title: Sysmon Driver Unload
id: 4d7cda18-1b12-4e52-b45c-d28653210df8
status: experimental
author: Kirill Kiryanov, oscd.community
diff --git a/rules/windows/process_creation/win_win10_sched_task_0day.yml b/rules/windows/process_creation/win_win10_sched_task_0day.yml
index 4b5ce21c6..60534f546 100644
--- a/rules/windows/process_creation/win_win10_sched_task_0day.yml
+++ b/rules/windows/process_creation/win_win10_sched_task_0day.yml
@@ -1,4 +1,4 @@
-title: Windows 10 scheduled task SandboxEscaper 0-day
+title: Windows 10 Scheduled Task SandboxEscaper 0-day
id: 931b6802-d6a6-4267-9ffa-526f57f22aaf
status: experimental
description: Detects Task Scheduler .job import arbitrary DACL write\par
diff --git a/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml b/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml
index 5e00f11f0..3432e7c23 100644
--- a/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml
+++ b/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml
@@ -1,4 +1,4 @@
-title: DHCP Callout DLL installation
+title: DHCP Callout DLL Installation
id: 9d3436ef-9476-4c43-acca-90ce06bdf33a
status: experimental
description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the
@@ -19,7 +19,7 @@ logsource:
detection:
selection:
EventID: 13
- TargetObject:
+ TargetObject:
- '*\Services\DHCPServer\Parameters\CalloutDlls'
- '*\Services\DHCPServer\Parameters\CalloutEnabled'
condition: selection
diff --git a/rules/windows/sysmon/sysmon_invoke_phantom.yml b/rules/windows/sysmon/sysmon_invoke_phantom.yml
index 622ad5aed..5ed1498c8 100644
--- a/rules/windows/sysmon/sysmon_invoke_phantom.yml
+++ b/rules/windows/sysmon/sysmon_invoke_phantom.yml
@@ -1,4 +1,4 @@
-title: Suspect svchost memory access
+title: Suspect Svchost Memory Asccess
id: 166e9c50-8cd9-44af-815d-d1f0c0e90dde
status: experimental
description: Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.
diff --git a/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml b/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml
index c93237652..ee2e85eac 100644
--- a/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml
+++ b/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml
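Review bot: The new title line in sysmon_invoke_phantom.yml introduces a typo: `+title: Suspect Svchost Memory Asccess` should read `title: Suspect Svchost Memory Access`. The old line spelled "access" correctly, so this is a regression from the casing pass rather than an inherited defect. Because Sigma titles are what most backends surface as the alert name, the misspelling would propagate into every converted SIEM rule and dashboard built from this file.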
@@ -1,4 +1,4 @@
-title: RDP over Reverse SSH Tunnel
+title: RDP Over Reverse SSH Tunnel
id: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4
status: experimental
description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
@@ -19,7 +19,7 @@ detection:
EventID: 3
Image: '*\svchost.exe'
Initiated: 'true'
- SourcePort: 3389
+ SourcePort: 3389
DestinationIp:
- '127.*'
- '::1'
diff --git a/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml b/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml
index bb32eae49..3ee5decf1 100644
--- a/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml
+++ b/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml
@@ -1,4 +1,4 @@
-title: Windows Registry Persistence - COM key linking
+title: Windows Registry Persistence COM Key Linking
id: 9b0f8a61-91b2-464f-aceb-0527e0a45020
status: experimental
description: Detects COM object hijacking via TreatAs subkey
@@ -20,6 +20,6 @@ detection:
TargetObject|contains: '_Classes\CLSID\'
TargetObject|endswith: '\TreatAs'
condition: selection
-falsepositives:
+falsepositives:
- Maybe some system utilities in rare cases use linking keys for backward compability
level: medium
diff --git a/rules/windows/sysmon/sysmon_ssp_added_lsa_config.yml b/rules/windows/sysmon/sysmon_ssp_added_lsa_config.yml
index 191a95728..b98841dbe 100644
--- a/rules/windows/sysmon/sysmon_ssp_added_lsa_config.yml
+++ b/rules/windows/sysmon/sysmon_ssp_added_lsa_config.yml
@@ -1,4 +1,4 @@
-title: Security Support Provider (SSP) added to LSA configuration
+title: Security Support Provider (SSP) Added to LSA Configuration
id: eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc
status: experimental
description: Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
@@ -16,7 +16,7 @@ logsource:
detection:
selection_registry:
EventID: 13
- TargetObject:
+ TargetObject:
- 'HKLM\System\CurrentControlSet\Control\Lsa\Security Packages'
- 'HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Security Packages'
exclusion_images:
@@ -26,4 +26,3 @@ detection:
falsepositives:
- Unlikely
level: critical
-
diff --git a/rules/windows/sysmon/sysmon_susp_file_characteristics.yml b/rules/windows/sysmon/sysmon_susp_file_characteristics.yml
index 277994a1b..27359b185 100644
--- a/rules/windows/sysmon/sysmon_susp_file_characteristics.yml
+++ b/rules/windows/sysmon/sysmon_susp_file_characteristics.yml
@@ -1,4 +1,4 @@
-title: Suspicious File Characteristics due to Missing Fields
+title: Suspicious File Characteristics Due to Missing Fields
id: 9637e8a5-7131-4f7f-bdc7-2b05d8670c43
description: Detects Executables without FileVersion,Description,Product,Company likely created with py2exe
status: experimental
@@ -24,7 +24,7 @@ detection:
Product: '\?'
selection3:
Description: '\?'
- Company: '\?'
+ Company: '\?'
condition: 1 of them
fields:
- CommandLine
diff --git a/rules/windows/sysmon/win_susp_winword_wmidll_load.yml b/rules/windows/sysmon/sysmon_susp_winword_wmidll_load.yml
similarity index 93%
rename from rules/windows/sysmon/win_susp_winword_wmidll_load.yml
rename to rules/windows/sysmon/sysmon_susp_winword_wmidll_load.yml
index f49e531e4..38914687d 100644
--- a/rules/windows/sysmon/win_susp_winword_wmidll_load.yml
+++ b/rules/windows/sysmon/sysmon_susp_winword_wmidll_load.yml
@@ -1,4 +1,4 @@
-title: Suspicious Windows Mangement Instrumentation DLL Loaded Via Microsoft Word
+title: Windows Mangement Instrumentation DLL Loaded Via Microsoft Word
id: a457f232-7df9-491d-898f-b5aabd2cbe2f
status: experimental
description: Detects DLL's Loaded Via Word Containing VBA Macros Executing WMI Commands
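Review bot: The rewritten title line of the renamed sysmon_susp_winword_wmidll_load.yml keeps the misspelling "Mangement": `+title: Windows Mangement Instrumentation DLL Loaded Via Microsoft Word` should be `title: Windows Management Instrumentation DLL Loaded Via Microsoft Word`. Since the line is already being touched for casing and this commit exists to clean up titles, fixing the word here avoids a second edit to a file that was just renamed. Dropping the leading "Suspicious" is reasonable, but note that the rest of the rule (logsource and detection) lies outside this hunk, so I cannot confirm the shortened title still matches what the detection actually keys on.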
diff --git a/rules/windows/sysmon/sysmon_tsclient_filewrite_startup.yml b/rules/windows/sysmon/sysmon_tsclient_filewrite_startup.yml
index 419380dd6..c26821f2c 100644
--- a/rules/windows/sysmon/sysmon_tsclient_filewrite_startup.yml
+++ b/rules/windows/sysmon/sysmon_tsclient_filewrite_startup.yml
@@ -1,4 +1,4 @@
-title: Hijack legit RDP session to move laterally
+title: Hijack Legit RDP Session to Move Laterally
id: 52753ea4-b3a0-4365-910d-36cff487b789
status: experimental
description: Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder
diff --git a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml
index 2bc390154..12b73f3a0 100644
--- a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml
+++ b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml
@@ -1,4 +1,4 @@
-title: UAC Bypass via sdclt
+title: UAC Bypass via Sdclt
id: 5b872a46-3b90-45c1-8419-f675db8053aa
status: experimental
description: Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand
diff --git a/rules/windows/sysmon/sysmon_webshell_creation_detect.yml b/rules/windows/sysmon/sysmon_webshell_creation_detect.yml
index 67fc600d9..6973e0193 100644
--- a/rules/windows/sysmon/sysmon_webshell_creation_detect.yml
+++ b/rules/windows/sysmon/sysmon_webshell_creation_detect.yml
@@ -1,4 +1,4 @@
-title: Windows webshell creation
+title: Windows Webshell Creation
id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
status: experimental
description: Posible webshell file creation on a static web site
@@ -19,12 +19,12 @@ detection:
EventID: 11
selection_2:
TargetFilename|contains: '\inetpub\wwwroot\'
- selection_3:
+ selection_3:
TargetFilename|contains:
- '.asp'
- '.ashx'
- '.ph'
- selection_4:
+ selection_4:
TargetFilename|contains:
- '\www\'
- '\htdocs\'
@@ -32,10 +32,10 @@ detection:
selection_5:
TargetFilename|contains: '.ph'
selection_6:
- - TargetFilename|contains|all:
+ - TargetFilename|contains|all:
- '\'
- '.jsp'
- - TargetFilename|contains|all:
+ - TargetFilename|contains|all:
- '\cgi-bin\'
- '.pl'
condition: selection_1 and ( selection_2 and selection_3 ) or