Merge branch 'SigmaHQ:master' into master
This commit is contained in:
mlp1515
@@ -0,0 +1,23 @@
|
||||
title: SVCHOST Credential Dump
|
||||
id: 174afcfa-6e40-4ae9-af64-496546389294
|
||||
description: Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials
|
||||
date: 2021/04/30
|
||||
author: Florent Labouyrie
|
||||
logsource:
|
||||
product: windows
|
||||
category: process_access
|
||||
tags:
|
||||
- attack.t1548
|
||||
detection:
|
||||
selection_process:
|
||||
TargetImage|endswith: '\svchost.exe'
|
||||
selection_memory:
|
||||
GrantedAccess: '0x143a'
|
||||
filter_trusted_process_access:
|
||||
SourceImage|endswith:
|
||||
- '*\services.exe'
|
||||
- '*\msiexec.exe'
|
||||
condition: selection_process and selection_memory and not filter_trusted_process_access
|
||||
falsepositives:
|
||||
- Non identified legit exectubale
|
||||
level: critical
|
||||
@@ -1,32 +1,38 @@
|
||||
action: global
|
||||
title: Sysmon Configuration Modification
|
||||
id: 1f2b5353-573f-4880-8e33-7d04dcf97744
|
||||
description: Someone try to hide from Sysmon
|
||||
status: experimental
|
||||
author: frack113
|
||||
date: 2021/06/04
|
||||
modified: 2021/06/10
|
||||
references:
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
|
||||
- https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.t1564
|
||||
falsepositives:
|
||||
- legitimate administrative action
|
||||
level: high
|
||||
---
|
||||
logsource:
|
||||
product: windows
|
||||
service: sysmon
|
||||
category: sysmon_status
|
||||
detection:
|
||||
selection_stop:
|
||||
EventID: 4
|
||||
State: Stopped
|
||||
selection_conf:
|
||||
EventID: 16
|
||||
message|startswith:
|
||||
- 'Sysmon config state changed'
|
||||
condition: selection_stop or selection_conf
|
||||
---
|
||||
logsource:
|
||||
product: windows
|
||||
category: sysmon_error
|
||||
detection:
|
||||
selection_error:
|
||||
EventID: 255
|
||||
Description|contains:
|
||||
- 'Failed to open service configuration with error'
|
||||
- 'Failed to connect to the driver to update configuration'
|
||||
condition: 1 of them
|
||||
falsepositives:
|
||||
- legitimate administrative action
|
||||
level: high
|
||||
condition: selection_error
|
||||
@@ -3,6 +3,7 @@ id: 7bd3902d-8b8b-4dd4-838a-c6862d40150d
|
||||
description: Detects Azure Hybrid Connection Manager services querying the Azure service bus service
|
||||
status: experimental
|
||||
date: 2021/04/12
|
||||
modified: 2021/06/10
|
||||
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
|
||||
tags:
|
||||
- attack.persistence
|
||||
@@ -10,10 +11,9 @@ references:
|
||||
- https://twitter.com/Cyb3rWard0g/status/1381642789369286662
|
||||
logsource:
|
||||
product: windows
|
||||
service: sysmon
|
||||
category: dns_query
|
||||
detection:
|
||||
selection:
|
||||
EventID: 22
|
||||
QueryName|contains: servicebus.windows.net
|
||||
Image|contains: HybridConnectionManager
|
||||
condition: selection
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
action: global
|
||||
title: Wmiprvse Wbemcomn DLL Hijack
|
||||
id: 614a7e17-5643-4d89-b6fe-f9df1a79641c
|
||||
description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
|
||||
status: experimental
|
||||
date: 2020/10/12
|
||||
modified: 2021/06/10
|
||||
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
|
||||
tags:
|
||||
- attack.execution
|
||||
@@ -11,19 +13,24 @@ tags:
|
||||
- attack.t1021.002
|
||||
references:
|
||||
- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html
|
||||
logsource:
|
||||
product: windows
|
||||
service: sysmon
|
||||
detection:
|
||||
selection_one:
|
||||
EventID: 11
|
||||
Image: System
|
||||
TargetFilename|endswith: '\wbem\wbemcomn.dll'
|
||||
selection_two:
|
||||
EventID: 7
|
||||
Image|endswith: '\wmiprvse.exe'
|
||||
ImageLoaded|endswith: '\wbem\wbemcomn.dll'
|
||||
condition: selection_one or selection_two
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: critical
|
||||
level: critical
|
||||
---
|
||||
logsource:
|
||||
product: windows
|
||||
category: file_event
|
||||
detection:
|
||||
selection:
|
||||
Image: System
|
||||
TargetFilename|endswith: '\wbem\wbemcomn.dll'
|
||||
condition: selection
|
||||
---
|
||||
logsource:
|
||||
product: windows
|
||||
category: image_load
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith: '\wmiprvse.exe'
|
||||
ImageLoaded|endswith: '\wbem\wbemcomn.dll'
|
||||
condition: selection
|
||||
|
||||
Reference in New Issue
Block a user