Merge branch 'SigmaHQ:master' into master

This commit is contained in:
mvelazco
2021-06-03 14:54:41 -07:00
211 changed files with 2479 additions and 552 deletions
+1
@@ -23,6 +23,7 @@ jobs:
run: |
python -m pip install --upgrade pip
pip install pipenv
pipenv lock
pipenv install --dev --deploy
- name: Test Sigma Tools and Rules
run: |
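Review bot: If `pipenv lock` is the line this hunk adds (the hunk carries a single addition and the lockfile is regenerated elsewhere in this commit), running it immediately before `pipenv install --dev --deploy` re-resolves every dependency at CI time and rewrites Pipfile.lock, so the `--deploy` check that the lockfile matches the Pipfile can never fail and the committed hash-pinned lockfile no longer governs what CI installs. That trades reproducible, reviewable pins for whatever PyPI serves on the day the job runs. If the intent is only to keep the lockfile current, do that in a dedicated job that commits the result, and keep the test job on `pipenv install --dev --deploy` alone. The enclosing `run: |` block ends outside the hunk.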
+2 -2
@@ -15,8 +15,8 @@ stix2 = "*"
attackcti = "*"
[packages]
requests = "~=2.23"
urllib3 = "~=1.25"
requests = "~=2.25"
urllib3 = "~=1.26"
progressbar2 = "~=3.47"
pymisp = "~=2.4.123"
PyYAML = "~=5.1"
+32 -54
@@ -1,7 +1,7 @@
{
"_meta": {
"hash": {
"sha256": "6f2116e6d1b332715efdc61c59a958c9226831cb7e19fcd4cea3f4c569d90687"
"sha256": "9d6e50bfd41bb3de5ebbae350555fe4b67c24e2c186aac053905a7740a69e8b2"
},
"pipfile-spec": 6,
"requires": {
@@ -18,25 +18,23 @@
"default": {
"attrs": {
"hashes": [
"sha256:31b2eced602aa8423c2aea9c76a724617ed67cf9513173fd3a4f03e3a929c7e6",
"sha256:832aa3cde19744e49938b91fea06d69ecb9e649c93ba974535d08ad92164f700"
"sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1",
"sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==20.3.0"
"version": "==21.2.0"
},
"certifi": {
"hashes": [
"sha256:1a4995114262bffbc2413b159f2a1a480c969de6e6eb13ee966d470af86af59c",
"sha256:719a74fb9e33b9bd44cc7f3a8d94bc35e4049deebe19ba7d8e108280cfd59830"
"sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee",
"sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8"
],
"version": "==2020.12.5"
"version": "==2021.5.30"
},
"chardet": {
"hashes": [
"sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa",
"sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
"version": "==4.0.0"
},
"deprecated": {
@@ -44,7 +42,6 @@
"sha256:08452d69b6b5bc66e8330adde0a4f8642e969b9e1702904d137eeb29c8ffc771",
"sha256:6d2de2de7931a968874481ef30208fd4e08da39177d61d3d4ebdf4366e7dbca1"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==1.2.12"
},
"idna": {
@@ -52,7 +49,6 @@
"sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6",
"sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==2.10"
},
"jsonschema": {
@@ -82,7 +78,6 @@
"hashes": [
"sha256:2e636185d9eb976a18a8a8e96efce62f2905fea90041958d8cc2a189756ebf3e"
],
"markers": "python_version >= '3.5'",
"version": "==0.17.3"
},
"python-dateutil": {
@@ -90,7 +85,6 @@
"sha256:73ebfe9dbf22e832286dafa60473e4cd239f8592f699aa5adaf10050e6e1823c",
"sha256:75bb3f31ea686f1197762692a9ee6a7550b59fc6ca3a1f4b5d7e32fb98e2da2a"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==2.8.1"
},
"python-utils": {
@@ -145,19 +139,18 @@
},
"six": {
"hashes": [
"sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259",
"sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced"
"sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926",
"sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==1.15.0"
"version": "==1.16.0"
},
"urllib3": {
"hashes": [
"sha256:2f4da4594db7e1e110a944bb1b551fdf4e6c136ad42e4234131391e21eb5b0df",
"sha256:e7b021f7241115872f92f43c6508082facffbd1c048e3c6e2bb9c2a157e28937"
"sha256:753a0374df26658f99d826cfe40394a686d05985786d946fbe4165b5148f5a7c",
"sha256:a7acd0977125325f516bda9735fa7142b909a8d01e8b2e4c8108d0984e6e0098"
],
"index": "pypi",
"version": "==1.26.4"
"version": "==1.26.5"
},
"wrapt": {
"hashes": [
@@ -207,7 +200,6 @@
"sha256:f881853d2643a29e643609da57b96d5f9c9b93f62429dcc1cbb413c7d07f0e1a",
"sha256:fe60131d21b31fd1a14bd43e6bb88256f69dfc3188b3a89d736d6c71ed43ec95"
],
"markers": "python_version >= '3.6'",
"version": "==3.7.4.post0"
},
"antlr4-python3-runtime": {
@@ -222,7 +214,6 @@
"sha256:0c3c816a028d47f659d6ff5c745cb2acf1f966da1fe5c19c77a70282b25f4c5f",
"sha256:4291ca197d287d274d0b6cb5d6f8f8f82d434ed288f962539ff18cc9012f9ea3"
],
"markers": "python_full_version >= '3.5.3'",
"version": "==3.0.1"
},
"attackcti": {
@@ -235,25 +226,23 @@
},
"attrs": {
"hashes": [
"sha256:31b2eced602aa8423c2aea9c76a724617ed67cf9513173fd3a4f03e3a929c7e6",
"sha256:832aa3cde19744e49938b91fea06d69ecb9e649c93ba974535d08ad92164f700"
"sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1",
"sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==20.3.0"
"version": "==21.2.0"
},
"certifi": {
"hashes": [
"sha256:1a4995114262bffbc2413b159f2a1a480c969de6e6eb13ee966d470af86af59c",
"sha256:719a74fb9e33b9bd44cc7f3a8d94bc35e4049deebe19ba7d8e108280cfd59830"
"sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee",
"sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8"
],
"version": "==2020.12.5"
"version": "==2021.5.30"
},
"chardet": {
"hashes": [
"sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa",
"sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
"version": "==4.0.0"
},
"colorama": {
@@ -343,16 +332,14 @@
"sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6",
"sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==2.10"
},
"more-itertools": {
"hashes": [
"sha256:5652a9ac72209ed7df8d9c15daf4e1aa0e3d2ccd3c87f8265a0673cd9cbc9ced",
"sha256:c5d6da9ca3ff65220c3bfd2a8db06d698f05d4d2b9be57e1deb2be5a45019713"
"sha256:2cf89ec599962f2ddc4d568a05defc40e0a587fbc10d5989713638864c36be4d",
"sha256:83f0308e05477c68f56ea3a888172c78ed5d5b3c282addb67508e7ba6c8f813a"
],
"markers": "python_version >= '3.5'",
"version": "==8.7.0"
"version": "==8.8.0"
},
"multidict": {
"hashes": [
@@ -394,7 +381,6 @@
"sha256:f21756997ad8ef815d8ef3d34edd98804ab5ea337feedcd62fb52d22bf531281",
"sha256:fc13a9524bc18b6fb6e0dbec3533ba0496bbed167c56d0aabefd965584557d80"
],
"markers": "python_version >= '3.6'",
"version": "==5.1.0"
},
"packaging": {
@@ -402,7 +388,6 @@
"sha256:5b327ac1320dc863dca72f4514ecc086f31186744b84a230374cc1fd776feae5",
"sha256:67714da7f7bc052e064859c05c595155bd1ee9f69f76557e21f051443c20947a"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==20.9"
},
"pathspec": {
@@ -417,7 +402,6 @@
"sha256:15b2acde666561e1298d71b523007ed7364de07029219b604cf808bfa1c765b0",
"sha256:966c145cd83c96502c3c3868f50408687b38434af77734af1e9ca461a4081d2d"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==0.13.1"
},
"py": {
@@ -425,7 +409,6 @@
"sha256:21b81bda15b66ef5e1a777a21c4dcd9c20ad3efd0b3f817e7a809035269e1bd3",
"sha256:3b80836aa6d1feeaa108e046da6423ab8f6ceda6468545ae8d02d9d58d18818a"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==1.10.0"
},
"pyparsing": {
@@ -433,7 +416,6 @@
"sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1",
"sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b"
],
"markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==2.4.7"
},
"pytest": {
@@ -542,16 +524,14 @@
"sha256:fed0f22bf1313ff79c7fc318f7199d6c2f96d4de3234b2f12a1eab350e597c06",
"sha256:ffd4e4877a78c84d693e491b223385e0271278f5f4e1476a4962dca6824ecfeb"
],
"markers": "python_version >= '2.5' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==3.17.2"
},
"six": {
"hashes": [
"sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259",
"sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced"
"sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926",
"sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==1.15.0"
"version": "==1.16.0"
},
"stix2": {
"hashes": [
@@ -577,20 +557,19 @@
},
"typing-extensions": {
"hashes": [
"sha256:7cb407020f00f7bfc3cb3e7881628838e69d8f3fcab2f64742a5e76b2f841918",
"sha256:99d4073b617d30288f569d3f13d2bd7548c3a7e4c8de87db09a9d29bb3a4a60c",
"sha256:dafc7639cde7f1b6e1acc0f457842a83e722ccca8eef5270af2d74792619a89f"
"sha256:0ac0f89795dd19de6b97debb0c6af1c70987fd80a2d62d1958f7e56fcc31b497",
"sha256:50b6f157849174217d0656f99dc82fe932884fb250826c18350e159ec6cdf342",
"sha256:779383f6086d90c99ae41cf0ff39aac8a7937a9283ce0a414e5dd782f4c94a84"
],
"markers": "python_version < '3.8'",
"version": "==3.7.4.3"
"version": "==3.10.0.0"
},
"urllib3": {
"hashes": [
"sha256:2f4da4594db7e1e110a944bb1b551fdf4e6c136ad42e4234131391e21eb5b0df",
"sha256:e7b021f7241115872f92f43c6508082facffbd1c048e3c6e2bb9c2a157e28937"
"sha256:753a0374df26658f99d826cfe40394a686d05985786d946fbe4165b5148f5a7c",
"sha256:a7acd0977125325f516bda9735fa7142b909a8d01e8b2e4c8108d0984e6e0098"
],
"index": "pypi",
"version": "==1.26.4"
"version": "==1.26.5"
},
"wcwidth": {
"hashes": [
@@ -647,7 +626,6 @@
"sha256:f0b059678fd549c66b89bed03efcabb009075bd131c248ecdf087bdb6faba24a",
"sha256:fcbb48a93e8699eae920f8d92f7160c03567b421bc17362a9ffbbd706a816f71"
],
"markers": "python_version >= '3.6'",
"version": "==1.6.3"
}
}
@@ -0,0 +1,24 @@
title: AWS Snapshot Backup Exfiltration
id: abae8fec-57bd-4f87-aff6-6e3db989843d
status: test
description: Detects the modification of an EC2 snapshot's permissions to enable access from another account
author: Darin Smith
date: 2021/05/17
references:
- https://www.justice.gov/file/1080281/download
- https://attack.mitre.org/techniques/T1537/
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: cloudtrail.amazonaws.com
events:
- eventName:
- ModifySnapshotAttribute
condition: selection_source AND events
falsepositives:
- Valid change to a snapshot's permissions
level: medium
tags:
- attack.exfiltration
- attack.t1537
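Review bot: `selection_source` keys on `eventSource: cloudtrail.amazonaws.com`, but `ModifySnapshotAttribute` is an EC2 API call and CloudTrail records it with `eventSource: ec2.amazonaws.com`, so as written the rule never matches the event it is built for; change the line to `- eventSource: ec2.amazonaws.com`. The description promises detection of permissions being opened to another account, yet `events` matches every `ModifySnapshotAttribute` call including ones that remove sharing; consider additionally keying on the `createVolumePermission` add parameter in `requestParameters` (verify the exact field path against your CloudTrail schema). The condition uses uppercase `AND` while the rest of the repository writes `and`; keep it lowercase for consistency with sibling rules in this commit.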
+1 -1
@@ -81,7 +81,7 @@ detection:
condition: selection
---
logsource:
product: firewall
category: firewall
detection:
selection1:
destination.port:
+2 -1
@@ -4,12 +4,13 @@ status: stable
description: Host Without Firewall. Alert means not complied. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
author: Alexandr Yampolskyi, SOC Prime
date: 2019/03/19
modified: 2021/05/30
references:
- https://www.cisecurity.org/controls/cis-controls-list/
- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
logsource:
product: Qualys
product: qualys
detection:
selection:
event.category: Security Policy
@@ -0,0 +1,17 @@
title: Code Injection by ld.so Preload
id: 7e3c4651-c347-40c4-b1d4-d48590fdf684
status: experimental
description: Detects the ld.so preload persistence file. See `man ld.so` for more information.
author: Christian Burkard
date: 2021/05/05
references:
- https://man7.org/linux/man-pages/man8/ld.so.8.html
logsource:
product: linux
detection:
keyword:
- '/etc/ld.so.preload'
condition: keyword
falsepositives:
- rare temporary workaround for library misconfiguration
level: high
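Review bot: The rule has no `tags` block, so it will not surface in ATT&CK-driven coverage views; the technique for `/etc/ld.so.preload` abuse is Dynamic Linker Hijacking, which would be `- attack.persistence`, `- attack.privilege_escalation`, `- attack.defense_evasion` and `- attack.t1574.006`. The logsource is only `product: linux` with a bare keyword, so any log line that merely mentions the path (package managers, configuration backups, audit scripts reading the file) fires at `level: high`; if the intended signal is a write to that file, say so in the description and, where the deployment supports it, narrow to the file-integrity or auditd source that records the write.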
+8 -4
@@ -4,14 +4,18 @@ status: experimental
description: Detects shellshock expressions in log files
author: Florian Roth
date: 2017/03/14
modified: 2021/04/28
references:
- http://rubular.com/r/zxBfjWfFYs
- https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf
logsource:
product: linux
detection:
expression:
- /\(\)\s*\t*\{.*;\s*\}\s*;/
condition: expression
keyword:
- '(){:;};'
- '() {:;};'
- '() { :;};'
- '() { :; };'
condition: keyword
falsepositives:
- Unknown
level: high
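Review bot: Replacing the `expression` regex with four literal keywords narrows coverage: the old pattern matched any whitespace run and any function body between `(){` and `};`, while the new `keyword` list only matches those exact four spacings, so the description "Detects shellshock expressions in log files" now overstates what is detected. If the regex was dropped for backend compatibility, state that in a comment above `keyword:` (for example `# literal variants only; backends with regex support should prefer the pattern \(\)\s*\{.*;\s*\}\s*;`) so maintainers know the trade-off was deliberate. `modified: 2021/04/28` predates several other edits in this commit; confirm it reflects this change.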
+18
@@ -0,0 +1,18 @@
title: Symlink Etc Passwd
id: c67fc22a-0be5-4b4f-aad5-2b32c4b69523
status: experimental
description: Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd
author: Florian Roth
date: 2019/04/05
references:
- https://www.qualys.com/2021/05/04/21nails/21nails.txt
logsource:
product: linux
detection:
keywords:
- 'ln -s -f /etc/passwd'
- 'ln -s /etc/passwd'
condition: keywords
falsepositives:
- Unknown
level: high
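Review bot: `date: 2019/04/05` on a rule added in this commit whose only reference is a May 2021 advisory looks copied from another rule; the creation date should be the date the rule was written. The rule also has no `tags` block, unlike the other new rules in this commit, so it is invisible to ATT&CK coverage tooling. Both keywords require one exact flag order and spacing, which is fine for a high-level signal but worth stating in the description so readers do not assume broader symlink coverage.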
+3 -2
@@ -5,6 +5,7 @@ status: stable
description: Detects system information discovery commands
author: Ömer Günal, oscd.community
date: 2020/10/08
modified: 2020/05/30
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md
falsepositives:
@@ -16,7 +17,7 @@ tags:
---
logsource:
product: linux
categories: process_creation
category: process_creation
detection:
selection:
Image|endswith:
@@ -31,7 +32,7 @@ detection:
---
logsource:
product: linux
categories: auditd
service: auditd
detection:
selection:
type: 'PATH'
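Review bot: The added `modified: 2020/05/30` is earlier than `date: 2020/10/08`, so the rule now claims to have been modified five months before it was created; the sibling Qualys rule touched in this commit uses `modified: 2021/05/30`, which is almost certainly the intended value. The `categories:` to `category:` and `service: auditd` corrections are right, since `categories` is not a Sigma logsource key and would have been silently ignored.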
+1 -1
@@ -1,5 +1,5 @@
title: 'File Time Attribute Change'
id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
id: 88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0
status: experimental
description: 'Detect file time attribute change to hide new or changes to existing files.'
# For this rule to work you must enable audit of process execution in OpenBSM, see
+1 -1
@@ -1,5 +1,5 @@
title: 'Credentials In Files'
id: df3fcaea-2715-4214-99c5-0056ea59eb35
id: 53b1b378-9b06-4992-b972-dde6e423d2b4
status: experimental
description: 'Detecting attempts to extract passwords with grep and laZagne'
# For this rule to work you must enable audit of process execution in OpenBSM, see
@@ -1,5 +1,5 @@
title: Macos Remote System Discovery
id: 11063ec2-de63-4153-935e-b1a8b9e616f1
id: 10227522-8429-47e6-a301-f2b2d014e7ad
status: experimental
description: Detects the enumeration of other remote systems.
author: Alejandro Ortuno, oscd.community
@@ -0,0 +1,68 @@
title: Suspicious DNS Z Flag Bit Set
id: ede05abc-2c9e-4624-9944-9ff17fdc0bf5
description: 'The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward. Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs'
date: 2021/05/04
modified: 2021/05/24
references:
- 'https://twitter.com/neu5ron/status/1346245602502443009'
- 'https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma'
- 'https://tools.ietf.org/html/rfc2929#section-2.1'
- 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS'
author: '@neu5ron, SOC Prime Team, Corelight'
tags:
- attack.t1094
- attack.t1043
- attack.command_and_control
logsource:
product: zeek
service: dns
detection:
z_flag_unset:
Z: '0'
most_probable_valid_domain:
query|contains: '.'
exclude_tlds:
query|endswith:
- '.arpa'
- '.local'
- '.ultradns.net'
- '.twtrdns.net'
- '.azuredns-prd.info'
- '.azure-dns.com'
- '.azuredns-ff.info'
- '.azuredns-ff.org'
- '.azuregov-dns.org'
exclude_query_types:
qtype_name:
- 'NS'
- 'ns'
exclude_responses:
answers|endswith: '\\x00'
exclude_netbios:
id.resp_p:
- '137'
- '138'
- '139'
condition: NOT z_flag_unset AND most_probable_valid_domain AND NOT (exclude_tlds OR exclude_tlds OR exclude_query_types OR exclude_responses OR exclude_netbios)
falsepositives:
- 'Internal or legitimate external domains using DNSSec. Verify if these are legitimate DNSSec domains and then exclude them.'
- 'If you work in a Public Sector then it may be good to exclude things like endswith ".edu", ".gov" and or ".mil"'
level: medium
fields:
- ts
- id.orig_h
- id.orig_p
- id.resp_h
- id.resp_p
- proto
- qtype_name
- qtype
- query
- answers
- rcode
- rcode_name
- trans_id
- qtype
- ttl
- AA
- uid
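Review bot: The condition lists `exclude_tlds` twice (`NOT (exclude_tlds OR exclude_tlds OR …)`) and the `fields` list contains `qtype` twice, which suggests a copy-paste slip; drop the duplicates. The description's sentence about "multiple of these files were accessed in a short period" refers to file access and does not belong to a DNS-header rule, so it should be removed or rewritten for DNS context. The rule carries no `status` field, and `attack.t1094` and `attack.t1043` are retired ATT&CK techniques; `attack.t1071.004` is the current mapping for DNS-based command and control. `Z: '0'` compares a numeric Zeek field as a string, which some backends will not treat as equal to the integer 0.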
@@ -0,0 +1,25 @@
title: CobaltStrike Malformed UAs in Malleable Profiles
id: 41b42a36-f62c-4c34-bd40-8cb804a34ad8
status: experimental
description: Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike
author: Florian Roth
date: 2021/05/06
references:
- https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/
logsource:
category: proxy
detection:
selection:
c-useragent:
- "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)"
- "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )"
- "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08"
condition: selection
falsepositives:
- Unknown
level: critical
tags:
- attack.defense_evasion
- attack.command_and_control
- attack.t1071.001
- attack.t1043 # an old one
+25
@@ -0,0 +1,25 @@
title: Exploitation of CVE-2021-26814 in Wazuh
id: b9888738-29ed-4c54-96a4-f38c57b84bb3
status: experimental
description: Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814
author: Florian Roth
date: 2021/05/22
references:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26814
- https://github.com/WickdDavid/CVE-2021-26814/blob/main/PoC.py
logsource:
category: webserver
detection:
selection:
c-uri|contains: '/manager/files?path=etc/lists/../../../../..'
condition: selection
fields:
- c-ip
- c-dns
falsepositives:
- None
level: high
tags:
- attack.initial_access
- attack.t1190
- cve.2021-21978
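Review bot: The tag `cve.2021-21978` does not match the vulnerability in the title, description and references (CVE-2021-26814), so any consumer that pivots on CVE tags will file this rule under the wrong issue; it should read `- cve.2021-26814` (matching the separator convention used elsewhere in the repository). `falsepositives: - None` departs from the `Unknown` wording used by the other new rules in this commit and makes a claim that is hard to justify for a path-traversal substring match.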
@@ -0,0 +1,23 @@
title: Exchange Exploitation CVE-2021-28480
id: a2a9d722-0acb-4096-bccc-daaf91a5037b
status: experimental
description: Detects successfull exploitation of Exchange vulnerability as reported in CVE-2021-28480
references:
- https://twitter.com/GossiTheDog/status/1392965209132871683?s=20
author: Florian Roth
date: 2021/05/14
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
c-uri|contains: '/owa/calendar/a'
cs-method: 'POST'
filter:
sc-status: 503
condition: selection and not filter
falsepositives:
- Unknown
level: critical
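Review bot: The `filter` on `sc-status: 503` is the load-bearing part of the rule (it is what turns "attempt" into "successful exploitation" as the description claims) but nothing explains why 503 is the failure code; add a comment above `filter:` such as `# 503 is the response observed for failed attempts per the referenced report; anything else is treated as success` so the logic survives future edits. The description has a typo, `successfull` should be `successful`. `c-uri|contains: '/owa/calendar/a'` is a short substring and may match ordinary calendar URLs whose next path segment starts with "a"; state the expected false-positive profile rather than `Unknown` if that has been observed.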
+20
@@ -0,0 +1,20 @@
title: Nginx Core Dump
id: 59ec40bb-322e-40ab-808d-84fa690d7e56
description: Detects a core dump of a creashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts
author: Florian Roth
date: 2021/05/31
references:
- https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps
- https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/
logsource:
product: apache
detection:
keywords:
- 'exited on signal 6 (core dumped)'
condition: keywords
falsepositives:
- Serious issues with a configuration or plugin
level: high
tags:
- attack.impact
- attack.t1499.004
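Review bot: The logsource is `product: apache` while the title, description, keyword and both references are about Nginx, so the rule will be routed to Apache log indices and never see the Nginx error log it targets; it should be `product: nginx` (or whichever logsource the repository's taxonomy defines for Nginx error logs). The description has a typo, `creashing` should be `crashing`. The rule also lacks a `status` field that the other new rules in this commit carry.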
@@ -20,7 +20,9 @@ detection:
EventID: 5145
ShareName: \\*\SYSVOL
RelativeTargetName|endswith: 'ScheduledTasks.xml'
Accesses|contains: 'WriteData'
Accesses|contains:
- 'WriteData'
- '%%4417'
condition: selection
falsepositives:
- if the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks
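Review bot: The new `'%%4417'` list entry is opaque to anyone who has not memorised Windows access-mask tokens; add a trailing comment on that line, `- '%%4417' # unresolved token for WriteData when the event's message strings are not expanded`, so the reason for matching both spellings is recorded next to the value.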
@@ -5,7 +5,7 @@ status: experimental
date: 2019/09/12
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1222_file_permissions_modification/ad_replication_user_backdoor.md
- https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190101151110.html
tags:
- attack.defense_evasion
- attack.t1222 # an old one
@@ -6,7 +6,7 @@ date: 2019/07/26
modified: 2020/08/23
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/ad_replication_non_machine_account.md
- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html
tags:
- attack.credential_access
- attack.t1003 # an old one
@@ -0,0 +1,34 @@
title: CobaltStrike Service Installations
id: 5a105d34-05fc-401e-8553-272b45c1522d
description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
author: Florian Roth, Wojciech Lesicki
references:
- https://www.sans.org/webcasts/119395
date: 2021/05/26
modified: 2021/06/03
tags:
- attack.execution
- attack.privilege_escalation
- attack.lateral_movement
- attack.t1021.002
- attack.t1543.003
- attack.t1569.002
logsource:
product: windows
service: system
detection:
selection1:
EventID: 7045
selection2:
ServiceFileName|contains|all:
- 'ADMIN$'
- '.exe'
selection3:
ServiceFileName|contains|all:
- '%COMSPEC%'
- 'start'
- 'powershell'
condition: selection1 and (selection2 or selection3)
falsepositives:
- Unknown
level: critical
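Review bot: The rule has no `status` field, unlike the other new rules in this commit; add `status: experimental` so consumers can tell it has not been validated. `selection2` fires on any 7045 whose path contains `ADMIN$` and `.exe`, which is also how some administrative deployment tools install services, so the `falsepositives: - Unknown` entry should at least mention remote service deployment tooling given `level: critical`.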
+1
@@ -34,5 +34,6 @@ detection:
condition: selection and not filter1 and not filter2 and not filter3
falsepositives:
- Valid DC Sync that is not covered by the filters; please report
- Local Domain Admin account used for Azure AD Connect
level: high
@@ -5,7 +5,7 @@ status: experimental
date: 2019/06/20
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md
- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html
tags:
- attack.credential_access
- attack.t1003 # an old one
@@ -5,7 +5,7 @@ status: experimental
date: 2019/08/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md
- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html
tags:
- attack.credential_access
- attack.t1003 # an old one
@@ -3,14 +3,16 @@ description: Detects enumeration of the global catalog (that can be performed us
author: Chakib Gzenayi (@Chak092), Hosni Mribah
id: 619b020f-0fd7-4f23-87db-3f51ef837a34
date: 2020/05/11
modified: 2020/08/23
modified: 2021/06/01
references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156
tags:
- attack.discovery
- attack.t1087 # an old one
- attack.t1087.002
logsource:
product: windows
service: system
service: security
definition: 'The advanced audit policy setting "Windows Filtering Platform > Filtering Platform Connection" must be configured for Success'
detection:
selection:
@@ -0,0 +1,25 @@
title: Hidden Local User Creation
id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538
description: Detects the creation of a local hidden user account which should not happen for event ID 4720.
status: experimental
tags:
- attack.persistence
- attack.t1136.001
references:
- https://twitter.com/SBousseaden/status/1387743867663958021
author: Christian Burkard
date: 2021/05/03
logsource:
product: windows
service: security
detection:
selection:
EventID: 4720
TargetUserName|endswith: '$'
condition: selection
fields:
- EventCode
- AccountName
falsepositives:
- unkown
level: high
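Review bot: The `fields` block names `EventCode` and `AccountName` while the selection matches on `EventID` and `TargetUserName`, so the field list refers to columns that do not exist under the field naming the rule itself uses; make it `- EventID` and `- TargetUserName`. `falsepositives: - unkown` has a typo and should be `Unknown` like the rest of the repository.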
@@ -5,6 +5,7 @@ description: Detects Obfuscated use of Clip.exe to execute PowerShell
status: experimental
author: Jonathan Cheong, oscd.community
date: 2020/10/13
modified: 2020/05/27
references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
tags:
@@ -16,27 +17,27 @@ falsepositives:
- Unknown
level: high
detection:
selection_1:
selection:
- ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
condition: selection and selection_1
condition: selection and selection_eventid
---
logsource:
product: windows
service: system
detection:
selection:
selection_eventid:
EventID: 7045
---
logsource:
product: windows
service: sysmon
category: driver_load
detection:
selection:
selection_eventid:
EventID: 6
---
logsource:
product: windows
service: security
detection:
selection:
EventID: 4697
logsource:
product: windows
service: security
detection:
selection_eventid:
EventID: 4697
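Review bot: The added `modified: 2020/05/27` is earlier than `date: 2020/10/13`, so the rule now records a modification before its creation; the sibling obfuscation rules changed in this commit use `modified: 2021/05/27`, which is the intended value. A second concern applies to this rule and to the same restructuring in the sections ending at lines 872, 919, 966, 1013, 1060, 1107, 1154, 1201 and 1240: the shared `selection` matches on `ImagePath`, but that field belongs to System 7045 events, while Sysmon driver loads (`category: driver_load`) and Security 4697 expose the path under different names, so `selection and selection_eventid` is unlikely to ever be true in those two documents. If that has been verified against each backend's field mapping, note it in a comment above `selection:`; otherwise the rule is effectively 7045-only and the extra logsources add nothing.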
@@ -31,7 +31,7 @@ detection:
---
logsource:
product: windows
service: sysmon
category: driver_load
detection:
selection:
EventID: 6
@@ -5,6 +5,7 @@ description: Detects Obfuscated use of stdin to execute PowerShell
status: experimental
author: Jonathan Cheong, oscd.community
date: 2020/10/15
modified: 2021/05/27
references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
tags:
@@ -16,27 +17,27 @@ falsepositives:
- Unknown
level: high
detection:
selection_1:
selection:
- ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
condition: selection and selection_1
condition: selection and selection_eventid
---
logsource:
product: windows
service: system
detection:
selection:
selection_eventid:
EventID: 7045
---
logsource:
product: windows
service: sysmon
category: driver_load
detection:
selection:
selection_eventid:
EventID: 6
---
logsource:
product: windows
service: security
detection:
selection:
EventID: 4697
logsource:
product: windows
service: security
detection:
selection_eventid:
EventID: 4697
@@ -5,6 +5,7 @@ description: Detects Obfuscated use of Environment Variables to execute PowerShe
status: experimental
author: Jonathan Cheong, oscd.community
date: 2020/10/15
modified: 2021/05/27
references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
tags:
@@ -16,27 +17,27 @@ falsepositives:
- Unknown
level: high
detection:
selection_1:
selection:
- ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
condition: selection and selection_1
condition: selection and selection_eventid
---
logsource:
product: windows
service: system
detection:
selection:
selection_eventid:
EventID: 7045
---
logsource:
product: windows
service: sysmon
category: driver_load
detection:
selection:
selection_eventid:
EventID: 6
---
logsource:
product: windows
service: security
detection:
selection:
EventID: 4697
logsource:
product: windows
service: security
detection:
selection_eventid:
EventID: 4697
@@ -5,6 +5,7 @@ description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
status: experimental
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
modified: 2021/05/27
references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
tags:
@@ -16,27 +17,27 @@ falsepositives:
- unknown
level: medium
detection:
selection_1:
selection:
- ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
condition: selection and selection_1
condition: selection and selection_eventid
---
logsource:
product: windows
service: system
detection:
selection:
selection_eventid:
EventID: 7045
---
logsource:
product: windows
service: sysmon
category: driver_load
detection:
selection:
selection_eventid:
EventID: 6
---
logsource:
product: windows
service: security
detection:
selection:
EventID: 4697
logsource:
product: windows
service: security
detection:
selection_eventid:
EventID: 4697
@@ -5,6 +5,7 @@ description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
status: experimental
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
modified: 2021/05/27
references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
tags:
@@ -16,27 +17,27 @@ falsepositives:
- Unknown
level: medium
detection:
selection_1:
selection:
- ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
condition: selection and selection_1
condition: selection and selection_eventid
---
logsource:
product: windows
service: system
detection:
selection:
selection_eventid:
EventID: 7045
---
logsource:
product: windows
service: sysmon
category: driver_load
detection:
selection:
selection_eventid:
EventID: 6
---
logsource:
product: windows
service: security
detection:
selection:
EventID: 4697
logsource:
product: windows
service: security
detection:
selection_eventid:
EventID: 4697
@@ -5,6 +5,7 @@ description: Detects Obfuscated Powershell via Stdin in Scripts
status: experimental
author: Nikita Nazarov, oscd.community
date: 2020/10/12
modified: 2021/05/27
references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
tags:
@@ -16,27 +17,27 @@ falsepositives:
- Unknown
level: high
detection:
selection_1:
selection:
- ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
condition: selection and selection_1
condition: selection and selection_eventid
---
logsource:
product: windows
service: system
detection:
selection:
selection_eventid:
EventID: 7045
---
logsource:
product: windows
service: sysmon
category: driver_load
detection:
selection:
selection_eventid:
EventID: 6
---
logsource:
product: windows
service: security
detection:
selection:
EventID: 4697
logsource:
product: windows
service: security
detection:
selection_eventid:
EventID: 4697
@@ -5,6 +5,7 @@ description: Detects Obfuscated Powershell via use Clip.exe in Scripts
status: experimental
author: Nikita Nazarov, oscd.community
date: 2020/10/09
modified: 2021/05/27
references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
tags:
@@ -16,27 +17,27 @@ falsepositives:
- Unknown
level: high
detection:
selection_1:
selection:
- ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
condition: selection and selection_1
condition: selection and selection_eventid
---
logsource:
product: windows
service: system
detection:
selection:
selection_eventid:
EventID: 7045
---
logsource:
product: windows
service: sysmon
category: driver_load
detection:
selection:
selection_eventid:
EventID: 6
---
logsource:
product: windows
service: security
detection:
selection:
EventID: 4697
logsource:
product: windows
service: security
detection:
selection_eventid:
EventID: 4697
@@ -5,6 +5,7 @@ description: Detects Obfuscated Powershell via use MSHTA in Scripts
status: experimental
author: Nikita Nazarov, oscd.community
date: 2020/10/09
modified: 2021/05/27
references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
tags:
@@ -16,27 +17,27 @@ falsepositives:
- Unknown
level: high
detection:
selection_1:
selection:
- ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
condition: selection and selection_1
condition: selection and selection_eventid
---
logsource:
product: windows
service: system
detection:
selection:
selection_eventid:
EventID: 7045
---
logsource:
product: windows
service: sysmon
category: driver_load
detection:
selection:
selection_eventid:
EventID: 6
---
logsource:
product: windows
service: security
detection:
selection:
EventID: 4697
logsource:
product: windows
service: security
detection:
selection_eventid:
EventID: 4697
@@ -5,6 +5,7 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts
status: experimental
author: Nikita Nazarov, oscd.community
date: 2020/10/09
modified: 2021/05/27
references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task30)
tags:
@@ -16,27 +17,27 @@ falsepositives:
- Unknown
level: high
detection:
selection_1:
selection:
- ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
condition: selection and selection_1
condition: selection and selection_eventid
---
logsource:
product: windows
service: system
detection:
selection:
selection_eventid:
EventID: 7045
---
logsource:
product: windows
service: sysmon
category: driver_load
detection:
selection:
selection_eventid:
EventID: 6
---
logsource:
product: windows
service: security
detection:
selection:
EventID: 4697
logsource:
product: windows
service: security
detection:
selection_eventid:
EventID: 4697
@@ -16,27 +16,27 @@ falsepositives:
- Unknown
level: high
detection:
selection_1:
selection:
- ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
condition: selection and selection_1
condition: selection and selection_eventid
---
logsource:
product: windows
service: system
detection:
selection:
selection_eventid:
EventID: 7045
---
logsource:
product: windows
service: sysmon
category: driver_load
detection:
selection:
selection_eventid:
EventID: 6
---
logsource:
product: windows
service: security
detection:
selection:
EventID: 4697
logsource:
product: windows
service: security
detection:
selection_eventid:
EventID: 4697
@@ -6,7 +6,7 @@ date: 2019/06/20
modified: 2021/03/17
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/lsass_access_non_system_account.md
- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html
tags:
- attack.credential_access
- attack.t1003 # an old one
+3 -6
@@ -21,7 +21,7 @@ tags:
- attack.t1569.002
- attack.s0005
detection:
selection_1:
selection:
- ServiceName|contains:
- 'fgexec'
- 'wceservice'
@@ -39,7 +39,7 @@ detection:
- 'gsecdump'
- 'servpw'
- 'pwdump'
condition: selection and selection_1
condition: selection
falsepositives:
- Legitimate Administrator using credential dumping tool for password recovery
level: high
@@ -53,10 +53,7 @@ detection:
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 6
category: driver_load
---
logsource:
product: windows
@@ -1,9 +1,9 @@
title: Malicious Service Installations
id: 5a105d34-05fc-401e-8553-272b45c1522d
id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a
description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping and other suspicious activity
author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)
date: 2017/03/27
modified: 2019/11/01
modified: 2021/05/27
tags:
- attack.persistence
- attack.privilege_escalation
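Review bot: Changing the rule `id` from `5a105d34-05fc-401e-8553-272b45c1522d` to `2cfe636e-317a-4bee-9f2c-1066d9f54d1a` silently breaks every downstream reference keyed on the old UUID (allow-lists, SIEM mappings, tuning), and nothing in the hunk records the relationship. If a new id is really required, link the old one with `related:` / `- id: 5a105d34-05fc-401e-8553-272b45c1522d` / `type: renamed` so consumers can follow the rename; if the change resolves an id collision, saying so in the commit would help.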
@@ -2,9 +2,9 @@ action: global
title: Meterpreter or Cobalt Strike Getsystem Service Installation
id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
author: Teymur Kheirkhabarov, Ecco
author: Teymur Kheirkhabarov, Ecco, Florian Roth
date: 2019/10/26
modified: 2020/08/23
modified: 2021/05/20
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
@@ -14,7 +14,7 @@ tags:
- attack.t1134.001
- attack.t1134.002
detection:
selection_1:
selection:
# meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
- ServiceFileName|contains|all:
- 'cmd'
@@ -27,12 +27,18 @@ detection:
- '/c'
- 'echo'
- '\pipe\'
# cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
- ServiceFileName|contains|all:
- 'cmd.exe'
- '/c'
- 'echo'
- '\pipe\'
# meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
- ServiceFileName|contains|all:
- 'rundll32'
- '.dll,a'
- '/p:'
condition: selection and selection_1
condition: selection
fields:
- ComputerName
- SubjectDomainName
@@ -51,10 +57,7 @@ detection:
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 6
category: driver_load
---
logsource:
product: windows
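Review bot: The new technique 1b selection (`'cmd.exe'`, `'/c'`, `'echo'`, `'\pipe\'`) looks subsumed by technique 1, whose `ServiceFileName|contains|all` list starts with the plain `'cmd'`: every string containing `cmd.exe` also contains `cmd`, so 1b cannot match anything technique 1 does not. Technique 1's remaining items sit outside the hunk; if they are also `/c`, `echo` and `\pipe\`, 1b adds no coverage and can be removed, otherwise a comment on why both are needed would help. The comment on 1b speaks of an expanded `%COMSPEC%`, so a literal `%COMSPEC%` entry may have been the intent unless the hidden lines already cover it.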
@@ -0,0 +1,34 @@
action: global
title: Moriya Rootkit
id: 25b9c01c-350d-4b95-bed1-836d04a4f324
description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report
status: experimental
author: Bhabesh Raj
date: 2021/05/06
modified: 2021/05/12
level: critical
falsepositives:
- None
references:
- https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1543.003
---
logsource:
product: windows
service: system
detection:
selection:
EventID: 7045
ServiceName: ZzNetSvc
condition: selection
---
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename: 'C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys'
condition: selection
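Review bot: `TargetFilename: 'C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys'` is an exact full-path match, so the file_event document misses hosts whose system drive is not `C:` and any difference in path casing the backend treats as significant; `TargetFilename|endswith: '\drivers\MoriyaStreamWatchmen.sys'` keeps the same specificity without those gaps. `ServiceName: ZzNetSvc` in the 7045 document is likewise exact, which is acceptable for a report-derived name, but a short comment citing that both indicators come from the single referenced report would make the `level: critical` easier to review.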
@@ -20,10 +20,9 @@ level: critical
---
logsource:
product: windows
service: sysmon
category: registry_event
detection:
selection1:
EventID: 13
TargetObject|contains|all:
- 'SYSTEM\'
- 'ControlSet'
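Review bot: Dropping `EventID: 13` while switching to `category: registry_event` widens this document from value writes to every registry event the generic category covers (key create/delete and rename as well), which changes what `selection1` matches on `TargetObject|contains|all`. If only value-set events were intended, keep `EventID: 13` under `selection1` alongside the category, as other hunks in this merge keep their EventID next to the category; the same widening occurs in the hunk ending at L2182. The document's condition lies outside the hunk.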
@@ -5,6 +5,7 @@ description: Detects powershell script installed as a Service
status: experimental
author: oscd.community, Natalia Shornikova
date: 2020/10/06
modified: 2021/05/21
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
tags:
@@ -16,7 +17,8 @@ detection:
- 'powershell'
- 'pwsh'
condition: service_creation and powershell_as_service
falsepositives: Unknown
falsepositives:
- Unknown
level: high
---
logsource:
@@ -6,7 +6,7 @@ date: 2019/08/10
modified: 2020/08/23
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md
- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html
tags:
- attack.lateral_movement
- attack.t1021 # an old one
@@ -22,4 +22,4 @@ detection:
condition: selection
falsepositives:
- Unknown
level: critical
level: critical
@@ -1,11 +1,12 @@
title: Remote PowerShell Sessions
title: Remote PowerShell Sessions Network Connections (WinRM)
id: 13acf386-b8c6-4fe0-9a6e-c4756b974698
description: Detects basic PowerShell Remoting by monitoring for network inbound connections to ports 5985 OR 5986
description: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986
status: experimental
date: 2019/09/12
modified: 2021/05/21
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
tags:
- attack.execution
- attack.t1086 # an old one
@@ -6,7 +6,7 @@ date: 2019/08/12
modified: 2020/08/23
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1012_query_registry/sam_registry_hive_access.md
- https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190725024610.html
tags:
- attack.discovery
- attack.t1012
@@ -5,7 +5,7 @@ status: experimental
date: 2019/08/12
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1000_local_admin_check/local_admin_remote_check_openscmanager.md
- https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html
tags:
- attack.discovery
logsource:
@@ -17,8 +17,9 @@ detection:
ObjectType: 'SC_MANAGER OBJECT'
ObjectName: 'servicesactive'
Keywords: "Audit Failure"
filter:
SubjectLogonId: "0x3e4"
condition: selection
condition: selection and not filter
falsepositives:
- Unknown
level: critical
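Review bot: The new `filter` excludes `SubjectLogonId: "0x3e4"` without saying what that value is; a trailing comment such as `SubjectLogonId: "0x3e4" # NETWORK SERVICE logon session` saves the next reader a lookup and makes the exclusion's intent reviewable. The same unexplained literal is added in the hunk ending at L1491. Whether the backend compares this hex string case-sensitively against the event's rendering is worth checking once, since the event source may emit upper-case hex digits.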
@@ -5,7 +5,7 @@ status: experimental
date: 2019/08/15
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1000_local_admin_check/local_admin_remote_check_openscmanager.md
- https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html
logsource:
product: windows
service: security
@@ -15,8 +15,9 @@ detection:
ObjectType: 'SC_MANAGER OBJECT'
ObjectName: 'servicesactive'
PrivilegeList: 'SeTakeOwnershipPrivilege'
filter:
SubjectLogonId: "0x3e4"
condition: selection
condition: selection and not filter
falsepositives:
- Unknown
level: critical
@@ -0,0 +1,24 @@
title: ProcessHacker Privilege Elevation
id: c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9
description: Detects a ProcessHacker tool that elevated privileges to a very high level
references:
- https://twitter.com/1kwpeter/status/1397816101455765504
author: Florian Roth
date: 2021/05/27
tags:
- attack.execution
- attack.privilege_escalation
- attack.t1543.003
- attack.t1569.002
logsource:
product: windows
service: system
detection:
selection:
EventID: 7045
ServiceName|startswith: 'ProcessHacker'
AccountName: 'LocalSystem'
condition: selection
falsepositives:
- Unlikely
level: high
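Review bot: This new rule has no `status:` field, while the other rules added in this merge (Moriya, MEGA DNS, Rclone, CobaltStrike pipe) carry `status: experimental`; add `status: experimental` after `id:` so consumers that filter on rule maturity treat it consistently. The Dell driver rule ending at L1722 has the same omission.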
@@ -6,6 +6,7 @@ author: '@neu5ron'
references:
- Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)
- Live environment caused by malware
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616
date: 2019/02/05
modified: 2020/01/27
tags:
@@ -12,9 +12,9 @@ falsepositives:
- Legitimate OpenVPN TAP insntallation
level: medium
detection:
selection_1:
selection:
ImagePath|contains: 'tap0901'
condition: selection and selection_1
condition: selection
---
logsource:
product: windows
@@ -25,10 +25,7 @@ detection:
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 6
category: driver_load
---
logsource:
product: windows
@@ -10,7 +10,7 @@ date: 2019/02/01
modified: 2020/08/28
logsource:
product: windows
service: sysmon
category: create_remote_thread
detection:
selection:
EventID: 8
@@ -14,10 +14,9 @@ date: 2018/11/30
modified: 2020/08/28
logsource:
product: windows
service: sysmon
category: create_remote_thread
detection:
selection:
EventID: 8
TargetProcessAddress|endswith:
- '0B80'
- '0C7C'
@@ -6,17 +6,16 @@ date: 2019/08/11
modified: 2020/08/28
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md
- https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html
tags:
- attack.defense_evasion
- attack.t1055 # an old one
- attack.t1055.001
logsource:
product: windows
service: sysmon
category: create_remote_thread
detection:
selection:
EventID: 8
StartModule|endswith: '\kernel32.dll'
StartFunction: 'LoadLibraryA'
condition: selection
@@ -9,10 +9,9 @@ date: 2017/02/19
modified: 2021/04/01
logsource:
product: windows
service: sysmon
category: create_remote_thread
detection:
selection:
EventID: 8
TargetImage: 'C:\Windows\System32\lsass.exe'
StartModule: ''
condition: selection
@@ -8,7 +8,7 @@ references:
date: 2018/06/25
logsource:
product: windows
service: sysmon
category: create_remote_thread
detection:
selection:
EventID: 8
@@ -14,14 +14,13 @@ references:
- https://lolbas-project.github.io
logsource:
product: windows
service: sysmon
category: create_remote_thread
tags:
- attack.privilege_escalation
- attack.defense_evasion
- attack.t1055
detection:
selection:
EventID: 8
SourceImage|endswith:
- '\bash.exe'
- '\cvtres.exe'
@@ -14,16 +14,14 @@ date: 2018/06/03
modified: 2020/08/26
logsource:
product: windows
service: sysmon
category: create_stream_hash
definition: 'Requirements: Sysmon config with Imphash logging activated'
detection:
selection:
EventID: 15
filter1:
Imphash: '00000000000000000000000000000000'
filter2:
Imphash: null
condition: selection and not 1 of filter*
condition: not 1 of filter*
fields:
- TargetFilename
- Image
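Review bot: `condition: not 1 of filter*` no longer has a positive selection, so the rule matches every create_stream_hash event except the two Imphash filters and relies entirely on the logsource mapping for scope; negation-only conditions are also harder for some backends to translate. Keeping `selection` with `EventID: 15` is still valid under the category (other hunks in this merge, e.g. L1549-L1557, retain the EventID next to the category) and `condition: selection and not 1 of filter*` preserves the previous shape. The `fields` list continues past the hunk.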
@@ -12,10 +12,9 @@ author: Oddvar Moe, Sander Wiebing, oscd.community
date: 2020/10/07
logsource:
product: windows
service: sysmon
category: create_stream_hash
detection:
selection:
EventID: 15
Image|endswith: '\regedit.exe'
condition: selection
fields:
+22
@@ -0,0 +1,22 @@
title: DNS Query for MEGA.io Upload Domain
id: 613c03ba-0779-4a53-8a1f-47f914a4ded3
description: Detects DNS queries for subdomains used for upload to MEGA.io
status: experimental
date: 2021/05/26
author: Aaron Greetham (@beardofbinary) - NCC Group
references:
- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
tags:
- attack.exfiltration
- attack.t1567.002
falsepositives:
- Legitimate Mega upload
level: high
logsource:
product: windows
category: dns_query
detection:
dns_request:
EventID: 22
QueryName|contains: userstorage.mega.co.nz
condition: dns_request
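Review bot: `EventID: 22` under `dns_request` duplicates what `category: dns_query` already selects, and the very next hunk (L1683-L1694) removes exactly this `EventID: 22` from another dns_query rule, so the two rules now disagree on style; drop it here (and `EventID: 11` in the Rclone rule ending at L1839) or keep it deliberately in both. `QueryName|contains: userstorage.mega.co.nz` is unquoted, which YAML accepts, but quoting it as the neighbouring rules do avoids surprises if the value ever gains a colon or a leading special character.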
@@ -12,10 +12,9 @@ tags:
- attack.t1189
logsource:
product: windows
service: sysmon
category: dns_query
detection:
dns_answer:
EventID: 22
QueryName: '*'
QueryStatus: '0'
filter_int_ip:
@@ -0,0 +1,30 @@
title: Vulnerable Dell BIOS Update Driver Load
id: 21b23707-60d6-41bb-96e3-0f0481b0fed9
description: Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551
author: Florian Roth
date: 2021/05/05
references:
- https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/
logsource:
category: driver_load
product: windows
tags:
- cve.2021-21551
detection:
selection_image:
ImageLoaded|contains: '\DBUtil_2_3.Sys'
selection_hash:
Hashes|contains:
- '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5'
- 'c948ae14761095e4d76b55d9de86412258be7afd'
- 'c996d7971c49252c582171d9380360f2'
- 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1'
- '10b30bdee43b3a2ec4aa63375577ade650269d25'
- 'd2fd132ab7bbc6bbb87a84f026fa0244'
condition: selection_image or selection_hash
falsepositives:
- legitimate BIOS driver updates (should be rare)
level: high
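Review bot: The `Hashes|contains` values are lower-case hex, but Sysmon renders the `Hashes` field in upper case (`SHA256=...`), so on a backend with case-sensitive contains matching `selection_hash` will never fire; either upper-case the six values or state the case-insensitivity assumption in a comment. `selection_image` on `ImageLoaded|contains: '\DBUtil_2_3.Sys'` carries the detection either way, so only the hash branch is affected. The rule also lacks a `status:` field, unlike the other rules added in this merge.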
@@ -12,10 +12,9 @@ references:
- https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html
logsource:
product: windows
service: sysmon
category: file_delete
detection:
selection:
EventID: 23
TargetFilename|endswith:
- '.AAA'
- '.ZZZ'
@@ -4,7 +4,7 @@ status: experimental
description: Detects the creation of a executable with a system process name in a suspicious folder
author: Sander Wiebing
date: 2020/05/26
modified: 2020/08/23
modified: 2021/05/16
tags:
- attack.defense_evasion
- attack.t1036 # an old one
@@ -48,6 +48,8 @@ detection:
- 'C:\Windows\winsxs\'
- 'C:\Windows\WinSxS\'
- '\SystemRoot\System32\'
Image|endswith:
- '\Windows\System32\dism.exe'
condition: selection and not filter
fields:
- Image
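Review bot: `Image|endswith: '\Windows\System32\dism.exe'` is added as a second key inside `filter`, and keys within one Sigma map are ANDed, so the exclusion now requires both a whitelisted `TargetFilename` prefix and a dism.exe writer — writes into those paths by anything other than dism.exe that were previously filtered now alert, and dism.exe writes elsewhere are still not excluded. If the goal was to exclude dism.exe independently of the path, give it its own block, `filter_dism:` / `Image|endswith: '\Windows\System32\dism.exe'`, and use `condition: selection and not 1 of filter*`. Indentation is not visible in the rendering, so this reading should be confirmed against the file.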
@@ -3,6 +3,7 @@ id: 6e90ae7a-7cd3-473f-a035-4ebb72d961da
description: Detects processes creating temp files related to PCRE.NET package
status: experimental
date: 2020/10/29
modified: 2021/05/21
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.execution
@@ -18,4 +19,5 @@ detection:
- TargetFilename|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\
condition: selection
falsepositives:
- Unknown
level: high
@@ -12,10 +12,9 @@ references:
- https://threathunterplaybook.com/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.html
logsource:
product: windows
service: sysmon
category: file_event
detection:
selection:
EventID: 11
TargetFilename|contains: 'ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp'
condition: selection
falsepositives:
@@ -12,10 +12,9 @@ references:
- https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html
logsource:
product: windows
service: sysmon
category: file_event
detection:
selection:
EventID: 11
TargetFilename|endswith: '.pfx'
condition: selection
falsepositives:
@@ -0,0 +1,24 @@
title: Outlook C2 Macro Creation
id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
status: experimental
description: Detects the creation of a macro file for Outlook. Goes with win_outlook_c2_registry_key. VbaProject.OTM is explicitly mentioned in T1137. Particularly interesting if both events Registry & File Creation happens at the same time.
references:
- https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
author: '@ScoubiMtl'
tags:
- attack.persistence
- command_and_control
- attack.t1137
- attack.t1008
- attack.t1546
date: 2021/04/05
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
condition: selection
falsepositives:
- User genuinly creates a VB Macro for their email
level: medium
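Review bot: The tag `- command_and_control` lacks the `attack.` namespace the neighbouring tags use (`attack.persistence`, `attack.t1137`), so tag-based tooling will not recognise it as an ATT&CK tactic; it should read `- attack.command_and_control`. `falsepositives` has a typo, `genuinly` → `genuinely`, and `date: 2021/04/05` sits after the tags while the other new rules in this merge keep it with the author block — minor, but easy to align.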
@@ -0,0 +1,23 @@
title: Rclone Config File Creation
id: 34986307-b7f4-49be-92f3-e7a4d01ac5db
description: Detects Rclone config file being created
status: experimental
date: 2021/05/26
author: Aaron Greetham (@beardofbinary) - NCC Group
references:
- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
tags:
- attack.exfiltration
- attack.t1567.002
falsepositives:
- Legitimate Rclone usage (rare)
level: high
logsource:
product: windows
category: file_event
detection:
file_selection:
EventID: 11
TargetFilename:
- 'C:\Users\*\.config\rclone\*'
condition: file_selection
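Review bot: `TargetFilename: 'C:\Users\*\.config\rclone\*'` hard-codes the drive letter and profile root, so profiles on another drive or a redirected user profile are missed; `TargetFilename|contains: '\.config\rclone\'` matches the same files without that assumption. `EventID: 11` is redundant with `category: file_event` and is being removed from other file_event rules in this merge (e.g. the hunk ending at L1777).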
@@ -3,6 +3,7 @@ id: fe6e002f-f244-4278-9263-20e4b593827f
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
status: experimental
date: 2019/09/12
modified: 2021/05/12
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.execution
@@ -11,11 +12,11 @@ references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
logsource:
product: windows
service: image_load
category: image_load
detection:
selection:
Description: 'system.management.automation'
ImageLoaded|contains: 'system.management.automation'
Description: 'System.Management.Automation'
ImageLoaded|contains: 'System.Management.Automation'
filter:
Image|endswith: '\powershell.exe'
condition: selection and not filter
@@ -3,6 +3,7 @@ id: 84b0a8f3-680b-4096-a45b-e9a89221727c
description: Detects processes loading modules related to PCRE.NET package
status: experimental
date: 2020/10/29
modified: 2021/05/21
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.execution
@@ -18,4 +19,5 @@ detection:
- ImageLoaded|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\
condition: selection
falsepositives:
- Unknown
level: high
@@ -6,7 +6,7 @@ date: 2019/09/12
modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/hunters-forge/ThreatHunter-Playbook/blob/8869b7a58dba1cff63bae1d7ab923974b8c0539b/playbooks/WIN-190410151110.yaml
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
tags:
- attack.execution
- attack.t1086 # an old one
@@ -16,8 +16,8 @@ logsource:
product: windows
detection:
selection:
Description: 'system.management.automation'
ImageLoaded|contains: 'system.management.automation'
Description: 'System.Management.Automation'
ImageLoaded|contains: 'System.Management.Automation'
condition: selection
fields:
- ComputerName
@@ -3,6 +3,7 @@ id: cbb56d62-4060-40f7-9466-d8aaf3123f83
description: Detects the image load of Python Core indicative of a Python script bundled with Py2Exe.
status: experimental
date: 2020/05/03
modified: 2021/05/12
author: Patrick St. John, OTR (Open Threat Research)
tags:
- attack.defense_evasion
@@ -12,7 +13,7 @@ references:
- https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/
logsource:
product: windows
service: image_load
category: image_load
detection:
selection:
Description: 'Python Core'
@@ -12,7 +12,7 @@ references:
- https://threathunterplaybook.com/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.html
logsource:
product: windows
service: image_load
category: image_load
detection:
selection:
ImageLoaded|endswith: '\System.Drawing.ni.dll'
@@ -6,7 +6,7 @@ date: 2019/08/10
modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_wmi_module_load.md
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html
tags:
- attack.execution
- attack.t1047
+30 -4
@@ -2,27 +2,37 @@ title: Antivirus Relevant File Paths Alerts
id: c9a88268-0047-4824-ba6e-4d81ce0b907c
description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name
date: 2018/09/09
modified: 2019/10/04
author: Florian Roth
modified: 2021/05/09
author: Florian Roth, Arnim Rupp
references:
- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
- https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
logsource:
product: antivirus
detection:
selection:
- FileName|startswith:
- 'C:\Windows\Temp\'
- 'C:\Windows\'
- 'C:\Temp\'
- 'C:\PerfLogs\'
- 'C:\Users\Public\'
- 'C:\Users\Default\'
- FileName|contains:
- '\Client\'
- '\tsclient\'
- '\inetpub\'
- '/www/'
- 'apache'
- 'tomcat'
- 'nginx'
- 'weblogic'
selection2:
Filename|endswith:
- '.ps1'
- '.psm1'
- '.vbs'
- '.bat'
- '.cmd'
- '.sh'
- '.chm'
- '.xml'
- '.txt'
@@ -30,8 +40,18 @@ detection:
- '.jspx'
- '.asp'
- '.aspx'
- '.ashx'
- '.asax'
- '.asmx'
- '.php'
- '.cfm'
- '.py'
- '.pyc'
- '.pl'
- '.rb'
- '.cgi'
- '.war'
- '.ear'
- '.hta'
- '.lnk'
- '.scf'
@@ -39,6 +59,12 @@ detection:
- '.vbe'
- '.wsf'
- '.wsh'
- '.gif'
- '.png'
- '.jpg'
- '.jpeg'
- '.svg'
- '.dat'
condition: selection or selection2
fields:
- Signature
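Review bot: `selection` now keys on `FileName` (`FileName|startswith`, `FileName|contains`) while `selection2` still keys on `Filename|endswith`; field names are case-sensitive on most backends, so one half of `condition: selection or selection2` is reading a field that does not exist. Pick the spelling the antivirus field mapping actually uses and apply it to both selections. The `selection2` header is context here, so the fix touches a line outside the hunk's additions.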
+37 -10
@@ -1,14 +1,19 @@
title: Antivirus Web Shell Detection
id: fdf135a2-9241-4f96-a114-bb404948f736
description: Detects a highly relevant Antivirus alert that reports a web shell
description: Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches.
date: 2018/09/09
modified: 2001/01/07
modified: 2021/05/08
author: Florian Roth, Arnim Rupp
references:
- https://www.nextron-systems.com/2019/10/04/antivirus-event-analysis-cheat-sheet-v1-7-2/
- https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
- https://github.com/tennc/webshell
- https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection
- https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection
- https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection
- https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection
- https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection
- https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection
- https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
tags:
- attack.persistence
- attack.t1100
@@ -18,26 +23,48 @@ logsource:
detection:
selection:
- Signature|startswith:
- "PHP/Backdoor"
- "JSP/Backdoor"
- "ASP/Backdoor"
- "Backdoor.PHP"
- "Backdoor.JSP"
- "Backdoor.ASP"
- "Backdoor?Java"
- "PHP/"
- "JSP/"
- "ASP/"
- "Perl/"
- "PHP."
- "JSP."
- "ASP."
- "Perl."
- "VBS/Uxor" # looking for "VBS/" would also find downloaders and droppers meant for desktops
- "IIS/BackDoor"
- "JAVA/Backdoor"
- "Troj/ASP"
- "Troj/PHP"
- "Troj/JSP"
- Signature|contains:
- "Webshell"
- "Chopper"
- "SinoChoper"
- "ASPXSpy"
- "Aspdoor"
- "filebrowser"
- "PHP_"
- "JSP_"
- "ASP_" # looking for "VBS_" would also find downloaders and droppers meant for desktops
- "PHP:"
- "JSP:"
- "ASP:"
- "Perl:"
- "PHPShell"
- "Trojan.PHP"
- "Trojan.ASP"
- "Trojan.JSP"
- "Trojan.VBS"
- "PHP?Agent"
- "ASP?Agent"
- "JSP?Agent"
- "VBS?Agent"
- "Backdoor?PHP"
- "Backdoor?JSP"
- "Backdoor?ASP"
- "Backdoor?VBS"
- "Backdoor?Java"
condition: selection
fields:
- FileName
+1 -1
@@ -11,7 +11,7 @@ tags:
- attack.t1112
logsource:
product: windows
service: sysmon
category: registry_event
detection:
selection:
EventID:
@@ -37,9 +37,8 @@ detection:
---
logsource:
product: windows
service: sysmon
category: registry_event
detection:
mod_reg:
EventID: 13
TargetObject|endswith:
- '\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll'
@@ -0,0 +1,28 @@
title: DarkSide Ransomware Pattern
id: 965fff6c-1d7e-4e25-91fd-cdccd75f7d2c
author: Florian Roth
date: 2021/05/14
description: Detects DarkSide Ransomware and helpers
status: experimental
references:
- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
- https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/
- https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains:
- "=[char][byte]('0x'+"
- ' -work worker0 -path '
selection2:
ParentCommandLine|contains:
- 'DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
Image|contains:
- '\AppData\Local\Temp\'
condition: 1 of them
falsepositives:
- Unknown
- UAC bypass method used by other malware
level: critical
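Review bot: The rule has no `tags:` block, so it is invisible to ATT&CK-based coverage views; `selection1` is a PowerShell command-line pattern and `selection2` keys on a `DllHost.exe /Processid:` parent with an `Image` under `\AppData\Local\Temp\`, which suggests at least `attack.execution` and `attack.t1059.001`, plus a privilege-escalation tag if the CLSID branch is the UAC-bypass path the `falsepositives` entry alludes to. `UAC bypass method used by other malware` is also not a false positive — a hit from another family is still a true positive — so it fits better in `description` than under `falsepositives`.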
+1 -1
@@ -11,7 +11,7 @@ tags:
date: 2020/06/09
logsource:
product: windows
service: sysmon
category: registry_event
detection:
selection:
EventID:
@@ -11,15 +11,13 @@ author: NVISO
date: 2020/06/09
logsource:
product: windows
service: sysmon
category: file_event
detection:
filecreate:
EventID: 11
selection:
TargetFilename|endswith:
- '\AppData\Local\Microsoft\Cache134.dat'
- '\AppData\Local\Microsoft\ExplorerSync.db'
condition: filecreate and selection
condition: selection
falsepositives:
- Unknown
level: high
level: high
+1 -2
@@ -12,10 +12,9 @@ author: megan201296
date: 2019/02/13
logsource:
product: windows
service: sysmon
category: registry_event
detection:
selection:
EventID: 13
TargetObject|contains: '\Software\AppDataLow\Software\Microsoft\'
condition: selection
falsepositives:
@@ -4,7 +4,7 @@ description: Detects a possible remote connections to Silenttrinity c2
references:
- https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
tags:
- attack.execution # example MITRE ATT&CK category
- attack.execution
- attack.t1127.001
status: experimental
author: Kiran kumar s, oscd.community
@@ -6,7 +6,7 @@ references:
- https://twitter.com/SBousseaden/status/1096148422984384514
author: Samir Bousseaden
date: 2019/02/16
modified: 2020/08/24
modified: 2021/05/11
tags:
- attack.command_and_control
- attack.t1572
@@ -25,7 +25,7 @@ detection:
selection2:
- DestinationIp|startswith:
- '127.'
- DestinationIP:
- DestinationIp:
- '::1'
condition: selection and selection2
falsepositives:
@@ -6,7 +6,7 @@ date: 2019/09/12
modified: 2020/08/24
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
tags:
- attack.execution
- attack.t1059.001
@@ -6,12 +6,13 @@ author: Cian Heasley
references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus
date: 2020/08/13
modified: 2021/05/30
tags:
- attack.defense_evasion
- attack.t1070.001
logsource:
category: windows
product: windef
product: windows
service: windefend
detection:
selection:
EventID: 1013
@@ -0,0 +1,28 @@
title: Lateral Movement Indicator ConDrv
id: 29d31aee-30f4-4006-85a9-a4a02d65306c
status: stable
description: This event was observed on the target host during lateral movement. The process name within the event contains the process spawned post compromise. Account Name within the event contains the compromised user account name. This event should to be correlated with 4624 and 4688 for further intrusion context.
author: Janantha Marasinghe
date: 2021/04/27
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/wmiexec-vbs.htm
- https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html
tags:
- attack.lateral_movement
- attack.execution
- attack.t1021
- attack.t1059
logsource:
product: windows
service: security
definition:
detection:
selection:
EventID: 4674
ObjectServer: 'Security'
ObjectType: 'File'
ObjectName: '\Device\ConDrv'
condition: selection
falsepositives:
- Penetration tests where lateral movement has occured. This event will be created on the target host.
level: high
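Review bot: `definition:` under `logsource` is left empty, which parses as a null value and is either rejected or silently ignored depending on the consumer; fill it with the audit-policy prerequisite for event 4674 or drop the key. `status: stable` on a brand-new rule also departs from the convention the other new rules in this merge follow (`status: experimental`). Minor text: `should to be correlated` in the description and `occured` in `falsepositives`.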
@@ -4,13 +4,14 @@ status: stable
description: This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with "kali" hostname.
references:
- https://www.secura.com/blog/zero-logon
- https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382
author: 'Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community'
date: 2020/10/13
modified: 2021/05/30
tags:
- attack.t1210
- attack.lateral_movement
logsource:
category: other
service: system
product: windows
detection:
+17 -1
@@ -5,7 +5,7 @@ status: experimental
description: Detects PsExec service installation and execution events (service and Sysmon)
author: Thomas Patzke
date: 2017/06/12
modified: 2020/08/23
modified: 2021/05/16
references:
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://jpcertcc.github.io/ToolAnalysisResultSheet
@@ -22,6 +22,8 @@ fields:
- ParentCommandLine
- ServiceName
- ServiceFileName
- TargetFileName
- PipeName
falsepositives:
- unknown
level: low
@@ -45,3 +47,17 @@ detection:
sysmon_processcreation:
Image|endswith: '\PSEXESVC.exe'
User: 'NT AUTHORITY\SYSTEM'
---
logsource:
category: pipe_created
product: windows
detection:
sysmon_pipecreated:
PipeName: '\PSEXESVC'
---
logsource:
category: file_event
product: windows
detection:
sysmon_filecreation:
TargetFileName|endswith: '\PSEXESVC.exe'
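Review bot: The new file_event document uses `TargetFileName|endswith`, but the Sysmon field — and every other file_event rule in this merge (e.g. L1762, L1811, L1837) — is spelled `TargetFilename`; field names are case-sensitive on most backends, so `sysmon_filecreation` will not match, and the same spelling was added to the `fields` list at L2296. The global `condition` that must reference `sysmon_pipecreated` and `sysmon_filecreation` lies outside the hunk, so it is worth confirming it actually includes the two new selections.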
@@ -6,17 +6,16 @@ date: 2019/09/12
modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
tags:
- attack.execution
- attack.t1086 # an old one
- attack.t1059.001
logsource:
product: windows
service: sysmon
category: pipe_created
detection:
selection:
EventID: 17
PipeName|startswith: '\PSHost'
filter:
Image|endswith:
@@ -10,13 +10,10 @@ tags:
author: Markus Neis
logsource:
product: windows
service: sysmon
category: pipe_created
definition: 'Note that you have to configure logging for PipeEvents in Symson config'
detection:
selection:
EventID:
- 17
- 18
PipeName:
- '\atctl' # https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
- '\userpipe' # ruag apt case
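Review bot: `definition: 'Note that you have to configure logging for PipeEvents in Symson config'` still carries the `Symson` typo, while the same definition string is corrected to `Sysmon` in the APT named-pipe rule at L2414 in this merge; since this line is retained as context, the fix needs a touch outside the hunk's additions. The string could also name Event ID 17 and 18 as the CobaltStrike pipe rule's definition does, since the explicit `EventID` list is removed here.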
@@ -15,10 +15,9 @@ tags:
- attack.t1003.005
logsource:
product: windows
service: sysmon
category: pipe_created
detection:
selection:
EventID: 17
PipeName|contains:
- '\lsadump'
- '\cachedump'
@@ -0,0 +1,36 @@
title: CobaltStrike Named Pipe
id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2
status: experimental
description: Detects the creation of a named pipe as used by CobaltStrike
references:
- https://twitter.com/d4rksystem/status/1357010969264873472
- https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/
- https://github.com/Neo23x0/sigma/issues/253
- https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/
date: 2021/05/25
author: Florian Roth, Wojciech Lesicki
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1055
logsource:
product: windows
category: pipe_created
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.'
detection:
selection_MSSE:
PipeName|contains|all:
- '\MSSE-'
- '-server'
selection_postex:
PipeName|startswith: '\postex_'
selection_postex_ssh:
PipeName|startswith: '\postex_ssh_'
selection_status:
PipeName|startswith: '\status_'
selection_msagent:
PipeName|startswith: '\msagent_'
condition: 1 of them
falsepositives:
- Unknown
level: critical
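Review bot: `selection_postex_ssh` (`PipeName|startswith: '\postex_ssh_'`) is fully subsumed by `selection_postex` (`'\postex_'`) under `condition: 1 of them`, so it never changes the outcome and can be dropped, or kept only with a comment saying why it is listed separately. `selection_status` matches any pipe starting with `\status_` at `level: critical`, whereas the sibling APT named-pipe rule in this same merge has `# - '\status_*'` commented out (L2429), which suggests a known false-positive history for that prefix; either align the two or record the reasoning in `falsepositives`.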
@@ -5,16 +5,13 @@ description: Detects the creation of a named pipe used by known APT malware
references:
- Various sources
date: 2017/11/06
author: Florian Roth
author: Florian Roth, blueteam0ps
logsource:
product: windows
service: sysmon
definition: 'Note that you have to configure logging for PipeEvents in Symson config'
category: pipe_created
definition: 'Note that you have to configure logging for PipeEvents in Sysmon config'
detection:
selection:
EventID:
- 17
- 18
PipeName:
- '\isapi_http' # Uroburos Malware Named Pipe
- '\isapi_dg' # Uroburos Malware Named Pipe
@@ -29,9 +26,14 @@ detection:
- '\rpchlp_3' # Project Sauron https://goo.gl/eFoP4A - Technical Analysis Input
- '\NamePipe_MoreWindows' # Cloud Hopper Annex B https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, US-CERT Alert - RedLeaves https://www.us-cert.gov/ncas/alerts/TA17-117A
- '\pcheap_reuse' # Pipe used by Equation Group malware 77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0
- '\msagent_*' # CS default named pipes https://github.com/Neo23x0/sigma/issues/253
- '\gruntsvc' # Covenant default named pipe
# - '\status_*' # CS default named pipes https://github.com/Neo23x0/sigma/issues/253
- '\583da945-62af-10e8-4902-a8f205c72b2e' # SolarWinds SUNBURST malware report https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
- '\bizkaz' # Snatch Ransomware https://thedfirreport.com/2020/06/21/snatch-ransomware/
- '\svcctl' #Crackmapexec smbexec default named pipe
- '\Posh*' #PoshC2 default
- '\jaccdpqnvbrrxlaf' #PoshC2 default
- '\csexecsvc' #CSEXEC default
condition: selection
tags:
- attack.defense_evasion
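Review bot: The `'\svcctl'` entry names the Service Control Manager's RPC endpoint pipe rather than a pipe smbexec creates itself, so as far as I can tell a pipe-created/connected match on it will come from ordinary remote service management (sc.exe, GPO, other admin tooling) as much as from smbexec, which sits oddly in a list of otherwise malware-specific names; it deserves a check against real Event 17/18 data and, if kept, a `falsepositives` entry or its own selection with an `Image` filter. Separately, `'\status_*'` appears to be commented out in favour of the new CobaltStrike Named Pipe rule, but `'\msagent_*'` with the same source comment stays, so both rules fire for msagent pipes; either comment it out the same way or mark the overlap, e.g. `- '\msagent_*' # CS default named pipe, also covered by the CobaltStrike Named Pipe rule`. Minor style: the new comments `#Crackmapexec`, `#PoshC2`, `#CSEXEC` drop the space after `#` used by the rest of the list.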
@@ -11,10 +11,9 @@ references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
logsource:
product: windows
service: sysmon
category: pipe_created
detection:
selection:
EventID: 17
PipeName|startswith: '\PSHost'
condition: selection
falsepositives:
@@ -11,13 +11,10 @@ tags:
- attack.t1021.002
logsource:
product: windows
service: sysmon
category: pipe_created
definition: 'Note that you have to configure logging for PipeEvents in Symson config'
detection:
selection:
EventID:
- 17
- 18
PipeName|startswith:
- 'psexec'
- 'paexec'
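Review bot: `PipeName|startswith: 'psexec'` / `'paexec'` has no leading backslash, whereas every other pipe rule in this diff anchors its `startswith` values with `\` (`'\PSHost'`, `'\postex_'`); if the Sysmon `PipeName` field carries that leading backslash as those rules assume, these values can never match under `startswith` and the rule is silently dead after this change. Either prefix them (`- '\psexec'`, `- '\paexec'`) or switch the modifier to `contains`, and add a comment naming the expected pipe name shape. The value list may continue past the end of the hunk, so any further entries need the same check.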
@@ -4,6 +4,7 @@ description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
status: experimental
author: oscd.community, Natalia Shornikova
date: 2020/10/14
modified: 2021/05/21
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
- https://twitter.com/bohops/status/948061991012327424
@@ -20,5 +21,6 @@ detection:
- 'CL_Invocation.ps1'
- 'SyncInvoke'
condition: selection
falsepositives: Unknown
falsepositives:
- Unknown
level: high
