diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_via_rundll_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_via_rundll_services.yml
index ac4a5241d..1120cebf7 100644
--- a/rules/windows/builtin/system/win_invoke_obfuscation_via_rundll_services.yml
+++ b/rules/windows/builtin/system/win_invoke_obfuscation_via_rundll_services.yml
@@ -4,14 +4,9 @@ description: Detects Obfuscated Powershell via RUNDLL LAUNCHER status: experimental author: Timur Zinniatullin, oscd.community date: 2020/10/18 -modified: 2021/11/30 +modified: 2022/03/07 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23) -tags: - - attack.defense_evasion - - attack.t1027 - - attack.execution - - attack.t1059.001 logsource: product: windows service: system
@@ -19,8 +14,17 @@ detection: selection: Provider_Name: 'Service Control Manager' EventID: 7045 - ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' + ImagePath|contains|all: + - 'rundll32.exe' + - 'shell32.dll' + - 'shellexec_rundll' + - 'powershell' condition: selection falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001
diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_via_use_rundll32_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_via_use_rundll32_services.yml
index 6dd90eb21..22ba3b190 100644
--- a/rules/windows/builtin/system/win_invoke_obfuscation_via_use_rundll32_services.yml
+++ b/rules/windows/builtin/system/win_invoke_obfuscation_via_use_rundll32_services.yml
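Review bot: The first term of the new `ImagePath|contains|all` list, `'rundll32.exe'`, narrows the rule relative to the regex it replaces, which made the extension optional (`rundll32(?:\.exe)?`): a service whose ImagePath starts with a bare `rundll32 shell32.dll,ShellExec_RunDLL powershell ...` matched before and no longer does. The sibling `use_rundll32` rule converted in this same commit keeps the token as `'rundll32'`, so this looks like an oversight rather than intent. Change the entry to `- 'rundll32'`; it still matches the `.exe` spelling. Dropping the regex's ordering and its trailing `"` only widens the match, so nothing else is lost in the conversion.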
@@ -4,14 +4,9 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/09 -modified: 2021/11/30 +modified: 2022/03/07 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task30) -tags: - - attack.defense_evasion - - attack.t1027 - - attack.execution - - attack.t1059.001 logsource: product: windows service: system
@@ -19,8 +14,22 @@ detection: selection: Provider_Name: 'Service Control Manager' EventID: 7045 - ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' + ImagePath|contains|all: + - '&&' + - 'rundll32' + - 'shell32.dll' + - 'shellexec_rundll' + ImagePath|contains: + - 'value' + - 'invoke' + - 'comspec' + - 'iex' condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml
index 43ca7ebd5..5bfdf1b38 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml
@@ -21,8 +21,14 @@ logsource: definition: PowerShell Module Logging must be enabled detection: selection_4103: - Payload|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend' + Payload|contains|all: + - 'new-object' + - 'text.encoding]::ascii' + Payload|contains: + - 'system.io.compression.deflatestream' + - 'system.io.streamreader' + Payload|endswith: 'readtoend' condition: selection_4103 falsepositives: - unknown -level: medium \ No newline at end of file +level: medium
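Review bot: The second list in the converted selection, `ImagePath|contains: value / invoke / comspec / iex`, adds almost no constraint: `value` and `invoke` occur in practically any PowerShell-bearing ImagePath (`Invoke-`, `-Value`), and `iex` is a substring of ordinary words, so the rule is effectively carried by the four `contains|all` terms alone. That is still specific enough for `level: high`, but a maintainer reading the rule will assume the second list is doing work it is not. Either say so in `description`/`falsepositives`, or tighten the entries to the forms the launcher actually emits (e.g. `'invoke-expression'`, `'%comspec%'`) after checking the reference output, which I cannot verify from this hunk.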
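Review bot: `Payload|endswith: 'readtoend'` in the compress rule is stricter than the `.*readtoend` it replaces, which had no end anchor, and it will miss the payload it targets: `ReadToEnd` is a method call, so the text continues with `()` and typically a closing `)`, `| IEX` or further pipeline, and a 4103 Payload also carries the CommandInvocation/ParameterBinding wrapping around the script text. Move the token into the `contains|all` list as `- 'readtoend'` and drop the `endswith` line. Pre-existing and unchanged here: both alternatives require the `system.io.` prefix, while `New-Object IO.Compression.DeflateStream` without it is equally valid PowerShell, so `'io.compression.deflatestream'` / `'io.streamreader'` may be the safer substrings — worth checking against the reference payload.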
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml
index eb78f9ac3..e92b64016 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml
@@ -7,22 +7,28 @@ description: Detects Obfuscated Powershell via use MSHTA in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/08 -modified: 2021/10/16 +modified: 2022/03/07 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task31) -tags: - - attack.defense_evasion - - attack.t1027 - - attack.execution - - attack.t1059.001 logsource: product: windows category: ps_module definition: PowerShell Module Logging must be enabledd detection: selection_4103: - Payload|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' + Payload|contains|all: + - 'set' + - '&&' + - 'mshta' + - 'vbscript:createobject' + - '.run' + - '(window.close)' condition: selection_4103 falsepositives: - Unknown level: high +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml
index 87a4ae6dc..2a4bc5673 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml
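Review bot: With the regex's ordering gone, the `'set'` and `'.run'` entries of the new `Payload|contains|all` block are close to free matches (`set` sits inside `Set-`, `offset`, `settings`; `.run` inside `.Run(` but also `.runtime`), so the selection effectively reduces to `&&` + `mshta` + `vbscript:createobject` + `(window.close)`. That is still specific enough for `high`, but the rule should not imply six independent indicators; `'.run('` (if the launcher uses the parenthesised call form) and `'set '` with the trailing space of a cmd `set NAME=` would restore some of the lost precision — confirm against the reference output first. Separately, the logsource `definition` in this hunk's context still reads `must be enabledd`; fix the typo while the file is being touched: `definition: PowerShell Module Logging must be enabled`.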
@@ -4,22 +4,28 @@ description: Detects Obfuscated Powershell via use MSHTA in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/08 -modified: 2021/10/16 +modified: 2022/03/07 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task31) -tags: - - attack.defense_evasion - - attack.t1027 - - attack.execution - - attack.t1059.001 logsource: product: windows category: ps_script definition: Script block logging must be enabled detection: selection_4104: - ScriptBlockText|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' + ScriptBlockText|contains|all: + - 'set' + - '&&' + - 'mshta' + - 'vbscript:createobject' + - '.run' + - '(window.close)' condition: selection_4104 falsepositives: - Unknown level: high +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_compress.yml b/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_compress.yml
index 756bb5720..ccd852955 100644
--- a/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_compress.yml
+++ b/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_compress.yml
@@ -6,13 +6,19 @@ author: Timur Zinniatullin, oscd.community references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19) date: 2020/10/18 -modified: 2021/11/27 +modified: 2022/03/07 logsource: category: process_creation product: windows detection: selection: - CommandLine|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend' + CommandLine|contains|all: + - 'new-object' + - 'text.encoding]::ascii' + CommandLine|contains: + - 'system.io.compression.deflatestream' + - 'system.io.streamreader' + CommandLine|endswith: 'readtoend' condition: selection falsepositives: - unknown
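Review bot: Same weakness as in the ps_module twin of this rule: once order is no longer enforced, `'set'` and `'.run'` in `ScriptBlockText|contains|all` match almost any script block, so the effective signature is `&&`, `mshta`, `vbscript:createobject` and `(window.close)`; if one rule is tightened (e.g. `'.run('`), keep the two in lockstep. One thing the hunk cannot answer is whether the cmd/mshta wrapper ever reaches a 4104 event at all, since ScriptBlockText records the PowerShell that eventually runs rather than the launcher around it — worth confirming with a test event before relying on this rule, and noting the result in `falsepositives` or `description`.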
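Review bot: `CommandLine|endswith: 'readtoend'` in the proc_creation compress rule will not match the launcher it targets: `ReadToEnd` is invoked as a method, so a real command line continues with at least `()` and usually a closing `)` or `| IEX`, which is exactly why the replaced regex used `.*readtoend` without an end anchor. Replace the line with `- 'readtoend'` inside `CommandLine|contains|all`. The ps_module counterpart converted in this commit has the identical `endswith` and needs the same correction so both rules keep matching the same payloads.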
diff --git a/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_rundll.yml b/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_rundll.yml
index f59b098e3..ab5ea537f 100644
--- a/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_rundll.yml
+++ b/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_rundll.yml
@@ -6,13 +6,17 @@ author: Timur Zinniatullin, oscd.community references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23) date: 2020/10/18 -modified: 2021/11/27 +modified: 2022/03/07 logsource: category: process_creation product: windows detection: selection: - CommandLine|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' + CommandLine|contains|all: + - 'rundll32.exe' + - 'shell32.dll' + - 'shellexec_rundll' + - 'powershell' condition: selection falsepositives: - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_execution_of_wuauclt.yml b/rules/windows/process_creation/proc_creation_win_lolbas_execution_of_wuauclt.yml
index c06734aac..bae3fad54 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbas_execution_of_wuauclt.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbas_execution_of_wuauclt.yml
@@ -6,17 +6,16 @@ references: - https://dtm.uk/wuauclt/ author: Sreeman date: 2020/10/29 -modified: 2021/06/11 -tags: - - attack.defense_evasion - - attack.execution - - attack.t1218.011 +modified: 2022/03/07 logsource: product: windows category: process_creation detection: selection: - CommandLine|re: '(?i)wuauclt\.exe.*\/UpdateDeploymentProvider.*\/Runhandlercomserver' + CommandLine|contains|all: + - 'wuauclt.exe' + - '/UpdateDeploymentProvider' + - '/Runhandlercomserver' filter: CommandLine|contains: - 'wuaueng.dll'
@@ -27,3 +26,7 @@ falsepositives: fields: - CommandLine level: medium +tags: + - attack.defense_evasion + - attack.execution + - attack.t1218.011
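Review bot: `'rundll32.exe'` as the first `CommandLine|contains|all` term is a regression from the regex `rundll32(?:\.exe)?`, which deliberately accepted `rundll32 shell32.dll,ShellExec_RunDLL ...` without the extension — a spelling Windows resolves normally and one an operator may use precisely to sidestep exact-string detections. Use `- 'rundll32'`, which matches the `.exe` form as well. The remainder of the conversion only relaxes the regex (adjacency of `shell32.dll`, ordering and the trailing `"` are no longer required), which is acceptable for a `medium` rule.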
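Review bot: The new wuauclt `contains|all` terms are a faithful conversion, but the `filter` they are paired with — its first entry `'wuaueng.dll'` is the last line of the first hunk, and the filter block continues outside it — is a bare substring exclusion, so an attacker who simply names the malicious DLL `wuaueng.dll` (`wuauclt.exe /UpdateDeploymentProvider C:\Users\Public\wuaueng.dll /RunHandlerComServer`) is excluded and never alerts. Anchor the exclusion on the legitimate location rather than the file name, e.g. `- '\System32\wuaueng.dll'`, after checking what the genuine update-orchestrator invocation looks like in your telemetry; the right path fragment is not visible from this hunk. Since the selection keys only on CommandLine, also consider pairing it with `Image|endswith: '\wuauclt.exe'` or `OriginalFileName` so a copied-and-renamed binary does not fall outside the rule.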
diff --git a/rules/windows/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml b/rules/windows/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml
index 01c24de68..e8a4fbe36 100644
--- a/rules/windows/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml
+++ b/rules/windows/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml
@@ -4,10 +4,7 @@ description: BITS will allow you to schedule a command to execute after a succes status: experimental author: Sreeman date: 2020/10/29 -modified: 2021/07/15 -tags: - - attack.defense_evasion - - attack.t1197 +modified: 2022/03/07 references: - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html - http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html
@@ -17,12 +14,28 @@ logsource: category: process_creation detection: selection_1: - CommandLine|re: '(?i).*bitsadmin.*\/SetNotifyCmdLine.*(%COMSPEC%|cmd.exe|regsvr32.exe).*' + CommandLine|contains|all: + - 'bitsadmin' + - '/SetNotifyCmdLine' + CommandLine|contains: + - '%COMSPEC%' + - 'cmd.exe' + - 'regsvr32.exe' selection_2: - CommandLine|re: '(?i).*bitsadmin.*\/Addfile.*(http|https|ftp|ftps):.*' - condition: selection_1 or selection_2 + CommandLine|contains|all: + - 'bitsadmin' + - '/Addfile' + CommandLine|contains: + - 'http:' + - 'https:' + - 'ftp:' + - 'ftps:' + condition: 1 of selection_* falsepositives: - None observed yet. fields: - CommandLine -level: medium \ No newline at end of file +level: medium +tags: + - attack.defense_evasion + - attack.t1197
diff --git a/rules/windows/process_creation/proc_creation_win_write_protect_for_storage_disabled.yml b/rules/windows/process_creation/proc_creation_win_write_protect_for_storage_disabled.yml
index 68cbe07d6..163e8d4f2 100644
--- a/rules/windows/process_creation/proc_creation_win_write_protect_for_storage_disabled.yml
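Review bot: `selection_1` only fires when the `/SetNotifyCmdLine` program is `%COMSPEC%`, `cmd.exe` or `regsvr32.exe`, but the switch accepts any executable, so `bitsadmin /SetNotifyCmdLine <job> powershell.exe "..."` (or `rundll32.exe`, `mshta.exe`, `wscript.exe`) walks straight past the rule — a gap the regex already had and the conversion preserves. Given that `falsepositives` records none observed, either drop the second `CommandLine|contains` list from `selection_1` and alert on `/SetNotifyCmdLine` alone, or at least extend it with the common script hosts. Nit: `condition: 1 of selection_*` is correct for the two selections visible here, but it will silently absorb any future `selection_*` key, so a later `filter` must not be named that way.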
+++ b/rules/windows/process_creation/proc_creation_win_write_protect_for_storage_disabled.yml
@@ -4,17 +4,24 @@ description: Looks for changes to registry to disable any write-protect property status: experimental author: Sreeman date: 2021/06/11 -modified: 2021/06/11 -tags: - - attack.defense_evasion - - attack.t1562 +modified: 2022/03/07 logsource: product: windows category: process_creation detection: selection: - CommandLine|re: '(?i).*reg add.*hklm\\\\system\\\\currentcontrolset\\\\control.*(storage|storagedevicepolicies).*write protection.*0.*' + CommandLine|contains|all: + - 'reg add' + - 'hklm\system\currentcontrolset\control' + - 'write protection' + - '0' + CommandLine|contains: + - 'storage' + - 'storagedevicepolicies' condition: selection falsepositives: - none observed -level: medium \ No newline at end of file +level: medium +tags: + - attack.defense_evasion + - attack.t1562
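Review bot: Two of the new `CommandLine|contains|all` terms look unable to do what the rule intends: `'0'` matches any command line containing a zero anywhere (a path, `/d 10`), so it does not pin the value data, and `'write protection'` with a space does not appear in a `reg add` for the StorageDevicePolicies setting, whose value name is, as far as I know, `WriteProtect` — the regex being replaced had the same two problems, so the rule may never have fired. The commit does fix the doubled backslashes the regex appeared to require (`hklm\\\\system` → `hklm\system`), which is the right direction. Suggest `- '/d 0'` for the data and `- 'writeprotect'` for the value name, after confirming the intended key against a source, since the rule carries no `references` entry. Nit: `'storage'` is a substring of `'storagedevicepolicies'`, so the second entry of the `CommandLine|contains` list is redundant.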