313578eeaa
fix: Dllhost.EXE Initiated Network Connection To Non-Local IP Address - Filter out additional Microsoft IP block and moved to the threat hunting folder due to large amount of matches based on VT data
fix: Forest Blizzard APT - File Creation Activity - Fix typo in filename
fix: New RUN Key Pointing to Suspicious Folder - Enhance filter to fix new false positive found in testing
new: COM Object Hijacking Via Modification Of Default System CLSID Default Value
new: CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21
new: DPAPI Backup Keys And Certificate Export Activity IOC
new: DSInternals Suspicious PowerShell Cmdlets
new: DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
new: HackTool - RemoteKrbRelay Execution
new: HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
new: HackTool - SharpDPAPI Execution
new: Hypervisor Enforced Paging Translation Disabled
new: PDF File Created By RegEdit.EXE
new: Periodic Backup For System Registry Hives Enabled
new: Renamed Microsoft Teams Execution
new: Windows LAPS Credential Dump From Entra ID
remove: Potential Persistence Via COM Hijacking From Suspicious Locations - Deprecated because of incorrect logic, replaced by "790317c0-0a36-4a6a-a105-6e576bf99a14"
update: DLL Call by Ordinal Via Rundll32.EXE - Reduced level to "medium" and moved to the threat hunting folder due to the fact that calling by ordinal can be seen by many legitimate utilities. An initial baseline needs to be set for the rule to be promoted.
update: Msiexec.EXE Initiated Network Connection Over HTTP - Reduced level to low and moved to the threat hunting folder due to large amount of matches based on VT data
update: MSSQL Add Account To Sysadmin Role - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL Disable Audit Settings - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL Server Failed Logon - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL Server Failed Logon From External Network - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL SPProcoption Set - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL XPCmdshell Option Change - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL XPCmdshell Suspicious Execution - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: Network Connection Initiated By AddinUtil.EXE - Increase level to "high" and promote the status to "test" based on VT data
update: Network Connection Initiated To AzureWebsites.NET By Non-Browser Process - Reduced the level to "medium" and added filters for "null" and empty values based on VT data
update: Office Application Initiated Network Connection Over Uncommon Ports - Add port "143" based on Microsoft "Microsoft 365 URLs and IP address ranges" document
update: Office Application Initiated Network Connection To Non-Local IP - Add "outlook.exe" to the list of processes and filter multiple IP ranges based on Microsoft "Microsoft 365 URLs and IP address ranges" document
update: Password Protected Compressed File Extraction Via 7Zip - Reduced level to "low" and moved to the threat hunting folder due to large amount of matches based on VT data
update: Potential Dead Drop Resolvers - Add filters for "null" and empty values based on VT data
update: Potential Privilege Escalation via Local Kerberos Relay over LDAP - Update metadata information
update: Potential Shellcode Injection - Reduced level to "medium" and moved to the threat hunting folder due to multiple FPs with third party software
update: Potential Suspicious Execution From GUID Like Folder Names - Reduced level to "low" and moved to the threat hunting folder
update: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Add additional EventLog and ETW providers to increase coverage
update: Potentially Suspicious Execution From Parent Process In Public Folder - Update logic to add Image names in addition to the previous CommandLines
update: Potentially Suspicious PowerShell Child Processes - Reduced level to "medium" and moved to the threat hunting folder due to large amount of matches based on VT data, as well as the fact that the logic doesn't look for anything suspicious but "child processes" that might be "uncommon".
update: Process Execution From A Potentially Suspicious Folder - Update metadata and remove "\Users\Public" to avoid false positives
update: Recon Command Output Piped To Findstr.EXE - Update the logic to use "wildcards" instead of spaces to cover different variants and increase the coverage.
update: Suspicious Electron Application Child Processes - Remove unnecessary filters
update: Suspicious Non-Browser Network Communication With Google API - Add filters for "null" and empty values based on VT data
update: System File Execution Location Anomaly - Enhance filters
update: Uncommon Child Process Of Setres.EXE - Update logic and metadata
update: Uncommon Link.EXE Parent Process - Enhance the filters and metadata
update: Windows Defender Threat Detection Service Disabled - Add French keyword for "stopped" to increase coverage for Windows OS that uses the French language

---------

Thanks: cY83rR0H1t
Thanks: CTI-Driven
Thanks: BIitzkrieg
Thanks: DFIR-jwedd
Thanks: Snp3r
587 lines
17 KiB
YAML
title: THOR
order: 20
backends:
  - thor
# this configuration differs from other configurations and can not be used
# with the sigmac tool. This configuration is used by the ioc scanners THOR and SPARK.
logsources:
  # log source configurations for generic sigma rules
  process_creation_1:
    category: process_creation
    product: windows
    conditions:
      EventID: 1
    rewrite:
      product: windows
      service: sysmon
  process_creation_2:
    category: process_creation
    product: windows
    conditions:
      EventID: 4688
    rewrite:
      product: windows
      service: security
    fieldmappings:
      Image: NewProcessName
      ParentImage: ParentProcessName
  network_connection:
    category: network_connection
    product: windows
    conditions:
      EventID: 3
    rewrite:
      product: windows
      service: sysmon
  sysmon_status1:
    category: sysmon_status
    product: windows
    conditions:
      EventID: 4
    rewrite:
      product: windows
      service: sysmon
  sysmon_status2:
    category: sysmon_status
    product: windows
    conditions:
      EventID: 16
    rewrite:
      product: windows
      service: sysmon
  process_terminated:
    category: process_termination
    product: windows
    conditions:
      EventID: 5
    rewrite:
      product: windows
      service: sysmon
  driver_loaded:
    category: driver_load
    product: windows
    conditions:
      EventID: 6
    rewrite:
      product: windows
      service: sysmon
  image_loaded:
    category: image_load
    product: windows
    conditions:
      EventID: 7
    rewrite:
      product: windows
      service: sysmon
  create_remote_thread:
    category: create_remote_thread
    product: windows
    conditions:
      EventID: 8
    rewrite:
      product: windows
      service: sysmon
  raw_access_thread:
    category: raw_access_thread
    product: windows
    conditions:
      EventID: 9
    rewrite:
      product: windows
      service: sysmon
  process_access:
    category: process_access
    product: windows
    conditions:
      EventID: 10
    rewrite:
      product: windows
      service: sysmon
  file_creation:
    category: file_event
    product: windows
    conditions:
      EventID: 11
    rewrite:
      product: windows
      service: sysmon
  registry_event1:
    category: registry_event
    product: windows
    conditions:
      EventID: 12
    rewrite:
      product: windows
      service: sysmon
  registry_event2:
    category: registry_event
    product: windows
    conditions:
      EventID: 13
    rewrite:
      product: windows
      service: sysmon
  registry_event3:
    category: registry_event
    product: windows
    conditions:
      EventID: 14
    rewrite:
      product: windows
      service: sysmon
  registry_add:
    category: registry_add
    product: windows
    conditions:
      EventID: 12
    rewrite:
      product: windows
      service: sysmon
  registry_delete:
    category: registry_delete
    product: windows
    conditions:
      EventID: 12
    rewrite:
      product: windows
      service: sysmon
  registry_set:
    category: registry_set
    product: windows
    conditions:
      EventID: 13
    rewrite:
      product: windows
      service: sysmon
  registry_rename:
    category: registry_rename
    product: windows
    conditions:
      EventID: 14
    rewrite:
      product: windows
      service: sysmon
  create_stream_hash:
    category: create_stream_hash
    product: windows
    conditions:
      EventID: 15
    rewrite:
      product: windows
      service: sysmon
  pipe_created1:
    category: pipe_created
    product: windows
    conditions:
      EventID: 17
    rewrite:
      product: windows
      service: sysmon
  pipe_created2:
    category: pipe_created
    product: windows
    conditions:
      EventID: 18
    rewrite:
      product: windows
      service: sysmon
  wmi_event1:
    category: wmi_event
    product: windows
    conditions:
      EventID: 19
    rewrite:
      product: windows
      service: sysmon
  wmi_event2:
    category: wmi_event
    product: windows
    conditions:
      EventID: 20
    rewrite:
      product: windows
      service: sysmon
  wmi_event3:
    category: wmi_event
    product: windows
    conditions:
      EventID: 21
    rewrite:
      product: windows
      service: sysmon
  dns_query:
    category: dns_query
    product: windows
    conditions:
      EventID: 22
    rewrite:
      product: windows
      service: sysmon
  file_delete:
    category: file_delete
    product: windows
    conditions:
      EventID: 23
    rewrite:
      product: windows
      service: sysmon
  clipboard_change:
    category: clipboard_change
    product: windows
    conditions:
      EventID: 24
    rewrite:
      product: windows
      service: sysmon
  process_tampering:
    category: process_tampering
    product: windows
    conditions:
      EventID: 25
    rewrite:
      product: windows
      service: sysmon
  file_delete_detected:
    category: file_delete_detected
    product: windows
    conditions:
      EventID: 26
    rewrite:
      product: windows
      service: sysmon
  file_block_executable:
    category: file_block_executable
    product: windows
    conditions:
      EventID: 27
    rewrite:
      product: windows
      service: sysmon
  file_block_shredding:
    category: file_block_shredding
    product: windows
    conditions:
      EventID: 28
    rewrite:
      product: windows
      service: sysmon
  file_executable_detected:
    category: file_executable_detected
    product: windows
    conditions:
      EventID: 29
    rewrite:
      product: windows
      service: sysmon
  sysmon_error:
    category: sysmon_error
    product: windows
    conditions:
      EventID: 255
    rewrite:
      product: windows
      service: sysmon
  # PowerShell Operational
  ps_module:
    category: ps_module
    product: windows
    conditions:
      EventID: 4103
    rewrite:
      product: windows
      service: powershell
  ps_script:
    category: ps_script
    product: windows
    conditions:
      EventID: 4104
    rewrite:
      product: windows
      service: powershell
  # Powershell "classic" channel
  ps_classic_start:
    category: ps_classic_start
    product: windows
    conditions:
      EventID: 400
    rewrite:
      product: windows
      service: powershell-classic
  ps_classic_provider_start:
    category: ps_classic_provider_start
    product: windows
    conditions:
      EventID: 600
    rewrite:
      product: windows
      service: powershell-classic
  ps_classic_script:
    category: ps_classic_script
    product: windows
    conditions:
      EventID: 800
    rewrite:
      product: windows
      service: powershell-classic
  # target system configurations
  windows-application:
    product: windows
    service: application
    sources:
      - "WinEventLog:Application"
  windows-security:
    product: windows
    service: security
    sources:
      - "WinEventLog:Security"
  windows-system:
    product: windows
    service: system
    sources:
      - "WinEventLog:System"
  windows-ntlm:
    product: windows
    service: ntlm
    sources:
      - "WinEventLog:Microsoft-Windows-NTLM/Operational"
  windows-sysmon:
    product: windows
    service: sysmon
    sources:
      - "WinEventLog:Microsoft-Windows-Sysmon/Operational"
  windows-powershell:
    product: windows
    service: powershell
    sources:
      - "WinEventLog:Microsoft-Windows-PowerShell/Operational"
      - "WinEventLog:PowerShellCore/Operational"
  windows-classicpowershell:
    product: windows
    service: powershell-classic
    sources:
      - "WinEventLog:Windows PowerShell"
  windows-taskscheduler:
    product: windows
    service: taskscheduler
    sources:
      - "WinEventLog:Microsoft-Windows-TaskScheduler/Operational"
  windows-wmi:
    product: windows
    service: wmi
    sources:
      - "WinEventLog:Microsoft-Windows-WMI-Activity/Operational"
  windows-dhcp:
    product: windows
    service: dhcp
    sources:
      - "WinEventLog:Microsoft-Windows-DHCP-Server/Operational"
  windows-printservice-admin:
    product: windows
    service: printservice-admin
    sources:
      - "WinEventLog:Microsoft-Windows-PrintService/Admin"
  windows-smbclient-security:
    product: windows
    service: smbclient-security
    sources:
      - "WinEventLog:Microsoft-Windows-SmbClient/Security"
  windows-smbclient-connectivity:
    product: windows
    service: smbclient-connectivity
    sources:
      - "WinEventLog:Microsoft-Windows-SmbClient/Connectivity"
  windows-printservice-operational:
    product: windows
    service: printservice-operational
    sources:
      - "WinEventLog:Microsoft-Windows-PrintService/Operational"
  windows-terminalservices-localsessionmanager-operational:
    product: windows
    service: terminalservices-localsessionmanager
    sources:
      - 'WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
  windows-codeintegrity-operational:
    product: windows
    service: codeintegrity-operational
    sources:
      - "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational"
  windows-applocker:
    product: windows
    service: applocker
    sources:
      - 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script'
      - 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL'
      - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment'
      - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution'
  windows-msexchange-management:
    product: windows
    service: msexchange-management
    sources:
      - 'WinEventLog:MSExchange Management'
  windows-defender:
    product: windows
    service: windefend
    sources:
      - 'WinEventLog:Microsoft-Windows-Windows Defender/Operational'
  windows-defender-antivirus-mapping:
    category: antivirus
    conditions:
      EventID: # https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus IDs with existing 'Threat Name' or 'Path'
        - 1006
        - 1007
        - 1008
        - 1009
        - 1010
        - 1011
        - 1012
        - 1017
        - 1018
        - 1019
        - 1115
        - 1116
    rewrite:
      product: windows
      service: windefend
    fieldmappings:
      Signature: ThreatName
      Filename: Path
  windows-firewall-advanced-security:
    product: windows
    service: firewall-as
    sources:
      - 'WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
  windows-bits-client:
    product: windows
    service: bits-client
    sources:
      - 'WinEventLog:Microsoft-Windows-Bits-Client/Operational'
  windows-security-mitigations:
    product: windows
    service: security-mitigations
    sources:
      - 'WinEventLog:Microsoft-Windows-Security-Mitigations/Kernel Mode'
      - 'WinEventLog:Microsoft-Windows-Security-Mitigations/User Mode'
  windows-diagnosis:
    product: windows
    service: diagnosis-scripted
    sources:
      - 'WinEventLog:Microsoft-Windows-Diagnosis-Scripted/Operational'
  windows-shell-core:
    product: windows
    service: shell-core
    sources:
      - 'WinEventLog:Microsoft-Windows-Shell-Core/Operational'
  windows-openssh:
    product: windows
    service: openssh
    sources:
      - 'WinEventLog:OpenSSH/Operational'
  windows-ldap-debug:
    product: windows
    service: ldap_debug
    sources:
      - 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug'
  windows-bitlocker:
    product: windows
    service: bitlocker
    sources:
      - 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management'
  windows-vhdmp:
    product: windows
    service: vhdmp
    sources:
      - 'WinEventLog:Microsoft-Windows-VHDMP/Operational'
  windows-appxdeployment-server:
    product: windows
    service: appxdeployment-server
    sources:
      - 'WinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational'
  windows-lsa-server:
    product: windows
    service: lsa-server
    sources:
      - 'WinEventLog:Microsoft-Windows-LSA/Operational'
  windows-appxpackaging-om:
    product: windows
    service: appxpackaging-om
    sources:
      - 'WinEventLog:Microsoft-Windows-AppxPackaging/Operational'
  windows-dns-client:
    product: windows
    service: dns-client
    sources:
      - 'WinEventLog:Microsoft-Windows-DNS Client Events/Operational'
  windows-appmodel-runtime:
    product: windows
    service: appmodel-runtime
    sources:
      - 'WinEventLog:Microsoft-Windows-AppModel-Runtime/Admin'
  windows-capi2:
    product: windows
    service: capi2
    sources:
      - 'WinEventLog:Microsoft-Windows-CAPI2/Operational'
  windows-certificateservicesclient-lifecycle:
    product: windows
    service: certificateservicesclient-lifecycle-system
    sources:
      - 'WinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational'
  windows-kernel-shimengine:
    product: windows
    service: kernel-shimengine
    sources:
      - 'WinEventLog:Microsoft-Windows-Kernel-ShimEngine/Operational'
      - 'WinEventLog:Microsoft-Windows-Kernel-ShimEngine/Diagnostic'
  windows-application-experience:
    product: windows
    service: application-experience
    sources:
      - 'WinEventLog:Microsoft-Windows-Application-Experience/Program-Telemetry'
      - 'WinEventLog:Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant'
  windows-ntfs:
    product: windows
    service: ntfs
    sources:
      - 'WinEventLog:Microsoft-Windows-Ntfs/Operational'
  windows-hyper-v-worker:
    product: windows
    service: hyper-v-worker
    sources:
      - 'WinEventLog:Microsoft-Windows-Hyper-V-Worker'
  windows-kernel-event-tracing:
    product: windows
    service: kernel-event-tracing
    sources:
      - 'WinEventLog:Microsoft-Windows-Kernel-EventTracing'
  windows-sense:
    product: windows
    service: sense
    sources:
      - 'WinEventLog:Microsoft-Windows-SENSE/Operational'
  apache:
    category: webserver
    sources:
      - "File:/var/log/apache/*.log"
      - "File:/var/log/apache2/*.log"
      - "File:/var/log/httpd/*.log"
  linux-auth:
    product: linux
    service: auth
    sources:
      - "File:/var/log/auth.log"
      - "File:/var/log/auth.log.?"
  linux-syslog:
    product: linux
    service: syslog
    sources:
      - "File:/var/log/syslog"
      - "File:/var/log/syslog.?"
  logfiles:
    category: logfile
    sources:
      - "File:*.log"
  logfiles-appliances:
    category: appliance
    sources:
      - "File:*.log"