security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New] Detonate LNK TOP Rules (#4058)

Browse Source 
* [New] Detonate LNK TOP Rules

the following two rules are the top ones matching on TPs from detonate for LNK files, converting them to SIEM rules compatible with Sysmon/Winlogbeat, SentinelOne and M365 Defender :

https://github.com/elastic/protections-artifacts/blob/ea2f8dd3b61a7cdf2ce83ca5f06f2096bb62a494/behavior/rules/windows/execution_suspicious_powershell_execution.toml#L8

https://github.com/elastic/protections-artifacts/blob/ea2f8dd3b61a7cdf2ce83ca5f06f2096bb62a494/behavior/rules/windows/execution_suspicious_windows_command_shell_execution.toml#L8

* Update execution_windows_cmd_shell_susp_args.toml

* Update execution_windows_powershell_susp_args.toml

* Update execution_windows_cmd_shell_susp_args.toml

* Update execution_windows_powershell_susp_args.toml

* Update execution_windows_powershell_susp_args.toml

* Update execution_windows_cmd_shell_susp_args.toml

* Update execution_windows_powershell_susp_args.toml

* Update rules/windows/execution_windows_cmd_shell_susp_args.toml

* Update rules/windows/execution_windows_powershell_susp_args.toml

* Update execution_windows_cmd_shell_susp_args.toml

* Update execution_windows_cmd_shell_susp_args.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
This commit is contained in:
Samirbous
2024-09-15 10:49:17 +01:00
committed by GitHub
parent bb9a772870
commit 9255dafe53
2 changed files with 246 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/execution_windows_cmd_shell_susp_args.toml
+123
View File
@@ -0,0 +1,123 @@
[metadata]
creation_date = "2024/09/06"
integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production"
updated_date = "2024/09/06"
[rule]
author = ["Elastic"]
description = """
Identifies the execution of the Windows Command Shell process (cmd.exe) with suspicious argument values. This behavior is
often observed during malware installation.
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-windows.*",
"logs-system.security*",
"logs-windows.sysmon_operational-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-m365_defender.event-*"
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Windows Command Shell Arguments"
risk_score = 73
rule_id = "d9ffc3d6-9de9-4b29-9395-5757d0695ecf"
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: System",
"Data Source: Sysmon",
"Data Source: SentinelOne",
"Data Source: Microsoft Defender for Endpoint"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
process.name : "cmd.exe" and
(
process.command_line : ("*).Run(*", "*GetObject*", "* curl*regsvr32*", "*echo*wscript*", "*echo*ZONE.identifier*",
"*ActiveXObject*", "*dir /s /b *echo*", "*unescape(*", "*findstr*TVNDRgAAAA*", "*findstr*passw*", "*start*\\\\*\\DavWWWRoot\\*",
"* explorer*%CD%*", "*%cd%\\*.js*", "*attrib*%CD%*", "*/?cMD<*", "*/AutoIt3ExecuteScript*..*", "*&cls&cls&cls&cls&cls&*",
"*&#*;&#*;&#*;&#*;*", "* &&s^eT*", "*& ChrW(*", "*&explorer /root*", "*start __ & __\\*", "*findstr /V /L *forfiles*",
"*=wscri& set *", "*http*!COmpUternaME!*", "*start *.pdf * start /min cmd.exe /c *\\\\*", "*pip install*System.Net.WebClient*",
"*Invoke-WebReques*Start-Process*", "*-command (Invoke-webrequest*", "*copy /b *\\\\* ping *-n*", "*echo*.ToCharArray*") or
(process.args : "echo" and process.parent.name : ("wscript.exe", "mshta.exe")) or
process.args : ("1>?:\\*.vbs", "1>?:\\*.js") or
(process.args : "explorer.exe" and process.args : "type" and process.args : ">" and process.args : "start") or
(process.parent.name : "explorer.exe" and
process.command_line :
("*&&S^eT *",
"*&& set *&& set *&& set *&& set *&& set *&& call*",
"**\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??*")) or
(process.parent.name : "explorer.exe" and process.args : "copy" and process.args : "&&" and process.args : "\\\\*@*\\*")
) and
/* false positives */
not (process.args : "%TEMP%\\Spiceworks\\*" and process.parent.name : "wmiprvse.exe") and
not process.parent.executable :
("?:\\Perl64\\bin\\perl.exe",
"?:\\Program Files\\nodejs\\node.exe",
"?:\\Program Files\\HP\\RS\\pgsql\\bin\\pg_dumpall.exe",
"?:\\Program Files (x86)\\PRTG Network Monitor\\64 bit\\PRTG Server.exe",
"?:\\Program Files (x86)\\Spiceworks\\bin\\spiceworks-finder.exe",
"?:\\Program Files (x86)\\Zuercher Suite\\production\\leds\\leds.exe",
"?:\\Program Files\\Tripwire\\Agent\\Plugins\\twexec\\twexec.exe",
"D:\\Agents\\?\\_work\\_tasks\\*\\SonarScanner.MSBuild.exe",
"?:\\Program Files\\Microsoft VS Code\\Code.exe",
"?:\\programmiweb\\NetBeans-*\\netbeans\\bin\\netbeans64.exe",
"?:\\Program Files (x86)\\Public Safety Suite Professional\\production\\leds\\leds.exe",
"?:\\Program Files (x86)\\Tier2Tickets\\button_gui.exe",
"?:\\Program Files\\NetBeans-*\\netbeans\\bin\\netbeans*.exe",
"?:\\Program Files (x86)\\Public Safety Suite Professional\\production\\leds\\leds.exe",
"?:\\Program Files (x86)\\Tier2Tickets\\button_gui.exe",
"?:\\Program Files (x86)\\Helpdesk Button\\button_gui.exe",
"?:\\VTSPortable\\VTS\\jre\\bin\\javaw.exe",
"?:\\Program Files\\Bot Framework Composer\\Bot Framework Composer.exe",
"?:\\Program Files\\KMSYS Worldwide\\eQuate\\*\\SessionMgr.exe",
"?:\\Program Files (x86)\\Craneware\\Pricing Analyzer\\Craneware.Pricing.Shell.exe",
"?:\\Program Files (x86)\\jumpcloud-agent-app\\jumpcloud-agent-app.exe",
"?:\\Program Files\\PostgreSQL\\*\\bin\\pg_dumpall.exe",
"?:\\Program Files (x86)\\Vim\\vim*\\vimrun.exe") and
not (process.args : "?:\\Program Files\\Citrix\\Secure Access Client\\nsauto.exe" and process.parent.name : "userinit.exe") and
not process.args :
("?:\\Program Files (x86)\\PCMatic\\PCPitstopScheduleService.exe",
"?:\\Program Files (x86)\\AllesTechnologyAgent\\*",
"https://auth.axis.com/oauth2/oauth-authorize*") and
not process.command_line :
("\"cmd\" /c %NETBEANS_MAVEN_COMMAND_LINE%",
"?:\\Windows\\system32\\cmd.exe /q /d /s /c \"npm.cmd ^\"install^\" ^\"--no-bin-links^\" ^\"--production^\"\"") and
not (process.name : "cmd.exe" and process.args : "%TEMP%\\Spiceworks\\*" and process.args : "http*/dataloader/persist_netstat_data") and
not (process.args == "echo" and process.args == "GEQ" and process.args == "1073741824")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.003"
name = "Windows Command Shell"
reference = "https://attack.mitre.org/techniques/T1059/003/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
rules/windows/execution_windows_powershell_susp_args.toml
+123
View File
@@ -0,0 +1,123 @@
[metadata]
creation_date = "2024/09/06"
integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production"
updated_date = "2024/09/06"
[rule]
author = ["Elastic"]
description = """
Identifies the execution of PowerShell with suspicious argument values. This behavior is often observed during malware
installation leveraging PowerShell.
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-windows.*",
"logs-system.security*",
"logs-windows.sysmon_operational-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-m365_defender.event-*"
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Windows Powershell Arguments"
risk_score = 73
rule_id = "83bf249e-4348-47ba-9741-1202a09556ad"
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: System",
"Data Source: Sysmon",
"Data Source: SentinelOne",
"Data Source: Microsoft Defender for Endpoint"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
process.name : "powershell.exe" and
(
process.command_line :
(
"*^*^*^*^*^*^*^*^*^*",
"*`*`*`*`*",
"*+*+*+*+*+*+*",
"*[char[]](*)*-join*",
"*Base64String*",
"*[*Convert]*",
"*.Compression.*",
"*-join($*",
"*.replace*",
"*MemoryStream*",
"*WriteAllBytes*",
"* -enc *",
"* -ec *",
"* /e *",
"* /enc *",
"* /ec *",
"*WebClient*",
"*DownloadFile*",
"*DownloadString*",
"* iex*",
"* iwr*",
"*Reflection.Assembly*",
"*Assembly.GetType*",
"*$env:temp\\*start*",
"*powercat*",
"*nslookup -q=txt*",
"*$host.UI.PromptForCredential*",
"*Net.Sockets.TCPClient*",
"*curl *;Start*",
"powershell.exe \"<#*",
"*ssh -p *",
"*http*|iex*",
"*@SSL\\DavWWWRoot\\*.ps1*",
"*.lnk*.Seek(0x*",
"*[string]::join(*",
"*[Array]::Reverse($*",
"* hidden $(gc *",
"*=wscri& set*",
"*http'+'s://*",
"*.content|i''Ex*",
"*//:sptth*",
"*//:ptth*",
"*$*=Get-Content*AppData*.SubString(*$*",
"*=cat *AppData*.substring(*);*$*"
) or
(process.args : "-c" and process.args : "&{'*") or
(process.args : "-Outfile" and process.args : "Start*") or
(process.args : "-bxor" and process.args : "0x*") or
process.args : "$*$*;set-alias" or
(process.parent.name : ("explorer.exe", "cmd.exe") and
process.command_line : ("*-encodedCommand*", "*Invoke-webrequest*", "*WebClient*", "*Reflection.Assembly*"))
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"