Add files via upload

This commit is contained in:
SOCFortress
2022-08-08 22:22:39 -05:00
committed by GitHub
parent b7c72ef452
commit d96e93a66d
99 changed files with 3311 additions and 0 deletions


@@ -0,0 +1,25 @@
title: MSTSC Shadowing
id: 6ba5a05f-b095-4f0a-8654-b825f4f16334
status: test
description: Detects RDP session hijacking by using MSTSC shadowing
author: Florian Roth
references:
- https://twitter.com/kmkz_security/status/1220694202301976576
- https://github.com/kmkz/Pentesting/blob/master/Post-Exploitation-Cheat-Sheet
date: 2020/01/24
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'noconsentprompt'
- 'shadow:'
condition: selection
falsepositives:
- Unknown
level: high
tags:
- attack.lateral_movement
- attack.t1563.002
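Review bot: Both terms on L30-L31 are mandatory, so a shadow session started as `mstsc /shadow:<id> /control` without `/noConsentPrompt` (the target user is prompted, or the prompt is already suppressed by group policy) never matches. Consider making `shadow:` the required term and the escalating switches alternatives: `CommandLine|contains: 'shadow:'` in one selection and `CommandLine|contains: ['noconsentprompt', '/control']` in a second, both ANDed in the condition. `falsepositives: Unknown` could name the obvious one, help-desk shadowing where consent prompts are disabled centrally.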


@@ -0,0 +1,31 @@
title: RedMimicry Winnti Playbook Execute
id: 95022b85-ff2a-49fa-939a-d7b8f56eeb9b
status: test
description: Detects actions caused by the RedMimicry Winnti playbook
author: Alexander Rausch
references:
- https://redmimicry.com
date: 2020/06/24
modified: 2021/11/27
logsource:
product: windows
category: process_creation
detection:
selection:
Image|contains:
- rundll32.exe
- cmd.exe
CommandLine|contains:
- gthread-3.6.dll
- \Windows\Temp\tmp.bat
- sigcmm-2.4.dll
condition: selection
falsepositives:
- Unknown
level: high
tags:
- attack.execution
- attack.defense_evasion
- attack.t1106
- attack.t1059.003
- attack.t1218.011
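Review bot: `Image|contains` on L57-L59 matches any path that merely contains the string (`C:\tools\mycmd.exe`, `rundll32.exe.bak`), whereas the sibling rules anchor the binary name with `Image|endswith` and a leading backslash. Change to `Image|endswith:` with `- '\rundll32.exe'` and `- '\cmd.exe'`. The terms on L61-L63 are static indicators from the playbook rather than a behaviour; a comment such as `# static IOCs from the RedMimicry Winnti playbook, not a generic pattern` would stop readers from widening them.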


@@ -0,0 +1,32 @@
title: Registry Defender Tampering
id: 452bce90-6fb0-43cc-97a5-affc283139b3
status: experimental
description: Detects reg command lines that disable certain important features of Microsoft Defender
references:
- https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
author: Florian Roth
date: 2022/03/22
modified: 2022/05/09
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: \reg.exe
CommandLine|contains:
- 'SOFTWARE\Microsoft\Windows Defender\'
- 'SOFTWARE\Policies\Microsoft\Windows Defender\'
CommandLine|contains|all:
- ' add '
- ' /d 0'
selection_target:
CommandLine|contains:
- 'Real-Time Protection'
- 'TamperProtection'
condition: selection and selection_target
falsepositives:
- Legitimate use
level: high
tags:
- attack.defense_evasion
- attack.t1562.001
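Review bot: The `' /d 0'` requirement on L98 fits `TamperProtection` (0 = off) but not the `Real-Time Protection` key, whose values are named `Disable...` (e.g. `DisableRealtimeMonitoring`, `DisableBehaviorMonitoring`) and are set to 1 to disable the feature, so a command line like `reg add "...\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f` does not fire. Split the pairing: keep `' /d 0'` with `TamperProtection` and add a selection that pairs `'Real-Time Protection'` with `' /v Disable'` and `' /d 1'`. `falsepositives: Legitimate use` would be more useful as "admins scripting temporary real-time scanning exclusions via reg.exe".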


@@ -0,0 +1,26 @@
title: Registry Dump of SAM Creds and Secrets
id: 038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e
status: experimental
description: Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored
author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets
date: 2022/01/05
logsource:
category: process_creation
product: windows
detection:
selection_reg:
CommandLine|contains: ' save '
selection_key:
CommandLine|contains:
- HKLM\sam
- HKLM\system
- HKLM\security
condition: all of selection_*
falsepositives:
- Unknown
level: high
tags:
- attack.credential_access
- attack.t1003.002
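Review bot: L130-L132 only list the `HKLM\` abbreviation, so `reg save HKEY_LOCAL_MACHINE\SAM out.hiv` is missed; add the long-form entries `- HKEY_LOCAL_MACHINE\sam`, `- HKEY_LOCAL_MACHINE\system`, `- HKEY_LOCAL_MACHINE\security`. The absence of an `Image` constraint is a feature here (a renamed reg.exe still matches) and deserves a one-line comment on `selection_reg` saying so. `falsepositives: Unknown` could mention backup and forensic tooling that saves the SYSTEM hive.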


@@ -0,0 +1,45 @@
title: Enabling RDP Service via Reg.exe
id: 0d5675be-bc88-4172-86d3-1e96a4476536
status: experimental
description: Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host
author: '@Kostastsale, @TheDFIRReport, slightly modified by pH-T'
references:
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
date: 2022/02/12
modified: 2022/03/15
logsource:
product: windows
category: process_creation
detection:
selection1:
Image|endswith: '\reg.exe'
CommandLine|contains|all:
- ' add '
- '\SYSTEM\CurrentControlSet\Control\Terminal Server'
- 'REG_DWORD'
- ' /f'
selection2:
CommandLine|contains|all:
- 'Licensing Core'
- 'EnableConcurrentSessions'
selection3:
CommandLine|contains:
- 'WinStations\RDP-Tcp'
- 'MaxInstanceCount'
- 'fEnableWinStation'
- 'TSUserEnabled'
- 'TSEnabled'
- 'TSAppCompat'
- 'IdleWinStationPoolCount'
- 'TSAdvertise'
- 'AllowTSConnections'
- 'fSingleSessionPerUser'
condition: selection1 and (selection2 or selection3)
falsepositives:
- Unknown
level: high
tags:
- attack.defense_evasion
- attack.lateral_movement
- attack.t1021.001
- attack.t1112
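Review bot: `fDenyTSConnections`, the value under `...\Control\Terminal Server` that actually turns RDP on (`/v fDenyTSConnections /t REG_DWORD /d 0 /f`), is absent from selection3 on L169-L179, so the most common enabling command does not fire unless another rule covers it; add `- 'fDenyTSConnections'`. selection1 also requires `' /f'` (L163), which reg.exe only needs to overwrite an existing value without prompting, so an adversary creating a new value can omit it; consider dropping that term and keeping the `REG_DWORD` anchor.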


@@ -0,0 +1,31 @@
title: Registry Disabling LSASS PPL
id: 8c0eca51-0f88-4db2-9183-fdfb10c703f9
status: experimental
description: Detects reg command lines that disables PPL on the LSA process
references:
- https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
author: Florian Roth
date: 2022/03/22
modified: 2022/05/09
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: \reg.exe
CommandLine|contains: 'SYSTEM\CurrentControlSet\Control\Lsa'
CommandLine|contains|all:
- ' add '
- ' /d 0'
- ' /v RunAsPPL '
selection_target:
CommandLine|contains:
- 'Real-Time Protection'
- 'TamperProtection'
condition: selection and selection_target
falsepositives:
- Unlikely
level: high
tags:
- attack.defense_evasion
- attack.t1562.010
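Review bot: The condition on L217 requires `selection_target` (L213-L216), which appears to be copied from the Defender tampering rule: a `reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 0 /f` command line contains neither `Real-Time Protection` nor `TamperProtection`, so this rule cannot fire on the behaviour its description names. Delete `selection_target` and set `condition: selection`. The trailing space in `' /v RunAsPPL '` on L212 is fine for the unquoted form but misses `/v "RunAsPPL"`; `' /v RunAsPPL'` plus `'RunAsPPL"'` would cover both.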


@@ -0,0 +1,36 @@
title: Exports Critical Registry Keys To a File
id: 82880171-b475-4201-b811-e9c826cd5eaa
status: test
description: Detects the export of a crital Registry key to a file.
author: Oddvar Moe, Sander Wiebing, oscd.community
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
date: 2020/10/12
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\regedit.exe'
CommandLine|contains: ' /E '
selection_2:
CommandLine|contains:
- 'hklm'
- 'hkey_local_machine'
selection_3:
CommandLine|endswith:
- '\system'
- '\sam'
- '\security'
condition: selection and selection_2 and selection_3
fields:
- ParentImage
- CommandLine
falsepositives:
- Dumping hives for legitimate purpouse i.e. backup or forensic investigation
level: high
tags:
- attack.exfiltration
- attack.t1012
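Review bot: `CommandLine|endswith` on L250-L253 only matches when the hive name is the very last character run, so `regedit /E out.reg "HKLM\SAM"` (quoted, ending in `"`) or a trailing space falls through to the low-severity sibling rule; add `'\sam"'`, `'\system"'`, `'\security"'` entries or switch to a regex anchored on `(\s|"|$)`. The tags on L262-L263 are mismatched: `attack.t1012` (Query Registry) sits under Discovery, not Exfiltration, and dumping SAM/SYSTEM/SECURITY is T1003.002 under credential_access. The description has two typos (`crital`, `purpouse`).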


@@ -0,0 +1,36 @@
title: Exports Registry Key To a File
id: f0e53e89-8d22-46ea-9db5-9d4796ee2f8a
status: test
description: Detects the export of the target Registry key to a file.
author: Oddvar Moe, Sander Wiebing, oscd.community
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
date: 2020/10/07
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\regedit.exe'
CommandLine|contains: ' /E '
filter_1: # filters to avoid intersection with critical keys rule
CommandLine|contains:
- 'hklm'
- 'hkey_local_machine'
filter_2:
CommandLine|endswith:
- '\system'
- '\sam'
- '\security'
condition: selection and not (filter_1 and filter_2)
fields:
- ParentImage
- CommandLine
falsepositives:
- Legitimate export of keys
level: low
tags:
- attack.exfiltration
- attack.t1012
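Review bot: The tags on L302-L303 pair `attack.exfiltration` with `attack.t1012`, which is a Discovery technique (Query Registry); pick one tactic that matches the technique. The exclusion on L285-L294 is a copy of the sibling critical-keys selection, so the comment on L285 should say explicitly that the two must be changed together, e.g. `# keep in sync with "Exports Critical Registry Keys To a File" (82880171-...)`.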


@@ -0,0 +1,36 @@
title: Imports Registry Key From an ADS
id: 0b80ade5-6997-4b1d-99a1-71701778ea61
status: test
description: Detects the import of a alternate datastream to the registry with regedit.exe.
author: Oddvar Moe, Sander Wiebing, oscd.community
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
date: 2020/10/12
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\regedit.exe'
CommandLine|contains:
- ' /i '
- '.reg'
selection_2:
CommandLine|re: ':[^ \\\\]'
filter:
CommandLine|contains:
- ' /e '
- ' /a '
- ' /c '
condition: selection and selection_2 and not filter
fields:
- ParentImage
- CommandLine
falsepositives:
- Unknown
level: high
tags:
- attack.t1112
- attack.defense_evasion
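Review bot: The regex on L328, `':[^ \\\\]'`, also matches a drive-relative path such as `regedit /s C:x.reg` (colon followed by a non-space, non-backslash character), and inside a single-quoted YAML scalar the class `[^ \\\\]` excludes only space and backslash, so two of the four backslashes are redundant. Anchoring on the file name before the stream colon, e.g. `CommandLine|re: '\\[^\\: ]+:[^ \\]'`, keeps `file.txt:stream` and drops the drive-letter case. Note also that `' /i '` and `'.reg'` on L325-L326 are ORed, so the `/i` switch is not actually required — correct, since regedit imports by default, but worth a comment.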


@@ -0,0 +1,30 @@
title: Modifies the Registry From a ADS
id: 77946e79-97f1-45a2-84b4-f37b5c0d8682
status: experimental
description: Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regini.yml
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini
tags:
- attack.t1112
- attack.defense_evasion
author: Eli Salem, Sander Wiebing, oscd.community
date: 2020/10/12
modified: 2022/05/09
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\regini.exe'
- OriginalFileName: 'REGINI.EXE'
selection_re:
CommandLine|re: ':[^ \\\\]'
condition: selection and selection_re
fields:
- ParentImage
- CommandLine
falsepositives:
- Unknown
level: high
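Review bot: The regex on L370 has the same drive-relative weakness as the regedit ADS rule: `regini C:script.ini` contains a colon followed by a non-space, non-backslash character and fires. Requiring a file-name run before the stream colon, `CommandLine|re: '\\[^\\: ]+:[^ \\]'`, avoids that while still matching `\path\file.txt:stream`.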


@@ -0,0 +1,52 @@
title: Highly Relevant Renamed Binary
id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
status: test
description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
author: Matthew Green - @mgreen27, Florian Roth
references:
- https://attack.mitre.org/techniques/T1036/
- https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
- https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
date: 2019/06/15
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName:
- 'powershell.exe'
- 'powershell_ise.exe'
- 'psexec.exe'
- 'psexec.c' # old versions of psexec (2016 seen)
- 'cscript.exe'
- 'wscript.exe'
- 'mshta.exe'
- 'regsvr32.exe'
- 'wmic.exe'
- 'certutil.exe'
- 'rundll32.exe'
- 'cmstp.exe'
- 'msiexec.exe'
filter:
Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
- '\psexec.exe'
- '\psexec64.exe'
- '\cscript.exe'
- '\wscript.exe'
- '\mshta.exe'
- '\regsvr32.exe'
- '\wmic.exe'
- '\certutil.exe'
- '\rundll32.exe'
- '\cmstp.exe'
- '\msiexec.exe'
condition: selection and not filter
falsepositives:
- Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
level: high
tags:
- attack.defense_evasion
- attack.t1036.003


@@ -0,0 +1,23 @@
title: Process Creation with Renamed BrowserCore.exe
id: 8a4519e8-e64a-40b6-ae85-ba8ad2177559
status: experimental
description: Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)
author: Max Altgelt
date: 2022/06/02
references:
- https://twitter.com/mariuszbit/status/1531631015139102720
tags:
- attack.t1528
- attack.t1036.003
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName: BrowserCore.exe
filter_realbrowsercore:
Image|endswith: '\BrowserCore.exe'
condition: selection and not 1 of filter*
falsepositives:
- Unknown
level: high


@@ -0,0 +1,27 @@
title: Renamed jusched.exe
id: edd8a48c-1b9f-4ba1-83aa-490338cd1ccb
status: test
description: Detects renamed jusched.exe used by cobalt group
author: Markus Neis, Swisscom
references:
- https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
date: 2019/06/04
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
selection1:
Description: Java Update Scheduler
selection2:
Description: Java(TM) Update Scheduler
filter:
Image|endswith: '\jusched.exe'
condition: (selection1 or selection2) and not filter
falsepositives:
- Unknown
level: high
tags:
- attack.execution
- attack.defense_evasion
- attack.t1036.003
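Review bot: selection1 and selection2 on L478-L481 differ only in the `Description` value and are ORed, which Sigma expresses as a single list; `selection:` / `Description: ['Java Update Scheduler', 'Java(TM) Update Scheduler']` and `condition: selection and not filter` reads the same as the sibling rename rules. A `# two Description strings seen across jusched.exe versions` comment would explain why both are present.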


@@ -0,0 +1,27 @@
title: Renamed MegaSync
id: 643bdcac-8b82-49f4-9fd9-25a90b929f3b
status: experimental
description: Detects the execution of a renamed meg.exe of MegaSync during incident response engagements associated with ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.
references:
- https://redcanary.com/blog/rclone-mega-extortion/
author: Sittikorn S
date: 2021/06/22
tags:
- attack.defense_evasion
- attack.t1218
logsource:
product: windows
category: process_creation
detection:
selection_proc:
ParentImage|endswith: '\explorer.exe'
CommandLine|contains: 'C:\Windows\Temp\meg.exe'
selection_orig:
OriginalFileName: 'meg.exe'
filter:
Image|endswith: '\meg.exe'
condition: selection_proc or ( selection_orig and not filter )
falsepositives:
- Software that illegaly integrates MegaSync in a renamed form
- Administrators that have renamed MegaSync
level: high
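Review bot: The `selection_proc` branch on L511-L513 fires on a non-renamed `C:\Windows\Temp\meg.exe` launched from Explorer, which contradicts the title and bypasses the `filter` logic entirely — it is a path indicator from the Red Canary report, not a rename detection, and it hard-codes the `C:` drive. Either move it into its own rule ("MegaSync executed from Windows\Temp") or say in the description that the rule also carries a static path IOC. The tag `attack.t1218` (signed binary proxy execution) does not describe renaming a tool; the sibling rename rules use `attack.t1036.003`.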


@@ -0,0 +1,23 @@
title: Renamed Msdt.exe
id: bd1c6866-65fc-44b2-be51-5588fcff82b9
status: experimental
description: Detects process creation with a renamed Msdt.exe
author: pH-T
date: 2022/06/03
references:
- https://lolbas-project.github.io/lolbas/Binaries/Msdt/
tags:
- attack.defense_evasion
- attack.t1036.003
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName: 'msdt.exe'
filter_realmsdt:
Image|endswith: '\msdt.exe'
condition: selection and not 1 of filter*
falsepositives:
- Unlikely
level: high


@@ -0,0 +1,31 @@
title: Renamed PowerShell
id: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20
status: test
description: Detects the execution of a renamed PowerShell often used by attackers or malware
references:
- https://twitter.com/christophetd/status/1164506034720952320
author: Florian Roth, frack113
date: 2019/08/22
modified: 2021/07/03
tags:
- car.2013-05-009
- attack.defense_evasion
- attack.t1036.003
logsource:
product: windows
category: process_creation
detection:
selection:
Description|startswith:
- 'Windows PowerShell'
- 'pwsh'
Company: 'Microsoft Corporation'
filter:
Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
- '\pwsh.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: high


@@ -0,0 +1,35 @@
title: Renamed ProcDump
id: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67
status: test
description: Detects the execution of a renamed ProcDump executable often used by attackers or malware
references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
author: Florian Roth
date: 2019/11/18
modified: 2021/08/16
tags:
- attack.defense_evasion
- attack.t1036.003
logsource:
product: windows
category: process_creation
detection:
selection1:
OriginalFileName: 'procdump'
selection2:
CommandLine|contains|all:
- ' -ma '
- ' -accepteula '
selection3:
CommandLine|contains|all:
- ' -ma '
- '.dmp'
filter:
Image|endswith:
- '\procdump.exe'
- '\procdump64.exe'
condition: ( selection1 or selection2 or selection3 ) and not filter
falsepositives:
- Procdump illegaly bundled with legitimate software
- Weird admins who renamed binaries
level: high


@@ -0,0 +1,29 @@
title: Renamed PsExec
id: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2
status: test
description: Detects the execution of a renamed PsExec often used by attackers or malware
author: Florian Roth
references:
- https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks
date: 2019/05/21
modified: 2021/11/27
logsource:
product: windows
category: process_creation
detection:
selection:
Description: 'Execute processes remotely'
Product: 'Sysinternals PsExec'
filter:
Image|endswith:
- '\PsExec.exe'
- '\PsExec64.exe'
condition: selection and not filter
falsepositives:
- Software that illegaly integrates PsExec in a renamed form
- Administrators that have renamed PsExec and no one knows why
level: high
tags:
- car.2013-05-009
- attack.defense_evasion
- attack.t1036.003


@@ -0,0 +1,20 @@
title: Renamed Rundll32.exe Execution
id: d4d2574f-ac17-4d9e-b986-aeeae0dc8fe2
status: experimental
description: Detects the execution of rundll32.exe that has been renamed to a different name to avoid detection
references:
- https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/
author: Florian Roth
date: 2022/06/08
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName: 'RUNDLL32.EXE'
filter:
Image|endswith: '\rundll32.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: high
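Review bot: This rule has no `tags:` section at all, unlike every other rename rule in the commit, so it will be dropped from ATT&CK coverage maps; add `tags:` with `- attack.defense_evasion` and `- attack.t1036.003`. A `modified:` date is not needed yet, but `falsepositives: Unknown` could at least name the case the siblings do, software that bundles a renamed rundll32.exe.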


@@ -0,0 +1,25 @@
title: Renamed Whoami Execution
id: f1086bf7-a0c4-4a37-9102-01e573caf4a0
status: experimental
description: Detects the execution of whoami that has been renamed to a different name to avoid detection
references:
- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
author: Florian Roth
date: 2021/08/12
tags:
- attack.discovery
- attack.t1033
- car.2016-03-001
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName: 'whoami.exe'
filter:
Image|endswith: '\whoami.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: critical
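Review bot: The tags on L694-L697 only cover the discovery technique; the thing actually detected is a renamed binary, so `- attack.defense_evasion` and `- attack.t1036.003` are missing. `level: critical` on L709 is one step above every sibling rename rule (all `high`) with no stated reason; either justify it in the description (renamed whoami has no legitimate use) or align it.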


@@ -0,0 +1,26 @@
title: Remote Procedure Call Service Anomaly
id: a7cd7306-df8b-4398-b711-6f3e4935cf16
status: experimental
description: Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
author: Florian Roth
references:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809
- https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html
- https://twitter.com/cyb3rops/status/1514217991034097664
date: 2022/04/13
logsource:
category: process_creation
product: windows
detection:
selection:
ParentCommandLine|startswith: 'C:\WINDOWS\system32\svchost.exe -k RPCSS'
condition: selection
falsepositives:
- Unknown
- Some cases in which the service spawned a werfault.exe process
level: high
tags:
- attack.initial_access
- attack.t1190
- attack.execution
- attack.t1569.002
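Review bot: `ParentCommandLine|startswith: 'C:\WINDOWS\system32\svchost.exe -k RPCSS'` on L729 hard-codes the system drive and path, so hosts installed elsewhere never match; `ParentCommandLine|contains: '\svchost.exe -k RPCSS'` keeps the service-group anchor without the path assumption. The `falsepositives` entry on L733 names `werfault.exe` but the rule does not exclude it; either add `filter: Image|endswith: '\WerFault.exe'` with `condition: selection and not filter`, or explain why the crash-handler child is wanted.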


@@ -0,0 +1,36 @@
title: Rundll32 Execution Without DLL File
id: c3a99af4-35a9-4668-879e-c09aeb4f2bdf
status: experimental
description: Detects the execution of rundll32 with a command line that doesn't contain a .dll file
references:
- https://twitter.com/mrd0x/status/1481630810495139841?s=12
author: Tim Shelton, Florian Roth
date: 2022/01/13
modified: 2022/03/20
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\rundll32.exe'
filter_empty:
CommandLine: null
filter:
- CommandLine|contains: '.dll'
- CommandLine: ''
filter_iexplorer:
ParentImage|endswith: ':\Program Files\Internet Explorer\iexplore.exe'
CommandLine|contains: '.cpl'
filter_msiexec_syswow64:
ParentImage|endswith: ':\Windows\SysWOW64\msiexec.exe'
CommandLine|startswith: 'C:\Windows\syswow64\MsiExec.exe -Embedding'
filter_msiexec_system32:
ParentImage|endswith: ':\Windows\System32\msiexec.exe'
CommandLine|startswith: 'C:\Windows\system32\MsiExec.exe -Embedding'
condition: selection and not 1 of filter*
fields:
- Image
- CommandLine
falsepositives:
- Unknown
level: high
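Review bot: The exclusion `CommandLine|contains: '.dll'` on L762 is a bare substring, so `payload.dllx`, `evil.dll.txt` or a directory named `.dll` all pass the filter and go undetected, which is exactly the evasion the referenced tweet describes. Anchor the extension with a regex such as `CommandLine|re: '\.dll(["\s,]|$)'` so the match requires the `.dll` to end the file token. `filter_iexplorer` on L765 only matches the 64-bit path; `':\Program Files (x86)\Internet Explorer\iexplore.exe'` is needed too, or use `ParentImage|endswith: '\Internet Explorer\iexplore.exe'`.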


@@ -0,0 +1,26 @@
title: Run PowerShell Script from ADS
id: 45a594aa-1fbd-4972-a809-ff5a99dd81b8
status: test
description: Detects PowerShell script execution from Alternate Data Stream (ADS)
author: Sergey Soldatov, Kaspersky Lab, oscd.community
references:
- https://github.com/p0shkatz/Get-ADS/blob/master/Get-ADS.ps1
date: 2019/10/30
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\powershell.exe'
Image|endswith: '\powershell.exe'
CommandLine|contains|all:
- 'Get-Content'
- '-Stream'
condition: selection
falsepositives:
- Unknown
level: high
tags:
- attack.defense_evasion
- attack.t1564.004
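Review bot: `ParentImage|endswith: '\powershell.exe'` on L798 means the rule only sees `Get-Content -Stream` when one PowerShell spawns another; a direct `powershell -c "Get-Content C:\x.txt -Stream p | iex"` from cmd.exe, a scheduled task or a document macro has a different parent and is missed. Unless the nested case is the specific intent, drop the `ParentImage` term (or make it a second, higher-severity selection). Add `'\pwsh.exe'` to the `Image` list while there.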


@@ -0,0 +1,26 @@
title: Run PowerShell Script from Redirected Input Stream
id: c83bf4b5-cdf0-437c-90fa-43d734f7c476
status: test
description: Detects PowerShell script execution via input stream redirect
author: Moriarty Meng (idea), Anton Kutepov (rule), oscd.community
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Powershell.yml
- https://twitter.com/Moriarty_Meng/status/984380793383370752
date: 2020/10/17
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
powershell_started:
Image|endswith: '\powershell.exe'
redirect_to_input_stream:
CommandLine|re: '\s-\s*<'
condition: powershell_started and redirect_to_input_stream
falsepositives:
- Unknown
level: high
tags:
- attack.defense_evasion
- attack.execution
- attack.t1059
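Review bot: The regex `'\s-\s*<'` on L831 is applied to powershell.exe's own `CommandLine`, but when the reference form `powershell - < file.ps1` is typed into cmd.exe the redirection is consumed by cmd and powershell is created with just `powershell -`, so the `<` is likely to appear only in `ParentCommandLine` (confirm against your telemetry). Consider matching both, e.g. `- CommandLine|re: '\s-\s*<'` and `- ParentCommandLine|re: 'powershell(\.exe)?\s-\s*<'`, or fall back to `CommandLine|endswith: ' -'` for the child, which is the visible trace of stdin-driven execution.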


@@ -0,0 +1,29 @@
title: Rundll32 Registered COM Objects
id: f1edd233-30b5-4823-9e6a-c4171b24d316
status: experimental
description: load malicious registered COM objects
references:
- https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md
author: frack113
date: 2022/02/13
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: \rundll32.exe
CommandLine|contains:
- '-sta '
- 'localserver '
CommandLine|contains|all:
- '{'
- '}'
condition: selection
falsepositives:
- Legitimate use
level: high
tags:
- attack.privilege_escalation
- attack.persistence
- attack.t1546.015
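Review bot: rundll32 accepts its switches with either `-` or `/`, so `'-sta '` and `'localserver '` on L860-L861 miss `/sta {CLSID}`; add `'/sta '` (the `localserver` term already matches both forms because it has no prefix). The description on L847, `load malicious registered COM objects`, is a fragment and does not follow the "Detects ..." convention used across the set; `Detects rundll32 being used to instantiate a registered COM object by CLSID (-sta / -localserver)` would do.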


@@ -0,0 +1,30 @@
title: Rundll32 Without Parameters
id: 5bb68627-3198-40ca-b458-49f973db8752
status: experimental
description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
author: Bartlomiej Czyz, Relativity
date: 2021/01/31
references:
- https://bczyz1.github.io/2021/01/30/psexec.html
tags:
- attack.lateral_movement
- attack.t1021.002
- attack.t1570
- attack.execution
- attack.t1569.002
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine: 'rundll32.exe'
condition: selection
fields:
- ComputerName
- SubjectUserName
- CommandLine
- Image
- ParentImage
falsepositives:
- Unknown
level: high
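Review bot: `CommandLine: 'rundll32.exe'` on L896 is an exact match, so the parameterless launch is only caught in the bare form the referenced Metasploit module happens to use; `C:\Windows\System32\rundll32.exe` or `"rundll32.exe"` with no arguments slip through. A list such as `CommandLine|endswith: ['\rundll32.exe', 'rundll32.exe"']` alongside the exact value keeps the original case covered. `SubjectUserName` in `fields` (L900) is a Security 4688 field name; for Sysmon-backed process_creation the equivalent is `User`.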


@@ -0,0 +1,29 @@
title: Suspicious Schtasks Execution AppData Folder
id: c5c00f49-b3f9-45a6-997e-cfdecc6e1967
status: experimental
description: 'Detects the creation of a schtask that executes a file from C:\Users\<USER>\AppData\Local'
author: 'pH-T'
references:
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
date: 2022/03/15
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- '/Create'
- '/RU "NT AUT'
- '/TR'
- 'C:\Users\'
- '\AppData\Local\'
condition: selection
falsepositives:
- Unknown
level: high
tags:
- attack.execution
- attack.persistence
- attack.t1053.005
- attack.t1059.001
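Review bot: `'/RU "NT AUT'` on L927 only matches the quoted long form of the account; schtasks accepts `/RU SYSTEM` and `/RU "SYSTEM"` for the same principal and neither fires. Add those as alternatives in a separate selection, e.g. `CommandLine|contains: ['/RU "NT AUT', '/RU SYSTEM', '/RU "SYSTEM"']`. The `attack.t1059.001` tag on L939 implies PowerShell, which nothing in the detection requires; either constrain `/TR` to `powershell` or drop the tag.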


@@ -0,0 +1,35 @@
title: Suspicious Powershell No File or Command
id: b66474aa-bd92-4333-a16c-298155b120df
status: experimental
description: Detects suspicious powershell execution that ends with a common flag instead of a command or a filename to execute (could be a sign of implicit execution that uses files in WindowsApps directory)
author: 'pH-T, Florian Roth'
references:
- https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
date: 2022/04/08
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|endswith:
- ' -windowstyle hidden"'
- ' -windowstyle hidden'
- " -windowstyle hidden'"
- ' -w hidden"'
- ' -w hidden'
- " -w hidden'"
- ' -ep bypass"'
- ' -ep bypass'
- " -ep bypass'"
- ' -noni"'
- ' -noni'
- " -noni'"
condition: selection
falsepositives:
- Unknown
level: high
tags:
- attack.execution
- attack.persistence
- attack.t1053.005
- attack.t1059.001
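Review bot: There is no `Image`/`OriginalFileName` term, so the `CommandLine|endswith` list on L957-L969 fires on any process whose command line ends with these flags — including the `schtasks /create ... /tr "powershell -w hidden"` and `cmd /c powershell -w hidden` wrappers, which produce a second alert per execution. If the wrapper hits are intended (the t1053.005 tag suggests so), say that in the description; otherwise add `Image|endswith: ['\powershell.exe', '\pwsh.exe']`. A trailing space after the flag also defeats every entry; consider adding `' -w hidden '` style variants or trimming in the pipeline.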


@@ -0,0 +1,35 @@
title: Scheduled Task Executing Powershell Encoded Payload from Registry
id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78
status: experimental
description: Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.
author: '@Kostastsale, @TheDFIRReport, slightly modified by pH-T'
references:
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
date: 2022/02/12
modified: 2022/03/15
logsource:
product: windows
category: process_creation
detection:
selection1:
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- '/Create'
- '/SC'
- 'FromBase64String'
- 'Get-ItemProperty'
selection2:
CommandLine|contains:
- 'HKCU:'
- 'HKLM:'
- 'registry::'
- 'HKEY_'
condition: selection1 and selection2
falsepositives:
- Unknown
level: high
tags:
- attack.execution
- attack.persistence
- attack.t1053.005
- attack.t1059.001
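Review bot: selection1 on L1001-L1002 keys on the cmdlet name `Get-ItemProperty`, which an operator can replace with the `gp` alias or `(Get-Item HKCU:\...).GetValue(...)` without changing behaviour; add `'gp '` and `'.GetValue('` as alternatives to the registry-read term while keeping `FromBase64String` mandatory. `'/SC'` on L1000 is a bare substring and will also match `/SC` inside other arguments — harmless, but `' /SC '` is the intended token.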


@@ -0,0 +1,25 @@
title: ScreenConnect Backstage Mode Anomaly
id: 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5
description: Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode
status: experimental
references:
- https://www.mandiant.com/resources/telegram-malware-iranian-espionage
- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode
tags:
- attack.command_and_control
- attack.t1219
author: Florian Roth
date: 2022/02/25
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith: 'ScreenConnect.ClientService.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
condition: selection
falsepositives:
- Case in which administrators are allowed to use ScreenConnect's Backstage mode
level: high


@@ -0,0 +1,37 @@
title: Script Event Consumer Spawning Process
id: f6d1dd2f-b8ce-40ca-bc23-062efb686b34
status: experimental
description: Detects a suspicious child process of Script Event Consumer (scrcons.exe).
references:
- https://redcanary.com/blog/child-processes/
- https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html
author: Sittikorn S
date: 2021/06/21
tags:
- attack.execution
- attack.t1047
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\scrcons.exe'
Image|endswith:
- '\svchost.exe'
- '\dllhost.exe'
- '\powershell.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\schtasks.exe'
- '\regsvr32.exe'
- '\mshta.exe'
- '\rundll32.exe'
- '\msiexec.exe'
- '\msbuild.exe'
condition: selection
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Unknown
level: high


@@ -0,0 +1,26 @@
title: Possible Shim Database Persistence via sdbinst.exe
id: 517490a7-115a-48c6-8862-1a481504d5a8
status: experimental
description: Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.
references:
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1546.011
author: Markus Neis
date: 2019/01/16
modified: 2021/08/14
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\sdbinst.exe'
CommandLine|contains: '.sdb'
filter:
CommandLine|contains: 'iisexpressshim.sdb' # normal behaviour for IIS Express (e.g. https://www.hybrid-analysis.com/sample/15d4ff941f77f7bdfc9dfb2399b7b952a0a2c860976ef3e835998ff4796e5e91?environmentId=120)
condition: selection and not filter
falsepositives:
- Unknown
level: high
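Review bot: `CommandLine|contains: '.sdb'` on L1111 also fires on `sdbinst -u foo.sdb` (uninstall) and `sdbinst -q ...` during legitimate package maintenance, which is why `falsepositives: Unknown` is too thin; note the uninstall case there or add a `filter` on `' -u '`. The `.sdb` requirement is itself an assumption — if sdbinst loads a database regardless of extension (verify), an attacker renames the file and the rule is silent, in which case matching on the `sdbinst.exe` image alone with the IIS Express exclusion is the safer shape.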


@@ -0,0 +1,30 @@
title: Sdiagnhost Calling Suspicious Child Process
id: f3d39c45-de1a-4486-a687-ab126124f744
status: experimental
description: Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
author: Nextron Systems
references:
- https://twitter.com/nao_sec/status/1530196847679401984
- https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
date: 2022/06/01
tags:
- attack.defense_evasion
- attack.t1036
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\sdiagnhost.exe'
Image|endswith:
- '\powershell.exe'
- '\cmd.exe'
- '\mshta.exe'
- '\cscript.exe'
- '\wscript.exe'
- '\taskkill.exe'
condition: selection
falsepositives:
- Unknown
level: high


@@ -0,0 +1,64 @@
title: Shadow Copies Deletion Using Operating Systems Utilities
id: c947b146-0abc-4c87-9c64-b17e9d7274a2
status: stable
description: Shadow Copies deletion using operating systems utilities
author: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)
date: 2019/10/22
modified: 2022/05/16
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://blog.talosintelligence.com/2017/05/wannacry.html
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/
- https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/
- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
- https://github.com/Neo23x0/Raccine#the-process
- https://github.com/Neo23x0/Raccine/blob/main/yara/gen_ransomware_command_lines.yar
- https://redcanary.com/blog/intelligence-insights-october-2021/
tags:
- attack.defense_evasion
- attack.impact
- attack.t1070
- attack.t1490
logsource:
category: process_creation
product: windows
detection:
selection1_img:
- Image|endswith:
- '\powershell.exe'
- '\wmic.exe'
- '\vssadmin.exe'
- '\diskshadow.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'wmic.exe'
- 'VSSADMIN.EXE'
- 'diskshadow.exe'
selection1_cli:
CommandLine|contains|all:
- shadow # will match "delete shadows" and "shadowcopy delete" and "shadowstorage"
- delete
selection2_img:
- Image|endswith: '\wbadmin.exe'
- OriginalFileName: 'WBADMIN.EXE'
selection2_cli:
CommandLine|contains|all:
- delete
- catalog
- quiet # will match -quiet or /quiet
selection3_img:
- Image|endswith: '\vssadmin.exe'
- OriginalFileName: 'VSSADMIN.EXE'
selection3_cli:
CommandLine|contains|all:
- resize
- shadowstorage
- unbounded
condition: (all of selection1*) or (all of selection2*) or (all of selection3*)
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
- LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)
level: high


@@ -0,0 +1,56 @@
title: Windows Shell Spawning Suspicious Program
id: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde
status: test
description: Detects a suspicious child process of a Windows shell
author: Florian Roth, Tim Shelton
references:
- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
date: 2018/04/06
modified: 2022/03/08
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\mshta.exe'
- '\powershell.exe'
# - '*\cmd.exe' # too many false positives
- '\rundll32.exe'
- '\cscript.exe'
- '\wscript.exe'
- '\wmiprvse.exe'
Image|endswith:
- '\schtasks.exe'
- '\nslookup.exe'
- '\certutil.exe'
- '\bitsadmin.exe'
- '\mshta.exe'
falsepositives_1:
CurrentDirectory|contains: '\ccmcache\'
falsepositives_2:
ParentCommandLine|contains:
# FP - Amazon Workspaces
- '\Program Files\Amazon\WorkSpacesConfig\Scripts\setup-scheduledtask.ps1'
- '\Program Files\Amazon\WorkSpacesConfig\Scripts\set-selfhealing.ps1'
- '\Program Files\Amazon\WorkSpacesConfig\Scripts\check-workspacehealth.ps1'
- '\nessus_' # Tenable/Nessus VA Scanner
falsepositives_3:
CommandLine|contains: '\nessus_' # Tenable/Nessus VA Scanner
condition: selection and not 1 of falsepositives*
fields:
- CommandLine
- ParentCommandLine
- CurrentDirectory
- Image
- ParentImage
falsepositives:
- Administrative scripts
- Microsoft SCCM
level: high
tags:
- attack.execution
- attack.defense_evasion
- attack.t1059.005
- attack.t1059.001
- attack.t1218
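Review bot: The exclusions on L1253 and L1260-L1262 are attacker-controllable strings: any dropper can be named `nessus_update.exe` or run with its working directory set to a `\ccmcache\` folder to escape this rule. Narrow them to the full product paths (`CurrentDirectory|contains: ':\Windows\ccmcache\'`, `ParentCommandLine|contains: ':\Program Files\Tenable\Nessus\nessus_'` or wherever the scanner is deployed) and note the trade-off in a comment. The commented-out `cmd.exe` entry on L1241 should say which child caused the noise so the next maintainer does not simply re-enable it.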


@@ -0,0 +1,22 @@
title: SILENTTRINITY Stager Execution
id: 03552375-cc2c-4883-bbe4-7958d5a980be
status: experimental
description: Detects SILENTTRINITY stager use
references:
- https://github.com/byt3bl33d3r/SILENTTRINITY
author: Aleksey Potapov, oscd.community
date: 2019/10/22
modified: 2021/09/19
tags:
- attack.command_and_control
- attack.t1071
logsource:
category: process_creation
product: windows
detection:
selection:
Description|contains: 'st2stager'
condition: selection
falsepositives:
- Unknown
level: high
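Review bot: The rule's only match is `Description|contains: 'st2stager'`, a string read from the binary's version resource, so it depends on the log source populating that field and on the stager being built with default metadata; neither is stated anywhere in the rule. Add a `definition:` line under `logsource`, as the Diskshadow rule in this commit does, e.g. `definition: 'Requires process creation events that carry the PE Description field (e.g. Sysmon Event ID 1)'`, and note in `description` or `falsepositives` that the indicator is a build-time string rather than observed behaviour.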


@@ -0,0 +1,27 @@
title: VeeamBackup Database Credentials Dump
id: b57ba453-b384-4ab9-9f40-1038086b4e53
status: experimental
author: frack113
date: 2021/12/20
description: Detects dump of credentials in VeeamBackup dbo
references:
- https://thedfirreport.com/2021/12/13/diavol-ransomware/
- https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html
tags:
- attack.collection
- attack.t1005
logsource:
category: process_creation
product: windows
detection:
selection_tools:
Image|endswith: '\sqlcmd.exe'
selection_query:
CommandLine|contains|all:
- 'SELECT'
- 'TOP'
- '[VeeamBackup].[dbo].[Credentials]'
condition: all of selection*
falsepositives:
- Unknown
level: high
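Review bot: `selection_query` requires `'TOP'` together with `'SELECT'` and the bracketed table name, which presumably pins the rule to the exact statement quoted in the DFIR report; a `SELECT * FROM [VeeamBackup].[dbo].[Credentials]` issued through the same `sqlcmd.exe` would not fire. Drop `- 'TOP'` from the `contains|all` list, since the table name already carries the signal, and consider a second entry for the unbracketed form `VeeamBackup.dbo.Credentials`, which T-SQL accepts equally.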


@@ -0,0 +1,24 @@
title: SQLite Firefox Cookie DB Access
id: 4833155a-4053-4c9c-a997-777fcea0baa7
status: experimental
description: Detect use of sqlite binary to query the Firefox cookies.sqlite database and steal the cookie data contained within it
author: frack113
date: 2022/04/08
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows
logsource:
category: process_creation
product: windows
detection:
selection_sql:
- Product: SQLite
- Image|endswith: '\sqlite.exe'
selection_firefox:
CommandLine|contains: 'cookies.sqlite'
condition: all of selection_*
falsepositives:
- Unknown
level: high
tags:
- attack.credential_access
- attack.t1539
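Review bot: `selection_sql` matches `Image|endswith: '\sqlite.exe'`, but the SQLite command-line shell ships as `sqlite3.exe`, so the `Image` alternative only covers a renamed copy and the rule rests in practice on the `Product: SQLite` version-resource string. Add `- Image|endswith: '\sqlite3.exe'` to the list. `Product` is PE metadata that only some log sources record; a `definition:` line under `logsource` saying so would tell deployers what they need.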


@@ -0,0 +1,37 @@
title: Sticky Key Like Backdoor Usage
id: 2fdefcb3-dbda-401e-ae23-f0db027628bc
related:
- id: baca5663-583c-45f9-b5dc-ea96a22ce542
type: derived
description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login
screen
status: test
references:
- https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
tags:
- attack.privilege_escalation
- attack.persistence
- attack.t1546.008
- car.2014-11-003
- car.2014-11-008
author: Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community
date: 2018/03/15
modified: 2021/09/12
logsource:
category: process_creation
product: windows
detection:
selection_process:
ParentImage|endswith: '\winlogon.exe'
Image|endswith: '\cmd.exe'
CommandLine|contains:
- 'sethc.exe'
- 'utilman.exe'
- 'osk.exe'
- 'Magnify.exe'
- 'Narrator.exe'
- 'DisplaySwitch.exe'
condition: selection_process
falsepositives:
- Unlikely
level: critical
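Review bot: Nothing in the rule explains why accessibility tool names are expected in the `CommandLine` of a `cmd.exe` spawned by `winlogon.exe`, which is what a reader needs in order to judge or port the logic. Add a comment above `CommandLine|contains:` such as `# an IFEO Debugger value is launched with the original executable path as its argument, so the replaced tool's name appears in the debugger's command line`. A short comment on the `related` entry naming what the derived-from rule covers would also make clear that the two are meant to be deployed together.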


@@ -0,0 +1,30 @@
title: Execution via stordiag.exe
id: 961e0abb-1b1e-4c84-a453-aafe56ad0d34
status: experimental
description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe
references:
- https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html
- https://twitter.com/eral4m/status/1451112385041911809
tags:
- attack.defense_evasion
- attack.t1218
author: Austin Songer (@austinsonger)
date: 2021/10/21
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\stordiag.exe'
Image|endswith:
- '\schtasks.exe'
- '\systeminfo.exe'
- '\fltmc.exe'
filter:
ParentImage|startswith: # as first is "Copy c:\windows\system32\stordiag.exe to a folder"
- 'c:\windows\system32\'
- 'c:\windows\syswow64\'
condition: selection and not filter
falsepositives:
- Legitimate usage of stordiag.exe.
level: high
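Review bot: The comment on `ParentImage|startswith` (`# as first is "Copy c:\windows\system32\stordiag.exe to a folder"`) does not say what the filter is for; a reader has to reconstruct from the tweet that, presumably, stordiag.exe resolves its helper binaries relative to its own location, so the technique needs a copy outside System32 with planted `schtasks.exe`/`systeminfo.exe`/`fltmc.exe` beside it. Replace it with `# stordiag.exe run from its genuine System32/SysWOW64 location is benign; the technique relies on a relocated copy (see references)`.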


@@ -0,0 +1,28 @@
title: Suspicious Auditpol Usage
id: 0a13e132-651d-11eb-ae93-0242ac130002
description: Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
status: experimental
author: Janantha Marasinghe (https://github.com/blueteam0ps)
references:
- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
date: 2021/02/02
modified: 2021/02/02
tags:
- attack.defense_evasion
- attack.t1562.002
level: high
logsource:
category: process_creation
product: windows
detection:
selection_auditpol_binary:
Image|endswith: '\auditpol.exe'
selection_auditpol_command:
CommandLine|contains:
- 'disable' # disables a specific audit policy
- 'clear' # delete or clears audit policy
- 'remove' # removes an audit policy
- 'restore' # restores an audit policy
condition: selection_auditpol_binary and selection_auditpol_command
falsepositives:
- Admin activity


@@ -0,0 +1,31 @@
title: Suspicious Add User to Remote Desktop Users Group
id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e
status: experimental
description: Detects suspicious command line in which a user gets added to the local Remote Desktop Users group
author: Florian Roth
date: 2021/12/06
references:
- https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/
tags:
- attack.persistence
- attack.t1133
- attack.t1136.001
- attack.lateral_movement
- attack.t1021.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'net '
- 'localgroup'
- 'Remote Desktop Users'
- '/add'
condition: selection
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Administrative activity
level: high
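Review bot: `'Remote Desktop Users'` is the English group name only, so on localized installations (German `Remotedesktopbenutzer`, for example) the same `net localgroup ... /add` goes unmatched, and the rule does not say so. Add a comment above the value, `# English group name only; localized systems use a translated name — extend the list per locale`, and record the limitation in `description` or `falsepositives` so deployers know why coverage is partial.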


@@ -0,0 +1,35 @@
title: Suspicious AdvancedRun Runas Priv User
id: fa00b701-44c6-4679-994d-5a18afa8a707
status: experimental
description: Detects the execution of AdvancedRun utitlity in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts
references:
- https://twitter.com/splinter_code/status/1483815103279603714
- https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
- https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/
- https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
author: Florian Roth
date: 2022/01/20
modified: 2022/05/05
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains:
- '/EXEFilename'
- '/CommandLine'
selection_runas:
- CommandLine|contains:
- ' /RunAs 8 '
- ' /RunAs 4 '
- ' /RunAs 10 '
- ' /RunAs 11 '
- CommandLine|endswith:
- '/RunAs 8'
- '/RunAs 4'
- '/RunAs 10'
- '/RunAs 11'
condition: all of selection*
falsepositives:
- Unknown
level: high
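Review bot: The `/RunAs` codes `8`, `4`, `10`, `11` are bare numbers and nothing maps them to the TrustedInstaller, SYSTEM, Local Service and Network Service accounts named in the description, so a maintainer cannot tell which value belongs to which account or whether a further code should be added. Annotate each entry inline, e.g. `- ' /RunAs 8 '   # TrustedInstaller (confirm against the AdvancedRun documentation in references)`, or place one comment above `selection_runas` listing the mapping. The description also misspells `utitlity`.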


@@ -0,0 +1,46 @@
title: Suspicious Base64 Encoded Powershell Invoke
id: 6385697e-9f1b-40bd-8817-f4a91f40508e
status: test
description: Detects base64 encoded powershell 'Invoke-' call
author: pH-T
related:
- id: fd6e2919-3936-40c9-99db-0aa922c356f7
type: similar
date: 2022/05/20
tags:
- attack.execution
- attack.t1059.001
- attack.defense_evasion
- attack.t1027
references:
- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
# Invoke-
- 'SQBuAHYAbwBrAGUALQ'
- 'kAbgB2AG8AawBlAC0A'
- 'JAG4AdgBvAGsAZQAtA'
filter_other_rule: # already covered in fd6e2919-3936-40c9-99db-0aa922c356f7
CommandLine|contains:
# Invoke-BloodHound
- 'SQBuAHYAbwBrAGUALQBCAGwAbwBvAGQASABvAHUAbgBkA'
- 'kAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZA'
- 'JAG4AdgBvAGsAZQAtAEIAbABvAG8AZABIAG8AdQBuAGQA'
# Invoke-Mimikatz
- 'SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA'
- 'kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A'
- 'JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg'
# Invoke-WMIExec
- 'SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA'
- 'kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw'
- 'JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA'
condition: selection and not 1 of filter*
fields:
- CommandLine
falsepositives:
- Unlikely
level: high
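Review bot: `filter_other_rule` suppresses the Invoke-BloodHound/Mimikatz/WMIExec encodings because rule fd6e2919-3936-40c9-99db-0aa922c356f7 covers them, which silently couples this rule to that one being deployed and enabled; an environment that imports only this file loses exactly the highest-value matches. Either drop the filter and accept double alerts, or state the dependency where deployers see it, e.g. in `description`: `# the Invoke-BloodHound/Mimikatz/WMIExec encodings are deliberately excluded here and require rule fd6e2919-3936-40c9-99db-0aa922c356f7 to be active`. The `related` block already names that id with type `similar`, which is the right place to note the intended pairing.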


@@ -0,0 +1,54 @@
title: Suspicious Encoded Obfuscated LOAD String
id: 9c0295ce-d60d-40bd-bd74-84673b7592b1
status: test
description: Detects suspicious base64 encoded and obbfuscated LOAD string often used for reflection.assembly load
author: pH-T
related:
- id: 62b7ccc9-23b4-471e-aa15-6da3663c4d59
type: similar
date: 2022/03/01
modified: 2022/05/20
tags:
- attack.execution
- attack.t1059.001
- attack.defense_evasion
- attack.t1027
references:
- https://github.com/Neo23x0/Raccine/blob/main/yara/mal_revil.yar
- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
# ::("L"+"oad")
- 'OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ'
- 'oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA'
- '6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA'
# ::("Lo"+"ad")
- 'OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ'
- 'oAOgAoACIATABvACIAKwAiAGEAZAAiACkA'
- '6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA'
# ::("Loa"+"d")
- 'OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ'
- 'oAOgAoACIATABvAGEAIgArACIAZAAiACkA'
- '6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA'
# ::('L'+'oad')
- 'OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ'
- 'oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA'
- '6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA'
# ::('Lo'+'ad')
- 'OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ'
- 'oAOgAoACcATABvACcAKwAnAGEAZAAnACkA'
- '6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA'
# ::('Loa'+'d')
- 'OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ'
- 'oAOgAoACcATABvAGEAJwArACcAZAAnACkA'
- '6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA'
condition: selection
fields:
- CommandLine
falsepositives:
- Unlikely
level: high


@@ -0,0 +1,26 @@
title: Suspicious Calculator Usage
id: 737e618a-a410-49b5-bec3-9e55ff7fbc15
status: test
description: Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion
author: Florian Roth
references:
- https://twitter.com/ItsReallyNick/status/1094080242686312448
date: 2019/02/09
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains: '\calc.exe '
selection2:
Image|endswith: '\calc.exe'
filter2:
Image|contains: '\Windows\Sys'
condition: selection1 or ( selection2 and not filter2 )
falsepositives:
- Unknown
level: high
tags:
- attack.defense_evasion
- attack.t1036
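Review bot: `filter2` uses `Image|contains: '\Windows\Sys'`, a loose substring that is wider than the two genuine locations it stands for and also excludes a `calc.exe` stored under any user-created path containing that fragment. Tighten it to the real directories: `Image|contains:` with `- '\Windows\System32\calc.exe'` and `- '\Windows\SysWOW64\calc.exe'`. `selection1` (`CommandLine|contains: '\calc.exe '`) already covers parameterised invocations regardless of location, so the filter only has to handle the unparameterised case.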


@@ -0,0 +1,54 @@
title: Suspicious Certutil Command
id: e011a729-98a6-4139-b5c4-bf6f6dd8239a
status: experimental
description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with
the built-in certutil utility
author: Florian Roth, juju4, keepwatch
date: 2019/01/16
modified: 2021/04/23
references:
- https://twitter.com/JohnLaTwC/status/835149808817991680
- https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/
- https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
- https://twitter.com/egre55/status/1087685529016193025
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
logsource:
category: process_creation
product: windows
detection:
parameters:
CommandLine|contains:
- ' -decode '
- ' -decodehex '
- ' -urlcache '
- ' -verifyctl '
- ' -encode '
- ' /decode '
- ' /decodehex '
- ' /urlcache '
- ' /verifyctl '
- ' /encode '
certutil:
Image|endswith: '\certutil.exe'
CommandLine|contains:
- 'URL'
- 'ping'
condition: parameters or certutil
fields:
- CommandLine
- ParentCommandLine
tags:
- attack.defense_evasion
- attack.t1140
- attack.command_and_control
- attack.t1105
- attack.s0160
- attack.g0007
- attack.g0010
- attack.g0045
- attack.g0049
- attack.g0075
- attack.g0096
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: high
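Review bot: `parameters` has no image or file-name constraint, so `condition: parameters or certutil` fires on any process whose command line carries ` -encode `, ` -decode `, ` /urlcache ` and so on, flags many unrelated tools accept, while the `certutil` selection only constrains the weaker `URL`/`ping` substrings. If renamed copies are the reason for leaving `Image` out, `OriginalFileName` preserves that coverage, since Sysmon fills it from the PE version resource; the sibling rules in this commit (`rundll_ofn`, `selection3_img`) use exactly that pattern. Add an image/original-name selection and AND it with `parameters`; the flag list and the `certutil` selection stay as they are.
```yaml
detection:
  certutil_img:
    - Image|endswith: '\certutil.exe'
    - OriginalFileName: 'CertUtil.exe'
  parameters:
    # … unchanged: CommandLine|contains flag list …
  certutil:
    # … unchanged …
  condition: (parameters and certutil_img) or certutil
```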


@@ -0,0 +1,30 @@
title: Obfuscated Command Line Using Special Unicode Characters
id: e0552b19-5a83-4222-b141-b36184bb8d79
status: experimental
description: Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
author: frack113
references:
- https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
date: 2022/01/15
logsource:
category: process_creation
product: windows
detection:
selection:
#find the sysmon event
CommandLine|contains:
- 'â'
- '€'
- '£'
- '¯'
- '®'
- 'µ'
- '¶'
condition: selection
falsepositives:
- Unknown
level: high
tags:
- attack.defense_evasion
- attack.t1027
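Review bot: The comment `#find the sysmon event` says nothing about why these seven characters were chosen, and `description` is the generic T1027 technique text, so a reader cannot tell what the rule matches or why `'£'`, `'µ'` and `'®'` — all legitimate in European file names and vendor strings — are treated as high-severity indicators. Replace the comment with one stating the rationale, e.g. `# characters reported in the referenced command-line obfuscation research — confirm rationale per character before extending`, rewrite `description` to say the rule flags these specific characters in `CommandLine`, and list locale-specific file and product names under `falsepositives` instead of `Unknown`.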


@@ -0,0 +1,39 @@
title: Suspicious Child Process Created as System
id: 590a5f4c-6c8c-4f10-8307-89afe9453a9d
status: test
description: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts
author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
- https://github.com/antonioCoco/RogueWinRM
- https://twitter.com/Cyb3rWard0g/status/1453123054243024897
date: 2019/10/26
modified: 2021/11/27
logsource:
category: process_creation
product: windows
definition: ParentUser field needs sysmon >= 13.30
detection:
selection:
ParentUser:
- 'NT AUTHORITY\NETWORK SERVICE'
- 'NT AUTHORITY\LOCAL SERVICE'
- 'AUTORITE NT\' # French language settings
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
User|endswith: # System
- '\SYSTEM'
- '\СИСТЕМА'
IntegrityLevel: 'System'
rundllexception:
Image|endswith: '\rundll32.exe'
CommandLine|contains: 'DavSetCookie'
condition: selection and not rundllexception
falsepositives:
- Unknown
level: high
tags:
- attack.privilege_escalation
- attack.t1134.002
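Review bot: `ParentUser` is a plain list, which Sigma evaluates as an exact (wildcard-aware) match, so `'AUTORITE NT\'` can only equal a user literally named `AUTORITE NT\` and the French case the comment promises is never matched. Use the full localized account names, `- 'AUTORITE NT\SERVICE RÉSEAU'` and `- 'AUTORITE NT\SERVICE LOCAL'` (confirm the spelling on a French system), rather than a trailing wildcard, since `'AUTORITE NT\*'` would also admit a SYSTEM parent and defeat the privilege-escalation intent. The `'\СИСТЕМА'` entry under `User|endswith` would benefit from the same per-locale comment the parent list carries.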


@@ -0,0 +1,32 @@
title: CHCP CodePage Locale Lookup
id: 7090adee-82e2-4269-bd59-80691e7c6338
status: experimental
description: Detects use of chcp to look up the system locale value as part of host discovery
author: '_pete_0, TheDFIRReport'
references:
- https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp
date: 2022/02/21
modified: 2022/04/21
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\cmd.exe'
ParentCommandLine|contains: ' /c '
Image|endswith: '\chcp.com'
CommandLine|endswith:
- 'chcp'
- 'chcp '
- 'chcp '
condition: selection
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Unknown
level: high
tags:
- attack.discovery
- attack.t1614.001
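Review bot: The last two `CommandLine|endswith` values, `'chcp '` on consecutive lines, render as identical strings; if one was meant to carry two trailing spaces or a tab that is invisible here, and if they are really identical one is dead. Make the whitespace explicit with double-quoted escapes such as `- "chcp\t"` or `- "chcp  "  # two trailing spaces`, or collapse the three entries into `CommandLine|re: 'chcp\s*$'` with a comment noting that the absence of an argument is what distinguishes the bare code-page lookup from a code-page change.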


@@ -0,0 +1,29 @@
title: Suspicious Characters in CommandLine
id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9
status: experimental
description: Detects suspicious Unicode characters in the command line, which could be a sign of obfuscation or defense evasion
date: 2022/04/27
author: Florian Roth
references:
- https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
logsource:
product: windows
category: process_creation
detection:
selection_spacing_modifiers:
CommandLine|contains: # spacing modifier letters that get auto-replaced
- 'ˣ' # 0x02E3
- '˪' # 0x02EA
- 'ˢ' # 0x02E2
selection_unicode_slashes: # forward slash alternatives
CommandLine|contains:
- '' # 0x22FF
- '' # 0x206F
selection_unicode_hyphens: # hyphen alternatives
CommandLine|contains:
- '―' # 0x2015
- '—' # 0x2014
condition: 1 of selection*
falsepositives:
- Unknown
level: high
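Review bot: The two values under `selection_unicode_slashes` render as empty single-quoted strings (`''`), with only the comments `0x22FF` and `0x206F` indicating the intended code points; if the characters really are absent from the file, `CommandLine|contains: ''` is satisfied by every event and the rule fires on all process creations. Write the code points with visible escapes in double quotes — `- "\u22FF"  # 0x22FF` and `- "\u206F"  # 0x206F` — so the value can be checked in review and survives copy-paste and editor normalisation; the same form would suit the spacing-modifier entries above. If the file does hold the characters this is a readability point only, but it matters for a rule whose entire content is non-printing code points.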


@@ -0,0 +1,34 @@
title: Suspicious Compression Tool Parameters
id: 27a72a60-7e5e-47b1-9d17-909c9abafdcd
status: test
description: Detects suspicious command line arguments of common data compression tools
author: Florian Roth, Samir Bousseaden
references:
- https://twitter.com/SBousseaden/status/1184067445612535811
date: 2019/10/15
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName:
- '7z*.exe'
- '*rar.exe'
- '*Command*Line*RAR*'
CommandLine|contains:
- ' -p'
- ' -ta'
- ' -tb'
- ' -sdel'
- ' -dw'
- ' -hp'
falsepositive:
ParentImage|startswith: 'C:\Program'
condition: selection and not falsepositive
falsepositives:
- Unknown
level: high
tags:
- attack.collection
- attack.t1560.001
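Review bot: The `falsepositive` exclusion `ParentImage|startswith: 'C:\Program'` also matches `C:\ProgramData\`, a user-writable directory commonly used to stage tooling, so archives created with `-p`/`-hp` from a parent there are dropped together with the installed-software cases it intends to skip. Restrict it to the two application directories: `ParentImage|startswith:` with `- 'C:\Program Files\'` and `- 'C:\Program Files (x86)\'`. Sigma string matching is case-insensitive, so no further variants are needed.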


@@ -0,0 +1,35 @@
title: Process Dump via Comsvcs DLL
id: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c
status: test
description: Detects process memory dump via comsvcs.dll and rundll32
author: Modexp (idea)
references:
- https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
- https://twitter.com/SBousseaden/status/1167417096374050817
date: 2019/09/02
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
rundll_image:
Image|endswith: '\rundll32.exe'
rundll_ofn:
OriginalFileName: 'RUNDLL32.EXE'
selection:
CommandLine|contains|all:
- 'comsvcs'
- 'MiniDump' #Matches MiniDump and MinidumpW
- 'full'
condition: (rundll_image or rundll_ofn) and selection
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Unknown
level: high
tags:
- attack.defense_evasion
- attack.t1218.011
- attack.credential_access
- attack.t1003.001


@@ -0,0 +1,32 @@
title: CVE-2021-40444 Process Pattern
id: 894397c6-da03-425c-a589-3d09e7d1f750
description: Detects a suspicious process pattern found in CVE-2021-40444 exploitation
status: test
references:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
- https://twitter.com/neonprimetime/status/1435584010202255375
- https://www.joesandbox.com/analysis/476188/1/iochtml
author: '@neonprimetime, Florian Roth'
date: 2021/09/08
modified: 2022/03/03
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\control.exe'
ParentImage|endswith:
- '\winword.exe'
- '\powerpnt.exe'
- '\excel.exe'
filter:
CommandLine|endswith:
- '\control.exe input.dll'
- '\control.exe" input.dll'
condition: selection and not filter
falsepositives:
- Unknown
level: high
tags:
- attack.execution
- attack.t1059
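Review bot: The tags `attack.execution` / `attack.t1059` describe generic interpreter use, while the rule detects a document-triggered exploit chain (an Office parent spawning `control.exe`); `attack.t1203` (Exploitation for Client Execution) names that behaviour, and `attack.t1218.002` (Control Panel) fits the `control.exe` stage. Add them alongside or instead of `t1059`. A comment on `filter` stating why `control.exe input.dll` is excluded (presumably the legitimate input-settings launch from Office) would also help the next maintainer.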


@@ -0,0 +1,28 @@
title: Suspicious Control Panel DLL Load
id: d7eb979b-c2b5-4a6f-a3a7-c87ce6763819
status: test
description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
author: Florian Roth
references:
- https://twitter.com/rikvduijn/status/853251879320662017
date: 2017/04/15
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\System32\control.exe'
Image|endswith: '\rundll32.exe '
filter:
CommandLine|contains: 'Shell32.dll'
condition: selection and not filter
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Unknown
level: high
tags:
- attack.defense_evasion
- attack.t1218.011
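Review bot: `Image|endswith: '\rundll32.exe '` in `selection` carries a trailing space inside the quotes as rendered; an image path never ends in whitespace, so `selection` cannot match and the rule is dead. Change it to `Image|endswith: '\rundll32.exe'`. If the space was introduced by the upload rather than present in the source, a yamllint `trailing-spaces` pass over the rule set is still worthwhile, since a stray space inside a quoted indicator is invisible and silently disables detection.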


@@ -0,0 +1,46 @@
title: Copy from Admin Share
id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900
status: test
description: Detects a suspicious copy command to or from an Admin share
author: 'Florian Roth, oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st'
references:
- https://twitter.com/SBousseaden/status/1211636381086339073
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
date: 2019/12/30
modified: 2022/01/07
logsource:
category: process_creation
product: windows
detection:
selection1:
Image|endswith:
- '\robocopy.exe'
- '\xcopy.exe'
selection2:
Image|endswith: '\cmd.exe'
CommandLine|contains: 'copy'
selection3:
Image|contains: '\powershell'
CommandLine|contains:
- 'copy-item'
- 'copy'
- 'cpi '
- ' cp '
selection4:
CommandLine|contains|all:
- '\\\\'
- '$'
condition: (selection1 or selection2 or selection3) and selection4
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Administrative scripts
level: high
tags:
- attack.lateral_movement
- attack.collection
- attack.exfiltration
- attack.t1039
- attack.t1048
- attack.t1021.002
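Review bot: `selection4` stands in for "admin share" with `'\\\\'` plus `'$'`, but in the PowerShell branch (`selection3`) a `$` is present in almost every command line through variables, so `Copy-Item \\fileserver\public\x.txt $dest` matches although no administrative share is involved. Anchor the `$` to the share component, e.g. `CommandLine|re: '\\\\[^\\\s]+\\(ADMIN|[A-Za-z])\$'` (confirm escaping for the target backend), or at least list `'ADMIN$'`, `'C$'` and `'IPC$'` as the alternatives in place of the bare `'$'`. `description` could then say which share names are covered.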


@@ -0,0 +1,35 @@
title: Covenant Launcher Indicators
id: c260b6db-48ba-4b4a-a76f-2f67644e99d2
status: test
description: Detects suspicious command lines used in Covenant luanchers
author: Florian Roth, Jonhnathan Ribeiro, oscd.community
references:
- https://posts.specterops.io/covenant-v0-5-eee0507b85ba
date: 2020/06/04
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '-Sta'
- '-Nop'
- '-Window'
- 'Hidden'
CommandLine|contains:
- '-Command'
- '-EncodedCommand'
selection2:
CommandLine|contains:
- 'sv o (New-Object IO.MemorySteam);sv d '
- 'mshta file.hta'
- 'GruntHTTP'
- '-EncodedCommand cwB2ACAAbwAgA'
condition: selection or selection2
level: high
tags:
- attack.execution
- attack.defense_evasion
- attack.t1059.001
- attack.t1564.003
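Review bot: The rule has no `falsepositives` section, unlike every other rule in this commit, and `description` misspells "launchers" as `luanchers`; add `falsepositives:` with `- Unknown` at minimum. Separately, the indicator `'sv o (New-Object IO.MemorySteam);sv d '` spells `MemorySteam`: if that reproduces a typo in Covenant's own launcher template it is a strong indicator and deserves a comment saying so (`# typo is present in the Covenant launcher — do not "fix"`), otherwise it is a dead string that should read `MemoryStream`.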


@@ -0,0 +1,40 @@
title: CrackMapExec Command Execution
id: 058f4380-962d-40a5-afce-50207d36d7e2
status: stable
description: Detect various execution methods of the CrackMapExec pentesting framework
references:
- https://github.com/byt3bl33d3r/CrackMapExec
tags:
- attack.execution
- attack.t1047
- attack.t1053
- attack.t1059.003
- attack.t1059.001
- attack.s0106
author: Thomas Patzke
date: 2020/05/22
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|endswith:
# cme/protocols/smb/wmiexec.py (generalized execute_remote and execute_fileless)
- 'cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1'
# cme/protocols/smb/atexec.py:109 (fileless output via share)
- 'cmd.exe /C * > \\\\*\\*\\* 2>&1'
# cme/protocols/smb/atexec.py:111 (fileless output via share)
- 'cmd.exe /C * > *\\Temp\\* 2>&1'
CommandLine|contains:
# cme/helpers/powershell.py:139 (PowerShell execution with obfuscation)
- 'powershell.exe -exec bypass -noni -nop -w 1 -C "'
# cme/helpers/powershell.py:149 (PowerShell execution without obfuscation)
- 'powershell.exe -noni -nop -w 1 -enc '
condition: selection
fields:
- ComputerName
- User
- CommandLine
falsepositives:
- Unknown
level: high


@@ -0,0 +1,66 @@
title: CrackMapExec Command Line Flags
id: 42a993dd-bb3e-48c8-b372-4d6684c4106c
status: experimental
description: This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
author: Florian Roth
references:
- https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local
- https://www.mandiant.com/resources/telegram-malware-iranian-espionage
- https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz
- https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject
date: 2022/02/25
logsource:
category: process_creation
product: windows
detection:
selection_special:
CommandLine|contains: ' -M pe_inject '
selection_execute:
CommandLine|contains|all:
- ' --local-auth'
- ' -u '
- ' -x '
selection_hash:
CommandLine|contains|all:
- ' --local-auth'
- ' -u '
- ' -p '
- " -H 'NTHASH'"
selection_module_mssql:
CommandLine|contains|all:
- ' mssql '
- ' -u '
- ' -p '
- ' -M '
- ' -d '
selection_module_smb1:
CommandLine|contains|all:
- ' smb '
- ' -u '
- ' -H '
- ' -M '
- ' -o '
selection_module_smb2:
CommandLine|contains|all:
- ' smb '
- ' -u '
- ' -p '
- ' --local-auth'
part_localauth_1:
CommandLine|contains|all:
- ' --local-auth'
- ' -u '
- ' -p '
part_localauth_2:
CommandLine|contains|all:
- ' 10.'
- ' 192.168.'
- '/24 '
condition: 1 of selection* or all of part_localauth*
fields:
- ComputerName
- User
- CommandLine
falsepositives:
- Unknown
level: high
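Review bot: `part_localauth_2` uses `contains|all`, so it requires `' 10.'`, `' 192.168.'` and `'/24 '` to all appear in one command line, which practically never happens; `all of part_localauth*` is therefore unreachable for the intended "local-auth against a private subnet" case. Change the modifier to `CommandLine|contains:` (any of the three) and keep `|all` only on `part_localauth_1`. Note also that `" -H 'NTHASH'"` in `selection_hash` is the literal placeholder from the referenced documentation and only matches someone typing it verbatim; either drop it or add a comment stating it is intentionally a copy-paste indicator.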


@@ -0,0 +1,38 @@
title: CrackMapExec PowerShell Obfuscation
id: 6f8b3439-a203-45dc-a88b-abf57ea15ccf
status: test
description: The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
author: Thomas Patzke
references:
- https://github.com/byt3bl33d3r/CrackMapExec
- https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242
date: 2020/05/22
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
powershell_execution:
CommandLine|contains: 'powershell.exe'
snippets:
CommandLine|contains:
- 'join*split'
# Line 343ff
- '( $ShellId[1]+$ShellId[13]+''x'')'
- '( $PSHome[*]+$PSHOME[*]+'
- '( $env:Public[13]+$env:Public[5]+''x'')'
- '( $env:ComSpec[4,*,25]-Join'''')'
- '[1,3]+''x''-Join'''')'
condition: powershell_execution and snippets
fields:
- ComputerName
- User
- CommandLine
falsepositives:
- Unknown
level: high
tags:
- attack.execution
- attack.t1059.001
- attack.defense_evasion
- attack.t1027.005


@@ -0,0 +1,30 @@
title: Suspicious Parent of Csc.exe
id: b730a276-6b63-41b8-bcf8-55930c8fc6ee
status: test
description: Detects a suspicious parent of csc.exe, which could by a sign of payload delivery
author: Florian Roth
references:
- https://twitter.com/SBousseaden/status/1094924091256176641
date: 2019/02/11
modified: 2022/01/07
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\csc.exe'
ParentImage|endswith:
- '\wscript.exe'
- '\cscript.exe'
- '\mshta.exe'
condition: selection
falsepositives:
- Unknown
level: high
tags:
- attack.execution
- attack.t1059.005
- attack.t1059.007
- attack.defense_evasion
- attack.t1218.005
- attack.t1027.004


@@ -0,0 +1,30 @@
title: ZOHO Dctask64 Process Injection
id: 6345b048-8441-43a7-9bed-541133633d7a
status: test
description: Detects suspicious process injection using ZOHO's dctask64.exe
author: Florian Roth
references:
- https://twitter.com/gN3mes1s/status/1222088214581825540
- https://twitter.com/gN3mes1s/status/1222095963789111296
- https://twitter.com/gN3mes1s/status/1222095371175911424
date: 2020/01/28
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\dctask64.exe'
filter:
CommandLine|contains: 'DesktopCentral_Agent\agent'
condition: selection and not filter
fields:
- CommandLine
- ParentCommandLine
- ParentImage
falsepositives:
- Unknown yet
level: high
tags:
- attack.defense_evasion
- attack.t1055.001


@@ -0,0 +1,35 @@
title: Suspicious Desktopimgdownldr Command
id: bb58aa4a-b80b-415a-a2c0-2f65a4c81009
status: test
description: Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
author: Florian Roth
references:
- https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
- https://twitter.com/SBousseaden/status/1278977301745741825
date: 2020/07/03
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains: ' /lockscreenurl:'
selection1_filter:
CommandLine|contains:
- '.jpg'
- '.jpeg'
- '.png'
selection_reg:
CommandLine|contains|all:
- 'reg delete'
- '\PersonalizationCSP'
condition: ( selection1 and not selection1_filter ) or selection_reg
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: high
tags:
- attack.command_and_control
- attack.t1105


@@ -0,0 +1,24 @@
title: DevInit Lolbin Download
id: 90d50722-0483-4065-8e35-57efaadd354d
status: experimental
description: Detects a certain command line flag combination used by devinit.exe lolbin to download arbitrary MSI packages on a Windows system
references:
- https://twitter.com/mrd0x/status/1460815932402679809
tags:
- attack.execution
- attack.defense_evasion
- attack.t1218
author: Florian Roth
date: 2022/01/11
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- ' -t msi-install '
- ' -i http'
condition: selection
falsepositives:
- Unknown
level: high


@@ -0,0 +1,24 @@
title: Devtoolslauncher.exe Executes Specified Binary
id: cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6
status: test
description: The Devtoolslauncher.exe executes other binary
author: Beyu Denis, oscd.community (rule), @_felamos (idea)
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Devtoolslauncher.yml
- https://twitter.com/_felamos/status/1179811992841797632
date: 2019/10/12
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\devtoolslauncher.exe'
CommandLine|contains: 'LaunchForDeploy'
condition: selection
falsepositives:
- Legitimate use of devtoolslauncher.exe by legitimate user
level: high
tags:
- attack.defense_evasion
- attack.t1218


@@ -0,0 +1,31 @@
title: Disable or Delete Windows Eventlog
id: cd1f961e-0b96-436b-b7c6-38da4583ec00
status: experimental
description: Detects command that is used to disable or delete Windows eventlog via logman Windows utility
references:
- https://twitter.com/0gtweet/status/1359039665232306183?s=21
- https://ss64.com/nt/logman.html
tags:
- attack.defense_evasion
- attack.t1562.001
- attack.t1070.001
author: Florian Roth
date: 2021/02/11
modified: 2021/12/02
logsource:
category: process_creation
product: windows
detection:
selection_tools:
CommandLine|contains: 'logman '
selection_action:
CommandLine|contains:
- 'stop '
- 'delete '
selection_service:
CommandLine|contains: EventLog-System
condition: all of selection*
falsepositives:
- Legitimate deactivation by administrative staff
- Installer tools that disable services, e.g. before log collection agent installation
level: high
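Review bot: `selection_service` only covers the `EventLog-System` AutoLogger session, while `EventLog-Security` and `EventLog-Application` are sessions of the same kind and stopping either blanks an equally important log; the title ("Disable or Delete Windows Eventlog") suggests all of them are in scope. Extend the value to a list: `- 'EventLog-System'`, `- 'EventLog-Security'`, `- 'EventLog-Application'`. It is also the only unquoted indicator in this rule (`EventLog-System`); quote it like the others for consistency.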


@@ -0,0 +1,32 @@
title: Disabled IE Security Features
id: fb50eb7a-5ab1-43ae-bcc9-091818cb8424
status: test
description: Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
author: Florian Roth
references:
- https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
date: 2020/06/19
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains|all:
- ' -name IEHarden '
- ' -value 0 '
selection2:
CommandLine|contains|all:
- ' -name DEPOff '
- ' -value 1 '
selection3:
CommandLine|contains|all:
- ' -name DisableFirstRunCustomize '
- ' -value 2 '
condition: 1 of selection*
falsepositives:
- Unknown, maybe some security software installer disables these features temporarily
level: high
tags:
- attack.defense_evasion
- attack.t1562.001


@@ -0,0 +1,34 @@
title: Raccine Uninstall
id: a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc
status: experimental
description: Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
references:
- https://github.com/Neo23x0/Raccine
tags:
- attack.defense_evasion
- attack.t1562.001
author: Florian Roth
date: 2021/01/21
modified: 2021/07/14
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains|all:
- 'taskkill '
- 'RaccineSettings.exe'
selection2:
CommandLine|contains|all:
- 'reg.exe'
- 'delete'
- 'Raccine Tray'
selection3:
CommandLine|contains|all:
- 'schtasks'
- '/DELETE'
- 'Raccine Rules Updater'
condition: 1 of selection*
falsepositives:
- Legitimate deinstallation by administrative staff
level: high


@@ -0,0 +1,29 @@
title: Execution via Diskshadow.exe
id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2
status: test
description: Detects using Diskshadow.exe to execute arbitrary code in text file
author: Ivan Dyachkov, oscd.community
references:
- https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
date: 2020/10/07
modified: 2021/11/27
logsource:
category: process_creation
product: windows
definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit must Include command line in process creation events'
detection:
selection:
Image|endswith: '\diskshadow.exe'
CommandLine|contains:
- '/s'
- '-s'
condition: selection
fields:
- CommandLine
falsepositives:
- False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts.
level: high
tags:
- attack.execution
- attack.t1218
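Review bot: `CommandLine|contains: '-s'` and `'/s'` are bare substrings, so any diskshadow invocation whose argument contains them fires, e.g. `diskshadow.exe /l C:\backup-scripts\log.txt` trips on `-s` inside the path. diskshadow's script switch is always followed by a file name, so anchoring with whitespace, `- ' /s '` and `- ' -s '`, keeps the detection and drops that noise. A renamed copy of the binary is not covered because there is no `OriginalFileName` alternative; adding `OriginalFileName: 'diskshadow.exe'` as an OR'd selector would close that (verify the resource name on a reference build).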


@@ -0,0 +1,25 @@
title: DIT Snapshot Viewer Use
id: d3b70aad-097e-409c-9df2-450f80dc476b
status: test
description: Detects the use of Ditsnap tool. Seems to be a tool for ransomware groups.
author: 'Furkan Caliskan (@caliskanfurkan_)'
references:
- https://thedfirreport.com/2020/06/21/snatch-ransomware/
- https://github.com/yosqueoy/ditsnap
date: 2020/07/04
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\ditsnap.exe'
selection2:
CommandLine|contains: 'ditsnap.exe'
condition: selection or selection2
falsepositives:
- Legitimate admin usage
level: high
tags:
- attack.credential_access
- attack.t1003.003


@@ -0,0 +1,34 @@
title: Suspicious Double Extension
id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8
status: stable
description: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
author: Florian Roth (rule), @blu3_team (idea)
references:
- https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html
- https://twitter.com/blackorbird/status/1140519090961825792
date: 2019/06/26
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '.doc.exe'
- '.docx.exe'
- '.xls.exe'
- '.xlsx.exe'
- '.ppt.exe'
- '.pptx.exe'
- '.rtf.exe'
- '.pdf.exe'
- '.txt.exe'
- ' .exe'
- '______.exe'
condition: selection
falsepositives:
- Unknown
level: critical
tags:
- attack.initial_access
- attack.t1566.001


@@ -0,0 +1,29 @@
title: Suspicious Download from Office Domain
id: 00d49ed5-4491-4271-a8db-650a4ef6f8c1
status: experimental
description: Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents
author: Florian Roth
date: 2021/12/27
references:
- https://twitter.com/an0n_r0/status/1474698356635193346?s=12
- https://twitter.com/mrd0x/status/1475085452784844803?s=12
logsource:
product: windows
category: process_creation
detection:
selection_download:
- Image|endswith:
- '\curl.exe'
- '\wget.exe'
- CommandLine|contains:
- 'Start-BitsTransfer'
- '.DownloadFile('
- '.DownloadString('
selection_domains:
CommandLine|contains:
- 'https://attachment.outlook.live.net/owa/'
- 'https://onenoteonlinesync.onenote.com/onenoteonlinesync/'
condition: selection_download and selection_domains
falsepositives:
- Scripts or tools that download attachments from these domains (OneNote, Outlook 365)
level: high
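Review bot: selection_download misses the most common PowerShell downloaders: `Invoke-WebRequest` / `iwr` and `Invoke-RestMethod` / `irm`, as well as the `certutil -urlcache` and `bitsadmin /transfer` LOLBins, so a one-liner like `iwr https://attachment.outlook.live.net/owa/... -OutFile x` is not caught even though the domain selection matches. Add `- 'Invoke-WebRequest'` and `- 'Invoke-RestMethod'` to the CommandLine list and `- '\certutil.exe'`, `- '\bitsadmin.exe'` to the Image list. The short aliases need care (`' iwr '` with padding) to avoid substring hits.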


@@ -0,0 +1,24 @@
title: Suspicious Kernel Dump Using Dtrace
id: 7124aebe-4cd7-4ccb-8df0-6d6b93c96795
status: experimental
description: Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
author: Florian Roth
date: 2021/12/28
references:
- https://twitter.com/0gtweet/status/1474899714290208777?s=12
- https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace
logsource:
product: windows
category: process_creation
detection:
selection_plain:
Image|endswith: '\dtrace.exe'
CommandLine|contains: 'lkd(0)'
selection_obfuscated:
CommandLine|contains|all:
- 'syscall:::return'
- 'lkd('
condition: 1 of selection*
falsepositives:
- Unknown
level: high


@@ -0,0 +1,34 @@
title: Emotet RunDLL32 Process Creation
id: 54e57ce3-0672-46eb-a402-2c0948d5e3e9
description: Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL
author: FPT.EagleEye
status: test
date: 2020/12/25
modified: 2021/11/17
references:
- https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html
- https://cyber.wtf/2021/11/15/guess-whos-back/
tags:
- attack.defense_evasion
- attack.t1218.011
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\rundll32.exe'
CommandLine|endswith:
- ',RunDLL'
- ',Control_RunDLL'
# - ',#1' too generic - function load by ordinal is not Emotet specific
filter_legitimate_dll:
CommandLine|endswith:
- '.dll,Control_RunDLL'
- '.dll",Control_RunDLL'
- '.dll'',Control_RunDLL'
filter_ide:
ParentImage|endswith: '\tracker.exe' #When Visual Studio compile NodeJS program, it might use MSBuild to create tracker.exe and then, the tracker.exe fork rundll32.exe
condition: selection and not filter_ide and not filter_legitimate_dll
falsepositives:
- Unknown
level: critical
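Review bot: filter_legitimate_dll suppresses every `,Control_RunDLL` call whose module ends in `.dll`, regardless of where that DLL lives, so an operator only has to keep the `.dll` extension on a payload under `%TEMP%` or `%APPDATA%` to stay under this critical-level rule. If the intent is to whitelist OS control-panel loads, tie the filter to a trusted location as well, e.g. pair the extension list with `CommandLine|contains: ['\Windows\System32\', '\Windows\SysWOW64\', '\Program Files']` inside the same filter map so both must hold. filter_ide similarly excludes all rundll32 children of `tracker.exe`, which is broader than the comment describes; noting that trade-off in the comment would help the next maintainer.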


@@ -0,0 +1,40 @@
title: Suspicious Eventlog Clear or Configuration Using Wevtutil
id: cc36992a-4671-4f21-a91d-6c2b72a2edf5
status: stable
description: Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).
author: Ecco, Daniil Yugoslavskiy, oscd.community
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md
- https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
date: 2019/09/26
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
selection_wevtutil_binary:
Image|endswith: '\wevtutil.exe'
selection_wevtutil_command:
CommandLine|contains:
- 'clear-log' # clears specified log
- ' cl ' # short version of 'clear-log'
- 'set-log' # modifies config of specified log. could be uset to set it to a tiny size
- ' sl ' # short version of 'set-log'
selection_other_ps:
Image|endswith: '\powershell.exe'
CommandLine|contains:
- 'Clear-EventLog'
- 'Remove-EventLog'
- 'Limit-EventLog'
selection_other_wmic:
Image|endswith: '\wmic.exe'
CommandLine|contains: ' ClearEventLog '
condition: 1 of selection_other_* or (selection_wevtutil_binary and selection_wevtutil_command)
falsepositives:
- Admin activity
- Scripts and administrative tools used in the monitored environment
level: high
tags:
- attack.defense_evasion
- attack.t1070.001
- car.2016-04-002
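Review bot: selection_other_ps only matches `\powershell.exe`, so `pwsh.exe -c Clear-EventLog System` (PowerShell 7) and `powershell_ise.exe` are not covered; change the Image to a list `- '\powershell.exe'`, `- '\pwsh.exe'`, `- '\powershell_ise.exe'`. The wevtutil branch is also defeated by renaming the binary; adding `OriginalFileName: 'wevtutil.exe'` as an OR'd alternative to the Image check in selection_wevtutil_binary closes that without changing the command-line logic.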


@@ -0,0 +1,49 @@
title: Execution from Suspicious Folder
id: 3dfd06d2-eaf4-4532-9555-68aca59f57c4
status: experimental
description: Detects a suspicious execution from an uncommon folder
author: Florian Roth, Tim Shelton
date: 2019/01/16
modified: 2022/05/26
references:
- https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt
- https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
- https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md
tags:
- attack.defense_evasion
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|contains:
- '\$Recycle.bin\'
- '\config\systemprofile\'
- '\Intel\Logs\'
- '\RSA\MachineKeys\'
- '\Users\All Users\'
- '\Users\Default\'
- '\Users\NetworkService\'
- '\Users\Public\'
- '\Windows\addins\'
- '\Windows\debug\'
- '\Windows\Fonts\'
- '\Windows\Help\'
- '\Windows\IME\'
- '\Windows\Media\'
- '\Windows\repair\'
- '\Windows\security\'
- '\Windows\System32\Tasks\'
- '\Windows\Tasks\'
- Image|startswith: 'C:\Perflogs\'
false_positive:
Image|startswith: 'C:\Users\Public\IBM\ClientSolutions\Start_Programs\'
condition: selection and not false_positive
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Unknown
level: high


@@ -0,0 +1,27 @@
title: Explorer NOUACCHECK Flag
id: 534f2ef7-e8a2-4433-816d-c91bccde289b
status: test
description: Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks
author: Florian Roth
references:
- https://twitter.com/ORCA6665/status/1496478087244095491
date: 2022/02/23
modified: 2022/04/21
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\explorer.exe'
CommandLine|contains: '/NOUACCHECK'
filter_dc_logon:
- ParentCommandLine: 'C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule'
- ParentImage: 'C:\Windows\System32\svchost.exe' # coarse filter needed for ID 4688 Events
condition: selection and not 1 of filter_*
falsepositives:
- Domain Controller User Logon
- Unknown how many legitimate software products use that method
level: high
tags:
- attack.defense_evasion
- attack.t1548.002


@@ -0,0 +1,22 @@
title: Suspicious Findstr 385201 Execution
id: 37db85d1-b089-490a-a59a-c7b6f984f480
status: experimental
description: Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed).
author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service
date: 2021/12/16
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: \findstr.exe
CommandLine|contains: ' 385201'
condition: selection
falsepositives:
- Unknown
level: high
tags:
- attack.discovery
- attack.t1518.001
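Review bot: The altitude lookup is just as easy with `find.exe "385201"` or `fltmc | Select-String 385201`, and neither is matched because the Image is pinned to `\findstr.exe`. Turn the Image into a list `- '\findstr.exe'`, `- '\find.exe'` and consider a second selection on `CommandLine|contains|all: ['Select-String', '385201']` for the PowerShell form. The leading-space token `' 385201'` is fine for findstr/find but will miss `Select-String -Pattern 385201` only if the tooling strips spaces, so keep that in mind when testing.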


@@ -0,0 +1,23 @@
title: Finger.exe Suspicious Invocation
id: af491bca-e752-4b44-9c86-df5680533dbc
description: Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays
status: experimental
author: Florian Roth, omkar72, oscd.community
date: 2021/02/24
references:
- https://twitter.com/bigmacjpg/status/1349727699863011328?s=12
- https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/
- http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt
tags:
- attack.command_and_control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\finger.exe'
condition: selection
falsepositives:
- Admin activity (unclear what they do nowadays with finger.exe)
level: high


@@ -0,0 +1,29 @@
title: Format.com FileSystem LOLBIN
id: 9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60
status: experimental
description: Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs
author: Florian Roth
date: 2022/01/04
references:
- https://twitter.com/0gtweet/status/1477925112561209344
- https://twitter.com/wdormann/status/1478011052130459653?s=20
tags:
- attack.defense_evasion
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\format.com'
CommandLine|contains: '/fs:'
filter:
CommandLine|contains:
- '/fs:FAT'
- '/fs:exFAT'
- '/fs:NTFS'
- '/fs:UDF'
- '/fs:ReFS'
condition: selection and not 1 of filter*
falsepositives:
- Unknown
level: high


@@ -0,0 +1,31 @@
title: Fsutil Suspicious Invocation
id: add64136-62e5-48ea-807e-88638d02df1e
status: stable
description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomwares during the attack (seen by NotPetya and others).
author: Ecco, E.M. Anhaus, oscd.community
references:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md
- https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html
date: 2019/09/26
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
binary_1:
Image|endswith: '\fsutil.exe'
binary_2:
OriginalFileName: 'fsutil.exe'
selection:
CommandLine|contains:
- 'deletejournal' # usn deletejournal ==> generally ransomware or attacker
- 'createjournal' # usn createjournal ==> can modify config to set it to a tiny size
condition: (1 of binary_*) and selection
falsepositives:
- Admin activity
- Scripts and administrative tools used in the monitored environment
level: high
tags:
- attack.defense_evasion
- attack.t1070


@@ -0,0 +1,28 @@
title: Suspicious GUP Usage
id: 0a4f6091-223b-41f6-8743-f322ec84930b
status: test
description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
author: Florian Roth
references:
- https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
date: 2019/02/06
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\GUP.exe'
filter:
Image|endswith:
- '\Users\\*\AppData\Local\Notepad++\updater\GUP.exe'
- '\Users\\*\AppData\Roaming\Notepad++\updater\GUP.exe'
- '\Program Files\Notepad++\updater\GUP.exe'
- '\Program Files (x86)\Notepad++\updater\GUP.exe'
condition: selection and not filter
falsepositives:
- Execution of tools named GUP.exe and located in folders different than Notepad++\updater
level: high
tags:
- attack.defense_evasion
- attack.t1574.002
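Review bot: Because the filter uses `Image|endswith`, any path that merely ends in `\Program Files\Notepad++\updater\GUP.exe` is excluded — including `C:\Users\x\Downloads\Program Files\Notepad++\updater\GUP.exe`, which an attacker can stage trivially and which is exactly the side-loading setup the referenced APT10 report describes. Keeping non-C: installs allowed while rejecting nested copies only needs the drive colon in the pattern: `- ':\Program Files\Notepad++\updater\GUP.exe'`, `- ':\Program Files (x86)\Notepad++\updater\GUP.exe'`, and likewise `':\Users\\*\AppData\...'` for the per-user entries.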


@@ -0,0 +1,28 @@
title: Download Files Using Notepad++ GUP Utility
id: 44143844-0631-49ab-97a0-96387d6b2d7c
status: experimental
description: Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.
author: Nasreddine Bencherchali
references:
- https://twitter.com/nas_bench/status/1535322182863179776
date: 2022/06/10
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\GUP.exe'
- OriginalFileName: 'gup.exe'
selection_cli:
CommandLine|contains|all:
- ' -unzipTo '
- 'http'
filter:
ParentImage|endswith: '\notepad++.exe'
condition: all of selection* and not filter
falsepositives:
- Other parent processes other than notepad++ using GUP that are not currently identified
level: high
tags:
- attack.command_and_control
- attack.t1105


@@ -0,0 +1,24 @@
title: Execute Arbitrary Binaries Using GUP Utility
id: d65aee4d-2292-4cea-b832-83accd6cfa43
status: experimental
description: Detects execution of the Notepad++ updater (gup) to launch other commands or executables
author: Nasreddine Bencherchali
references:
- https://twitter.com/nas_bench/status/1535322445439180803
date: 2022/06/10
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\gup.exe'
Image|endswith: '\explorer.exe'
filter:
Image|endswith: '\explorer.exe'
CommandLine|contains: '\Notepad++\notepad++.exe'
condition: selection and not filter
falsepositives:
- Other parent binaries using GUP not currently identified
level: high
tags:
- attack.execution


@@ -0,0 +1,34 @@
title: Execution Of Non-Existing File
id: 71158e3f-df67-472b-930e-7d287acaa3e1
status: experimental
description: Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)
author: Max Altgelt
date: 2021/12/09
modified: 2022/03/08
references:
- https://pentestlaboratories.com/2021/12/08/process-ghosting/
tags:
- attack.defense_evasion
logsource:
category: process_creation
product: windows
detection:
image_absolute_path:
Image|contains: '\'
filter_null:
Image: null
filter_empty:
Image:
- '-'
- ''
filter_4688:
- Image:
- 'Registry'
- 'MemCompression'
- CommandLine:
- 'Registry'
- 'MemCompression'
condition: not image_absolute_path and not 1 of filter*
falsepositives:
- Unknown
level: high


@@ -0,0 +1,25 @@
title: Suspicious LSASS Process Clone
id: c8da0dfd-4ed0-4b68-962d-13c9c884384e
status: experimental
description: Detects a suspicious LSASS process process clone that could be a sign of process dumping activity
references:
- https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/
- https://twitter.com/Hexacorn/status/1420053502554951689
- https://twitter.com/SBousseaden/status/1464566846594691073?s=20
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.001
author: Florian Roth, Samir Bousseaden
date: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\Windows\System32\lsass.exe'
ParentImage|endswith: '\Windows\System32\lsass.exe'
condition: selection
falsepositives:
- Unknown
level: critical


@@ -0,0 +1,30 @@
title: MpiExec Lolbin
id: 729ce0ea-5d8f-4769-9762-e35de441586d
status: experimental
description: Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary
references:
- https://twitter.com/mrd0x/status/1465058133303246867
- https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps
tags:
- attack.execution
- attack.defense_evasion
- attack.t1218
author: Florian Roth
date: 2022/01/11
modified: 2022/03/04
logsource:
category: process_creation
product: windows
detection:
selection_binary:
- Image|endswith: '\mpiexec.exe'
- Imphash: 'd8b52ef6aaa3a81501bdfff9dbb96217'
- Hashes|contains: 'IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217'
selection_flags:
CommandLine|contains:
- ' /n 1 '
- ' -n 1 '
condition: all of selection*
falsepositives:
- Unknown
level: high
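Review bot: selection_flags only matches a process count of exactly one, so `mpiexec.exe -n 2 payload.exe` (the payload simply runs twice) slips through, and the `-np` / `/np` spelling that the referenced mpiexec documentation lists as the alias for `-n` is not covered at all (verify against the installed version). Matching the switch without the count, `- ' /n '`, `- ' -n '`, `- ' /np '`, `- ' -np '`, keeps the imphash/Image anchoring and removes the evasion; if `-n 1` was chosen to limit noise, say so in a comment so the gap is a documented trade-off.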


@@ -0,0 +1,41 @@
title: MSHTA Suspicious Execution 01
id: cc7abbd0-762b-41e3-8a26-57ad50d2eea3
status: test
description: Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism
author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)
references:
- http://blog.sevagas.com/?Hacking-around-HTA-files
- https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356
- https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
- https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997
- https://twitter.com/mattifestation/status/1326228491302563846
date: 2019/02/22
modified: 2021/12/01
logsource:
category: process_creation
product: windows
detection:
selection1:
Image|endswith: '\mshta.exe'
CommandLine|contains:
- 'vbscript'
- '.jpg'
- '.png'
- '.lnk'
# - '.chm' # could be prone to false positives
- '.xls'
- '.doc'
- '.zip'
- '.dll'
- '.exe'
condition: selection1
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: high
tags:
- attack.defense_evasion
- attack.t1140
- attack.t1218.005
- attack.execution
- attack.t1059.007
- cve.2020.1599


@@ -0,0 +1,48 @@
title: Suspicious MSHTA Process Patterns
id: e32f92d1-523e-49c3-9374-bdb13b46a3ba
status: experimental
description: Detects suspicious mshta process patterns
references:
- https://en.wikipedia.org/wiki/HTML_Application
- https://www.echotrail.io/insights/search/mshta.exe
- https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
tags:
- attack.execution
- attack.t1106
author: Florian Roth
date: 2021/07/17
logsource:
category: process_creation
product: windows
detection:
# Binary Selector
selection_base:
Image|endswith: '\mshta.exe'
# Suspicious parents
selection1:
ParentImage|endswith:
- '\cmd.exe'
- '\powershell.exe'
# Suspicious folders
selection2:
CommandLine|contains:
- '\AppData\Local'
- 'C:\Windows\Temp'
- 'C:\Users\Public'
# Suspicious Execution Locations
filter3:
Image|contains:
- 'C:\Windows\System32'
- 'C:\Windows\SysWOW64'
# Suspicious extensions
filter4:
CommandLine|contains:
- '.htm'
- '.hta'
CommandLine|endswith:
- 'mshta.exe'
- 'mshta'
condition: selection_base and ( selection1 or selection2 ) or ( selection_base and not filter3 ) or ( selection_base and not filter4 )
falsepositives:
- Unknown
level: high
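Review bot: filter4 is a single map, so its two keys are AND'd: the command line must both contain `.htm`/`.hta` and end with `mshta.exe`/`mshta`, which is almost never true (a normal `mshta.exe C:\x.hta` contains `.hta` but does not end with `mshta`). `selection_base and not filter4` therefore fires on practically every mshta execution, making the other branches and the `high` level moot. The comment "Suspicious extensions" suggests the intent was to exclude either case, which needs a list of maps (OR), as below.
```yaml
  # … unchanged: selection_base, selection1, selection2, filter3 …
    # Benign shapes: an explicit .htm/.hta argument, or a bare mshta launch
    filter4:
      - CommandLine|contains:
          - '.htm'
          - '.hta'
      - CommandLine|endswith:
          - 'mshta.exe'
          - 'mshta'
  # … unchanged: condition …
```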


@@ -0,0 +1,27 @@
title: Suspicious MsiExec Directory
id: e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144
status: test
description: Detects suspicious msiexec process starts in an uncommon directory
author: Florian Roth
references:
- https://twitter.com/200_okay_/status/1194765831911215104
date: 2019/11/14
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\msiexec.exe'
filter:
Image|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
condition: selection and not filter
falsepositives:
- Unknown
level: high
tags:
- attack.defense_evasion
- attack.t1036.005


@@ -0,0 +1,28 @@
title: Malicious Payload Download via Office Binaries
id: 0c79148b-118e-472b-bdb7-9b57b444cc19
status: test
description: Downloads payload from remote server
author: Beyu Denis, oscd.community
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Powerpnt.yml
- https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
- Reegun J (OCBC Bank)
date: 2019/10/26
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\powerpnt.exe'
- '\winword.exe'
- '\excel.exe'
CommandLine|contains: 'http'
condition: selection
falsepositives:
- Unknown
level: high
tags:
- attack.command_and_control
- attack.t1105


@@ -0,0 +1,32 @@
title: Suspicious Netsh DLL Persistence
id: 56321594-9087-49d9-bf10-524fe8479452
status: test
description: Detects persitence via netsh helper
author: Victor Sergeev, oscd.community
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md
- https://attack.mitre.org/software/S0108/
date: 2019/10/25
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\netsh.exe'
CommandLine|contains|all:
- 'add'
- 'helper'
condition: selection
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
falsepositives:
- Unknown
level: high
tags:
- attack.privilege_escalation
- attack.t1546.007
- attack.s0108


@@ -0,0 +1,44 @@
title: Ngrok Usage
id: ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31
description: Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available. Involved domains are bin.equinox.io for download and *.ngrok.io for connections.
status: experimental
references:
- https://ngrok.com/docs
- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
- https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp
- https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection
- https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/.
author: Florian Roth
date: 2021/05/14
modified: 2021/06/07
tags:
- attack.command_and_control
- attack.t1572
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains:
- ' tcp 139'
- ' tcp 445'
- ' tcp 3389'
- ' tcp 5985'
- ' tcp 5986'
selection2:
CommandLine|contains|all:
- ' start '
- '--all'
- '--config'
- '.yml'
selection3:
Image|endswith: 'ngrok.exe'
CommandLine|contains:
- ' tcp '
- ' http '
- ' authtoken '
condition: 1 of selection*
falsepositives:
- Another tool that uses the command line switches of Ngrok
- Ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)
level: high


@@ -0,0 +1,22 @@
title: Suspicious Nmap Execution
id: f6ecd1cf-19b8-4488-97f6-00f0924991a3
status: experimental
description: Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation
author: frack113
references:
- https://nmap.org/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows
date: 2021/12/10
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName: nmap.exe
condition: selection
falsepositives:
- Network administator computeur
level: high
tags:
- attack.discovery
- attack.t1046


@@ -0,0 +1,89 @@
title: Execution of Suspicious File Type Extension
id: c09dad97-1c78-4f71-b127-7edb2b8e491a
status: experimental
description: Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)
author: Max Altgelt
date: 2021/12/09
modified: 2022/06/20
references:
- https://pentestlaboratories.com/2021/12/08/process-ghosting/
tags:
- attack.defense_evasion
logsource:
category: process_creation
product: windows
detection:
known_image_extension:
Image|endswith:
- '.exe'
- '.tmp' # sadly many installers use this extension
filter_null:
Image: null
filter_image: # Windows utilities without extension
Image:
- 'Registry'
- 'MemCompression'
filter_empty:
Image:
- '-'
- ''
filter_starts:
Image|startswith: 'C:\Windows\Installer\MSI'
filter_pstarts:
ParentImage|startswith:
- 'C:\ProgramData\Avira\'
- 'C:\Windows\System32\DriverStore\FileRepository\'
filter_screensaver:
Image|endswith: '.scr'
filter_nvidia:
Image|contains: 'NVIDIA\NvBackend\'
Image|endswith: '.dat'
filter_com:
Image|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
Image|endswith: '.com'
filter_winscp:
Image|endswith: '\WinSCP.com'
filter_vscode:
Image|contains|all:
- 'C:\Users\'
- '\AppData\'
- '.tmp'
- 'CodeSetup'
filter_libreoffice:
Image|endswith: '\program\soffice.bin'
filter_emc_networker:
Image:
- 'C:\Program Files\EMC NetWorker\Management\GST\apache\cgi-bin\update_jnlp.cgi'
- 'C:\Program Files (x86)\EMC NetWorker\Management\GST\apache\cgi-bin\update_jnlp.cgi'
filter_winpakpro:
Image|startswith:
- 'C:\Program Files (x86)\WINPAKPRO\'
- 'C:\Program Files\WINPAKPRO\'
Image|endswith: '.ngn'
filter_myq_server:
Image:
- 'C:\Program Files (x86)\MyQ\Server\pcltool.dll'
- 'C:\Program Files\MyQ\Server\pcltool.dll'
filter_visualstudio:
Image|startswith:
- 'C:\Program Files\Microsoft Visual Studio\'
- 'C:\Program Files (x86)\Microsoft Visual Studio'
Image|endswith: '.com'
filter_msi_rollbackfiles:
Image|startswith: 'C:\Config.Msi\'
Image|endswith:
- '.rbf'
- '.rbs'
filter_wsl:
Image|contains|all:
- '\AppData\Local\Packages\'
- '\LocalState\rootfs\'
filter_lzma_exe:
Image|endswith: '\LZMA_EXE'
condition: not known_image_extension and not 1 of filter*
falsepositives:
- Unknown
level: high


@@ -0,0 +1,28 @@
title: Suspicious NT Resource Kit Auditpol Usage
id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e
description: Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
status: experimental
author: Nasreddine Bencherchali @nas_bench
references:
- https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol
date: 2021/12/18
tags:
- attack.defense_evasion
- attack.t1562.002
level: high
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- '/logon:none'
- '/system:none'
- '/sam:none'
- '/privilege:none'
- '/object:none'
- '/process:none'
- '/policy:none'
condition: selection
falsepositives:
- Unknown


@@ -0,0 +1,24 @@
title: Suspicious Ntdll Pipe Redirection
id: bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2
status: experimental
description: Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection
references:
- https://www.x86matthew.com/view_post?id=ntdll_pipe
tags:
- attack.defense_evasion
author: Florian Roth
date: 2022/03/05
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'type %windir%\system32\ntdll.dll'
- 'type %systemroot%\system32\ntdll.dll'
- 'type c:\windows\system32\ntdll.dll'
- '\\ntdll.dll > \\\\.\\pipe\\'
condition: selection
falsepositives:
- Unknown
level: high
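Review bot: The three `type ...` patterns are spelled against one path each, so the SysWOW64 copy (`type c:\windows\syswow64\ntdll.dll`), a relative `type ntdll.dll` run from inside System32, or `copy` / `more` used in place of `type` all bypass them; only the fourth pattern (ntdll.dll redirected into a named pipe) is shape-based. Consider a second selection that is path-agnostic, `CommandLine|contains|all: ['ntdll.dll', '\\\\.\\pipe\\']`, and adding the syswow64 variants to the existing list, so the rule keys on the redirection the reference describes rather than on one command name.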


@@ -0,0 +1,65 @@
title: Suspicious Process Patterns NTDS.DIT Exfil
id: 8bc64091-6875-4881-aaf9-7bd25b5dda08
description: Detects suspicious process patterns used in NTDS.DIT exfiltration
status: experimental
author: Florian Roth
references:
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
- https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
- https://pentestlab.blog/tag/ntds-dit/
- https://github.com/samratashok/nishang/blob/master/Gather/Copy-VSS.ps1
- https://github.com/zcgonvh/NTDSDumpEx
- https://github.com/rapid7/metasploit-framework/blob/master/data/post/powershell/NTDSgrab.ps1
date: 2022/03/11
tags:
- attack.credential_access
- attack.t1003.003
logsource:
product: windows
category: process_creation
detection:
selection_tool:
# https://github.com/zcgonvh/NTDSDumpEx
- Image|endswith:
- '\NTDSDump.exe'
- '\NTDSDumpEx.exe'
- CommandLine|contains|all:
# ntdsdumpex.exe -d ntds.dit -o hash.txt -s system.hiv
- 'ntds.dit'
- 'system.hiv'
- CommandLine|contains: 'NTDSgrab.ps1'
selection_oneliner_1:
# powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
CommandLine|contains|all:
- 'ac i ntds'
- 'create full'
selection_onliner_2:
# cmd.exe /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit
CommandLine|contains|all:
- '/c copy '
- '\windows\ntds\ntds.dit'
selection_powershell:
CommandLine|contains|all:
- 'powershell'
- 'ntds.dit'
set1_selection_ntds_dit:
CommandLine|contains: 'ntds.dit'
set1_selection_image_folder:
- ParentImage|contains:
- '\apache'
- '\tomcat'
- '\AppData\'
- '\Temp\'
- '\Public\'
- '\PerfLogs\'
- Image|contains:
- '\apache'
- '\tomcat'
- '\AppData\'
- '\Temp\'
- '\Public\'
- '\PerfLogs\'
condition: 1 of selection* or all of set1*
falsepositives:
- Unknown
level: high
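Review bot: `'ac i ntds'` matches only the shortest abbreviation; ntdsutil also accepts `activate instance ntds` and any unique-prefix form in between, so selection_oneliner_1 is easy to sidestep. Keying on the IFM step instead, `CommandLine|contains|all: ['ntds', 'create full']`, covers every spelling (check the false-positive rate against legitimate IFM media creation). selection_onliner_2's `'/c copy '` likewise misses `xcopy`, `robocopy` and `Copy-Item`, although set1 partially compensates when the source or parent lives in a user-writable folder. Minor: the selection is named `selection_onliner_2` while its sibling is `selection_oneliner_1`; the wildcard in the condition hides the typo, but it is worth fixing for grep-ability.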


@@ -0,0 +1,30 @@
title: Suspicious WebDav Client Execution
id: bb76d96b-821c-47cf-944b-7ce377864492
status: experimental
description: Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service
author: Elastic (idea), Tobias Michalski
references:
- https://twitter.com/med0x2e/status/1520402518685200384
- https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
date: 2022/05/04
tags:
- attack.privilege_escalation
- attack.credential_access
- attack.t1212
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\rundll32.exe'
CommandLine|contains|all:
- 'C:\windows\system32\davclnt.dll,DavSetCookie'
- 'http'
CommandLine|contains:
- 'spoolss'
- 'srvsvc'
- '/print/pipe/'
condition: selection
falsepositives:
- Unknown
level: high
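Review bot: The description names only the Printer Spooler, but the selection also matches `srvsvc`, and what is being detected is the WebClient service's `DavSetCookie` call-out to an attacker URL — i.e. NTLM coercion/relay over WebDAV — rather than an execution of the WebDAV client as such. Suggest `description: Detects the WebClient service (rundll32 davclnt.dll,DavSetCookie) being pointed at an HTTP target carrying spoolss, srvsvc or /print/pipe/ paths, a pattern seen when NTLM authentication is coerced via the Print Spooler or Server service and relayed over WebDAV`. The `attack.t1212` tag (Exploitation for Credential Access) fits less well than T1187 Forced Authentication; consider swapping or adding it.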