-
-
Notifications
You must be signed in to change notification settings - Fork 157
/
atc_es_index.json
914 lines (914 loc) · 777 KB
/
atc_es_index.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
{"index": {"_id": -1866501237119909792}}
{"date_created": "2017-02-19T00:00:00", "sigma_rule_path": "es/windows/builtin/win_av_relevant_match.yml", "date_modified": null, "description": "This detection method points out highly relevant Antivirus events", "references": "not defined", "customer": ["None"], "tactic": ["not defined"], "dr_id": "78bc5783-81d9-4d73-ac97-59f6db4f72a8", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: keywords and not 1 of filters\n filters:\n Message:\n - '*Keygen*'\n - '*Crack*'\n keywords:\n Message:\n - '*HTool*'\n - '*Hacktool*'\n - '*ASP/Backdoor*'\n - '*JSP/Backdoor*'\n - '*PHP/Backdoor*'\n - '*Backdoor.ASP*'\n - '*Backdoor.JSP*'\n - '*Backdoor.PHP*'\n - '*Webshell*'\n - '*Portscan*'\n - '*Mimikatz*'\n - '*WinCred*'\n - '*PlugX*'\n - '*Korplug*'\n - '*Pwdump*'\n - '*Chopper*'\n - '*WmiExec*'\n - '*Xscan*'\n - '*Clearlog*'\n - '*ASPXSpy*'\n", "detection_rule_title": "Relevant Anti-Virus Event", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -1025534765894300011}}
{"date_created": "2017-03-07T00:00:00", "sigma_rule_path": "es/windows/builtin/win_susp_net_recon_activity.yml", "date_modified": null, "description": "Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\"", "references": ["https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html"], "customer": ["None"], "tactic": ["TA0007: Discovery"], "dr_id": "968eef52-9cff-4454-8992-1e74b9cbad6c", "technique": ["T1087: Account Discovery", "T1069: Permission Groups Discovery"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n - AccessMask: '0x2d'\n EventID: 4661\n ObjectName: S-1-5-21-*-500\n ObjectType: SAM_USER\n - AccessMask: '0x2d'\n EventID: 4661\n ObjectName: S-1-5-21-*-512\n ObjectType: SAM_GROUP\n", "detection_rule_title": "Reconnaissance Activity", "detection_rule_author": "Florian Roth (rule), Jack Croock (method)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0029_4661_handle_to_an_object_was_requested"], "logging_policy": ["LP_0028_windows_audit_sam", "LP_0027_windows_audit_directory_service_access"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -7458428010691563243}}
{"date_created": "2017-02-06T00:00:00", "sigma_rule_path": "es/windows/builtin/win_susp_rc4_kerberos.yml", "date_modified": null, "description": "Detects service ticket requests using RC4 encryption type", "references": ["https://adsecurity.org/?p=3458", "https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "496a0e47-0a33-4dca-b009-9e6ca3591f39", "technique": ["T1208: Kerberoasting"], "raw_detection_rule": "detection:\n condition: selection and not reduction\n reduction:\n - ServiceName: $*\n selection:\n EventID: 4769\n TicketEncryptionType: '0x17'\n TicketOptions: '0x40810000'\n", "detection_rule_title": "Suspicious Kerberos RC4 Ticket Encryption", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0077_4769_kerberos_service_ticket_was_requested"], "logging_policy": ["LP_0106_windows_audit_kerberos_service_ticket_operations"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 1920697638286182543}}
{"date_created": "2018-01-27T00:00:00", "sigma_rule_path": "es/windows/builtin/win_susp_sam_dump.yml", "date_modified": null, "description": "Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers", "references": "not defined", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "839dd1e8-eda8-4834-8145-01beeee33acd", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 16\n Message:\n - '*\\AppData\\Local\\Temp\\SAM-*.dmp *'\n", "detection_rule_title": "SAM Dump to AppData", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["System"], "provider": ["Microsoft-Windows-Kernel-General"], "data_needed": ["DN_0083_16_access_history_in_hive_was_cleared"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -2007768997693973271}}
{"date_created": "2019-02-05T00:00:00", "sigma_rule_path": "es/windows/builtin/win_susp_time_modification.yml", "date_modified": null, "description": "Detect scenarios where a potentially unauthorized application or user is modifying the system time.", "references": ["Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)", "Live environment caused by malware"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "faa031b5-21ed-4e02-8881-2591f98d82ed", "technique": ["T1099: Timestomp"], "raw_detection_rule": "detection:\n condition: selection and not ( filter1 or filter2 or filter3 )\n filter1:\n ProcessName: C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\n filter2:\n ProcessName: C:\\Windows\\System32\\VBoxService.exe\n filter3:\n ProcessName: C:\\Windows\\System32\\svchost.exe\n SubjectUserSid: S-1-5-19\n selection:\n EventID: 4616\nmidified: 2020/01/27\n", "detection_rule_title": "Unauthorized System Time Modification", "detection_rule_author": "@neu5ron", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0088_4616_system_time_was_changed"], "logging_policy": ["LP_0046_windows_audit_security_state_change"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 6563372021179544322}}
{"date_created": "2019-11-20T00:00:00", "sigma_rule_path": "es/windows/builtin/win_external_device.yml", "date_modified": null, "description": "Detects external diskdrives or plugged in USB devices", "references": "not defined", "customer": ["None"], "tactic": ["TA0008: Lateral Movement", "TA0001: Initial Access"], "dr_id": "f69a87ea-955e-4fb4-adb2-bb9fd6685632", "technique": ["T1091: Replication Through Removable Media", "T1200: Hardware Additions"], "raw_detection_rule": "detection:\n condition: selection or selection2\n selection:\n DeviceClassName: DiskDrive\n EventID:\n - 6416\n selection2:\n DeviceDescription: USB Mass Storage Device\n", "detection_rule_title": "External Disk Drive or USB Storage Device", "detection_rule_author": "Keith Wright", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 6056263518757416596}}
{"date_created": "2019-04-03T00:00:00", "sigma_rule_path": "es/windows/builtin/win_GPO_scheduledtasks.yml", "date_modified": null, "description": "Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale", "references": ["https://twitter.com/menasec1/status/1106899890377052160", "https://www.secureworks.com/blog/ransomware-as-a-distraction"], "customer": ["None"], "tactic": ["TA0003: Persistence", "TA0008: Lateral Movement"], "dr_id": "a8f29a7b-b137-4446-80a0-b804272f3da2", "technique": ["T1053: Scheduled Task"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Accesses: '*WriteData*'\n EventID: 5145\n RelativeTargetName: '*ScheduledTasks.xml'\n ShareName: \\\\*\\SYSVOL\n", "detection_rule_title": "Persistence and Execution at Scale via GPO Scheduled Task", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0032_5145_network_share_object_was_accessed_detailed"], "logging_policy": ["LP_0029_windows_audit_detailed_file_share"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -1004337004413062900}}
{"date_created": "2017-03-05T00:00:00", "sigma_rule_path": "es/windows/builtin/win_mal_creddumper.yml", "date_modified": "2019-11-01T00:00:00", "description": "Detects well-known credential dumping tools execution via service execution events", "references": ["https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment"], "customer": ["None"], "tactic": ["TA0006: Credential Access", "TA0002: Execution"], "dr_id": "4976aa50-8f41-45c6-8b15-ab3fc10e79ed", "technique": ["T1003: Credential Dumping", "T1035: Service Execution"], "raw_detection_rule": "action: global\nadditions:\n- detection:\n selection:\n EventID: 7045\n logsource:\n product: windows\n service: system\n- detection:\n selection:\n EventID: 6\n logsource:\n product: windows\n service: sysmon\n- detection:\n selection:\n EventID: 4697\n logsource:\n product: windows\n service: security\ndetection:\n condition: selection and selection_1\n selection_1:\n - ServiceName|contains:\n - fgexec\n - wceservice\n - wce service\n - pwdump\n - gsecdump\n - cachedump\n - mimikatz\n - mimidrv\n - ImagePath|contains:\n - fgexec\n - dumpsvc\n - cachedump\n - mimidrv\n - gsecdump\n - servpw\n - pwdump\n - ImagePath|re: ((\\\\\\\\.*\\\\.*|.*\\\\)([{]?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}[}])?\\.(exe|scr|cpl|bat|js|cmd|vbs).*)\n", "detection_rule_title": "Credential Dumping Tools Service Execution", "detection_rule_author": "Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["System", "Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Service Control Manager", "Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0005_7045_windows_service_insatalled", "DN_0010_6_windows_sysmon_driver_loaded", "DN_0063_4697_service_was_installed_in_the_system"], "logging_policy": ["not defined", "LP_0100_windows_audit_security_system_extension"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 6817949638575151205}}
{"date_created": "2019-08-12T00:00:00", "sigma_rule_path": "es/windows/builtin/win_scm_database_handle_failure.yml", "date_modified": null, "description": "Detects non-system users failing to get a handle of the SCM database.", "references": ["https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1000_local_admin_check/local_admin_remote_check_openscmanager.md"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "13addce7-47b2-4ca0-a98f-1de964d1d669", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 4656\n Keywords: Audit Failure\n ObjectName: servicesactive\n ObjectType: SC_MANAGER OBJECT\n SubjectLogonId: '0x3e4'\n", "detection_rule_title": "SCM Database Handle Failure", "detection_rule_author": "Roberto Rodriguez @Cyb3rWard0g", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0058_4656_handle_to_an_object_was_requested"], "logging_policy": ["LP_0102_windows_audit_file_system", "LP_0039_windows_audit_kernel_object", "LP_0104_windows_audit_removable_storage", "LP_0103_windows_audit_registry"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -8567352504438681013}}
{"date_created": "2017-03-31T00:00:00", "sigma_rule_path": "es/windows/builtin/win_apt_carbonpaper_turla.yml", "date_modified": null, "description": "This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET", "references": ["https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4", "technique": ["T1050: New Service"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 7045\n ServiceName:\n - srservice\n - ipvpn\n - hkmsvc\n", "detection_rule_title": "Turla Service Install", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["System"], "provider": ["Service Control Manager"], "data_needed": ["DN_0005_7045_windows_service_insatalled"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -8629468713001704047}}
{"date_created": "2019-08-12T00:00:00", "sigma_rule_path": "es/windows/builtin/win_syskey_registry_access.yml", "date_modified": "2019-11-10T00:00:00", "description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey", "references": ["https://github.com/hunters-forge/ThreatHunter-Playbook/blob/master/playbooks/windows/07_discovery/T1012_query_registry/syskey_registry_keys_access.md"], "customer": ["None"], "tactic": ["TA0007: Discovery"], "dr_id": "9a4ff3b8-6187-4fd2-8e8b-e0eae1129495", "technique": ["T1012: Query Registry"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID:\n - 4656\n - 4663\n ObjectName|endswith:\n - lsa\\JD\n - lsa\\GBG\n - lsa\\Skew1\n - lsa\\Data\n ObjectType: key\n", "detection_rule_title": "SysKey Registry Keys Access", "detection_rule_author": "Roberto Rodriguez @Cyb3rWard0g", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0058_4656_handle_to_an_object_was_requested", "DN_0062_4663_attempt_was_made_to_access_an_object"], "logging_policy": ["LP_0102_windows_audit_file_system", "LP_0039_windows_audit_kernel_object", "LP_0104_windows_audit_removable_storage", "LP_0103_windows_audit_registry"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -350533212002960599}}
{"date_created": "2019-09-12T00:00:00", "sigma_rule_path": "es/windows/builtin/win_remote_powershell_session.yml", "date_modified": null, "description": "Detects basic PowerShell Remoting by monitoring for network inbound connections to ports 5985 OR 5986", "references": ["https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "13acf386-b8c6-4fe0-9a6e-c4756b974698", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n DestPort:\n - 5985\n - 5986\n EventID: 5156\n LayerRTID: 44\n", "detection_rule_title": "Remote PowerShell Sessions", "detection_rule_author": "Roberto Rodriguez @Cyb3rWard0g", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0087_5156_windows_filtering_platform_has_permitted_connection"], "logging_policy": ["LP_0045_windows_audit_filtering_platform_connection"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 4687968083510177625}}
{"date_created": "2019-10-25T00:00:00", "sigma_rule_path": "es/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml", "date_modified": "2019-11-13T00:00:00", "description": "Detects possible bypass EDR and SIEM via abnormal user account name.", "references": "not defined", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "cfeed607-6aa4-4bbd-9627-b637deb723c8", "technique": ["T1036: Masquerading"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID:\n - 4720\n - 4781\n UserName|contains: $\nfields:\n- EventID\n- UserName\n- SubjectAccountName\n", "detection_rule_title": "New or Renamed User Account with '$' in Attribute 'SamAccountName'.", "detection_rule_author": "Ilyas Ochkov, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0086_4720_user_account_was_created"], "logging_policy": ["LP_0026_windows_audit_user_account_management"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -3108418118429537437}}
{"date_created": "2017-02-19T00:00:00", "sigma_rule_path": "es/windows/builtin/win_susp_failed_logon_reasons.yml", "date_modified": "2019-03-01T00:00:00", "description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.", "references": ["https://twitter.com/SBousseaden/status/1101431884540710913"], "customer": ["None"], "tactic": ["TA0003: Persistence", "TA0004: Privilege Escalation"], "dr_id": "9eb99343-d336-4020-a3cd-67f3819e68ee", "technique": ["T1078: Valid Accounts"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID:\n - 4625\n - 4776\n Status:\n - '0xC0000072'\n - '0xC000006F'\n - '0xC0000070'\n - '0xC0000413'\n - '0xC000018C'\n - '0xC000015B'\n", "detection_rule_title": "Account Tampering - Suspicious Failed Logon Reasons", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0057_4625_account_failed_to_logon", "DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account"], "logging_policy": ["LP_0004_windows_audit_logon", "LP_0107_windows_audit_credential_validation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -6362609418734802457}}
{"date_created": "2018-06-03T00:00:00", "sigma_rule_path": "es/windows/builtin/win_dcsync.yml", "date_modified": "2019-10-08T00:00:00", "description": "Detects Mimikatz DC sync security events", "references": ["https://twitter.com/gentilkiwi/status/1003236624925413376", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "611eab06-a145-4dfa-a295-3ccc5c20f59a", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection and not filter1 and not filter2\n filter1:\n SubjectDomainName: Window Manager\n filter2:\n SubjectUserName:\n - NT AUTHORITY*\n - '*$'\n selection:\n EventID: 4662\n Properties:\n - '*Replicating Directory Changes All*'\n - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'\n", "detection_rule_title": "Mimikatz DC Sync", "detection_rule_author": "Benjamin Delpy, Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0030_4662_operation_was_performed_on_an_object"], "logging_policy": ["LP_0027_windows_audit_directory_service_access"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -1915964839401523658}}
{"date_created": "2019-01-28T00:00:00", "sigma_rule_path": "es/windows/builtin/win_rdp_localhost_login.yml", "date_modified": "2019-01-29T00:00:00", "description": "RDP login with localhost source address may be a tunnelled login", "references": ["https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html"], "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "dr_id": "51e33403-2a37-4d66-a574-1fda1782cc31", "technique": ["T1076: Remote Desktop Protocol"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 4624\n LogonType: 10\n SourceNetworkAddress:\n - ::1\n - 127.0.0.1\n", "detection_rule_title": "RDP Login from Localhost", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0004_4624_windows_account_logon"], "logging_policy": ["LP_0004_windows_audit_logon"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 5374125411768955492}}
{"date_created": "2019-04-03T00:00:00", "sigma_rule_path": "es/windows/builtin/win_svcctl_remote_service.yml", "date_modified": null, "description": "Detects remote remote service activity via remote access to the svcctl named pipe", "references": ["https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html"], "customer": ["None"], "tactic": ["TA0008: Lateral Movement", "TA0003: Persistence"], "dr_id": "586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Accesses: '*WriteData*'\n EventID: 5145\n RelativeTargetName: svcctl\n ShareName: \\\\*\\IPC$\n", "detection_rule_title": "Remote Service Activity via SVCCTL Named Pipe", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0032_5145_network_share_object_was_accessed_detailed"], "logging_policy": ["LP_0029_windows_audit_detailed_file_share"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 6817522241370348371}}
{"date_created": "2019-04-03T00:00:00", "sigma_rule_path": "es/windows/builtin/win_account_discovery.yml", "date_modified": null, "description": "Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs", "references": ["https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html"], "customer": ["None"], "tactic": ["TA0007: Discovery"], "dr_id": "35ba1d85-724d-42a3-889f-2e2362bcaf23", "technique": ["T1087: Account Discovery"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 4661\n ObjectName:\n - '*-512'\n - '*-502'\n - '*-500'\n - '*-505'\n - '*-519'\n - '*-520'\n - '*-544'\n - '*-551'\n - '*-555'\n - '*admin*'\n ObjectType:\n - SAM_USER\n - SAM_GROUP\n", "detection_rule_title": "AD Privileged Users or Groups Reconnaissance", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0029_4661_handle_to_an_object_was_requested"], "logging_policy": ["LP_0028_windows_audit_sam", "LP_0027_windows_audit_directory_service_access"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -1959214206295592193}}
{"date_created": "2017-06-14T00:00:00", "sigma_rule_path": "es/windows/builtin/win_susp_sdelete.yml", "date_modified": null, "description": "Detects renaming of file while deletion with SDelete tool", "references": ["https://jpcertcc.github.io/ToolAnalysisResultSheet", "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://technet.microsoft.com/en-us/en-en/sysinternals/sdelete.aspx"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "39a80702-d7ca-4a83-b776-525b1f86a36d", "technique": ["T1107: File Deletion", "T1066: Indicator Removal from Tools"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID:\n - 4656\n - 4663\n - 4658\n ObjectName:\n - '*.AAA'\n - '*.ZZZ'\n", "detection_rule_title": "Secure Deletion with SDelete", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0060_4658_handle_to_an_object_was_closed", "DN_0058_4656_handle_to_an_object_was_requested", "DN_0062_4663_attempt_was_made_to_access_an_object"], "logging_policy": ["LP_0102_windows_audit_file_system", "LP_0039_windows_audit_kernel_object", "LP_0104_windows_audit_removable_storage", "LP_0103_windows_audit_registry", "LP_0042_windows_audit_handle_manipulation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -7779450129744560967}}
{"date_created": "2019-06-14T00:00:00", "sigma_rule_path": "es/windows/builtin/win_pass_the_hash_2.yml", "date_modified": null, "description": "Detects the attack technique pass the hash which is used to move laterally inside the network", "references": ["https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events", "https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis", "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/"], "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "dr_id": "8eef149c-bd26-49f2-9e5a-9b00e3af499b", "technique": ["T1075: Pass the Hash"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n AccountName: ANONYMOUS LOGON\n selection:\n - EventID: 4624\n KeyLength: '0'\n LogonProcessName: NtLmSsp\n LogonType: '3'\n SubjectUserSid: S-1-0-0\n - EventID: 4624\n LogonProcessName: seclogo\n LogonType: '9'\n", "detection_rule_title": "Pass the Hash Activity 2", "detection_rule_author": "Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "production", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0004_4624_windows_account_logon"], "logging_policy": ["LP_0004_windows_audit_logon"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 6928510988720134885}}
{"date_created": "2017-04-13T00:00:00", "sigma_rule_path": "es/windows/builtin/win_alert_ad_user_backdoors.yml", "date_modified": null, "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.", "references": ["https://msdn.microsoft.com/en-us/library/cc220234.aspx", "https://adsecurity.org/?p=3466", "https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/"], "customer": ["None"], "tactic": ["TA0006: Credential Access", "TA0003: Persistence"], "dr_id": "300bac00-e041-4ee2-9c36-e262656a6ecc", "technique": ["T1098: Account Manipulation"], "raw_detection_rule": "detection:\n condition: (selection1 and not 1 of filter*) or selection2 or selection3 or selection4\n filter1:\n AllowedToDelegateTo:\n - null\n - '-'\n selection1:\n EventID: 4738\n selection2:\n AttributeLDAPDisplayName: msDS-AllowedToDelegateTo\n EventID: 5136\n selection3:\n AttributeLDAPDisplayName: servicePrincipalName\n EventID: 5136\n ObjectClass: user\n selection4:\n AttributeLDAPDisplayName: msDS-AllowedToActOnBehalfOfOtherIdentity\n EventID: 5136\n", "detection_rule_title": "Active Directory User Backdoors", "detection_rule_author": "@neu5ron", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0026_5136_windows_directory_service_object_was_modified", "DN_0027_4738_user_account_was_changed"], "logging_policy": ["not defined", "LP_0026_windows_audit_user_account_management"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -8893108409078717090}}
{"date_created": "2017-05-15T00:00:00", "sigma_rule_path": "es/windows/builtin/win_quarkspwdump_clearing_hive_access_history.yml", "date_modified": "2019-11-13T00:00:00", "description": "Detects QuarksPwDump clearing access history in hive", "references": "not defined", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "39f919f3-980b-4e6f-a975-8af7e507ef2b", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 16\n HiveName|contains: \\AppData\\Local\\Temp\\SAM\n HiveName|endswith: .dmp\n", "detection_rule_title": "QuarksPwDump Clearing Access History", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["System"], "provider": ["Microsoft-Windows-Kernel-General"], "data_needed": ["DN_0083_16_access_history_in_hive_was_cleared"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 1393288483138220769}}
{"date_created": "2017-02-19T00:00:00", "sigma_rule_path": "es/windows/builtin/win_susp_add_sid_history.yml", "date_modified": null, "description": "An attacker can use the SID history attribute to gain additional privileges.", "references": ["https://adsecurity.org/?p=1772"], "customer": ["None"], "tactic": ["TA0003: Persistence", "TA0004: Privilege Escalation"], "dr_id": "2632954e-db1c-49cb-9936-67d1ef1d17d2", "technique": ["T1178: SID-History Injection"], "raw_detection_rule": "detection:\n condition: selection1 or (selection2 and not selection3)\n selection1:\n EventID:\n - 4765\n - 4766\n selection2:\n EventID: 4738\n selection3:\n SidHistory:\n - '-'\n - '%%1793'\n", "detection_rule_title": "Addition of SID History to Active Directory Object", "detection_rule_author": "Thomas Patzke, @atc_project (improvements)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "stable", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0074_4765_sid_history_was_added_to_an_account", "DN_0027_4738_user_account_was_changed", "DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed"], "logging_policy": ["LP_0026_windows_audit_user_account_management"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 964614452652615831}}
{"date_created": "2019-10-26T00:00:00", "sigma_rule_path": "es/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml", "date_modified": "2019-11-11T00:00:00", "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", "references": ["https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/"], "customer": ["None"], "tactic": ["TA0004: Privilege Escalation"], "dr_id": "843544a7-56e0-4dcc-a44f-5cc266dd97d6", "technique": ["T1134: Access Token Manipulation"], "raw_detection_rule": "action: global\nadditions:\n- detection:\n selection:\n EventID: 7045\n logsource:\n product: windows\n service: system\n- detection:\n selection:\n EventID: 6\n logsource:\n product: windows\n service: sysmon\n- detection:\n selection:\n EventID: 4697\n logsource:\n product: windows\n service: security\ndetection:\n condition: selection\n selection:\n - ServiceFileName|contains:\n - cmd\n - comspec\n - ServiceFileName|contains|all:\n - cmd\n - /c\n - echo\n - \\pipe\\\n - ServiceFileName|contains|all:\n - '%COMSPEC%'\n - /c\n - echo\n - \\pipe\\\n - ServiceFileName|contains|all:\n - rundll32\n - .dll,a\n - '/p:'\nfields:\n- ComputerName\n- SubjectDomainName\n- SubjectUserName\n- ServiceFileName\n", "detection_rule_title": "Meterpreter or Cobalt Strike Getsystem Service Installation", "detection_rule_author": "Teymur Kheirkhabarov", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["System", "Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Service Control Manager", "Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0005_7045_windows_service_insatalled", "DN_0010_6_windows_sysmon_driver_loaded", "DN_0063_4697_service_was_installed_in_the_system"], "logging_policy": ["not defined", "LP_0100_windows_audit_security_system_extension"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -3868885242843438658}}
{"date_created": "2018-06-08T00:00:00", "sigma_rule_path": "es/windows/builtin/win_susp_ntlm_auth.yml", "date_modified": null, "description": "Detects logons using NTLM, which could be caused by a legacy source or attackers", "references": ["https://twitter.com/JohnLaTwC/status/1004895028995477505", "https://goo.gl/PsqrhT"], "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "dr_id": "98c3bcf1-56f2-49dc-9d8d-c66cf190238b", "technique": ["T1075: Pass the Hash"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CallingProcessName: '*'\n EventID: 8002\n", "detection_rule_title": "NTLM Logon", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-NTLM/Operational"], "provider": ["Microsoft-Windows-NTLM"], "data_needed": ["DN_0082_8002_ntlm_server_blocked_audit"], "logging_policy": ["LP_0044_windows_ntlm_audit"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 6611517093400117045}}
{"date_created": "2019-11-08T00:00:00", "sigma_rule_path": "es/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml", "date_modified": null, "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888", "references": "not defined", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "51aa9387-1c53-4153-91cc-d73c59ae1ca9", "technique": ["T1027: Obfuscated Files or Information"], "raw_detection_rule": "action: global\nadditions:\n- detection:\n selection:\n EventID: 7045\n logsource:\n product: windows\n service: system\n- detection:\n selection:\n EventID: 6\n logsource:\n product: windows\n service: sysmon\n- detection:\n selection:\n EventID: 4697\n logsource:\n product: windows\n service: security\ndetection:\n condition: selection\n selection:\n - ImagePath|re: \\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[\n - ImagePath|re: \\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[\n - ImagePath|re: \\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[\n - ImagePath|re: \\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}\n - ImagePath|re: \\*mdr\\*\\W\\s*\\)\\.Name\n - ImagePath|re: \\$VerbosePreference\\.ToString\\(\n - ImagePath|re: \\String\\]\\s*\\$VerbosePreference\n", "detection_rule_title": "Invoke-Obfuscation Obfuscated IEX Invocation", "detection_rule_author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["System", "Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Service Control Manager", "Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0005_7045_windows_service_insatalled", "DN_0010_6_windows_sysmon_driver_loaded", "DN_0063_4697_service_was_installed_in_the_system"], "logging_policy": ["not defined", "LP_0100_windows_audit_security_system_extension"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -3581538382027473815}}
{"date_created": "2017-10-29T00:00:00", "sigma_rule_path": "es/windows/builtin/win_admin_rdp_login.yml", "date_modified": null, "description": "Detect remote login by Administrator user depending on internal pattern", "references": ["https://car.mitre.org/wiki/CAR-2016-04-005"], "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "dr_id": "0f63e1ef-1eb9-4226-9d54-8927ca08520a", "technique": ["T1078: Valid Accounts"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n AccountName: Admin-*\n AuthenticationPackageName: Negotiate\n EventID: 4624\n LogonType: 10\n", "detection_rule_title": "Admin User Remote Logon", "detection_rule_author": "juju4", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0004_4624_windows_account_logon"], "logging_policy": ["LP_0004_windows_audit_logon"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 1457332864136163158}}
{"date_created": "2019-12-03T00:00:00", "sigma_rule_path": "es/windows/builtin/win_susp_add_domain_trust.yml", "date_modified": null, "description": "Addition of domains is seldom and should be verified for legitimacy.", "references": "not defined", "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "0255a820-e564-4e40-af2b-6ac61160335c", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 4706\n", "detection_rule_title": "Addition of Domain Trusts", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "stable", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 4418367446336164915}}
{"date_created": "2017-11-01T00:00:00", "sigma_rule_path": "es/windows/builtin/win_apt_apt29_tor.yml", "date_modified": null, "description": "This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe so the service names and executable locations used by APT29 are specific enough to be detected in log files.", "references": ["https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "c069f460-2b87-4010-8dcf-e45bab362624", "technique": ["T1050: New Service"], "raw_detection_rule": "action: global\nadditions:\n- detection:\n process:\n Image:\n - C:\\Program Files(x86)\\Google\\GoogleService.exe\n - C:\\Program Files(x86)\\Google\\GoogleUpdate.exe\n fields:\n - ComputerName\n - User\n - CommandLine\n logsource:\n category: process_creation\n product: windows\ndetection:\n condition: service_install | near process\n service_install:\n EventID: 7045\n ServiceName: Google Update\n timeframe: 5m\n", "detection_rule_title": "APT29 Google Update Service Install", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["System", "Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Service Control Manager", "Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0005_7045_windows_service_insatalled", "DN_0001_4688_windows_process_creation", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["not defined", "LP_0001_windows_audit_process_creation", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 4178838498522197855}}
{"date_created": "2019-04-18T00:00:00", "sigma_rule_path": "es/windows/builtin/win_user_creation.yml", "date_modified": null, "description": "Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows server logs and not on your DC logs.", "references": ["https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "66b6be3d-55d0-4f47-9855-d69df21740ea", "technique": ["T1136: Create Account"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 4720\nfields:\n- EventCode\n- AccountName\n- AccountDomain\n", "detection_rule_title": "Local User Creation", "detection_rule_author": "Patrick Bareiss", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0086_4720_user_account_was_created"], "logging_policy": ["LP_0026_windows_audit_user_account_management"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -573479331413145960}}
{"date_created": "2019-10-22T00:00:00", "sigma_rule_path": "es/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml", "date_modified": null, "description": "Transfering files with well-known filenames (sensitive files with credential data) using network shares", "references": ["https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "910ab938-668b-401b-b08c-b596e80fdca5", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 5145\n RelativeTargetName|contains:\n - \\mimidrv\n - \\lsass\n - \\windows\\minidump\\\n - \\hiberfil\n - \\sqldmpr\n - \\sam\n - \\ntds.dit\n - \\security\n", "detection_rule_title": "Transfering Files with Credential Data via Network Shares", "detection_rule_author": "Teymur Kheirkhabarov, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0032_5145_network_share_object_was_accessed_detailed"], "logging_policy": ["LP_0029_windows_audit_detailed_file_share"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 6074813412479765926}}
{"date_created": "2017-03-23T00:00:00", "sigma_rule_path": "es/windows/builtin/win_rare_schtasks_creations.yml", "date_modified": null, "description": "Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code", "references": "not defined", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0004: Privilege Escalation", "TA0003: Persistence"], "dr_id": "b0d77106-7bb0-41fe-bd94-d1752164d066", "technique": ["T1053: Scheduled Task"], "raw_detection_rule": "detection:\n condition: selection | count() by TaskName < 5\n selection:\n EventID: 4698\n timeframe: 7d\n", "detection_rule_title": "Rare Schtasks Creations", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0064_4698_scheduled_task_was_created"], "logging_policy": ["LP_0041_windows_audit_other_object_access_events"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -6895748171537457913}}
{"date_created": "2018-02-12T00:00:00", "sigma_rule_path": "es/windows/builtin/win_overpass_the_hash.yml", "date_modified": null, "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.", "references": ["https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html"], "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "dr_id": "192a0330-c20b-4356-90b6-7b7049ae0b87", "technique": ["T1075: Pass the Hash"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n AuthenticationPackageName: Negotiate\n EventID: 4624\n LogonProcessName: seclogo\n LogonType: 9\n", "detection_rule_title": "Successful Overpass the Hash Attempt", "detection_rule_author": "Roberto Rodriguez (source), Dominik Schaudel (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0004_4624_windows_account_logon"], "logging_policy": ["LP_0004_windows_audit_logon"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -8784016911230837795}}
{"date_created": "2019-08-15T00:00:00", "sigma_rule_path": "es/windows/builtin/win_scm_database_privileged_operation.yml", "date_modified": null, "description": "Detects non-system users performing privileged operation os the SCM database", "references": ["https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1000_local_admin_check/local_admin_remote_check_openscmanager.md"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "dae8171c-5ec6-4396-b210-8466585b53e9", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 4674\n ObjectName: servicesactive\n ObjectType: SC_MANAGER OBJECT\n PrivilegeList: SeTakeOwnershipPrivilege\n SubjectLogonId: '0x3e4'\n", "detection_rule_title": "SCM Database Privileged Operation", "detection_rule_author": "Roberto Rodriguez @Cyb3rWard0g", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 8902399755857904921}}
{"date_created": "2017-02-19T00:00:00", "sigma_rule_path": "es/windows/builtin/win_susp_security_eventlog_cleared.yml", "date_modified": null, "description": "Some threat groups tend to delete the local 'Security' Eventlog using certain utitlities", "references": "not defined", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "f2f01843-e7b8-4f95-a35a-d23584476423", "technique": ["T1070: Indicator Removal on Host"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID:\n - 517\n - 1102\n", "detection_rule_title": "Security Eventlog Cleared", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Eventlog"], "data_needed": ["DN_0050_1102_audit_log_was_cleared"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -8600897202397357538}}
{"date_created": "2017-03-07T00:00:00", "sigma_rule_path": "es/windows/builtin/win_apt_stonedrill.yml", "date_modified": null, "description": "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky", "references": ["https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6", "technique": ["T1050: New Service"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 7045\n ServiceFileName: '* LocalService'\n ServiceName: NtsSrv\n", "detection_rule_title": "StoneDrill Service Install", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["System"], "provider": ["Service Control Manager"], "data_needed": ["DN_0005_7045_windows_service_insatalled"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 737173119788429802}}
{"date_created": "2019-04-08T00:00:00", "sigma_rule_path": "es/windows/builtin/win_user_driver_loaded.yml", "date_modified": null, "description": "Detects the loading of drivers via 'SeLoadDriverPrivilege' required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.", "references": ["https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "f63508a0-c809-4435-b3be-ed819394d612", "technique": ["T1089: Disabling Security Tools"], "raw_detection_rule": "detection:\n condition: selection_1 and not selection_2\n selection_1:\n EventID: 4673\n PrivilegeList: SeLoadDriverPrivilege\n Service: '-'\n selection_2:\n ProcessName|contains:\n - '*\\Windows\\System32\\Dism.exe'\n - '*\\Windows\\System32\\rundll32.exe'\n - '*\\Windows\\System32\\fltMC.exe'\n - '*\\Windows\\HelpPane.exe'\n - '*\\Windows\\System32\\mmc.exe'\n - '*\\Windows\\System32\\svchost.exe'\n - '*\\Windows\\System32\\wimserv.exe'\n - '*\\procexp64.exe'\n - '*\\procexp.exe'\n - '*\\procmon64.exe'\n - '*\\procmon.exe'\n", "detection_rule_title": "Suspicious Driver Loaded By User", "detection_rule_author": "xknow (@xknow_infosec), xorxes (@xor_xes)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 6436626202935137483}}
{"date_created": "2019-03-24T00:00:00", "sigma_rule_path": "es/windows/builtin/win_susp_ldap_dataexchange.yml", "date_modified": null, "description": "detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.", "references": ["https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", "https://github.com/fox-it/LDAPFragger"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "d00a9a72-2c09-4459-ad03-5e0a23351e36", "technique": ["T1041: Exfiltration Over Command and Control Channel"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n AttributeLDAPDisplayName:\n - primaryInternationalISDNNumber\n - otherFacsimileTelephoneNumber\n - primaryTelexNumber\n AttributeValue: '*'\n EventID: 5136\n", "detection_rule_title": "Suspicious LDAP-Attributes Used", "detection_rule_author": "xknow @xknow_infosec", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0026_5136_windows_directory_service_object_was_modified"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 8630957962237412707}}
{"date_created": "2017-01-10T00:00:00", "sigma_rule_path": "es/windows/builtin/win_susp_eventlog_cleared.yml", "date_modified": null, "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", "references": ["https://twitter.com/deviouspolack/status/832535435960209408", "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "d99b79d2-0a6f-4f46-ad8b-260b6e17f982", "technique": ["T1070: Indicator Removal on Host"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 104\n Source: Microsoft-Windows-Eventlog\n", "detection_rule_title": "Eventlog Cleared", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["System"], "provider": ["Microsoft-Windows-Eventlog"], "data_needed": ["DN_0034_104_log_file_was_cleared"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -2302143780243319254}}
{"date_created": "2019-04-03T00:00:00", "sigma_rule_path": "es/windows/builtin/win_account_backdoor_dcsync_rights.yml", "date_modified": null, "description": "backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer", "references": ["https://twitter.com/menasec1/status/1111556090137903104", "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf"], "customer": ["None"], "tactic": ["TA0006: Credential Access", "TA0003: Persistence"], "dr_id": "2c99737c-585d-4431-b61a-c911d86ff32f", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 5136\n LDAPDisplayName: ntSecurityDescriptor\n Value|contains:\n - 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2\n - 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2\n - 89e95b76-444d-4c62-991a-0facbeda640c\n", "detection_rule_title": "Powerview Add-DomainObjectAcl DCSync AD Extend Right", "detection_rule_author": "Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0026_5136_windows_directory_service_object_was_modified"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -1516345649636997172}}
{"date_created": "2019-10-31T00:00:00", "sigma_rule_path": "es/windows/builtin/win_susp_local_anon_logon_created.yml", "date_modified": null, "description": "Detects the creation of suspicious accounts simliar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.", "references": ["https://twitter.com/SBousseaden/status/1189469425482829824"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "1bbf25b9-8038-4154-a50b-118f2a32be27", "technique": ["T1136: Create Account"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 4720\n SAMAccountName: '*ANONYMOUS*LOGON*'\n", "detection_rule_title": "Suspicious Windows ANONYMOUS LOGON Local Account Created", "detection_rule_author": "James Pemberton / @4A616D6573", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0086_4720_user_account_was_created"], "logging_policy": ["LP_0026_windows_audit_user_account_management"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 3516463093603154694}}
{"date_created": "2017-05-15T00:00:00", "sigma_rule_path": "es/windows/builtin/win_susp_dhcp_config.yml", "date_modified": null, "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded", "references": ["https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "13fc89a9-971e-4ca6-b9dc-aa53a445bf40", "technique": ["T1073: DLL Side-Loading"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 1033\n Source: Microsoft-Windows-DHCP-Server\n", "detection_rule_title": "DHCP Server Loaded the CallOut DLL", "detection_rule_author": "Dimitrios Slamaris", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["System"], "provider": ["Microsoft-Windows-DHCP-Server"], "data_needed": ["DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -4749309787335260774}}
{"date_created": "2019-08-12T00:00:00", "sigma_rule_path": "es/windows/builtin/win_sam_registry_hive_handle_request.yml", "date_modified": "2019-11-10T00:00:00", "description": "Detects handles requested to SAM registry hive", "references": ["https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1012_query_registry/sam_registry_hive_access.md"], "customer": ["None"], "tactic": ["TA0007: Discovery"], "dr_id": "f8748f2c-89dc-4d95-afb0-5a2dfdbad332", "technique": ["T1012: Query Registry"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 4656\n ObjectName|endswith: \\SAM\n ObjectType: Key\nfields:\n- ComputerName\n- SubjectDomainName\n- SubjectUserName\n- ProcessName\n- ObjectName\n", "detection_rule_title": "SAM Registry Hive Handle Request", "detection_rule_author": "Roberto Rodriguez @Cyb3rWard0g", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0058_4656_handle_to_an_object_was_requested"], "logging_policy": ["LP_0102_windows_audit_file_system", "LP_0039_windows_audit_kernel_object", "LP_0104_windows_audit_removable_storage", "LP_0103_windows_audit_registry"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -3956915794152963874}}
{"date_created": "2019-02-22T00:00:00", "sigma_rule_path": "es/windows/builtin/win_susp_mshta_execution.yml", "date_modified": "2019-02-22T00:00:00", "description": "Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism", "references": ["http://blog.sevagas.com/?Hacking-around-HTA-files", "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356", "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script", "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "cc7abbd0-762b-41e3-8a26-57ad50d2eea3", "technique": ["T1140: Deobfuscate/Decode Files or Information"], "raw_detection_rule": "detection:\n condition: selection1\n selection1:\n CommandLine:\n - '*vbscript*'\n - '*.jpg*'\n - '*.png*'\n - '*.lnk*'\n - '*.xls*'\n - '*.doc*'\n - '*.zip*'\n Image: '*\\mshta.exe'\n", "detection_rule_title": "MSHTA Suspicious Execution 01", "detection_rule_author": "Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 3752716292047617280}}
{"date_created": "2019-10-24T00:00:00", "sigma_rule_path": "es/windows/builtin/win_register_new_logon_process_by_rubeus.yml", "date_modified": null, "description": "Detects potential use of Rubeus via registered new trusted logon process", "references": ["https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1"], "customer": ["None"], "tactic": ["TA0008: Lateral Movement", "TA0004: Privilege Escalation"], "dr_id": "12e6d621-194f-4f59-90cc-1959e21e69f7", "technique": ["T1208: Kerberoasting"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n - EventID: 4611\n LogonProcessName: User32LogonProcesss\n", "detection_rule_title": "Register new Logon Process by Rubeus", "detection_rule_author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -4076601622219434482}}
{"date_created": "2019-05-24T00:00:00", "sigma_rule_path": "es/windows/builtin/win_rdp_potential_cve-2019-0708.yml", "date_modified": null, "description": "Detect suspicious error on protocol RDP, potential CVE-2019-0708", "references": ["https://github.com/zerosum0x0/CVE-2019-0708", "https://github.com/Ekultek/BlueKeep"], "customer": ["None"], "tactic": ["TA0001: Initial Access", "TA0008: Lateral Movement"], "dr_id": "aaa5b30d-f418-420b-83a0-299cb6024885", "technique": ["T1210: Exploitation of Remote Services", "T1190: Exploit Public-Facing Application"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID:\n - 56\n - 50\n Source: TermDD\n", "detection_rule_title": "Potential RDP Exploit CVE-2019-0708", "detection_rule_author": "Lionel PRAT, Christophe BROCAS, @atc_project (improvements)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["System"], "provider": ["TermDD"], "data_needed": ["DN_0090_50_terminal_server_security_layer_detected_an_error", "DN_0089_56_terminal_server_security_layer_detected_an_error"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 7338521171939765029}}
{"date_created": "2019-10-24T00:00:00", "sigma_rule_path": "es/windows/builtin/win_suspicious_outbound_kerberos_connection.yml", "date_modified": "2019-11-13T00:00:00", "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", "references": ["https://github.com/GhostPack/Rubeus8"], "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "dr_id": "eca91c7c-9214-47b9-b4c5-cb1d7e4f2350", "technique": ["T1208: Kerberoasting"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n Image|endswith:\n - \\lsass.exe\n - \\opera.exe\n - \\chrome.exe\n - \\firefox.exe\n selection:\n DestinationPort: 88\n EventID: 5156\n", "detection_rule_title": "Suspicious Outbound Kerberos Connection", "detection_rule_author": "Ilyas Ochkov, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0087_5156_windows_filtering_platform_has_permitted_connection"], "logging_policy": ["LP_0045_windows_audit_filtering_platform_connection"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -5813828378069254134}}
{"date_created": "2018-03-20T00:00:00", "sigma_rule_path": "es/windows/builtin/win_hack_smbexec.yml", "date_modified": null, "description": "Detects the use of smbexec.py tool by detecting a specific service installation", "references": ["https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/"], "customer": ["None"], "tactic": ["TA0008: Lateral Movement", "TA0002: Execution"], "dr_id": "52a85084-6989-40c3-8f32-091e12e13f09", "technique": ["T1077: Windows Admin Shares", "T1035: Service Execution"], "raw_detection_rule": "detection:\n condition: service_installation\n service_installation:\n EventID: 7045\n ServiceFileName: '*\\execute.bat'\n ServiceName: BTOBTO\nfields:\n- ServiceName\n- ServiceFileName\n", "detection_rule_title": "smbexec.py Service Installation", "detection_rule_author": "Omer Faruk Celik", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["System"], "provider": ["Service Control Manager"], "data_needed": ["DN_0005_7045_windows_service_insatalled"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -5699190529370594006}}
{"date_created": "2019-08-10T00:00:00", "sigma_rule_path": "es/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml", "date_modified": null, "description": "Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.", "references": ["https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "39a94fd1-8c9a-4ff6-bf22-c058762f8014", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 4692\nfields:\n- ComputerName\n- SubjectDomainName\n- SubjectUserName\n", "detection_rule_title": "DPAPI Domain Master Key Backup Attempt", "detection_rule_author": "Roberto Rodriguez @Cyb3rWard0g", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -21169705080637849}}
{"date_created": "2017-05-08T00:00:00", "sigma_rule_path": "es/windows/builtin/win_susp_dns_config.yml", "date_modified": null, "description": "This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded", "references": ["https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx", "https://twitter.com/gentilkiwi/status/861641945944391680"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "cbe51394-cd93-4473-b555-edf0144952d9", "technique": ["T1073: DLL Side-Loading"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID:\n - 150\n - 770\n", "detection_rule_title": "DNS Server Error Failed Loading the ServerLevelPluginDLL", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["DNS Server"], "provider": ["Microsoft-Windows-DNS-Server-Service"], "data_needed": ["DN_0043_770_dns_server_plugin_dll_has_been_loaded", "DN_0036_150_dns_server_could_not_load_dll"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -4486379938165291764}}
{"date_created": "2017-03-27T00:00:00", "sigma_rule_path": "es/windows/builtin/win_mal_service_installs.yml", "date_modified": "2019-11-01T00:00:00", "description": "Detects known malicious service installs that only appear in cases of lateral movement, credential dumping and other suspicious activity", "references": "not defined", "customer": ["None"], "tactic": ["TA0003: Persistence", "TA0004: Privilege Escalation"], "dr_id": "5a105d34-05fc-401e-8553-272b45c1522d", "technique": ["T1003: Credential Dumping", "T1035: Service Execution", "T1050: New Service"], "raw_detection_rule": "detection:\n condition: selection and 1 of malsvc_*\n malsvc_paexec:\n ServiceFileName|contains: \\PAExec\n malsvc_persistence:\n ServiceFileName|contains: net user\n malsvc_wannacry:\n ServiceName: mssecsvc2.0\n selection:\n EventID: 7045\n", "detection_rule_title": "Malicious Service Installations", "detection_rule_author": "Florian Roth, Daniil Yugoslavskiy, oscd.community (update)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["System"], "provider": ["Service Control Manager"], "data_needed": ["DN_0005_7045_windows_service_insatalled"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -6652828814759041665}}
{"date_created": "2017-05-31T00:00:00", "sigma_rule_path": "es/windows/builtin/win_alert_ruler.yml", "date_modified": "2019-07-26T00:00:00", "description": "This events that are generated when using the hacktool Ruler by Sensepost", "references": ["https://github.com/sensepost/ruler", "https://github.com/sensepost/ruler/issues/47", "https://github.com/staaldraad/go-ntlm/blob/master/ntlm/ntlmv1.go#L427", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624"], "customer": ["None"], "tactic": ["TA0007: Discovery", "TA0002: Execution"], "dr_id": "24549159-ac1b-479c-8175-d42aea947cae", "technique": ["T1087: Account Discovery", "T1075: Pass the Hash", "T1114: Email Collection", "T1059: Command-Line Interface"], "raw_detection_rule": "detection:\n condition: (1 of selection*)\n selection1:\n EventID:\n - 4776\n Workstation: RULER\n selection2:\n EventID:\n - 4624\n - 4625\n WorkstationName: RULER\n", "detection_rule_title": "Hacktool Ruler", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0057_4625_account_failed_to_logon", "DN_0004_4624_windows_account_logon", "DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account"], "logging_policy": ["LP_0004_windows_audit_logon", "LP_0107_windows_audit_credential_validation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 167960412653786088}}
{"date_created": "2020-03-04T00:00:00", "sigma_rule_path": "es/windows/builtin/win_mmc20_lateral_movement.yml", "date_modified": null, "description": "Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe", "references": ["https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/", "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "f1f3bf22-deb2-418d-8cce-e1a45e46a5bd", "technique": ["T1175: Component Object Model and Distributed COM"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine: '*-Embedding*'\n Image: '*\\mmc.exe'\n ParentImage: '*\\svchost.exe'\n", "detection_rule_title": "MMC20 Lateral Movement", "detection_rule_author": "@2xxeformyshirt (Security Risk Advisors)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 5134667849057207943}}
{"date_created": "2019-10-22T00:00:00", "sigma_rule_path": "es/windows/builtin/win_remote_registry_management_using_reg_utility.yml", "date_modified": "2019-11-13T00:00:00", "description": "Remote registry management using REG utility from non-admin workstation", "references": ["https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0007: Discovery"], "dr_id": "68fcba0d-73a5-475e-a915-e8b4c576827e", "technique": ["T1112: Modify Registry", "T1012: Query Registry"], "raw_detection_rule": "detection:\n condition: selection_1 and not selection_2\n selection_1:\n EventID: 5145\n RelativeTargetName|contains: \\winreg\n selection_2:\n IpAddress: '%Admins_Workstations%'\n", "detection_rule_title": "Remote Registry Management Using Reg Utility", "detection_rule_author": "Teymur Kheirkhabarov, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0032_5145_network_share_object_was_accessed_detailed"], "logging_policy": ["LP_0029_windows_audit_detailed_file_share"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -1005967096718743275}}
{"date_created": "2019-09-12T00:00:00", "sigma_rule_path": "es/windows/builtin/win_ad_object_writedac_access.yml", "date_modified": null, "description": "Detects WRITE_DAC access to a domain object", "references": ["https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1222_file_permissions_modification/ad_replication_user_backdoor.md"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "028c7842-4243-41cd-be6f-12f3cf1a26c7", "technique": ["T1222: File and Directory Permissions Modification"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n AccessMask: 262144\n EventID: 4662\n ObjectServer: DS\n ObjectType:\n - 19195a5b-6da0-11d0-afd3-00c04fd930c9\n - domainDNS\n", "detection_rule_title": "AD Object WriteDAC Access", "detection_rule_author": "Roberto Rodriguez @Cyb3rWard0g", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0030_4662_operation_was_performed_on_an_object"], "logging_policy": ["LP_0027_windows_audit_directory_service_access"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 2803388689031592357}}
{"date_created": "2017-01-10T00:00:00", "sigma_rule_path": "es/windows/builtin/win_alert_mimikatz_keywords.yml", "date_modified": "2019-10-11T00:00:00", "description": "This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)", "references": "not defined", "customer": ["None"], "tactic": ["TA0008: Lateral Movement", "TA0006: Credential Access"], "dr_id": "06d71506-7beb-4f22-8888-e2e5e2ca7fd8", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: keywords\n keywords:\n Message:\n - '* mimikatz *'\n - '* mimilib *'\n - '* <3 eo.oe *'\n - '* eo.oe.kiwi *'\n - '* privilege::debug *'\n - '* sekurlsa::logonpasswords *'\n - '* lsadump::sam *'\n - '* mimidrv.sys *'\n - '* p::d *'\n - '* s::l *'\n", "detection_rule_title": "Mimikatz Use", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -5808706792443976540}}
{"date_created": "2019-04-03T00:00:00", "sigma_rule_path": "es/windows/builtin/win_susp_raccess_sensitive_fext.yml", "date_modified": null, "description": "Detects known sensitive file extensions", "references": "not defined", "customer": ["None"], "tactic": ["TA0009: Collection"], "dr_id": "91c945bc-2ad1-4799-a591-4d00198a1215", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID:\n - 5145\n RelativeTargetName:\n - '*.pst'\n - '*.ost'\n - '*.msg'\n - '*.nst'\n - '*.oab'\n - '*.edb'\n - '*.nsf'\n - '*.bak'\n - '*.dmp'\n - '*.kirbi'\n - '*\\groups.xml'\n - '*.rdp'\nfields:\n- ComputerName\n- SubjectDomainName\n- SubjectUserName\n- RelativeTargetName\n", "detection_rule_title": "Suspicious Access to Sensitive File Extensions", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0032_5145_network_share_object_was_accessed_detailed"], "logging_policy": ["LP_0029_windows_audit_detailed_file_share"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -546056005552862563}}
{"date_created": "2017-07-30T00:00:00", "sigma_rule_path": "es/windows/builtin/win_alert_active_directory_user_control.yml", "date_modified": null, "description": "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.", "references": ["https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/"], "customer": ["None"], "tactic": ["TA0004: Privilege Escalation"], "dr_id": "311b6ce2-7890-4383-a8c2-663a9f6b43cd", "technique": ["T1078: Valid Accounts"], "raw_detection_rule": "detection:\n condition: all of them\n keywords:\n Message:\n - '*SeEnableDelegationPrivilege*'\n selection:\n EventID: 4704\n", "detection_rule_title": "Enabled User Right in AD to Control User Objects", "detection_rule_author": "@neu5ron", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0066_4704_user_right_was_assigned"], "logging_policy": ["LP_0105_windows_audit_authorization_policy_change"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -5594893097941850581}}
{"date_created": "2017-05-15T00:00:00", "sigma_rule_path": "es/windows/builtin/win_susp_dhcp_config_failed.yml", "date_modified": "2019-07-17T00:00:00", "description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded", "references": ["https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "75edd3fd-7146-48e5-9848-3013d7f0282c", "technique": ["T1073: DLL Side-Loading"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID:\n - 1031\n - 1032\n - 1034\n Source: Microsoft-Windows-DHCP-Server\n", "detection_rule_title": "DHCP Server Error Failed Loading the CallOut DLL", "detection_rule_author": "Dimitrios Slamaris, @atc_project (fix)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["System"], "provider": ["Microsoft-Windows-DHCP-Server"], "data_needed": ["DN_0049_1034_dhcp_service_failed_to_load_callout_dlls", "DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception", "DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 3572668507352563971}}
{"date_created": "2017-11-19T00:00:00", "sigma_rule_path": "es/windows/builtin/win_disable_event_logging.yml", "date_modified": null, "description": "Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed. Also, it is recommended to turn off \"Local Group Policy Object Processing\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\". Please note, that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.", "references": ["https://bit.ly/WinLogsZero2Hero"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "69aeb277-f15f-4d2d-b32a-55e883609563", "technique": ["T1054: Indicator Blocking"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n AuditPolicyChanges: removed\n EventID: 4719\n", "detection_rule_title": "Disabling Windows Event Auditing", "detection_rule_author": "@neu5ron", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0067_4719_system_audit_policy_was_changed"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -7590271885577775073}}
{"date_created": "2017-03-08T00:00:00", "sigma_rule_path": "es/windows/builtin/win_rare_service_installs.yml", "date_modified": null, "description": "Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services", "references": "not defined", "customer": ["None"], "tactic": ["TA0003: Persistence", "TA0004: Privilege Escalation"], "dr_id": "66bfef30-22a5-4fcd-ad44-8d81e60922ae", "technique": ["T1050: New Service"], "raw_detection_rule": "detection:\n condition: selection | count() by ServiceFileName < 5\n selection:\n EventID: 7045\n timeframe: 7d\n", "detection_rule_title": "Rare Service Installs", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["System"], "provider": ["Service Control Manager"], "data_needed": ["DN_0005_7045_windows_service_insatalled"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -7212313084846647511}}
{"date_created": "2017-03-17T00:00:00", "sigma_rule_path": "es/windows/builtin/win_susp_interactive_logons.yml", "date_modified": null, "description": "Detects interactive console logons to", "references": "not defined", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "dr_id": "3ff152b2-1388-4984-9cd9-a323323fdadf", "technique": ["T1078: Valid Accounts"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n ComputerName: '%Workstations%'\n LogonProcessName: Advapi\n selection:\n ComputerName:\n - '%ServerSystems%'\n - '%DomainControllers%'\n EventID:\n - 528\n - 529\n - 4624\n - 4625\n LogonType: 2\n", "detection_rule_title": "Interactive Logon to Server Systems", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0057_4625_account_failed_to_logon", "DN_0004_4624_windows_account_logon", "DN_0040_528_user_successfully_logged_on_to_a_computer", "DN_0041_529_logon_failure"], "logging_policy": ["LP_0004_windows_audit_logon"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -2144089961418516515}}
{"date_created": "2017-02-19T00:00:00", "sigma_rule_path": "es/windows/builtin/win_susp_dsrm_password_change.yml", "date_modified": null, "description": "The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.", "references": ["https://adsecurity.org/?p=1714"], "customer": ["None"], "tactic": ["TA0003: Persistence", "TA0004: Privilege Escalation"], "dr_id": "53ad8e36-f573-46bf-97e4-15ba5bf4bb51", "technique": ["T1098: Account Manipulation"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 4794\n", "detection_rule_title": "Password Change on Directory Service Restore Mode (DSRM) Account", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "stable", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0028_4794_directory_services_restore_mode_admin_password_set"], "logging_policy": ["LP_0026_windows_audit_user_account_management"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -8616247398839940279}}
{"date_created": "2018-03-20T00:00:00", "sigma_rule_path": "es/windows/builtin/win_net_ntlm_downgrade.yml", "date_modified": null, "description": "Detects post exploitation using NetNTLM downgrade attacks", "references": ["https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "d67572a0-e2ec-45d6-b8db-c100d14b8ef2", "technique": ["T1212: Exploitation for Credential Access"], "raw_detection_rule": "action: global\nadditions:\n- detection:\n selection1:\n EventID: 13\n TargetObject:\n - '*SYSTEM\\\\*ControlSet*\\Control\\Lsa\\lmcompatibilitylevel'\n - '*SYSTEM\\\\*ControlSet*\\Control\\Lsa*\\NtlmMinClientSec'\n - '*SYSTEM\\\\*ControlSet*\\Control\\Lsa*\\RestrictSendingNTLMTraffic'\n logsource:\n product: windows\n service: sysmon\n- detection:\n selection2:\n EventID: 4657\n ObjectName: \\REGISTRY\\MACHINE\\SYSTEM\\\\*ControlSet*\\Control\\Lsa*\n ObjectValueName:\n - LmCompatibilityLevel\n - NtlmMinClientSec\n - RestrictSendingNTLMTraffic\n logsource:\n definition: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'\n product: windows\n service: security\ndetection:\n condition: 1 of them\n", "detection_rule_title": "NetNTLM Downgrade Attack", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0059_4657_registry_value_was_modified", "DN_0017_13_windows_sysmon_RegistryEvent"], "logging_policy": ["LP_0103_windows_audit_registry"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 5600719977029522669}}
{"date_created": "2019-08-10T00:00:00", "sigma_rule_path": "es/windows/builtin/win_protected_storage_service_access.yml", "date_modified": "2019-11-10T00:00:00", "description": "Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers", "references": ["https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md"], "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "dr_id": "45545954-4016-43c6-855e-eae8f1c369dc", "technique": ["T1021: Remote Services"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 5145\n RelativeTargetName: protected_storage\n ShareName|contains: IPC\n", "detection_rule_title": "Protected Storage Service Access", "detection_rule_author": "Roberto Rodriguez @Cyb3rWard0g", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0032_5145_network_share_object_was_accessed_detailed"], "logging_policy": ["LP_0029_windows_audit_detailed_file_share"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 8554483669962956451}}
{"date_created": "2017-05-09T00:00:00", "sigma_rule_path": "es/windows/builtin/win_susp_msmpeng_crash.yml", "date_modified": null, "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", "references": ["https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5", "https://technet.microsoft.com/en-us/library/security/4022344"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "6c82cf5c-090d-4d57-9188-533577631108", "technique": ["T1089: Disabling Security Tools", "T1211: Exploitation for Defense Evasion"], "raw_detection_rule": "detection:\n condition: 1 of selection* and all of keywords\n keywords:\n Message:\n - '*MsMpEng.exe*'\n - '*mpengine.dll*'\n selection1:\n EventID: 1000\n Source: Application Error\n selection2:\n EventID: 1001\n Source: Windows Error Reporting\n", "detection_rule_title": "Microsoft Malware Protection Engine Crash", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 7205651323804475487}}
{"date_created": "2017-06-14T00:00:00", "sigma_rule_path": "es/windows/builtin/win_mal_wceaux_dll.yml", "date_modified": null, "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host", "references": ["https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://jpcertcc.github.io/ToolAnalysisResultSheet"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "1de68c67-af5c-4097-9c85-fe5578e09e67", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID:\n - 4656\n - 4658\n - 4660\n - 4663\n ObjectName: '*\\wceaux.dll'\n", "detection_rule_title": "WCE wceaux.dll Access", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0060_4658_handle_to_an_object_was_closed", "DN_0058_4656_handle_to_an_object_was_requested", "DN_0061_4660_object_was_deleted", "DN_0062_4663_attempt_was_made_to_access_an_object"], "logging_policy": ["LP_0102_windows_audit_file_system", "LP_0039_windows_audit_kernel_object", "LP_0104_windows_audit_removable_storage", "LP_0103_windows_audit_registry", "LP_0042_windows_audit_handle_manipulation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 3603167813559943049}}
{"date_created": "2019-04-03T00:00:00", "sigma_rule_path": "es/windows/builtin/win_susp_psexec.yml", "date_modified": null, "description": "detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one", "references": ["https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html"], "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "dr_id": "c462f537-a1e3-41a6-b5fc-b2c2cef9bf82", "technique": ["T1077: Windows Admin Shares"], "raw_detection_rule": "detection:\n condition: selection1 and not selection2\n selection1:\n EventID: 5145\n RelativeTargetName:\n - '*-stdin'\n - '*-stdout'\n - '*-stderr'\n ShareName: \\\\*\\IPC$\n selection2:\n EventID: 5145\n RelativeTargetName: PSEXESVC*\n ShareName: \\\\*\\IPC$\n", "detection_rule_title": "Suspicious PsExec Execution", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0032_5145_network_share_object_was_accessed_detailed"], "logging_policy": ["LP_0029_windows_audit_detailed_file_share"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -1767698422000483565}}
{"date_created": "2017-05-12T00:00:00", "sigma_rule_path": "es/windows/builtin/win_susp_backup_delete.yml", "date_modified": null, "description": "Detects backup catalog deletions", "references": ["https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx", "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "9703792d-fd9a-456d-a672-ff92efe4806a", "technique": ["T1107: File Deletion"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 524\n Source: Backup\n", "detection_rule_title": "Backup Catalog Deleted", "detection_rule_author": "Florian Roth (rule), Tom U. @c_APT_ure (collection)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 653909114910372518}}
{"date_created": "2020-01-15T00:00:00", "sigma_rule_path": "es/windows/builtin/win_audit_cve.yml", "date_modified": null, "description": "Detects events generated by Windows to indicate the exploitation of a known vulnerability (e.g. CVE-2020-0601)", "references": ["https://twitter.com/mattifestation/status/1217179698008068096", "https://twitter.com/VM_vivisector/status/1217190929330655232", "https://twitter.com/davisrichardg/status/1217517547576348673", "https://twitter.com/DidierStevens/status/1217533958096924676", "https://twitter.com/FlemmingRiis/status/1217147415482060800"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "48d91a3a-2363-43ba-a456-ca71ac3da5c2", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Source: Microsoft-Windows-Audit-CVE\n", "detection_rule_title": "Audit CVE Event", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 4623188508192721987}}
{"date_created": "2017-02-10T00:00:00", "sigma_rule_path": "es/windows/builtin/win_susp_kerberos_manipulation.yml", "date_modified": null, "description": "This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages", "references": "not defined", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "f7644214-0eb0-4ace-9455-331ec4c09253", "technique": ["T1212: Exploitation for Credential Access"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID:\n - 675\n - 4768\n - 4769\n - 4771\n FailureCode:\n - '0x9'\n - '0xA'\n - '0xB'\n - '0xF'\n - '0x10'\n - '0x11'\n - '0x13'\n - '0x14'\n - '0x1A'\n - '0x1F'\n - '0x21'\n - '0x22'\n - '0x23'\n - '0x24'\n - '0x26'\n - '0x27'\n - '0x28'\n - '0x29'\n - '0x2C'\n - '0x2D'\n - '0x2E'\n - '0x2F'\n - '0x31'\n - '0x32'\n - '0x3E'\n - '0x3F'\n - '0x40'\n - '0x41'\n - '0x43'\n - '0x44'\n", "detection_rule_title": "Kerberos Manipulation", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0042_675_kerberos_preauthentication_failed", "DN_0077_4769_kerberos_service_ticket_was_requested", "DN_0078_4771_kerberos_pre_authentication_failed", "DN_0076_4768_kerberos_authentication_ticket_was_requested"], "logging_policy": ["LP_0004_windows_audit_logon", "LP_0106_windows_audit_kerberos_service_ticket_operations", "LP_0038_windows_audit_kerberos_authentication_service"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 2141592960474191963}}
{"date_created": "2017-07-30T00:00:00", "sigma_rule_path": "es/windows/builtin/win_alert_enable_weak_encryption.yml", "date_modified": null, "description": "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.", "references": ["https://adsecurity.org/?p=2053", "https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "f6de9536-0441-4b3f-a646-f4e00f300ffd", "technique": ["T1089: Disabling Security Tools"], "raw_detection_rule": "detection:\n condition: selection and keywords and filters\n filters:\n Message:\n - '*Enabled*'\n keywords:\n Message:\n - '*DES*'\n - '*Preauth*'\n - '*Encrypted*'\n selection:\n EventID: 4738\n", "detection_rule_title": "Weak Encryption Enabled and Kerberoast", "detection_rule_author": "@neu5ron", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0027_4738_user_account_was_changed"], "logging_policy": ["LP_0026_windows_audit_user_account_management"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 4460499198616553659}}
{"date_created": "2019-10-24T00:00:00", "sigma_rule_path": "es/windows/builtin/win_tap_driver_installation.yml", "date_modified": null, "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques", "references": "not defined", "customer": ["None"], "tactic": ["TA0010: Exfiltration"], "dr_id": "8e4cf0e5-aa5d-4dc3-beff-dc26917744a9", "technique": ["T1048: Exfiltration Over Alternative Protocol"], "raw_detection_rule": "action: global\nadditions:\n- detection:\n selection:\n EventID: 7045\n logsource:\n product: windows\n service: system\n- detection:\n selection:\n EventID: 6\n logsource:\n product: windows\n service: sysmon\n- detection:\n selection:\n EventID: 4697\n logsource:\n product: windows\n service: security\ndetection:\n condition: selection\n selection:\n ImagePath|contains: tap0901\n", "detection_rule_title": "Tap Driver Installation", "detection_rule_author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["System", "Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Service Control Manager", "Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0005_7045_windows_service_insatalled", "DN_0010_6_windows_sysmon_driver_loaded", "DN_0063_4697_service_was_installed_in_the_system"], "logging_policy": ["not defined", "LP_0100_windows_audit_security_system_extension"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 7216616488184358165}}
{"date_created": "2017-06-09T00:00:00", "sigma_rule_path": "es/windows/builtin/win_susp_samr_pwset.yml", "date_modified": null, "description": "Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser(). \"Audit User Account Management\" in \"Advanced Audit Policy Configuration\" has to be enabled in your local security policy / GPO to see this events.", "references": "not defined", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "7818b381-5eb1-4641-bea5-ef9e4cfb5951", "technique": ["T1212: Exploitation for Credential Access"], "raw_detection_rule": "detection:\n condition: ( passwordchanged and not passwordchanged_filter ) | near samrpipe\n passwordchanged:\n EventID: 4738\n passwordchanged_filter:\n PasswordLastSet: null\n samrpipe:\n EventID: 5145\n RelativeTargetName: samr\n timeframe: 15s\n", "detection_rule_title": "Possible Remote Password Change Through SAMR", "detection_rule_author": "Dimitrios Slamaris", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0032_5145_network_share_object_was_accessed_detailed", "DN_0027_4738_user_account_was_changed"], "logging_policy": ["LP_0029_windows_audit_detailed_file_share", "LP_0026_windows_audit_user_account_management"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -8932642958943788431}}
{"date_created": "2019-06-20T00:00:00", "sigma_rule_path": "es/windows/builtin/win_dpapi_domain_backupkey_extraction.yml", "date_modified": null, "description": "Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers", "references": ["https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "4ac1f50b-3bd0-4968-902d-868b4647937e", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n AccessMask: '0x2'\n EventID: 4662\n ObjectName: BCKUPKEY\n ObjectType: SecretObject\n", "detection_rule_title": "DPAPI Domain Backup Key Extraction", "detection_rule_author": "Roberto Rodriguez @Cyb3rWard0g", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0030_4662_operation_was_performed_on_an_object"], "logging_policy": ["LP_0027_windows_audit_directory_service_access"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 8255381496978184997}}
{"date_created": "2019-11-15T00:00:00", "sigma_rule_path": "es/windows/builtin/win_susp_rottenpotato.yml", "date_modified": null, "description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like", "references": ["https://twitter.com/SBousseaden/status/1195284233729777665"], "customer": ["None"], "tactic": ["TA0004: Privilege Escalation", "TA0006: Credential Access"], "dr_id": "16f5d8ca-44bd-47c8-acbe-6fc95a16c12f", "technique": ["T1171: LLMNR/NBT-NS Poisoning and Relay"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 4624\n LogonType: 3\n SourceNetworkAddress: 127.0.0.1\n TargetUserName: ANONYMOUS_LOGON\n WorkstationName: '-'\n", "detection_rule_title": "RottenPotato Like Attack Pattern", "detection_rule_author": "@SBousseaden, Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0004_4624_windows_account_logon"], "logging_policy": ["LP_0004_windows_audit_logon"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -3488669293514716161}}
{"date_created": "2019-04-03T00:00:00", "sigma_rule_path": "es/windows/builtin/win_lm_namedpipe.yml", "date_modified": null, "description": "This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes", "references": ["https://twitter.com/menasec1/status/1104489274387451904"], "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "dr_id": "52d8b0c6-53d6-439a-9e41-52ad442ad9ad", "technique": ["T1077: Windows Admin Shares"], "raw_detection_rule": "detection:\n condition: selection1 and not selection2\n selection1:\n EventID: 5145\n ShareName: \\\\*\\IPC$\n selection2:\n EventID: 5145\n RelativeTargetName:\n - atsvc\n - samr\n - lsarpc\n - winreg\n - netlogon\n - srvsvc\n - protected_storage\n - wkssvc\n - browser\n - netdfs\n - svcctl\n - spoolss\n - ntsvcs\n - LSM_API_service\n - HydraLsPipe\n - TermSrv_API_service\n - MsFteWds\n ShareName: \\\\*\\IPC$\n", "detection_rule_title": "First Time Seen Remote Named Pipe", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0032_5145_network_share_object_was_accessed_detailed"], "logging_policy": ["LP_0029_windows_audit_detailed_file_share"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 6640227654202001624}}
{"date_created": "2019-12-04T00:00:00", "sigma_rule_path": "es/windows/builtin/win_susp_wmi_login.yml", "date_modified": null, "description": "Detection of logins performed with WMI", "references": "not defined", "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "5af54681-df95-4c26-854f-2565e13cfab0", "technique": ["T1047: Windows Management Instrumentation"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 4624\n ProcessName: '*\\WmiPrvSE.exe'\n", "detection_rule_title": "Login with WMI", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "stable", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0004_4624_windows_account_logon"], "logging_policy": ["LP_0004_windows_audit_logon"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -5185962375613947184}}
{"date_created": "2017-11-09T00:00:00", "sigma_rule_path": "es/windows/builtin/win_usb_device_plugged.yml", "date_modified": null, "description": "Detects plugged USB devices", "references": ["https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/", "https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/"], "customer": ["None"], "tactic": ["TA0001: Initial Access"], "dr_id": "1a4bd6e3-4c6e-405d-a9a3-53a116e341d4", "technique": ["T1200: Hardware Additions"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID:\n - 2003\n - 2100\n - 2102\n", "detection_rule_title": "USB Device Plugged", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-DriverFrameworks-UserMode/Operational"], "provider": ["Microsoft-Windows-DriverFrameworks-UserMode"], "data_needed": ["DN_0054_2102_pnp_or_power_operation_for_usb_device", "DN_0053_2100_pnp_or_power_operation_for_usb_device", "DN_0052_2003_query_to_load_usb_drivers"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -2036876623285590555}}
{"date_created": "2019-12-03T00:00:00", "sigma_rule_path": "es/windows/builtin/win_susp_codeintegrity_check_failure.yml", "date_modified": null, "description": "Code integrity failures may indicate tampered executables.", "references": "not defined", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "470ec5fa-7b4e-4071-b200-4c753100f49b", "technique": ["T1009: Binary Padding"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID:\n - 5038\n - 6281\n", "detection_rule_title": "Failed Code Integrity Checks", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "stable", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -1382320703406084337}}
{"date_created": "2019-06-20T00:00:00", "sigma_rule_path": "es/windows/builtin/win_lsass_access_non_system_account.yml", "date_modified": "2019-11-10T00:00:00", "description": "Detects potential mimikatz-like tools accessing LSASS from non system account", "references": ["https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/lsass_access_non_system_account.md"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "962fe167-e48d-4fd6-9974-11e5b9a5d6d1", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n SubjectUserName|endswith: $\n selection:\n EventID:\n - 4663\n - 4656\n ObjectName|endswith: \\lsass.exe\n ObjectType: Process\nfields:\n- ComputerName\n- ObjectName\n- SubjectUserName\n- ProcessName\n", "detection_rule_title": "LSASS Access from Non System Account", "detection_rule_author": "Roberto Rodriguez @Cyb3rWard0g", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0058_4656_handle_to_an_object_was_requested", "DN_0062_4663_attempt_was_made_to_access_an_object"], "logging_policy": ["LP_0102_windows_audit_file_system", "LP_0039_windows_audit_kernel_object", "LP_0104_windows_audit_removable_storage", "LP_0103_windows_audit_registry"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -2751517739721446060}}
{"date_created": "2019-04-03T00:00:00", "sigma_rule_path": "es/windows/builtin/win_impacket_secretdump.yml", "date_modified": null, "description": "Detect AD credential dumping using impacket secretdump HKTL", "references": ["https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "252902e3-5830-4cf6-bf21-c22083dfd5cf", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 5145\n RelativeTargetName: SYSTEM32\\\\*.tmp\n ShareName: \\\\*\\ADMIN$\n", "detection_rule_title": "Possible Impacket SecretDump Remote Activity", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0032_5145_network_share_object_was_accessed_detailed"], "logging_policy": ["LP_0029_windows_audit_detailed_file_share"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -4033227028148850880}}
{"date_created": "2019-10-25T00:00:00", "sigma_rule_path": "es/windows/builtin/win_possible_dc_sync.yml", "date_modified": null, "description": "Detects DC sync via create new SPN", "references": ["https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml", "https://twitter.com/gentilkiwi/status/1003236624925413376", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://jsecurity101.com/2019/Syncing-into-the-Shadows/"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "32e19d25-4aed-4860-a55a-be99cb0bf7ed", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 4742\n ServicePrincipalNames: '*GC/*'\n", "detection_rule_title": "Possible DC Sync", "detection_rule_author": "Ilyas Ochkov, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 2541887687790237183}}
{"date_created": "2018-11-23T00:00:00", "sigma_rule_path": "es/windows/builtin/win_apt_turla_service_png.yml", "date_modified": null, "description": "This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018", "references": ["https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "1228f8e2-7e79-4dea-b0ad-c91f1d5016c1", "technique": ["T1050: New Service"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 7045\n ServiceName: WerFaultSvc\n", "detection_rule_title": "Turla PNG Dropper Service", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["System"], "provider": ["Service Control Manager"], "data_needed": ["DN_0005_7045_windows_service_insatalled"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 5201932323102901342}}
{"date_created": "2017-03-08T00:00:00", "sigma_rule_path": "es/windows/builtin/win_pass_the_hash.yml", "date_modified": null, "description": "Detects the attack technique pass the hash which is used to move laterally inside the network", "references": ["https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events"], "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "dr_id": "f8d98d6c-7a07-4d74-b064-dd4a3c244528", "technique": ["T1075: Pass the Hash"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n AccountName: ANONYMOUS LOGON\n selection:\n - ComputerName: '%Workstations%'\n EventID: 4624\n LogonProcessName: NtLmSsp\n LogonType: '3'\n WorkstationName: '%Workstations%'\n - ComputerName: '%Workstations%'\n EventID: 4625\n LogonProcessName: NtLmSsp\n LogonType: '3'\n WorkstationName: '%Workstations%'\n", "detection_rule_title": "Pass the Hash Activity", "detection_rule_author": "Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0057_4625_account_failed_to_logon", "DN_0004_4624_windows_account_logon"], "logging_policy": ["LP_0004_windows_audit_logon"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -2120944167409438875}}
{"date_created": "2019-07-26T00:00:00", "sigma_rule_path": "es/windows/builtin/win_ad_replication_non_machine_account.yml", "date_modified": "2020-03-02T00:00:00", "description": "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.", "references": ["https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/ad_replication_non_machine_account.md"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "17d619c1-e020-4347-957e-1d1207455c93", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n - SubjectUserName|endswith: $\n - SubjectUserName|startswith: MSOL_\n selection:\n AccessMask: '0x100'\n EventID: 4662\n Properties|contains:\n - 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2\n - 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2\n - 89e95b76-444d-4c62-991a-0facbeda640c\nfields:\n- ComputerName\n- SubjectDomainName\n- SubjectUserName\n", "detection_rule_title": "Active Directory Replication from Non Machine Account", "detection_rule_author": "Roberto Rodriguez @Cyb3rWard0g", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0030_4662_operation_was_performed_on_an_object"], "logging_policy": ["LP_0027_windows_audit_directory_service_access"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -7028618830357849617}}
{"date_created": "2017-03-04T00:00:00", "sigma_rule_path": "es/windows/builtin/win_admin_share_access.yml", "date_modified": null, "description": "Detects access to $ADMIN share", "references": "not defined", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "dr_id": "098d7118-55bc-4912-a836-dc6483a8d150", "technique": ["T1077: Windows Admin Shares"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n SubjectUserName: '*$'\n selection:\n EventID: 5140\n ShareName: Admin$\n", "detection_rule_title": "Access to ADMIN$ Share", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0033_5140_network_share_object_was_accessed"], "logging_policy": ["LP_0030_windows_audit_file_share"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 3452441204114063848}}
{"date_created": "2017-03-14T00:00:00", "sigma_rule_path": "es/windows/builtin/win_user_added_to_local_administrators.yml", "date_modified": null, "description": "This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity", "references": "not defined", "customer": ["None"], "tactic": ["TA0004: Privilege Escalation"], "dr_id": "c265cf08-3f99-46c1-8d59-328247057d57", "technique": ["T1078: Valid Accounts"], "raw_detection_rule": "detection:\n condition: selection and (1 of selection_group*) and not filter\n filter:\n SubjectUserName: '*$'\n selection:\n EventID: 4732\n selection_group1:\n GroupName: Administrators\n selection_group2:\n GroupSid: S-1-5-32-544\n", "detection_rule_title": "User Added to Local Administrators", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "stable", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0069_4732_member_was_added_to_security_enabled_local_group"], "logging_policy": ["LP_0101_windows_audit_security_group_management"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -3900934473858847818}}
{"date_created": "2019-11-01T00:00:00", "sigma_rule_path": "es/windows/builtin/win_susp_lsass_dump_generic.yml", "date_modified": "2019-11-07T00:00:00", "description": "Detects process handle on LSASS process with certain access mask", "references": ["https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection_1 or selection_2 and not filter\n filter:\n ProcessName|endswith:\n - \\wmiprvse.exe\n - \\taskmgr.exe\n - \\procexp64.exe\n - \\procexp.exe\n - \\lsm.exe\n - \\csrss.exe\n - \\wininit.exe\n - \\vmtoolsd.exe\n selection_1:\n AccessMask|contains:\n - '0x40'\n - '0x1400'\n - '0x1000'\n - '0x100000'\n - '0x1410'\n - '0x1010'\n - '0x1438'\n - '0x143a'\n - '0x1418'\n - '0x1f0fff'\n - '0x1f1fff'\n - '0x1f2fff'\n - '0x1f3fff'\n EventID: 4656\n ObjectName|endswith: \\lsass.exe\n selection_2:\n AccessList|contains:\n - '4484'\n - '4416'\n EventID: 4663\n ObjectName|endswith: \\lsass.exe\nfields:\n- ComputerName\n- SubjectDomainName\n- SubjectUserName\n- ProcessName\n- ProcessID\n", "detection_rule_title": "Generic Password Dumper Activity on LSASS", "detection_rule_author": "Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0058_4656_handle_to_an_object_was_requested", "DN_0062_4663_attempt_was_made_to_access_an_object"], "logging_policy": ["LP_0102_windows_audit_file_system", "LP_0039_windows_audit_kernel_object", "LP_0104_windows_audit_removable_storage", "LP_0103_windows_audit_registry"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 976370428403422705}}
{"date_created": "2017-02-12T00:00:00", "sigma_rule_path": "es/windows/builtin/win_susp_lsass_dump.yml", "date_modified": null, "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN", "references": ["https://twitter.com/jackcr/status/807385668833968128"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n AccessMask: '0x705'\n EventID: 4656\n ObjectType: SAM_DOMAIN\n ProcessName: C:\\Windows\\System32\\lsass.exe\n", "detection_rule_title": "Password Dumper Activity on LSASS", "detection_rule_author": "not defined", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0058_4656_handle_to_an_object_was_requested"], "logging_policy": ["LP_0102_windows_audit_file_system", "LP_0039_windows_audit_kernel_object", "LP_0104_windows_audit_removable_storage", "LP_0103_windows_audit_registry"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 8953019156472845129}}
{"date_created": "2019-02-16T00:00:00", "sigma_rule_path": "es/windows/builtin/win_rdp_reverse_tunnel.yml", "date_modified": null, "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address", "references": ["https://twitter.com/SBousseaden/status/1096148422984384514", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0011: Command and Control", "TA0008: Lateral Movement"], "dr_id": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", "technique": ["T1076: Remote Desktop Protocol", "T1090: Connection Proxy"], "raw_detection_rule": "detection:\n condition: selection and ( sourceRDP or destinationRDP )\n destinationRDP:\n DestinationPort: 3389\n SourceAddress:\n - 127.*\n - ::1\n selection:\n EventID: 5156\n sourceRDP:\n DestinationAddress:\n - 127.*\n - ::1\n SourcePort: 3389\n", "detection_rule_title": "RDP over Reverse SSH Tunnel WFP", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0087_5156_windows_filtering_platform_has_permitted_connection"], "logging_policy": ["LP_0045_windows_audit_filtering_platform_connection"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 1293504830711657905}}
{"date_created": "2020-03-30T00:00:00", "sigma_rule_path": "es/windows/builtin/win_ad_user_enumeration.yml", "date_modified": null, "description": "Detects access to a domain user from a non-machine account", "references": ["https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html", "https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all"], "customer": ["None"], "tactic": ["TA0007: Discovery"], "dr_id": "ab6bffca-beff-4baa-af11-6733f296d57a", "technique": ["T1087: Account Discovery"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n - SubjectUserName|endswith: $\n - SubjectUserName|startswith: MSOL_\n selection:\n EventID: 4662\n ObjectType|contains:\n - bf967aba-0de6-11d0-a285-00aa003049e2\n", "detection_rule_title": "AD User Enumeration", "detection_rule_author": "Maxime Thiebaut (@0xThiebaut)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0030_4662_operation_was_performed_on_an_object"], "logging_policy": ["LP_0027_windows_audit_directory_service_access"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -5704756184093887709}}
{"date_created": "2019-04-03T00:00:00", "sigma_rule_path": "es/windows/builtin/win_atsvc_task.yml", "date_modified": null, "description": "Detects remote task creation via at.exe or API interacting with ATSVC namedpipe", "references": ["https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html"], "customer": ["None"], "tactic": ["TA0008: Lateral Movement", "TA0003: Persistence"], "dr_id": "f6de6525-4509-495a-8a82-1f8b0ed73a00", "technique": ["T1053: Scheduled Task"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Accesses: '*WriteData*'\n EventID: 5145\n RelativeTargetName: atsvc\n ShareName: \\\\*\\IPC$\n", "detection_rule_title": "Remote Task Creation via ATSVC Named Pipe", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0032_5145_network_share_object_was_accessed_detailed"], "logging_policy": ["LP_0029_windows_audit_detailed_file_share"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -8641272707714106869}}
{"date_created": "2019-06-02T00:00:00", "sigma_rule_path": "es/windows/builtin/win_rdp_bluekeep_poc_scanner.yml", "date_modified": null, "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep", "references": ["https://twitter.com/AdamTheAnalyst/status/1134394070045003776", "https://github.com/zerosum0x0/CVE-2019-0708"], "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "dr_id": "8400629e-79a9-4737-b387-5db940ab2367", "technique": ["T1210: Exploitation of Remote Services"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n AccountName: AAAAAAA\n EventID: 4625\n", "detection_rule_title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln", "detection_rule_author": "Florian Roth (rule), Adam Bradbury (idea)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0057_4625_account_failed_to_logon"], "logging_policy": ["LP_0004_windows_audit_logon"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -7126689977398813690}}
{"date_created": "2019-10-24T00:00:00", "sigma_rule_path": "es/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml", "date_modified": null, "description": "The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.", "references": ["https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1"], "customer": ["None"], "tactic": ["TA0008: Lateral Movement", "TA0004: Privilege Escalation"], "dr_id": "6daac7fc-77d1-449a-a71a-e6b4d59a0e54", "technique": ["T1208: Kerberoasting"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n - EventID: 4673\n Keywords: '0x8010000000000000'\n Service: LsaRegisterLogonProcess()\n", "detection_rule_title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'", "detection_rule_author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 3763682631183733984}}
{"date_created": "2018-08-26T00:00:00", "sigma_rule_path": "es/windows/builtin/win_alert_lsass_access.yml", "date_modified": null, "description": "Detects Access to LSASS Process", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 1121\n Path: '*\\lsass.exe'\n", "detection_rule_title": "LSASS Access Detected via Attack Surface Reduction", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 4082464944263535554}}
{"date_created": "2020-02-29T00:00:00", "sigma_rule_path": "es/windows/builtin/win_vul_cve_2020_0688.yml", "date_modified": null, "description": "Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688", "references": ["https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/"], "customer": ["None"], "tactic": ["TA0001: Initial Access"], "dr_id": "d6266bf5-935e-4661-b477-78772735a7cb", "technique": ["T1190: Exploit Public-Facing Application"], "raw_detection_rule": "detection:\n condition: selection1 and selection2\n selection1:\n EventID: 4\n Level: Error\n Source: MSExchange Control Panel\n selection2:\n - '*&__VIEWSTATE=*'\n", "detection_rule_title": "CVE-2020-0688 Exploitation via Eventlog", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 8089562687425181238}}
{"date_created": "2017-01-10T00:00:00", "sigma_rule_path": "es/windows/builtin/win_susp_failed_logons_single_source.yml", "date_modified": null, "description": "Detects suspicious failed logins with different user accounts from a single source system", "references": "not defined", "customer": ["None"], "tactic": ["TA0003: Persistence", "TA0004: Privilege Escalation"], "dr_id": "e98374a6-e2d9-4076-9b5c-11bdb2569995", "technique": ["T1078: Valid Accounts"], "raw_detection_rule": "detection:\n condition:\n - selection1 | count(UserName) by WorkstationName > 3\n - selection2 | count(UserName) by Workstation > 3\n selection1:\n EventID:\n - 529\n - 4625\n UserName: '*'\n WorkstationName: '*'\n selection2:\n EventID: 4776\n UserName: '*'\n Workstation: '*'\n timeframe: 24h\n", "detection_rule_title": "Failed Logins with Different Accounts from Single Source System", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0057_4625_account_failed_to_logon", "DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account", "DN_0041_529_logon_failure"], "logging_policy": ["LP_0004_windows_audit_logon", "LP_0107_windows_audit_credential_validation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 6440569417376291990}}
{"date_created": "2019-08-06T00:00:00", "sigma_rule_path": "es/windows/malware/win_mal_ryuk.yml", "date_modified": null, "description": "Detects Ryuk Ransomware command lines", "references": ["https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "0acaad27-9f02-4136-a243-c357202edd74", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - '*\\net.exe stop \"samss\" *'\n - '*\\net.exe stop \"audioendpointbuilder\" *'\n - '*\\net.exe stop \"unistoresvc_?????\" *'\n", "detection_rule_title": "Ryuk Ransomware", "detection_rule_author": "Vasiliy Burov", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 2762610722511466092}}
{"date_created": "2018-09-09T00:00:00", "sigma_rule_path": "es/windows/malware/av_webshell.yml", "date_modified": "2019-10-04T00:00:00", "description": "Detects a highly relevant Antivirus alert that reports a web shell", "references": ["https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "fdf135a2-9241-4f96-a114-bb404948f736", "technique": ["T1100: Web Shell"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Signature:\n - PHP/Backdoor*\n - JSP/Backdoor*\n - ASP/Backdoor*\n - Backdoor.PHP*\n - Backdoor.JSP*\n - Backdoor.ASP*\n - '*Webshell*'\nfields:\n- FileName\n- User\n", "detection_rule_title": "Antivirus Web Shell Detection", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["AV Alerts"], "platform": ["antivirus"], "type": ["None"], "channel": ["None"], "provider": ["None"], "data_needed": ["DN_0084_av_alert"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 7784918898427049938}}
{"date_created": "2018-09-09T00:00:00", "sigma_rule_path": "es/windows/malware/av_relevant_files.yml", "date_modified": "2019-10-04T00:00:00", "description": "Detects an Antivirus alert in a highly relevant file path or with a relevant file name", "references": ["https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "c9a88268-0047-4824-ba6e-4d81ce0b907c", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n FileName:\n - C:\\Windows\\Temp\\\\*\n - C:\\Temp\\\\*\n - '*\\\\Client\\\\*'\n - C:\\PerfLogs\\\\*\n - C:\\Users\\Public\\\\*\n - C:\\Users\\Default\\\\*\n - '*.ps1'\n - '*.vbs'\n - '*.bat'\n - '*.chm'\n - '*.xml'\n - '*.txt'\n - '*.jsp'\n - '*.jspx'\n - '*.asp'\n - '*.aspx'\n - '*.php'\n - '*.war'\n - '*.hta'\n - '*.lnk'\n - '*.scf'\n - '*.sct'\n - '*.vbe'\n - '*.wsf'\n - '*.wsh'\nfields:\n- Signature\n- User\n", "detection_rule_title": "Antivirus Relevant File Paths Alerts", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["AV Alerts"], "platform": ["antivirus"], "type": ["None"], "channel": ["None"], "provider": ["None"], "data_needed": ["DN_0084_av_alert"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 375075054462187941}}
{"date_created": "2018-09-09T00:00:00", "sigma_rule_path": "es/windows/malware/av_exploiting.yml", "date_modified": "2019-01-16T00:00:00", "description": "Detects a highly relevant Antivirus alert that reports an exploitation framework", "references": ["https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/"], "customer": ["None"], "tactic": ["TA0002: Execution", "TA0011: Command and Control"], "dr_id": "238527ad-3c2c-4e4f-a1f6-92fd63adb864", "technique": ["T1203: Exploitation for Client Execution", "T1219: Remote Access Tools"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Signature:\n - '*MeteTool*'\n - '*MPreter*'\n - '*Meterpreter*'\n - '*Metasploit*'\n - '*PowerSploit*'\n - '*CobaltSrike*'\n - '*Swrort*'\n - '*Rozena*'\n - '*Backdoor.Cobalt*'\nfields:\n- FileName\n- User\n", "detection_rule_title": "Antivirus Exploitation Framework Detection", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["AV Alerts"], "platform": ["antivirus"], "type": ["None"], "channel": ["None"], "provider": ["None"], "data_needed": ["DN_0084_av_alert"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 1565081243294245855}}
{"date_created": "2018-09-09T00:00:00", "sigma_rule_path": "es/windows/malware/av_password_dumper.yml", "date_modified": "2019-10-04T00:00:00", "description": "Detects a highly relevant Antivirus alert that reports a password dumper", "references": ["https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "78cc2dd2-7d20-4d32-93ff-057084c38b93", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Signature:\n - '*DumpCreds*'\n - '*Mimikatz*'\n - '*PWCrack*'\n - HTool/WCE\n - '*PSWtool*'\n - '*PWDump*'\n - '*SecurityTool*'\n - '*PShlSpy*'\nfields:\n- FileName\n- User\n", "detection_rule_title": "Antivirus Password Dumper Detection", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["AV Alerts"], "platform": ["antivirus"], "type": ["None"], "channel": ["None"], "provider": ["None"], "data_needed": ["DN_0084_av_alert"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 23780675418314112}}
{"date_created": "2019-02-13T00:00:00", "sigma_rule_path": "es/windows/malware/win_mal_ursnif.yml", "date_modified": null, "description": "Detects new registry key created by Ursnif malware.", "references": ["https://blog.yoroi.company/research/ursnif-long-live-the-steganography/", "https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "21f17060-b282-4249-ade0-589ea3591558", "technique": ["T1112: Modify Registry"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 13\n TargetObject: '*\\Software\\AppDataLow\\Software\\Microsoft\\\\*'\n", "detection_rule_title": "Ursnif", "detection_rule_author": "megan201296", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 2790891916222590215}}
{"date_created": "2017-06-12T00:00:00", "sigma_rule_path": "es/windows/other/win_tool_psexec.yml", "date_modified": null, "description": "Detects PsExec service installation and execution events (service and Sysmon)", "references": ["https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://jpcertcc.github.io/ToolAnalysisResultSheet"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "42c575ea-e41e-41f1-b248-8093c3e82a28", "technique": ["T1035: Service Execution"], "raw_detection_rule": "action: global\nadditions:\n- detection:\n service_execution:\n EventID: 7036\n ServiceName: PSEXESVC\n service_installation:\n EventID: 7045\n ServiceFileName: '*\\PSEXESVC.exe'\n ServiceName: PSEXESVC\n logsource:\n product: windows\n service: system\n- detection:\n sysmon_processcreation:\n Image: '*\\PSEXESVC.exe'\n User: NT AUTHORITY\\SYSTEM\n logsource:\n category: process_creation\n product: windows\ndetection:\n condition: 1 of them\nfields:\n- EventID\n- CommandLine\n- ParentCommandLine\n- ServiceName\n- ServiceFileName\n", "detection_rule_title": "PsExec Tool Execution", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["System", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Service Control Manager", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0005_7045_windows_service_insatalled", "DN_0031_7036_service_started_stopped", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["not defined", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 5725000869416308182}}
{"date_created": "2019-10-26T00:00:00", "sigma_rule_path": "es/windows/other/win_defender_bypass.yml", "date_modified": null, "description": "Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender", "references": ["https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d", "technique": ["T1089: Disabling Security Tools"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID:\n - 4657\n - 4656\n - 4660\n - 4663\n ObjectName|contains: \\Microsoft\\Windows Defender\\Exclusions\\\n", "detection_rule_title": "Windows Defender Exclusion Set", "detection_rule_author": "@BarryShooshooga", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0058_4656_handle_to_an_object_was_requested", "DN_0061_4660_object_was_deleted", "DN_0059_4657_registry_value_was_modified", "DN_0062_4663_attempt_was_made_to_access_an_object"], "logging_policy": ["LP_0102_windows_audit_file_system", "LP_0039_windows_audit_kernel_object", "LP_0104_windows_audit_removable_storage", "LP_0103_windows_audit_registry"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 7926554473266354698}}
{"date_created": "2017-03-17T00:00:00", "sigma_rule_path": "es/windows/other/win_rare_schtask_creation.yml", "date_modified": null, "description": "This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.", "references": "not defined", "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "b20f6158-9438-41be-83da-a5a16ac90c2b", "technique": ["T1053: Scheduled Task"], "raw_detection_rule": "detection:\n condition: selection | count() by TaskName < 5\n selection:\n EventID: 106\n timeframe: 7d\n", "detection_rule_title": "Rare Scheduled Task Creations", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-TaskScheduler/Operational"], "provider": ["Microsoft-Windows-TaskScheduler"], "data_needed": ["DN_0035_106_task_scheduler_task_registered"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 4808403361945555872}}
{"date_created": "2017-08-22T00:00:00", "sigma_rule_path": "es/windows/other/win_wmi_persistence.yml", "date_modified": null, "description": "Detects suspicious WMI event filter and command line event consumer based on event id 5861 and 5859 (Windows 10, 2012 and higher)", "references": ["https://twitter.com/mattifestation/status/899646620148539397", "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/"], "customer": ["None"], "tactic": ["TA0002: Execution", "TA0003: Persistence"], "dr_id": "0b7889b4-5577-4521-a60a-3376ee7f9f7b", "technique": ["T1047: Windows Management Instrumentation"], "raw_detection_rule": "detection:\n condition: selection and 1 of keywords or selection2\n keywords:\n Message:\n - '*ActiveScriptEventConsumer*'\n - '*CommandLineEventConsumer*'\n - '*CommandLineTemplate*'\n selection:\n EventID: 5861\n selection2:\n EventID: 5859\n", "detection_rule_title": "WMI Persistence", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-WMI-Activity/Operational"], "provider": ["Microsoft-Windows-WMI-Activity"], "data_needed": ["DN_0081_5861_wmi_activity", "DN_0080_5859_wmi_activity"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 5028093265114630674}}
{"date_created": "2017-03-22T00:00:00", "sigma_rule_path": "es/windows/powershell/powershell_downgrade_attack.yml", "date_modified": "2020-03-20T00:00:00", "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", "references": ["http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "dr_id": "6331d09b-4785-4c13-980f-f96661356249", "technique": ["T1086: PowerShell"], "raw_detection_rule": "action: global\ndetection:\n condition: selection and not filter\n filter:\n HostVersion|startswith: '2.'\n selection:\n EngineVersion|startswith: '2.'\n EventID: 400\n", "detection_rule_title": "PowerShell Downgrade Attack", "detection_rule_author": "Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Windows PowerShell"], "provider": ["PowerShell"], "data_needed": ["DN_0038_400_engine_state_is_changed_from_none_to_available"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -1944673064458711881}}
{"date_created": "2017-03-05T00:00:00", "sigma_rule_path": "es/windows/powershell/powershell_suspicious_download.yml", "date_modified": "2020-03-25T00:00:00", "description": "Detects suspicious PowerShell download command", "references": "not defined", "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "65531a81-a694-4e31-ae04-f8ba5bc33759", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: downloadfile or downloadstring\n downloadfile:\n Message|contains|all:\n - System.Net.WebClient\n - .DownloadFile(\n downloadstring:\n Message|contains|all:\n - System.Net.WebClient\n - .DownloadString(\n", "detection_rule_title": "Suspicious PowerShell Download", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 6611517093400117045}}
{"date_created": "2019-11-08T00:00:00", "sigma_rule_path": "es/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml", "date_modified": null, "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888", "references": "not defined", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "1b9dc62e-6e9e-42a3-8990-94d7a10007f7", "technique": ["T1027: Obfuscated Files or Information"], "raw_detection_rule": "detection:\n condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 )\n selection_1:\n EventID: 4104\n selection_2:\n - ScriptBlockText|re: \\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[\n - ScriptBlockText|re: \\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[\n - ScriptBlockText|re: \\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[\n - ScriptBlockText|re: \\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}\n - ScriptBlockText|re: \\*mdr\\*\\W\\s*\\)\\.Name\n - ScriptBlockText|re: \\$VerbosePreference\\.ToString\\(\n - ScriptBlockText|re: \\String\\]\\s*\\$VerbosePreference\n selection_3:\n EventID: 4103\n selection_4:\n - Payload|re: \\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[\n - Payload|re: \\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[\n - Payload|re: \\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[\n - Payload|re: \\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}\n - Payload|re: \\*mdr\\*\\W\\s*\\)\\.Name\n - Payload|re: \\$VerbosePreference\\.ToString\\(\n - Payload|re: \\String\\]\\s*\\$VerbosePreference\n", "detection_rule_title": "Invoke-Obfuscation Obfuscated IEX Invocation", "detection_rule_author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-PowerShell/Operational"], "provider": ["Microsoft-Windows-PowerShell"], "data_needed": ["DN_0037_4103_windows_powershell_executing_pipeline", "DN_0036_4104_windows_powershell_script_block"], "logging_policy": ["LP_0108_windows_powershell_module_logging", "LP_0109_windows_powershell_script_block_logging"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -903781878367013939}}
{"date_created": "2019-02-11T00:00:00", "sigma_rule_path": "es/windows/powershell/powershell_suspicious_keywords.yml", "date_modified": null, "description": "Detects keywords that could indicate the use of some PowerShell exploitation framework", "references": ["https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462", "https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1", "https://github.com/hlldz/Invoke-Phant0m/blob/master/Invoke-Phant0m.ps1"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "1f49f2ab-26bc-48b3-96cc-dcffbc93eadf", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: keywords\n keywords:\n Message:\n - System.Reflection.Assembly.Load\n - '[System.Reflection.Assembly]::Load'\n - '[Reflection.Assembly]::Load'\n - System.Reflection.AssemblyName\n - Reflection.Emit.AssemblyBuilderAccess\n - Runtime.InteropServices.DllImportAttribute\n - SuspendThread\n", "detection_rule_title": "Suspicious PowerShell Keywords", "detection_rule_author": "Florian Roth, Perez Diego (@darkquassar)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -5849684670627149834}}
{"date_created": "2017-03-05T00:00:00", "sigma_rule_path": "es/windows/powershell/powershell_malicious_commandlets.yml", "date_modified": "2019-01-22T00:00:00", "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", "references": ["https://adsecurity.org/?p=2921"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "89819aa4-bbd6-46bc-88ec-c7f7fe30efa6", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: keywords and not false_positives\n false_positives:\n - Get-SystemDriveInfo\n keywords:\n Message:\n - '*Invoke-DllInjection*'\n - '*Invoke-Shellcode*'\n - '*Invoke-WmiCommand*'\n - '*Get-GPPPassword*'\n - '*Get-Keystrokes*'\n - '*Get-TimedScreenshot*'\n - '*Get-VaultCredential*'\n - '*Invoke-CredentialInjection*'\n - '*Invoke-Mimikatz*'\n - '*Invoke-NinjaCopy*'\n - '*Invoke-TokenManipulation*'\n - '*Out-Minidump*'\n - '*VolumeShadowCopyTools*'\n - '*Invoke-ReflectivePEInjection*'\n - '*Invoke-UserHunter*'\n - '*Find-GPOLocation*'\n - '*Invoke-ACLScanner*'\n - '*Invoke-DowngradeAccount*'\n - '*Get-ServiceUnquoted*'\n - '*Get-ServiceFilePermission*'\n - '*Get-ServicePermission*'\n - '*Invoke-ServiceAbuse*'\n - '*Install-ServiceBinary*'\n - '*Get-RegAutoLogon*'\n - '*Get-VulnAutoRun*'\n - '*Get-VulnSchTask*'\n - '*Get-UnattendedInstallFile*'\n - '*Get-ApplicationHost*'\n - '*Get-RegAlwaysInstallElevated*'\n - '*Get-Unconstrained*'\n - '*Add-RegBackdoor*'\n - '*Add-ScrnSaveBackdoor*'\n - '*Gupt-Backdoor*'\n - '*Invoke-ADSBackdoor*'\n - '*Enabled-DuplicateToken*'\n - '*Invoke-PsUaCme*'\n - '*Remove-Update*'\n - '*Check-VM*'\n - '*Get-LSASecret*'\n - '*Get-PassHashes*'\n - '*Show-TargetScreen*'\n - '*Port-Scan*'\n - '*Invoke-PoshRatHttp*'\n - '*Invoke-PowerShellTCP*'\n - '*Invoke-PowerShellWMI*'\n - '*Add-Exfiltration*'\n - '*Add-Persistence*'\n - '*Do-Exfiltration*'\n - '*Start-CaptureServer*'\n - '*Get-ChromeDump*'\n - '*Get-ClipboardContents*'\n - '*Get-FoxDump*'\n - '*Get-IndexedItem*'\n - '*Get-Screenshot*'\n - '*Invoke-Inveigh*'\n - '*Invoke-NetRipper*'\n - '*Invoke-EgressCheck*'\n - '*Invoke-PostExfil*'\n - '*Invoke-PSInject*'\n - '*Invoke-RunAs*'\n - '*MailRaider*'\n - '*New-HoneyHash*'\n - '*Set-MacAttribute*'\n - '*Invoke-DCSync*'\n - '*Invoke-PowerDump*'\n - '*Exploit-Jboss*'\n - '*Invoke-ThunderStruck*'\n - '*Invoke-VoiceTroll*'\n - '*Set-Wallpaper*'\n - '*Invoke-InveighRelay*'\n - '*Invoke-PsExec*'\n - '*Invoke-SSHCommand*'\n - '*Get-SecurityPackages*'\n - '*Install-SSP*'\n - '*Invoke-BackdoorLNK*'\n - '*PowerBreach*'\n - '*Get-SiteListPassword*'\n - '*Get-System*'\n - '*Invoke-BypassUAC*'\n - '*Invoke-Tater*'\n - '*Invoke-WScriptBypassUAC*'\n - '*PowerUp*'\n - '*PowerView*'\n - '*Get-RickAstley*'\n - '*Find-Fruit*'\n - '*HTTP-Login*'\n - '*Find-TrustedDocuments*'\n - '*Invoke-Paranoia*'\n - '*Invoke-WinEnum*'\n - '*Invoke-ARPScan*'\n - '*Invoke-PortScan*'\n - '*Invoke-ReverseDNSLookup*'\n - '*Invoke-SMBScanner*'\n - '*Invoke-Mimikittenz*'\n - '*Invoke-AllChecks*'\n", "detection_rule_title": "Malicious PowerShell Commandlets", "detection_rule_author": "Sean Metcalf (source), Florian Roth (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 3077976513197765677}}
{"date_created": "2018-07-24T00:00:00", "sigma_rule_path": "es/windows/powershell/powershell_ntfs_ads_access.yml", "date_modified": null, "description": "Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.", "references": ["http://www.powertheshell.com/ntfsstreams/"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "8c521530-5169-495d-a199-0a3a881ad24e", "technique": ["T1096: NTFS File Attributes"], "raw_detection_rule": "detection:\n condition: keyword1 and keyword2\n keyword1:\n - set-content\n keyword2:\n - -stream\n", "detection_rule_title": "NTFS Alternate Data Stream", "detection_rule_author": "Sami Ruohonen", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-PowerShell/Operational"], "provider": ["Microsoft-Windows-PowerShell"], "data_needed": ["DN_0037_4103_windows_powershell_executing_pipeline", "DN_0036_4104_windows_powershell_script_block"], "logging_policy": ["LP_0108_windows_powershell_module_logging", "LP_0109_windows_powershell_script_block_logging"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 4556681429616557033}}
{"date_created": "2020-03-26T00:00:00", "sigma_rule_path": "es/windows/powershell/powershell_wmimplant.yml", "date_modified": null, "description": "Detects parameters used by WMImplant", "references": ["https://github.com/FortyNorthSecurity/WMImplant"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "8028c2c3-e25a-46e3-827f-bbb5abf181d7", "technique": ["T1047: Windows Management Instrumentation"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n ScriptBlockText|contains:\n - WMImplant\n - ' change_user '\n - ' gen_cli '\n - ' command_exec '\n - ' disable_wdigest '\n - ' disable_winrm '\n - ' enable_wdigest '\n - ' enable_winrm '\n - ' registry_mod '\n - ' remote_posh '\n - ' sched_job '\n - ' service_mod '\n - ' process_kill '\n - ' active_users '\n - ' basic_info '\n - ' power_off '\n - ' vacant_system '\n - ' logon_events '\n", "detection_rule_title": "WMImplant Hack Tool", "detection_rule_author": "NVISO", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-PowerShell/Operational"], "provider": ["Microsoft-Windows-PowerShell"], "data_needed": ["DN_0036_4104_windows_powershell_script_block"], "logging_policy": ["LP_0109_windows_powershell_script_block_logging"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 9132288405967767094}}
{"date_created": "2019-08-10T00:00:00", "sigma_rule_path": "es/windows/powershell/powershell_remote_powershell_session.yml", "date_modified": "2019-11-10T00:00:00", "description": "Detects remote PowerShell sessions", "references": ["https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "96b9f619-aa91-478f-bacb-c3e50f8df575", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID:\n - 4103\n - 400\n HostApplication|contains: wsmprovhost.exe\n HostName: ServerRemoteHost\n", "detection_rule_title": "Remote PowerShell Session", "detection_rule_author": "Roberto Rodriguez @Cyb3rWard0g", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-PowerShell/Operational"], "provider": ["Microsoft-Windows-PowerShell"], "data_needed": ["DN_0037_4103_windows_powershell_executing_pipeline"], "logging_policy": ["LP_0108_windows_powershell_module_logging"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 1114909398277422451}}
{"date_created": "2017-04-09T00:00:00", "sigma_rule_path": "es/windows/powershell/powershell_prompt_credentials.yml", "date_modified": null, "description": "Detects PowerShell calling a credential prompt", "references": ["https://twitter.com/JohnLaTwC/status/850381440629981184", "https://t.co/ezOTGy1a1G"], "customer": ["None"], "tactic": ["TA0002: Execution", "TA0006: Credential Access"], "dr_id": "ca8b77a9-d499-4095-b793-5d5f330d450e", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: all of them\n keyword:\n Message:\n - '*PromptForCredential*'\n selection:\n EventID: 4104\n", "detection_rule_title": "PowerShell Credential Prompt", "detection_rule_author": "John Lambert (idea), Florian Roth (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-PowerShell/Operational"], "provider": ["Microsoft-Windows-PowerShell"], "data_needed": ["DN_0036_4104_windows_powershell_script_block"], "logging_policy": ["LP_0109_windows_powershell_script_block_logging"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -3273210644080287515}}
{"date_created": "2019-05-16T00:00:00", "sigma_rule_path": "es/windows/powershell/powershell_nishang_malicious_commandlets.yml", "date_modified": null, "description": "Detects Commandlet names and arguments from the Nishang exploitation framework", "references": ["https://github.com/samratashok/nishang"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "f772cee9-b7c2-4cb2-8f07-49870adc02e0", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: keywords\n keywords:\n - Add-ConstrainedDelegationBackdoor\n - Set-DCShadowPermissions\n - DNS_TXT_Pwnage\n - Execute-OnTime\n - HTTP-Backdoor\n - Set-RemotePSRemoting\n - Set-RemoteWMI\n - Invoke-AmsiBypass\n - Out-CHM\n - Out-HTA\n - Out-SCF\n - Out-SCT\n - Out-Shortcut\n - Out-WebQuery\n - Out-Word\n - Enable-Duplication\n - Remove-Update\n - Download-Execute-PS\n - Download_Execute\n - Execute-Command-MSSQL\n - Execute-DNSTXT-Code\n - Out-RundllCommand\n - Copy-VSS\n - FireBuster\n - FireListener\n - Get-Information\n - Get-PassHints\n - Get-WLAN-Keys\n - Get-Web-Credentials\n - Invoke-CredentialsPhish\n - Invoke-MimikatzWDigestDowngrade\n - Invoke-SSIDExfil\n - Invoke-SessionGopher\n - Keylogger\n - Invoke-Interceptor\n - Create-MultipleSessions\n - Invoke-NetworkRelay\n - Run-EXEonRemote\n - Invoke-Prasadhak\n - Invoke-BruteForce\n - Password-List\n - Invoke-JSRatRegsvr\n - Invoke-JSRatRundll\n - Invoke-PoshRatHttps\n - Invoke-PowerShellIcmp\n - Invoke-PowerShellUdp\n - Invoke-PSGcat\n - Invoke-PsGcatAgent\n - Remove-PoshRat\n - Add-Persistance\n - ExetoText\n - Invoke-Decode\n - Invoke-Encode\n - Parse_Keys\n - Remove-Persistence\n - StringtoBase64\n - TexttoExe\n - Powerpreter\n - Nishang\n - EncodedData\n - DataToEncode\n - LoggedKeys\n - OUT-DNSTXT\n - Jitter\n - ExfilOption\n - Tamper\n - DumpCerts\n - DumpCreds\n - Shellcode32\n - Shellcode64\n - NotAllNameSpaces\n - exfill\n - FakeDC\n - Exploit\n", "detection_rule_title": "Malicious Nishang PowerShell Commandlets", "detection_rule_author": "Alec Costello", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-PowerShell/Operational"], "provider": ["Microsoft-Windows-PowerShell"], "data_needed": ["DN_0037_4103_windows_powershell_executing_pipeline", "DN_0036_4104_windows_powershell_script_block"], "logging_policy": ["LP_0108_windows_powershell_module_logging", "LP_0109_windows_powershell_script_block_logging"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -558821761251722140}}
{"date_created": "2017-03-05T00:00:00", "sigma_rule_path": "es/windows/powershell/powershell_exe_calling_ps.yml", "date_modified": null, "description": "Detects PowerShell called from an executable by the version mismatch method", "references": ["https://adsecurity.org/?p=2921"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "dr_id": "c70e019b-1479-4b65-b0cc-cd0c6093a599", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: selection1\n selection1:\n EngineVersion:\n - 2.*\n - 4.*\n - 5.*\n EventID: 400\n HostVersion: 3.*\n", "detection_rule_title": "PowerShell Called from an Executable Version Mismatch", "detection_rule_author": "Sean Metcalf (source), Florian Roth (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Windows PowerShell"], "provider": ["PowerShell"], "data_needed": ["DN_0038_400_engine_state_is_changed_from_none_to_available"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 8973445727230499228}}
{"date_created": "2017-03-12T00:00:00", "sigma_rule_path": "es/windows/powershell/powershell_suspicious_invocation_generic.yml", "date_modified": null, "description": "Detects suspicious PowerShell invocation command parameters", "references": "not defined", "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "3d304fda-78aa-43ed-975c-d740798a49c1", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: all of them\n encoded:\n - ' -enc '\n - ' -EncodedCommand '\n hidden:\n - ' -w hidden '\n - ' -window hidden '\n - ' -windowstyle hidden '\n noninteractive:\n - ' -noni '\n - ' -noninteractive '\n", "detection_rule_title": "Suspicious PowerShell Invocations - Generic", "detection_rule_author": "Florian Roth (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-PowerShell/Operational"], "provider": ["Microsoft-Windows-PowerShell"], "data_needed": ["DN_0037_4103_windows_powershell_executing_pipeline", "DN_0036_4104_windows_powershell_script_block"], "logging_policy": ["LP_0108_windows_powershell_module_logging", "LP_0109_windows_powershell_script_block_logging"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -7470792106738892951}}
{"date_created": "2018-11-17T00:00:00", "sigma_rule_path": "es/windows/powershell/powershell_shellcode_b64.yml", "date_modified": null, "description": "Detects Base64 encoded Shellcode", "references": ["https://twitter.com/cyb3rops/status/1063072865992523776"], "customer": ["None"], "tactic": ["TA0004: Privilege Escalation", "TA0002: Execution"], "dr_id": "16b37b70-6fcf-4814-a092-c36bd3aafcbd", "technique": ["T1055: Process Injection", "T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: selection and keyword1 and keyword2\n keyword1:\n - '*AAAAYInlM*'\n keyword2:\n - '*OiCAAAAYInlM*'\n - '*OiJAAAAYInlM*'\n selection:\n EventID: 4104\n", "detection_rule_title": "PowerShell ShellCode", "detection_rule_author": "David Ledbetter (shellcode), Florian Roth (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-PowerShell/Operational"], "provider": ["Microsoft-Windows-PowerShell"], "data_needed": ["DN_0036_4104_windows_powershell_script_block"], "logging_policy": ["LP_0109_windows_powershell_script_block_logging"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 924121772911498443}}
{"date_created": "2017-03-05T00:00:00", "sigma_rule_path": "es/windows/powershell/powershell_malicious_keywords.yml", "date_modified": "2019-01-22T00:00:00", "description": "Detects keywords from well-known PowerShell exploitation frameworks", "references": ["https://adsecurity.org/?p=2921"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "f62176f3-8128-4faa-bf6c-83261322e5eb", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: keywords\n keywords:\n Message:\n - '*AdjustTokenPrivileges*'\n - '*IMAGE_NT_OPTIONAL_HDR64_MAGIC*'\n - '*Microsoft.Win32.UnsafeNativeMethods*'\n - '*ReadProcessMemory.Invoke*'\n - '*SE_PRIVILEGE_ENABLED*'\n - '*LSA_UNICODE_STRING*'\n - '*MiniDumpWriteDump*'\n - '*PAGE_EXECUTE_READ*'\n - '*SECURITY_DELEGATION*'\n - '*TOKEN_ADJUST_PRIVILEGES*'\n - '*TOKEN_ALL_ACCESS*'\n - '*TOKEN_ASSIGN_PRIMARY*'\n - '*TOKEN_DUPLICATE*'\n - '*TOKEN_ELEVATION*'\n - '*TOKEN_IMPERSONATE*'\n - '*TOKEN_INFORMATION_CLASS*'\n - '*TOKEN_PRIVILEGES*'\n - '*TOKEN_QUERY*'\n - '*Metasploit*'\n - '*Mimikatz*'\n", "detection_rule_title": "Malicious PowerShell Keywords", "detection_rule_author": "Sean Metcalf (source), Florian Roth (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -7642506280216695032}}
{"date_created": "2019-10-24T00:00:00", "sigma_rule_path": "es/windows/powershell/powershell_suspicious_profile_create.yml", "date_modified": "2020-04-03T00:00:00", "description": "Detects a change in profile.ps1 of the Powershell profile", "references": ["https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/"], "customer": ["None"], "tactic": ["TA0003: Persistence", "TA0004: Privilege Escalation"], "dr_id": "b5b78988-486d-4a80-b991-930eff3ff8bf", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: event and (target1 or target2)\n event:\n EventID: 11\n target1:\n TargetFilename|contains|all:\n - \\My Documents\\PowerShell\\\n - \\profile.ps1\n target2:\n TargetFilename|contains|all:\n - C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\\n - \\profile.ps1\n", "detection_rule_title": "Powershell Profile.ps1 Modification", "detection_rule_author": "HieuTT35", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0015_11_windows_sysmon_FileCreate"], "logging_policy": ["LP_0008_windows_sysmon_FileCreate"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -1373726215360456750}}
{"date_created": "2019-10-24T00:00:00", "sigma_rule_path": "es/windows/powershell/powershell_dnscat_execution.yml", "date_modified": null, "description": "Dnscat exfiltration tool execution", "references": "not defined", "customer": ["None"], "tactic": ["TA0010: Exfiltration"], "dr_id": "a6d67db4-6220-436d-8afc-f3842fe05d43", "technique": ["T1048: Exfiltration Over Alternative Protocol"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 4104\n ScriptBlockText|contains: Start-Dnscat2\n", "detection_rule_title": "Dnscat Execution", "detection_rule_author": "Daniil Yugoslavskiy, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-PowerShell/Operational"], "provider": ["Microsoft-Windows-PowerShell"], "data_needed": ["DN_0036_4104_windows_powershell_script_block"], "logging_policy": ["LP_0109_windows_powershell_script_block_logging"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 1412546016066655461}}
{"date_created": "2017-03-05T00:00:00", "sigma_rule_path": "es/windows/powershell/powershell_psattack.yml", "date_modified": null, "description": "Detects the use of PSAttack PowerShell hack tool", "references": ["https://adsecurity.org/?p=2921"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: all of them\n keyword:\n - PS ATTACK!!!\n selection:\n EventID: 4103\n", "detection_rule_title": "PowerShell PSAttack", "detection_rule_author": "Sean Metcalf (source), Florian Roth (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-PowerShell/Operational"], "provider": ["Microsoft-Windows-PowerShell"], "data_needed": ["DN_0037_4103_windows_powershell_executing_pipeline"], "logging_policy": ["LP_0108_windows_powershell_module_logging"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 7742600996266530392}}
{"date_created": "2017-03-05T00:00:00", "sigma_rule_path": "es/windows/powershell/powershell_suspicious_invocation_specific.yml", "date_modified": null, "description": "Detects suspicious PowerShell invocation command parameters", "references": "not defined", "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "fce5f582-cc00-41e1-941a-c6fabf0fdb8c", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: keywords\n keywords:\n Message:\n - '* -nop -w hidden -c * [Convert]::FromBase64String*'\n - '* -w hidden -noni -nop -c \"iex(New-Object*'\n - '* -w hidden -ep bypass -Enc*'\n - '*powershell.exe reg add HKCU\\software\\microsoft\\windows\\currentversion\\run*'\n - '*bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download*'\n - '*iex(New-Object Net.WebClient).Download*'\n", "detection_rule_title": "Suspicious PowerShell Invocations - Specific", "detection_rule_author": "Florian Roth (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -5691770769425221876}}
{"date_created": "2019-10-21T00:00:00", "sigma_rule_path": "es/windows/powershell/powershell_data_compressed.yml", "date_modified": "2019-11-04T00:00:00", "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml"], "customer": ["None"], "tactic": ["TA0010: Exfiltration"], "dr_id": "6dc5d284-69ea-42cf-9311-fb1c3932a69a", "technique": ["T1002: Data Compressed"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 4104\n keywords|contains|all:\n - -Recurse\n - '|'\n - Compress-Archive\n", "detection_rule_title": "Data Compressed - Powershell", "detection_rule_author": "Timur Zinniatullin, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-PowerShell/Operational"], "provider": ["Microsoft-Windows-PowerShell"], "data_needed": ["DN_0036_4104_windows_powershell_script_block"], "logging_policy": ["LP_0109_windows_powershell_script_block_logging"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 5436013956493964194}}
{"date_created": "2019-08-11T00:00:00", "sigma_rule_path": "es/windows/powershell/powershell_alternate_powershell_hosts.yml", "date_modified": "2020-02-25T00:00:00", "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", "references": ["https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "64e8e417-c19a-475a-8d19-98ea705394cc", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n - ContextInfo: powershell.exe\n - Message: powershell.exe\n selection:\n ContextInfo: '*'\n EventID:\n - 4103\n - 400\n", "detection_rule_title": "Alternate PowerShell Hosts", "detection_rule_author": "Roberto Rodriguez @Cyb3rWard0g", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-PowerShell/Operational"], "provider": ["Microsoft-Windows-PowerShell"], "data_needed": ["DN_0037_4103_windows_powershell_executing_pipeline"], "logging_policy": ["LP_0108_windows_powershell_module_logging"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -6961740085831724971}}
{"date_created": "2019-10-21T00:00:00", "sigma_rule_path": "es/windows/powershell/powershell_winlogon_helper_dll.yml", "date_modified": "2019-11-04T00:00:00", "description": "Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\\Software[Wow6432Node]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1004/T1004.yaml"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "851c506b-6b7c-4ce2-8802-c703009d03c0", "technique": ["T1004: Winlogon Helper DLL"], "raw_detection_rule": "detection:\n condition: selection and ( keyword1 and keyword2 )\n keyword1:\n - '*Set-ItemProperty*'\n - '*New-Item*'\n keyword2:\n - '*CurrentVersion\\Winlogon*'\n selection:\n EventID: 4104\n", "detection_rule_title": "Winlogon Helper DLL", "detection_rule_author": "Timur Zinniatullin, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-PowerShell/Operational"], "provider": ["Microsoft-Windows-PowerShell"], "data_needed": ["DN_0036_4104_windows_powershell_script_block"], "logging_policy": ["LP_0109_windows_powershell_script_block_logging"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -6558380244596122783}}
{"date_created": "2020-04-11T00:00:00", "sigma_rule_path": "es/windows/powershell/powershell_create_local_user.yml", "date_modified": null, "description": "Detects creation of a local user via PowerShell", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"], "customer": ["None"], "tactic": ["TA0002: Execution", "TA0003: Persistence"], "dr_id": "243de76f-4725-4f2e-8225-a8a69b15ad61", "technique": ["T1086: PowerShell", "T1136: Create Account"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 4104\n Message|contains:\n - New-LocalUser\n", "detection_rule_title": "PowerShell Create Local User", "detection_rule_author": "@ROxPinTeddy", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-PowerShell/Operational"], "provider": ["Microsoft-Windows-PowerShell"], "data_needed": ["DN_0036_4104_windows_powershell_script_block"], "logging_policy": ["LP_0109_windows_powershell_script_block_logging"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -7748923761419588914}}
{"date_created": "2019-10-25T00:00:00", "sigma_rule_path": "es/windows/powershell/powershell_clear_powershell_history.yml", "date_modified": null, "description": "Detects keywords that could indicate clearing PowerShell history", "references": ["https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "dfba4ce1-e0ea-495f-986e-97140f31af2d", "technique": ["T1146: Clear Command History"], "raw_detection_rule": "detection:\n condition: keywords\n keywords:\n - del (Get-PSReadlineOption).HistorySavePath\n - \"Set-PSReadlineOption \\u2013HistorySaveStyle SaveNothing\"\n - Remove-Item (Get-PSReadlineOption).HistorySavePath\n - rm (Get-PSReadlineOption).HistorySavePath\n", "detection_rule_title": "Clear PowerShell History", "detection_rule_author": "Ilyas Ochkov, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-PowerShell/Operational"], "provider": ["Microsoft-Windows-PowerShell"], "data_needed": ["DN_0037_4103_windows_powershell_executing_pipeline", "DN_0036_4104_windows_powershell_script_block"], "logging_policy": ["LP_0108_windows_powershell_module_logging", "LP_0109_windows_powershell_script_block_logging"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -3042481114765232638}}
{"date_created": "2019-10-24T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_interactive_at.yml", "date_modified": "2019-11-11T00:00:00", "description": "Detect an interactive AT job, which may be used as a form of privilege escalation", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.yaml", "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html"], "customer": ["None"], "tactic": ["TA0004: Privilege Escalation"], "dr_id": "60fc936d-2eb0-4543-8a13-911c750a1dfc", "technique": ["T1053: Scheduled Task"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|contains: interactive\n Image|endswith: \\at.exe\nfields:\n- ComputerName\n- User\n- CommandLine\n", "detection_rule_title": "Interactive AT Job", "detection_rule_author": "E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -5302061867524373662}}
{"date_created": "2018-03-07T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_wmi_persistence_script_event_consumer.yml", "date_modified": null, "description": "Detects WMI script event consumers", "references": ["https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/"], "customer": ["None"], "tactic": ["TA0002: Execution", "TA0003: Persistence"], "dr_id": "ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e", "technique": ["T1047: Windows Management Instrumentation"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Image: C:\\WINDOWS\\system32\\wbem\\scrcons.exe\n ParentImage: C:\\Windows\\System32\\svchost.exe\n", "detection_rule_title": "WMI Persistence - Script Event Consumer", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 6900525133688292445}}
{"date_created": "2019-01-16T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_script_execution.yml", "date_modified": null, "description": "Detects suspicious file execution by wscript and cscript", "references": "not defined", "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "1e33157c-53b1-41ad-bbcc-780b80b58288", "technique": ["T1064: Scripting"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - '*.jse'\n - '*.vbe'\n - '*.js'\n - '*.vba'\n Image:\n - '*\\wscript.exe'\n - '*\\cscript.exe'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "WSF/JSE/JS/VBA/VBE File Execution", "detection_rule_author": "Michael Haag", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 823820362638483036}}
{"date_created": "2020-02-01T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml", "date_modified": null, "description": "Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities", "references": ["https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "3121461b-5aa0-4a41-b910-66d25524edbb", "technique": ["T1073: DLL Side-Loading"], "raw_detection_rule": "detection:\n condition: 1 of them\n selection1:\n Image|startswith: C:\\ProgramData\\DRM\n ParentImage|contains:\n - C:\\Windows\\Temp\n - \\hpqhvind.exe\n selection2:\n Image|endswith: \\wmplayer.exe\n ParentImage|startswith: C:\\ProgramData\\DRM\n selection3:\n Image|endswith: \\wmplayer.exe\n ParentImage|endswith: \\Test.exe\n selection4:\n Image: C:\\ProgramData\\DRM\\CLR\\CLR.exe\n selection5:\n Image|endswith: \\SearchFilterHost.exe\n ParentImage|startswith: C:\\ProgramData\\DRM\\Windows\n", "detection_rule_title": "Winnti Malware HK University Campaign", "detection_rule_author": "Florian Roth, Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 6440569417376291990}}
{"date_created": "2019-12-16T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_malware_ryuk.yml", "date_modified": null, "description": "Detects Ryuk ransomware activity", "references": ["https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "c37510b8-2107-4b78-aa32-72f251e7a844", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|contains|all:\n - Microsoft\\Windows\\CurrentVersion\\Run\n - C:\\users\\Public\\\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Ryuk Ransomware", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 9076082300926412496}}
{"date_created": "2018-09-05T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_powershell_xor_commandline.yml", "date_modified": null, "description": "Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands.", "references": "not defined", "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "bb780e0c-16cf-4383-8383-1e5471db6cf9", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - '* -bxor*'\n", "detection_rule_title": "Suspicious XOR Encoded PowerShell Command Line", "detection_rule_author": "Sami Ruohonen", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -6516671125183259181}}
{"date_created": "2019-01-16T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_powershell_parent_combo.yml", "date_modified": null, "description": "Detects suspicious powershell invocations from interpreters or unusual programs", "references": ["https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "95eadcb2-92e4-4ed1-9031-92547773a6db", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: selection and not falsepositive\n falsepositive:\n CurrentDirectory: '*\\Health Service State\\\\*'\n selection:\n Image:\n - '*\\powershell.exe'\n ParentImage:\n - '*\\wscript.exe'\n - '*\\cscript.exe'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Suspicious PowerShell Invocation Based on Parent Process", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 4918611757283141932}}
{"date_created": "2019-10-15T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_compression_params.yml", "date_modified": null, "description": "Detects suspicious command line arguments of common data compression tools", "references": ["https://twitter.com/SBousseaden/status/1184067445612535811"], "customer": ["None"], "tactic": ["TA0010: Exfiltration"], "dr_id": "27a72a60-7e5e-47b1-9d17-909c9abafdcd", "technique": ["T1020: Automated Exfiltration", "T1002: Data Compressed"], "raw_detection_rule": "detection:\n condition: selection and not falsepositive\n falsepositive:\n ParentImage: C:\\Program*\n selection:\n CommandLine:\n - '* -p*'\n - '* -ta*'\n - '* -tb*'\n - '* -sdel*'\n - '* -dw*'\n - '* -hp*'\n OriginalFileName:\n - 7z*.exe\n - '*rar.exe'\n - '*Command*Line*RAR*'\n", "detection_rule_title": "Suspicious Compression Tool Parameters", "detection_rule_author": "Florian Roth, Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -898589825526157635}}
{"date_created": "2019-01-16T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_wmi_execution.yml", "date_modified": null, "description": "Detects WMI executing suspicious commands", "references": ["https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/", "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1", "https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "526be59f-a573-4eea-b5f7-f0973207634d", "technique": ["T1047: Windows Management Instrumentation"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - '*/NODE:*process call create *'\n - '* path AntiVirusProduct get *'\n - '* path FirewallProduct get *'\n - '* shadowcopy delete *'\n Image:\n - '*\\wmic.exe'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Suspicious WMI Execution", "detection_rule_author": "Michael Haag, Florian Roth, juju4", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -6835531613813412859}}
{"date_created": "2019-10-21T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_service_path_modification.yml", "date_modified": "2019-11-10T00:00:00", "description": "Detects service path modification to powershell/cmd", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1031/T1031.yaml"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "138d3531-8793-4f50-a2cd-f291b2863d78", "technique": ["T1031: Modify Existing Service"], "raw_detection_rule": "detection:\n condition: selection_1 and selection_2\n selection_1:\n CommandLine|contains|all:\n - config\n - binpath\n Image|endswith: \\sc.exe\n selection_2:\n CommandLine|contains:\n - powershell\n - cmd\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Suspicious Service Path Modification", "detection_rule_author": "Victor Sergeev, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 147077968460725556}}
{"date_created": "2019-09-03T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_impacket_lateralization.yml", "date_modified": null, "description": "Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework", "references": ["https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py", "https://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py", "https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py", "https://github.com/SecureAuthCorp/impacket/blob/master/examples/dcomexec.py"], "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "dr_id": "10c14723-61c7-4c75-92ca-9af245723ad2", "technique": ["T1047: Windows Management Instrumentation", "T1175: Component Object Model and Distributed COM"], "raw_detection_rule": "detection:\n condition: (1 of selection_*)\n selection_atexec:\n CommandLine:\n - cmd.exe /C *Windows\\\\Temp\\\\*&1\n ParentCommandLine:\n - '*svchost.exe -k netsvcs'\n - taskeng.exe*\n selection_other:\n CommandLine:\n - '*cmd.exe* /Q /c * \\\\\\\\127.0.0.1\\\\*&1*'\n ParentImage:\n - '*\\wmiprvse.exe'\n - '*\\mmc.exe'\n - '*\\explorer.exe'\n - '*\\services.exe'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Impacket Lateralization Detection", "detection_rule_author": "Ecco", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 7833708778981030363}}
{"date_created": "2019-10-25T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml", "date_modified": "2019-11-10T00:00:00", "description": "Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "24357373-078f-44ed-9ac4-6d334a668a11", "technique": ["T1060: Registry Run Keys / Startup Folder"], "raw_detection_rule": "detection:\n condition: selection_1 and selection_2\n selection_1:\n CommandLine|contains: add\n Image|endswith: '*\\reg.exe'\n selection_2:\n CommandLine|contains:\n - \\software\\Microsoft\\Windows\\CurrentVersion\\Run\n - \\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n - \\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\n - \\software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n - \\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\n - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\n - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\n - \\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n - \\system\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Direct Autorun Keys Modification", "detection_rule_author": "Victor Sergeev, Daniil Yugoslavskiy, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 1918014436841563149}}
{"date_created": "2018-03-18T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_taskmgr_localsystem.yml", "date_modified": null, "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM", "references": "not defined", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "9fff585c-c33e-4a86-b3cd-39312079a65f", "technique": ["T1036: Masquerading"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Image: '*\\taskmgr.exe'\n User: NT AUTHORITY\\SYSTEM\n", "detection_rule_title": "Taskmgr as LOCAL_SYSTEM", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -1104979916929958356}}
{"date_created": "2019-06-03T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml", "date_modified": null, "description": "Detection of child processes spawned with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level", "references": ["https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment"], "customer": ["None"], "tactic": ["TA0004: Privilege Escalation"], "dr_id": "8065b1b4-1778-4427-877f-6bf948b26d38", "technique": ["T1068: Exploitation for Privilege Escalation"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n IntegrityLevel: System\n ParentIntegrityLevel: Medium\n User: NT AUTHORITY\\SYSTEM\nenrichment:\n- EN_0001_cache_sysmon_event_id_1_info\n- EN_0002_enrich_sysmon_event_id_1_with_parent_info\n", "detection_rule_title": "Windows Kernel and 3rd-Party Drivers Exploits Token Stealing", "detection_rule_author": "Teymur Kheirkhabarov (source), Daniil Yugoslavskiy (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["EN_0001_cache_sysmon_event_id_1_info", "EN_0002_enrich_sysmon_event_id_1_with_parent_info"], "enrichment_requirements": ["not defined", ["EN_0001_cache_sysmon_event_id_1_info"]]}
{"index": {"_id": 4082107377804913450}}
{"date_created": "2018-08-17T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_powershell_amsi_bypass.yml", "date_modified": null, "description": "Detects Request to amsiInitFailed that can be used to disable AMSI Scanning", "references": ["https://twitter.com/mattifestation/status/735261176745988096", "https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120"], "customer": ["None"], "tactic": ["TA0002: Execution", "TA0005: Defense Evasion"], "dr_id": "30edb182-aa75-42c0-b0a9-e998bb29067c", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: selection1 and selection2\n selection1:\n CommandLine:\n - '*System.Management.Automation.AmsiUtils*'\n selection2:\n CommandLine:\n - '*amsiInitFailed*'\n", "detection_rule_title": "Powershell AMSI Bypass via .NET Reflection", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -4345888420140551093}}
{"date_created": "2019-01-16T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_net_execution.yml", "date_modified": null, "description": "Detects execution of Net.exe, whether suspicious or benign.", "references": ["https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/", "https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html", "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html", "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html"], "customer": ["None"], "tactic": ["TA0008: Lateral Movement", "TA0007: Discovery", "TA0005: Defense Evasion"], "dr_id": "183e7ea8-ac4b-4c23-9aec-b3dac4e401ac", "technique": ["T1027: Obfuscated Files or Information", "T1049: System Network Connections Discovery", "T1077: Windows Admin Shares", "T1135: Network Share Discovery"], "raw_detection_rule": "detection:\n cmdline:\n CommandLine:\n - '* group*'\n - '* localgroup*'\n - '* user*'\n - '* view*'\n - '* share'\n - '* accounts*'\n - '* use*'\n - '* stop *'\n condition: selection and cmdline\n selection:\n Image:\n - '*\\net.exe'\n - '*\\net1.exe'\nfields:\n- ComputerName\n- User\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Net.exe Execution", "detection_rule_author": "Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 1424152256549153930}}
{"date_created": "2019-10-22T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_mimikatz_command_line.yml", "date_modified": null, "description": "Detection well-known mimikatz command line arguments", "references": ["https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "a642964e-bead-4bed-8910-1bb4d63e3b4d", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection_1 or selection_2 and selection_3\n selection_1:\n CommandLine|contains:\n - DumpCreds\n - invoke-mimikatz\n selection_2:\n CommandLine|contains:\n - rpc\n - token\n - crypto\n - dpapi\n - sekurlsa\n - kerberos\n - lsadump\n - privilege\n - process\n selection_3:\n CommandLine|contains:\n - '::'\n", "detection_rule_title": "Mimikatz Command Line", "detection_rule_author": "Teymur Kheirkhabarov, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 2261712407754659033}}
{"date_created": "2019-01-16T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_workflow_compiler.yml", "date_modified": null, "description": "Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.", "references": ["https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "dr_id": "419dbf2b-8a9b-4bea-bf99-7544b050ec8d", "technique": ["T1127: Trusted Developer Utilities"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Image: '*\\Microsoft.Workflow.Compiler.exe'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Microsoft Workflow Compiler", "detection_rule_author": "Nik Seetharaman", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0001_4688_windows_process_creation", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 546493794302932261}}
{"date_created": "2019-01-16T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_malware_notpetya.yml", "date_modified": null, "description": "Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil", "references": ["https://securelist.com/schroedingers-petya/78870/", "https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100"], "customer": ["None"], "tactic": ["TA0002: Execution", "TA0006: Credential Access", "TA0005: Defense Evasion"], "dr_id": "79aeeb41-8156-4fac-a0cd-076495ab82a1", "technique": ["T1085: Rundll32", "T1070: Indicator Removal on Host", "T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: 1 of them\n perfc_keyword:\n - '*\\perfc.dat*'\n pipe_com:\n CommandLine: '*\\AppData\\Local\\Temp\\\\* \\\\.\\pipe\\\\*'\n rundll32_dash1:\n CommandLine: '*.dat,#1'\n Image: '*\\rundll32.exe'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "NotPetya Ransomware Activity", "detection_rule_author": "Florian Roth, Tom Ueltschi", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -9006045960584408077}}
{"date_created": "2018-03-13T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_psexesvc_start.yml", "date_modified": "2012-12-11T00:00:00", "description": "Detects a PsExec service start", "references": "not defined", "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "3ede524d-21cc-472d-a3ce-d21b568d8db7", "technique": ["T1035: Service Execution"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n ProcessCommandLine: C:\\Windows\\PSEXESVC.exe\n", "detection_rule_title": "PsExec Service Start", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -1008313325953303609}}
{"date_created": "2019-01-16T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_multiple_suspicious_cli.yml", "date_modified": null, "description": "Detects multiple suspicious process in a limited timeframe", "references": ["https://car.mitre.org/wiki/CAR-2013-04-002"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "61ab5496-748e-4818-a92f-de78e20fe7f1", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection | count() by MachineName > 5\n selection:\n CommandLine:\n - arp.exe\n - at.exe\n - attrib.exe\n - cscript.exe\n - dsquery.exe\n - hostname.exe\n - ipconfig.exe\n - mimikatz.exe\n - nbtstat.exe\n - net.exe\n - netsh.exe\n - nslookup.exe\n - ping.exe\n - quser.exe\n - qwinsta.exe\n - reg.exe\n - runas.exe\n - sc.exe\n - schtasks.exe\n - ssh.exe\n - systeminfo.exe\n - taskkill.exe\n - telnet.exe\n - tracert.exe\n - wscript.exe\n - xcopy.exe\n - pscp.exe\n - copy.exe\n - robocopy.exe\n - certutil.exe\n - vssadmin.exe\n - powershell.exe\n - wevtutil.exe\n - psexec.exe\n - bcedit.exe\n - wbadmin.exe\n - icacls.exe\n - diskpart.exe\n timeframe: 5m\n", "detection_rule_title": "Quick Execution of a Series of Suspicious Commands", "detection_rule_author": "juju4", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -8639558399745327634}}
{"date_created": "2019-02-06T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_gup.yml", "date_modified": null, "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks", "references": ["https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "0a4f6091-223b-41f6-8743-f322ec84930b", "technique": ["T1073: DLL Side-Loading"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n Image:\n - C:\\Users\\\\*\\AppData\\Local\\Notepad++\\updater\\gup.exe\n - C:\\Users\\\\*\\AppData\\Roaming\\Notepad++\\updater\\gup.exe\n - C:\\Program Files\\Notepad++\\updater\\gup.exe\n - C:\\Program Files (x86)\\Notepad++\\updater\\gup.exe\n selection:\n Image: '*\\GUP.exe'\n", "detection_rule_title": "Suspicious GUP Usage", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0001_4688_windows_process_creation", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 780721338435780736}}
{"date_created": "2019-10-12T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_psr_capture_screenshots.yml", "date_modified": "2019-11-04T00:00:00", "description": "The psr.exe captures desktop screenshots and saves them on the local machine", "references": ["https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Psr.yml", "https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "2158f96f-43c2-43cb-952a-ab4580f32382", "technique": ["T1218: Signed Binary Proxy Execution"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|contains: /start\n Image|endswith: \\Psr.exe\n", "detection_rule_title": "Psr.exe Capture Screenshots", "detection_rule_author": "Beyu Denis, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 1620652771138530219}}
{"date_created": "2018-01-01T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_process_creations.yml", "date_modified": "2019-11-01T00:00:00", "description": "Detects suspicious process starts on Windows systems based on keywords", "references": ["https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/", "https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s", "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/", "https://twitter.com/subTee/status/872244674609676288", "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples", "https://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html", "https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/", "https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html", "https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat", "https://twitter.com/vector_sec/status/896049052642533376", "http://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "5f0f47a5-cb16-4dbe-9e31-e8d976d73de3", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - '* sekurlsa:*'\n - net localgroup administrators * /add\n - net group \"Domain Admins\" * /ADD /DOMAIN\n - certutil.exe *-urlcache* http*\n - certutil.exe *-urlcache* ftp*\n - netsh advfirewall firewall *\\AppData\\\\*\n - attrib +S +H +R *\\AppData\\\\*\n - schtasks* /create *\\AppData\\\\*\n - schtasks* /sc minute*\n - '*\\Regasm.exe *\\AppData\\\\*'\n - '*\\Regasm *\\AppData\\\\*'\n - '*\\bitsadmin* /transfer*'\n - '*\\certutil.exe * -decode *'\n - '*\\certutil.exe * -decodehex *'\n - '*\\certutil.exe -ping *'\n - icacls * /grant Everyone:F /T /C /Q\n - '* wbadmin.exe delete catalog -quiet*'\n - '*\\wscript.exe *.jse'\n - '*\\wscript.exe *.js'\n - '*\\wscript.exe *.vba'\n - '*\\wscript.exe *.vbe'\n - '*\\cscript.exe *.jse'\n - '*\\cscript.exe *.js'\n - '*\\cscript.exe *.vba'\n - '*\\cscript.exe *.vbe'\n - '*\\fodhelper.exe'\n - '*waitfor*/s*'\n - '*waitfor*/si persist*'\n - '*remote*/s*'\n - '*remote*/c*'\n - '*remote*/q*'\n - '*AddInProcess*'\n - '* /stext *'\n - '* /scomma *'\n - '* /stab *'\n - '* /stabular *'\n - '* /shtml *'\n - '* /sverhtml *'\n - '* /sxml *'\nfields:\n- ComputerName\n- User\n- CommandLine\n", "detection_rule_title": "Suspicious Process Creation", "detection_rule_author": "Florian Roth, Daniil Yugoslavskiy, oscd.community (update)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -2000221921309844501}}
{"date_created": "2017-06-03T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_crime_fireball.yml", "date_modified": null, "description": "Detects Archer malware invocation via rundll32", "references": ["https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/", "https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100"], "customer": ["None"], "tactic": ["TA0002: Execution", "TA0005: Defense Evasion"], "dr_id": "3d4aebe0-6d29-45b2-a8a4-3dfde586a26d", "technique": ["T1059: Command-Line Interface", "T1085: Rundll32"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine: '*\\rundll32.exe *,InstallArcherSvc'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Fireball Archer Install", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -5961507593986792079}}
{"date_created": "2019-10-02T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_apt_bluemashroom.yml", "date_modified": null, "description": "Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report", "references": ["https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0", "technique": ["T1117: Regsvr32"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - '*\\regsvr32*\\AppData\\Local\\\\*'\n - '*\\AppData\\Local\\\\*,DllEntry*'\n", "detection_rule_title": "BlueMashroom DLL Load", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -2314821328309641184}}
{"date_created": "2019-01-16T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_sdbinst_shim_persistence.yml", "date_modified": null, "description": "Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.", "references": ["https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "517490a7-115a-48c6-8862-1a481504d5a8", "technique": ["T1138: Application Shimming"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - '*.sdb*'\n Image:\n - '*\\sdbinst.exe'\n", "detection_rule_title": "Possible Shim Database Persistence via sdbinst.exe", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 5118226312146387810}}
{"date_created": "2019-08-05T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_mmc_spawn_shell.yml", "date_modified": null, "description": "Detects a Windows command line executable started from MMC.", "references": "not defined", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "dr_id": "05a2ab7e-ce11-4b63-86db-ab32e763e11d", "technique": ["T1175: Component Object Model and Distributed COM"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Image:\n - '*\\cmd.exe'\n - '*\\powershell.exe'\n - '*\\wscript.exe'\n - '*\\cscript.exe'\n - '*\\sh.exe'\n - '*\\bash.exe'\n - '*\\reg.exe'\n - '*\\regsvr32.exe'\n - '*\\BITSADMIN*'\n ParentImage: '*\\mmc.exe'\nfields:\n- CommandLine\n- Image\n- ParentCommandLine\n", "detection_rule_title": "MMC Spawning Windows Shell", "detection_rule_author": "Karneades, Swisscom CSIRT", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 618379199350313030}}
{"date_created": "2017-08-15T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_svchost.yml", "date_modified": null, "description": "Detects a suspicious svchost process start", "references": "not defined", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "01d2e2a1-5f09-44f7-9fc1-24faa7479b6d", "technique": ["T1036: Masquerading"], "raw_detection_rule": "detection:\n condition: selection and not filter and not filter_null\n filter:\n ParentImage:\n - '*\\services.exe'\n - '*\\MsMpEng.exe'\n - '*\\Mrt.exe'\n - '*\\rpcnet.exe'\n - '*\\svchost.exe'\n filter_null:\n ParentImage: null\n selection:\n Image: '*\\svchost.exe'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Suspicious Svchost Process", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -1378554935516023575}}
{"date_created": "2019-01-29T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_netsh_fw_add.yml", "date_modified": null, "description": "Allow Incoming Connections by Port or Application on Windows Firewall", "references": ["https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)", "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf"], "customer": ["None"], "tactic": ["TA0008: Lateral Movement", "TA0011: Command and Control"], "dr_id": "cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c", "technique": ["T1090: Connection Proxy"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - '*netsh firewall add*'\n", "detection_rule_title": "Netsh", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -707949066251310430}}
{"date_created": "2019-10-22T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_shadow_copies_deletion.yml", "date_modified": null, "description": "Shadow Copies deletion using operating systems utilities", "references": ["https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://blog.talosintelligence.com/2017/05/wannacry.html", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/", "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/", "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0040: Impact"], "dr_id": "c947b146-0abc-4c87-9c64-b17e9d7274a2", "technique": ["T1070: Indicator Removal on Host", "T1490: Inhibit System Recovery"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|contains|all:\n - shadow\n - delete\n NewProcessName|endswith:\n - \\powershell.exe\n - \\wmic.exe\n - \\vssadmin.exe\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Shadow Copies Deletion Using Operating Systems Utilities", "detection_rule_author": "Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "stable", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 6039603917797248615}}
{"date_created": "2019-10-23T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_sysmon_driver_unload.yml", "date_modified": "2019-11-07T00:00:00", "description": "Detect possible Sysmon driver unload", "references": ["https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "4d7cda18-1b12-4e52-b45c-d28653210df8", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|contains|all:\n - unload\n - sys\n Image|endswith: \\fltmc.exe\nfields:\n- CommandLine\n- Details\n", "detection_rule_title": "Sysmon Driver Unload", "detection_rule_author": "Kirill Kiryanov, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 3058564876348592506}}
{"date_created": "2019-10-24T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_uac_fodhelper.yml", "date_modified": "2019-11-11T00:00:00", "description": "Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.", "references": ["https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1088/T1088.md"], "customer": ["None"], "tactic": ["TA0004: Privilege Escalation"], "dr_id": "7f741dcf-fc22-4759-87b4-9ae8376676a2", "technique": ["T1088: Bypass User Account Control"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n ParentImage|endswith: \\fodhelper.exe\nfields:\n- ComputerName\n- User\n- CommandLine\n", "detection_rule_title": "Bypass UAC via Fodhelper.exe", "detection_rule_author": "E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 7335892437125474128}}
{"date_created": "2017-04-07T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_apt_cloudhopper.yml", "date_modified": null, "description": "Detects suspicious file execution by wscript and cscript", "references": ["https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "966e4016-627f-44f7-8341-f394905c361f", "technique": ["T1064: Scripting"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine: '*.vbs /shell *'\n Image: '*\\cscript.exe'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "WMIExec VBS Script", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -2579241989965234103}}
{"date_created": "2019-10-24T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_tap_installer_execution.yml", "date_modified": null, "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques", "references": "not defined", "customer": ["None"], "tactic": ["TA0010: Exfiltration"], "dr_id": "99793437-3e16-439b-be0f-078782cf953d", "technique": ["T1048: Exfiltration Over Alternative Protocol"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Image|endswith: \\tapinstall.exe\n", "detection_rule_title": "Tap Installer Execution", "detection_rule_author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0001_4688_windows_process_creation", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 217625533211044016}}
{"date_created": "2020-01-12T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_hack_koadic.yml", "date_modified": null, "description": "Detects command line parameters used by Koadic hack tool", "references": ["https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/", "https://github.com/zerosum0x0/koadic/blob/master/data/stager/js/stdlib.js#L955", "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "5cddf373-ef00-4112-ad72-960ac29bac34", "technique": ["T1170: Mshta"], "raw_detection_rule": "detection:\n condition: selection1\n selection1:\n CommandLine:\n - '*cmd.exe* /q /c chcp *'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Koadic Execution", "detection_rule_author": "wagga", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 7172357557154958183}}
{"date_created": "2019-09-06T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_install_reg_debugger_backdoor.yml", "date_modified": null, "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).", "references": ["https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/"], "customer": ["None"], "tactic": ["TA0003: Persistence", "TA0004: Privilege Escalation"], "dr_id": "ae215552-081e-44c7-805f-be16f975c8a2", "technique": ["T1015: Accessibility Features"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - '*\\CurrentVersion\\Image File Execution Options\\sethc.exe*'\n - '*\\CurrentVersion\\Image File Execution Options\\utilman.exe*'\n - '*\\CurrentVersion\\Image File Execution Options\\osk.exe*'\n - '*\\CurrentVersion\\Image File Execution Options\\magnify.exe*'\n - '*\\CurrentVersion\\Image File Execution Options\\narrator.exe*'\n - '*\\CurrentVersion\\Image File Execution Options\\displayswitch.exe*'\n - '*\\CurrentVersion\\Image File Execution Options\\atbroker.exe*'\n", "detection_rule_title": "Suspicious Debugger Registration Cmdline", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -3086661394533050518}}
{"date_created": "2018-12-19T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_hack_secutyxploded.yml", "date_modified": null, "description": "Detects the execution of SecurityXploded Tools", "references": ["https://securityxploded.com/", "https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "7679d464-4f74-45e2-9e01-ac66c5eb041a", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: 1 of them\n selection1:\n Company: SecurityXploded\n selection2:\n Image|endswith: PasswordDump.exe\n selection3:\n OriginalFilename|endswith: PasswordDump.exe\n", "detection_rule_title": "SecurityXploded Tool", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -4429436638422616894}}
{"date_created": "2018-09-03T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_powershell_enc_cmd.yml", "date_modified": "2019-12-16T00:00:00", "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)", "references": ["https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "ca2092a1-c273-4878-9b4b-0d60115bf5ea", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: selection and not falsepositive1\n falsepositive1:\n CommandLine: '* -ExecutionPolicy remotesigned *'\n selection:\n CommandLine:\n - '* -e JAB*'\n - '* -e JAB*'\n - '* -e JAB*'\n - '* -e JAB*'\n - '* -e JAB*'\n - '* -e JAB*'\n - '* -en JAB*'\n - '* -enc JAB*'\n - '* -enc* JAB*'\n - '* -w hidden -e* JAB*'\n - '* BA^J e-'\n - '* -e SUVYI*'\n - '* -e aWV4I*'\n - '* -e SQBFAFgA*'\n - '* -e aQBlAHgA*'\n - '* -enc SUVYI*'\n - '* -enc aWV4I*'\n - '* -enc SQBFAFgA*'\n - '* -enc aQBlAHgA*'\n", "detection_rule_title": "Suspicious Encoded PowerShell Command Line", "detection_rule_author": "Florian Roth, Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -2292109259092538274}}
{"date_created": "2020-01-13T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_task_folder_evasion.yml", "date_modified": null, "description": "The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr", "references": ["https://twitter.com/subTee/status/1216465628946563073", "https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0003: Persistence"], "dr_id": "cc4e02ba-9c06-48e2-b09e-2500cace9ae0", "technique": ["T1064: Scripting", "T1211: Exploitation for Defense Evasion", "T1059: Command-Line Interface"], "raw_detection_rule": "detection:\n condition: selection1 and selection2\n selection1:\n CommandLine|contains:\n - 'echo '\n - 'copy '\n - 'type '\n - file createnew\n selection2:\n CommandLine|contains:\n - ' C:\\Windows\\System32\\Tasks\\'\n - ' C:\\Windows\\SysWow64\\Tasks\\'\nfields:\n- CommandLine\n- ParentProcess\n- CommandLine\n", "detection_rule_title": "Tasks Folder Evasion", "detection_rule_author": "Sreeman", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -2004238980576259304}}
{"date_created": "2019-10-01T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_outlook_temp.yml", "date_modified": null, "description": "Detects a suspicious program execution in Outlook temp folder", "references": "not defined", "customer": ["None"], "tactic": ["TA0001: Initial Access"], "dr_id": "a018fdc3-46a3-44e5-9afb-2cd4af1d4b39", "technique": ["T1193: Spearphishing Attachment"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Image: '*\\Temporary Internet Files\\Content.Outlook\\\\*'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Execution in Outlook Temp Folder", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0001_4688_windows_process_creation", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 7128978296397072884}}
{"date_created": "2019-01-16T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml", "date_modified": null, "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines", "references": ["http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: encoded and selection\n encoded:\n CommandLine: '* hidden *'\n Image: '*\\powershell.exe'\n selection:\n CommandLine:\n - '*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*'\n - '*aXRzYWRtaW4gL3RyYW5zZmVy*'\n - '*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*'\n - '*JpdHNhZG1pbiAvdHJhbnNmZX*'\n - '*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*'\n - '*Yml0c2FkbWluIC90cmFuc2Zlc*'\n - '*AGMAaAB1AG4AawBfAHMAaQB6AGUA*'\n - '*JABjAGgAdQBuAGsAXwBzAGkAegBlA*'\n - '*JGNodW5rX3Npem*'\n - '*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*'\n - '*RjaHVua19zaXpl*'\n - '*Y2h1bmtfc2l6Z*'\n - '*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*'\n - '*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*'\n - '*lPLkNvbXByZXNzaW9u*'\n - '*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*'\n - '*SU8uQ29tcHJlc3Npb2*'\n - '*Ty5Db21wcmVzc2lvb*'\n - '*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*'\n - '*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*'\n - '*lPLk1lbW9yeVN0cmVhb*'\n - '*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*'\n - '*SU8uTWVtb3J5U3RyZWFt*'\n - '*Ty5NZW1vcnlTdHJlYW*'\n - '*4ARwBlAHQAQwBoAHUAbgBrA*'\n - '*5HZXRDaHVua*'\n - '*AEcAZQB0AEMAaAB1AG4Aaw*'\n - '*LgBHAGUAdABDAGgAdQBuAGsA*'\n - '*LkdldENodW5r*'\n - '*R2V0Q2h1bm*'\n - '*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*'\n - '*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*'\n - '*RIUkVBRF9JTkZPNj*'\n - '*SFJFQURfSU5GTzY0*'\n - '*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*'\n - '*VEhSRUFEX0lORk82N*'\n - '*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*'\n - '*cmVhdGVSZW1vdGVUaHJlYW*'\n - '*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*'\n - '*NyZWF0ZVJlbW90ZVRocmVhZ*'\n - '*Q3JlYXRlUmVtb3RlVGhyZWFk*'\n - '*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*'\n - '*0AZQBtAG0AbwB2AGUA*'\n - '*1lbW1vdm*'\n - '*AGUAbQBtAG8AdgBlA*'\n - '*bQBlAG0AbQBvAHYAZQ*'\n - '*bWVtbW92Z*'\n - '*ZW1tb3Zl*'\n", "detection_rule_title": "Malicious Base64 Encoded PowerShell Keywords in Command Lines", "detection_rule_author": "John Lambert (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 5864536515736639442}}
{"date_created": "2019-01-16T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_malware_wannacry.yml", "date_modified": null, "description": "Detects WannaCry ransomware activity", "references": ["https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "41d40bff-377a-43e2-8e1b-2e543069e079", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: 1 of them\n selection1:\n Image:\n - '*\\tasksche.exe'\n - '*\\mssecsvc.exe'\n - '*\\taskdl.exe'\n - '*\\@WanaDecryptor@*'\n - '*\\WanaDecryptor*'\n - '*\\taskhsvc.exe'\n - '*\\taskse.exe'\n - '*\\111.exe'\n - '*\\lhdfrgui.exe'\n - '*\\diskpart.exe'\n - '*\\linuxnew.exe'\n - '*\\wannacry.exe'\n selection2:\n CommandLine:\n - '*icacls * /grant Everyone:F /T /C /Q*'\n - '*bcdedit /set {default} recoveryenabled no*'\n - '*wbadmin delete catalog -quiet*'\n - '*@[email protected]*'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "WannaCry Ransomware", "detection_rule_author": "Florian Roth (rule), Tom U. @c_APT_ure (collection)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -3868194239254743133}}
{"date_created": "2019-01-16T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_powershell_download.yml", "date_modified": null, "description": "Detects a Powershell process that contains download commands in its command line string", "references": "not defined", "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "3b6ab547-8ec2-4991-b9d2-2b06702a48d7", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - '*new-object system.net.webclient).downloadstring(*'\n - '*new-object system.net.webclient).downloadfile(*'\n - '*new-object net.webclient).downloadstring(*'\n - '*new-object net.webclient).downloadfile(*'\n Image: '*\\powershell.exe'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "PowerShell Download from URL", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 314421306654693223}}
{"date_created": "2019-10-26T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_dxcap.yml", "date_modified": "2019-11-04T00:00:00", "description": "Detects execution of of Dxcap.exe", "references": ["https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml", "https://twitter.com/harr0ey/status/992008180904419328"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "dr_id": "60f16a96-db70-42eb-8f76-16763e333590", "technique": ["T1218: Signed Binary Proxy Execution"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|contains|all:\n - -c\n - .exe\n Image|endswith: \\dxcap.exe\n", "detection_rule_title": "Application Whitelisting Bypass via Dxcap.exe", "detection_rule_author": "Beyu Denis, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 1714978443672059939}}
{"date_created": "2020-03-08T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_use_of_csharp_console.yml", "date_modified": null, "description": "Detects the execution of CSharp interactive console by PowerShell", "references": ["https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "a9e416a8-e613-4f8b-88b8-a7d1d1af2f61", "technique": ["T1127: Trusted Developer Utilities"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Image|endswith: \\csi.exe\n OriginalFileName: csi.exe\n ParentImage|endswith: \\powershell.exe\n", "detection_rule_title": "Suspicious Use of CSharp Interactive Console", "detection_rule_author": "Michael R. (@nahamike01)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -4379142609499453165}}
{"date_created": "2019-10-12T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_openwith.yml", "date_modified": "2019-11-04T00:00:00", "description": "The OpenWith.exe executes other binary", "references": ["https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml", "https://twitter.com/harr0ey/status/991670870384021504"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "dr_id": "cec8e918-30f7-4e2d-9bfa-a59cc97ae60f", "technique": ["T1218: Signed Binary Proxy Execution"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|contains: /c\n Image|endswith: \\OpenWith.exe\n", "detection_rule_title": "OpenWith.exe Executes Specified Binary", "detection_rule_author": "Beyu Denis, oscd.community (rule), @harr0ey (idea)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -6137315370752544077}}
{"date_created": "2019-10-22T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml", "date_modified": null, "description": "Dump sam, system or security hives using REG.exe utility", "references": ["https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "fd877b94-9bb5-4191-bb25-d79cbd93c167", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection_1 and selection_2 and selection_3\n selection_1:\n CommandLine|contains:\n - save\n - export\n NewProcessName: '*\\reg.exe'\n selection_2:\n CommandLine|contains:\n - hklm\n - hkey_local_machine\n selection_3:\n CommandLine|endswith:\n - \\system\n - \\sam\n - \\security\n", "detection_rule_title": "Grabbing Sensitive Hives via Reg Utility", "detection_rule_author": "Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 8362446952177353446}}
{"date_created": "2018-11-14T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_spn_enum.yml", "date_modified": null, "description": "Detects Service Principal Name Enumeration used for Kerberoasting", "references": ["https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "1eeed653-dbc8-4187-ad0c-eeebb20e6599", "technique": ["T1208: Kerberoasting"], "raw_detection_rule": "detection:\n cmd:\n CommandLine: '*-q*'\n condition: (selection_image or selection_desc) and cmd\n selection_desc:\n Description: '*Query or reset the computer* SPN attribute*'\n selection_image:\n Image: '*\\setspn.exe'\n", "detection_rule_title": "Possible SPN Enumeration", "detection_rule_author": "Markus Neis, keepwatch", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 5248928669168643978}}
{"date_created": "2018-10-30T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_net_enum.yml", "date_modified": "2019-11-11T00:00:00", "description": "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.", "references": ["https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.yaml"], "customer": ["None"], "tactic": ["TA0007: Discovery"], "dr_id": "62510e69-616b-4078-b371-847da438cc03", "technique": ["T1018: Remote System Discovery"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n CommandLine|contains: \\\\\n selection:\n CommandLine|contains: view\n Image|endswith:\n - \\net.exe\n - \\net1.exe\nfields:\n- ComputerName\n- User\n- CommandLine\n", "detection_rule_title": "Windows Network Enumeration", "detection_rule_author": "Endgame, JHasenbusch (ported for oscd.community)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "stable", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 596895636703872507}}
{"date_created": "2019-10-24T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_bootconf_mod.yml", "date_modified": "2019-11-11T00:00:00", "description": "Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml", "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html"], "customer": ["None"], "tactic": ["TA0040: Impact"], "dr_id": "1444443e-6757-43e4-9ea4-c8fc705f79a2", "technique": ["T1490: Inhibit System Recovery"], "raw_detection_rule": "detection:\n condition: selection1 and selection2\n selection1:\n CommandLine: set\n Image|endswith: \\bcdedit.exe\n selection2:\n - CommandLine|contains|all:\n - bootstatuspolicy\n - ignoreallfailures\n - CommandLine|contains|all:\n - recoveryenabled\n - 'no'\nfields:\n- ComputerName\n- User\n- CommandLine\n", "detection_rule_title": "Modification of Boot Configuration", "detection_rule_author": "E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 2856104081904099032}}
{"date_created": "2019-12-20T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_hack_bloodhound.yml", "date_modified": "2019-12-21T00:00:00", "description": "Detects command line parameters used by Bloodhound and Sharphound hack tools", "references": ["https://github.com/BloodHoundAD/BloodHound", "https://github.com/BloodHoundAD/SharpHound"], "customer": ["None"], "tactic": ["TA0007: Discovery"], "dr_id": "f376c8a7-a2d0-4ddc-aa0c-16c17236d962", "technique": ["T1087: Account Discovery"], "raw_detection_rule": "detection:\n condition: 1 of them\n selection1:\n Image|contains:\n - \\Bloodhound.exe\n - \\SharpHound.exe\n selection2:\n CommandLine|contains:\n - ' -CollectionMethod All '\n - '.exe -c All -d '\n - Invoke-Bloodhound\n - Get-BloodHoundData\n selection3:\n CommandLine|contains|all:\n - ' -JsonFolder '\n - ' -ZipFileName '\n selection4:\n CommandLine|contains|all:\n - ' DCOnly '\n - ' --NoSaveCache '\n", "detection_rule_title": "Bloodhound and Sharphound Hack Tool", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 7907100125117898424}}
{"date_created": "2019-10-30T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_malware_dtrack.yml", "date_modified": null, "description": "Detects specific process parameters as seen in DTRACK infections", "references": ["https://securelist.com/my-name-is-dtrack/93338/", "https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/", "https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "f1531fa4-5b84-4342-8f68-9cf3fdbd83d4", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine: '* echo EEEE > *'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "DTRACK Process Creation", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 4734430390365413320}}
{"date_created": "2019-01-16T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_vul_java_remote_debugging.yml", "date_modified": null, "description": "Detects a JAVA process running with remote debugging allowing more than just localhost to connect", "references": "not defined", "customer": ["None"], "tactic": ["TA0007: Discovery"], "dr_id": "8f88e3f6-2a49-48f5-a5c4-2f7eedf78710", "technique": ["T1046: Network Service Scanning"], "raw_detection_rule": "detection:\n condition: selection and not exclusion\n exclusion:\n - CommandLine: '*address=127.0.0.1*'\n - CommandLine: '*address=localhost*'\n selection:\n CommandLine: '*transport=dt_socket,address=*'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Java Running with Remote Debugging", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -7449754171135233522}}
{"date_created": "2019-08-15T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_wmiprvse_spawning_process.yml", "date_modified": "2019-11-10T00:00:00", "description": "Detects wmiprvse spawning processes", "references": ["https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_win32_process_create_remote.md"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "d21374ff-f574-44a7-9998-4a8c8bf33d7d", "technique": ["T1047: Windows Management Instrumentation"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n - LogonId: '0x3e7'\n - Username: NT AUTHORITY\\SYSTEM\n selection:\n ParentImage|endswith: \\WmiPrvSe.exe\n", "detection_rule_title": "Wmiprvse Spawning Process", "detection_rule_author": "Roberto Rodriguez @Cyb3rWard0g", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 7818276987465637673}}
{"date_created": "2019-01-10T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_malware_dridex.yml", "date_modified": null, "description": "Detects typical Dridex process patterns", "references": ["https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3"], "customer": ["TESTCUSTOMER"], "tactic": ["TA0005: Defense Evasion", "TA0004: Privilege Escalation"], "dr_id": "e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e", "technique": ["T1055: Process Injection"], "raw_detection_rule": "detection:\n condition: 1 of them\n selection1:\n CommandLine: '*\\svchost.exe C:\\Users\\\\*\\Desktop\\\\*'\n selection2:\n CommandLine:\n - '*whoami.exe /all'\n - '*net.exe view'\n ParentImage: '*\\svchost.exe*'\n", "detection_rule_title": "Dridex Process Pattern", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -1184291348905974983}}
{"date_created": "2019-01-16T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_attrib_hiding_files.yml", "date_modified": null, "description": "Detects usage of attrib.exe to hide files from users.", "references": "not defined", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0003: Persistence"], "dr_id": "4281cb20-2994-4580-aa63-c8b86d019934", "technique": ["T1158: Hidden Files and Directories"], "raw_detection_rule": "detection:\n condition: selection and not (ini or intel)\n ini:\n CommandLine: '*\\desktop.ini *'\n intel:\n CommandLine: +R +H +S +A \\\\*.cui\n ParentCommandLine: C:\\WINDOWS\\system32\\\\*.bat\n ParentImage: '*\\cmd.exe'\n selection:\n CommandLine: '* +h *'\n Image: '*\\attrib.exe'\nfields:\n- CommandLine\n- ParentCommandLine\n- User\n", "detection_rule_title": "Hiding Files with Attrib.exe", "detection_rule_author": "Sami Ruohonen", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 7343349901603624828}}
{"date_created": "2019-01-16T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_possible_applocker_bypass.yml", "date_modified": null, "description": "Detects execution of executables that can be used to bypass Applocker whitelisting", "references": ["https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt", "https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719", "technique": ["T1118: InstallUtil", "T1121: Regsvcs/Regasm", "T1127: Trusted Developer Utilities", "T1170: Mshta"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|contains:\n - \\msdt.exe\n - \\installutil.exe\n - \\regsvcs.exe\n - \\regasm.exe\n - \\msbuild.exe\n - \\ieexec.exe\n", "detection_rule_title": "Possible Applocker Bypass", "detection_rule_author": "juju4", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 2984262443420917088}}
{"date_created": "2019-10-24T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_powershell_audio_capture.yml", "date_modified": "2019-11-11T00:00:00", "description": "Detects audio capture via PowerShell Cmdlet", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml", "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html"], "customer": ["None"], "tactic": ["TA0009: Collection"], "dr_id": "932fb0d8-692b-4b0f-a26e-5643a50fe7d6", "technique": ["T1123: Audio Capture"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|contains: WindowsAudioDevice-Powershell-Cmdlet\n", "detection_rule_title": "Audio Capture via PowerShell", "detection_rule_author": "E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 3743644297357435097}}
{"date_created": "2019-10-23T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_whoami_as_system.yml", "date_modified": "2019-11-11T00:00:00", "description": "Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.", "references": ["https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment"], "customer": ["None"], "tactic": ["TA0007: Discovery", "TA0004: Privilege Escalation"], "dr_id": "80167ada-7a12-41ed-b8e9-aa47195c66a1", "technique": ["T1033: System Owner/User Discovery"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Image|endswith: \\whoami.exe\n User: NT AUTHORITY\\SYSTEM\n", "detection_rule_title": "Run Whoami as SYSTEM", "detection_rule_author": "Teymur Kheirkhabarov", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 495105596277763406}}
{"date_created": "2019-06-15T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_renamed_binary.yml", "date_modified": "2019-11-11T00:00:00", "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", "references": ["https://attack.mitre.org/techniques/T1036/", "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "36480ae1-a1cb-4eaa-a0d6-29801d7e9142", "technique": ["T1036: Masquerading"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n Image|endswith:\n - \\cmd.exe\n - \\powershell.exe\n - \\powershell_ise.exe\n - \\psexec.exe\n - \\psexec64.exe\n - \\cscript.exe\n - \\wscript.exe\n - \\mshta.exe\n - \\regsvr32.exe\n - \\wmic.exe\n - \\certutil.exe\n - \\rundll32.exe\n - \\cmstp.exe\n - \\msiexec.exe\n - \\7z.exe\n - \\winrar.exe\n - \\wevtutil.exe\n - \\net.exe\n - \\net1.exe\n selection:\n OriginalFileName:\n - cmd.exe\n - powershell.exe\n - powershell_ise.exe\n - psexec.exe\n - psexec.c\n - cscript.exe\n - wscript.exe\n - mshta.exe\n - regsvr32.exe\n - wmic.exe\n - certutil.exe\n - rundll32.exe\n - cmstp.exe\n - msiexec.exe\n - 7z.exe\n - winrar.exe\n - wevtutil.exe\n - net.exe\n - net1.exe\n", "detection_rule_title": "Renamed Binary", "detection_rule_author": "Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 3532052316761375877}}
{"date_created": "2018-03-01T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_apt_sofacy.yml", "date_modified": null, "description": "Detects Trojan loader acitivty as used by APT28", "references": ["https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/", "https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100", "https://twitter.com/ClearskySec/status/960924755355369472"], "customer": ["None"], "tactic": ["TA0002: Execution", "TA0005: Defense Evasion"], "dr_id": "ba778144-5e3d-40cf-8af9-e28fb1df1e20", "technique": ["T1059: Command-Line Interface", "T1085: Rundll32"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - rundll32.exe %APPDATA%\\\\*.dat\",*\n - rundll32.exe %APPDATA%\\\\*.dll\",#1\n", "detection_rule_title": "Sofacy Trojan Loader Activity", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 126117079228751197}}
{"date_created": "2019-10-26T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_msoffice.yml", "date_modified": "2019-11-04T00:00:00", "description": "Downloads payload from remote server", "references": ["https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Powerpnt.yml", "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191", "Reegun J (OCBC Bank)"], "customer": ["None"], "tactic": ["TA0011: Command and Control"], "dr_id": "0c79148b-118e-472b-bdb7-9b57b444cc19", "technique": ["T1105: Remote File Copy"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|contains: http\n Image|endswith:\n - \\powerpnt.exe\n - \\winword.exe\n - \\excel.exe\n", "detection_rule_title": "Malicious Payload Download via Office Binaries", "detection_rule_author": "Beyu Denis, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -649604546471389736}}
{"date_created": "2018-02-09T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_msiexec_web_install.yml", "date_modified": "2012-12-11T00:00:00", "description": "Detects suspicious msiexec process starts with web addreses as parameter", "references": ["https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "f7b5f842-a6af-4da5-9e95-e32478f3cd2f", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - '* msiexec*://*'\n", "detection_rule_title": "MsiExec Web Install", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 6187670099620196496}}
{"date_created": "2019-11-15T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_exploit_cve_2019_1378.yml", "date_modified": null, "description": "Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd decribed in CVE-2019-1378", "references": ["https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0004: Privilege Escalation"], "dr_id": "1c373b6d-76ce-4553-997d-8c1da9a6b5f5", "technique": ["T1055: Process Injection"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n Image:\n - C:\\Windows\\System32\\\\*\n - C:\\Windows\\SysWOW64\\\\*\n - C:\\Windows\\WinSxS\\\\*\n - C:\\Windows\\Setup\\\\*\n selection:\n ParentCommandLine:\n - '*\\cmd.exe /c C:\\Windows\\Setup\\Scripts\\SetupComplete.cmd'\n - '*\\cmd.exe /c C:\\Windows\\Setup\\Scripts\\PartnerSetupComplete.cmd'\n", "detection_rule_title": "Exploiting SetupComplete.cmd CVE-2019-1378", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -558845238342870851}}
{"date_created": "2019-10-26T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_dnx.yml", "date_modified": "2019-11-04T00:00:00", "description": "Execute C# code located in the consoleapp folder", "references": ["https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml", "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "dr_id": "81ebd28b-9607-4478-bf06-974ed9d53ed7", "technique": ["T1218: Signed Binary Proxy Execution"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Image|endswith: \\dnx.exe\n", "detection_rule_title": "Application Whitelisting Bypass via Dnx.exe", "detection_rule_author": "Beyu Denis, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0001_4688_windows_process_creation", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -6664767494491393321}}
{"date_created": "2019-04-02T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_office_spawn_exe_from_users_directory.yml", "date_modified": null, "description": "Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio", "references": ["sha256=23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57c", "https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign"], "customer": ["None"], "tactic": ["TA0002: Execution", "TA0005: Defense Evasion"], "dr_id": "aa3a6f94-890e-4e22-b634-ffdfd54792cc", "technique": ["T1059: Command-Line Interface", "T1202: Indirect Command Execution"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Image:\n - C:\\users\\\\*.exe\n ParentImage:\n - '*\\WINWORD.EXE'\n - '*\\EXCEL.EXE'\n - '*\\POWERPNT.exe'\n - '*\\MSPUB.exe'\n - '*\\VISIO.exe'\n - '*\\OUTLOOK.EXE'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "MS Office Product Spawning Exe in User Dir", "detection_rule_author": "Jason Lynch", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -5341244892340208521}}
{"date_created": "2018-06-22T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_sysprep_appdata.yml", "date_modified": "2018-12-11T00:00:00", "description": "Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)", "references": ["https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets", "https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - '*\\sysprep.exe *\\AppData\\\\*'\n - sysprep.exe *\\AppData\\\\*\n", "detection_rule_title": "Sysprep on AppData Folder", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 5343371034432146721}}
{"date_created": "2019-06-17T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_userinit_child.yml", "date_modified": null, "description": "Detects a suspicious child process of userinit", "references": ["https://twitter.com/SBousseaden/status/1139811587760562176"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "b655a06a-31c0-477a-95c2-3726b83d649d", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection and not filter1 and not filter2\n filter1:\n CommandLine: '*\\\\netlogon\\\\*'\n filter2:\n Image: '*\\explorer.exe'\n selection:\n ParentImage: '*\\userinit.exe'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Suspicious Userinit Child Process", "detection_rule_author": "Florian Roth (rule), Samir Bousseaden (idea)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -558598835981991100}}
{"date_created": "2019-10-26T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_bginfo.yml", "date_modified": "2019-11-04T00:00:00", "description": "Execute VBscript code that is referenced within the *.bgi file.", "references": ["https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Bginfo.yml", "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "dr_id": "aaf46cdc-934e-4284-b329-34aa701e3771", "technique": ["T1218: Signed Binary Proxy Execution"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|contains|all:\n - /popup\n - /nolicprompt\n Image|endswith: \\bginfo.exe\n", "detection_rule_title": "Application Whitelisting Bypass via Bginfo", "detection_rule_author": "Beyu Denis, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -1309955096826982577}}
{"date_created": "2019-02-11T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_csc.yml", "date_modified": null, "description": "Detects a suspicious parent of csc.exe, which could by a sign of payload delivery", "references": ["https://twitter.com/SBousseaden/status/1094924091256176641"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "b730a276-6b63-41b8-bcf8-55930c8fc6ee", "technique": ["T1036: Masquerading"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Image: '*\\csc.exe*'\n ParentImage:\n - '*\\wscript.exe'\n - '*\\cscript.exe'\n - '*\\mshta.exe'\n", "detection_rule_title": "Suspicious Parent of Csc.exe", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 9101837036685473297}}
{"date_created": "2020-01-29T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_powershell_frombase64string.yml", "date_modified": null, "description": "Detects suspicious FromBase64String expressions in command line arguments", "references": ["https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "e32d4572-9826-4738-b651-95fa63747e8a", "technique": ["T1027: Obfuscated Files or Information"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|contains: ::FromBase64String(\n", "detection_rule_title": "FromBase64String Command Line", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -8919070375188333716}}
{"date_created": "2019-05-22T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_win10_sched_task_0day.yml", "date_modified": null, "description": "Detects Task Scheduler .job import arbitrary DACL write\\par", "references": ["https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe"], "customer": ["None"], "tactic": ["TA0004: Privilege Escalation", "TA0002: Execution"], "dr_id": "931b6802-d6a6-4267-9ffa-526f57f22aaf", "technique": ["T1053: Scheduled Task"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine: '*/change*/TN*/RU*/RP*'\n Image: schtasks.exe\n", "detection_rule_title": "Windows 10 Scheduled Task SandboxEscaper 0-day", "detection_rule_author": "Olaf Hartong", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -878595727749514889}}
{"date_created": "2017-11-07T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_apt_turla_commands.yml", "date_modified": null, "description": "Detects automated lateral movement by Turla group", "references": ["https://securelist.com/the-epic-turla-operation/65545/"], "customer": ["None"], "tactic": ["TA0002: Execution", "TA0008: Lateral Movement", "TA0007: Discovery"], "dr_id": "c601f20d-570a-4cde-a7d6-e17f99cb8e7f", "technique": ["T1059: Command-Line Interface", "T1077: Windows Admin Shares", "T1083: File and Directory Discovery", "T1135: Network Share Discovery"], "raw_detection_rule": "action: global\nadditions:\n- detection:\n condition: selection\n selection:\n CommandLine:\n - net use \\\\%DomainController%\\C$ \"P@ssw0rd\" *\n - dir c:\\\\*.doc* /s\n - dir %TEMP%\\\\*.exe\n level: critical\n- detection:\n condition: netCommand1 | near netCommand2 and netCommand3\n netCommand1:\n CommandLine: net view /DOMAIN\n netCommand2:\n CommandLine: net session\n netCommand3:\n CommandLine: net share\n timeframe: 1m\n level: medium\n", "detection_rule_title": "Turla Group Lateral Movement", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "not defined", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0001_4688_windows_process_creation", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 2185715466122362071}}
{"date_created": "2019-04-20T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_powershell_empire_launch.yml", "date_modified": null, "description": "Detects suspicious powershell command line parameters used in Empire", "references": ["https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "79f4ede3-402e-41c8-bc3e-ebbf5f162581", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - '* -NoP -sta -NonI -W Hidden -Enc *'\n - '* -noP -sta -w 1 -enc *'\n - '* -NoP -NonI -W Hidden -enc *'\n", "detection_rule_title": "Empire PowerShell Launch Parameters", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 6859935583602754531}}
{"date_created": "2019-10-21T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_data_compressed_with_rar.yml", "date_modified": "2019-11-04T00:00:00", "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml", "https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html"], "customer": ["None"], "tactic": ["TA0010: Exfiltration"], "dr_id": "6f3e2987-db24-4c78-a860-b4f4095a7095", "technique": ["T1002: Data Compressed"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|contains: ' a '\n Image|endswith: \\rar.exe\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\n", "detection_rule_title": "Data Compressed - rar.exe", "detection_rule_author": "Timur Zinniatullin, E.M. Anhaus, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -4743349276426510180}}
{"date_created": "2018-12-27T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_outlook.yml", "date_modified": null, "description": "Detects EnableUnsafeClientMailRules used for Script Execution from Outlook", "references": ["https://github.com/sensepost/ruler", "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "e212d415-0e93-435f-9e1a-f29005bb4723", "technique": ["T1059: Command-Line Interface", "T1202: Indirect Command Execution"], "raw_detection_rule": "detection:\n clientMailRules:\n CommandLine: '*EnableUnsafeClientMailRules*'\n condition: clientMailRules or outlookExec\n outlookExec:\n CommandLine: \\\\\\\\*\\\\*.exe\n ParentImage: '*\\outlook.exe'\n", "detection_rule_title": "Suspicious Execution from Outlook", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 8864290731351847797}}
{"date_created": "2019-03-04T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_apt_hurricane_panda.yml", "date_modified": null, "description": "Detects Hurricane Panda Activity", "references": ["https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/"], "customer": ["None"], "tactic": ["TA0004: Privilege Escalation"], "dr_id": "0eb2107b-a596-422e-b123-b389d5594ed7", "technique": ["T1068: Exploitation for Privilege Escalation"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - '* localgroup administrators admin /add'\n - '*\\Win64.exe*'\n", "detection_rule_title": "Hurricane Panda Activity", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 941941404106049343}}
{"date_created": "2019-09-30T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_malware_emotet.yml", "date_modified": "2019-10-16T00:00:00", "description": "Detects all Emotet like process executions that are not covered by the more generic rules", "references": ["https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/", "https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/", "https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/", "https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - '* -e* PAA*'\n - '*JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ*'\n - '*QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA*'\n - '*kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA*'\n - '*IgAoACcAKgAnACkAOwAkA*'\n - '*IAKAAnACoAJwApADsAJA*'\n - '*iACgAJwAqACcAKQA7ACQA*'\n - '*JABGAGwAeAByAGgAYwBmAGQ*'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Emotet Process Creation", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -5548186754593074832}}
{"date_created": "2020-01-13T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_curl_start_combo.yml", "date_modified": null, "description": "Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.", "references": ["https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "21dd6d38-2b18-4453-9404-a0fe4a0cc288", "technique": ["T1218: Signed Binary Proxy Execution"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|contains: 'curl* start '\nfields:\n- ParentImage\n- CommandLine\n", "detection_rule_title": "Curl Start Combination", "detection_rule_author": "Sreeman", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 8793193171413887388}}
{"date_created": "2019-08-24T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_encoded_frombase64string.yml", "date_modified": null, "description": "Detects a base64 encoded FromBase64String keyword in a process command line", "references": "not defined", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0005: Defense Evasion"], "dr_id": "fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c", "technique": ["T1086: PowerShell", "T1140: Deobfuscate/Decode Files or Information"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|base64offset|contains: ::FromBase64String\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Encoded FromBase64String", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -6619266188123184100}}
{"date_created": "2019-04-03T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_wmi_spwns_powershell.yml", "date_modified": null, "description": "Detects WMI spawning PowerShell", "references": ["https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_shell_spawn_susp_program.yml", "https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e"], "customer": ["None"], "tactic": ["TA0002: Execution", "TA0005: Defense Evasion"], "dr_id": "692f0bec-83ba-4d04-af7e-e884a96059b6", "technique": ["T1064: Scripting"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Image:\n - '*\\powershell.exe'\n ParentImage:\n - '*\\wmiprvse.exe'\n", "detection_rule_title": "WMI Spawning Windows PowerShell", "detection_rule_author": "Markus Neis / @Karneades", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 6642131816735531537}}
{"date_created": "2019-11-12T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_apt_tropictrooper.yml", "date_modified": null, "description": "Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia", "references": ["https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "8c7090c3-e0a0-4944-bd08-08c3a0cecf79", "technique": ["T1085: Rundll32"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'\n", "detection_rule_title": "TropicTrooper Campaign November 2018", "detection_rule_author": "@41thexplorer, Microsoft Defender ATP", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "stable", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -4852866496765907535}}
{"date_created": "2017-04-15T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_control_dll_load.yml", "date_modified": null, "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits", "references": ["https://twitter.com/rikvduijn/status/853251879320662017"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "d7eb979b-c2b5-4a6f-a3a7-c87ce6763819", "technique": ["T1073: DLL Side-Loading", "T1085: Rundll32"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n CommandLine: '*Shell32.dll*'\n selection:\n CommandLine: '*\\rundll32.exe *'\n ParentImage: '*\\System32\\control.exe'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Suspicious Control Panel DLL Load", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -7171081964942875812}}
{"date_created": "2018-03-06T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_powersploit_empire_schtasks.yml", "date_modified": null, "description": "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.", "references": ["https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1", "https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/userland/schtasks.py", "https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/elevated/schtasks.py"], "customer": ["None"], "tactic": ["TA0002: Execution", "TA0003: Persistence", "TA0004: Privilege Escalation"], "dr_id": "56c217c3-2de2-479b-990f-5c109ba8458f", "technique": ["T1053: Scheduled Task", "T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - '*schtasks*/Create*/SC *ONLOGON*/TN *Updater*/TR *powershell*'\n - '*schtasks*/Create*/SC *DAILY*/TN *Updater*/TR *powershell*'\n - '*schtasks*/Create*/SC *ONIDLE*/TN *Updater*/TR *powershell*'\n - '*schtasks*/Create*/SC *Updater*/TN *Updater*/TR *powershell*'\n ParentImage:\n - '*\\powershell.exe'\n", "detection_rule_title": "Default PowerSploit and Empire Schtasks Persistence", "detection_rule_author": "Markus Neis, @Karneades", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -5684887408052602381}}
{"date_created": "2019-02-21T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_apt_bear_activity_gtr19.yml", "date_modified": null, "description": "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike", "references": ["https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee", "technique": ["T1081: Credentials in Files", "T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection1 or selection2\n selection1:\n CommandLine: '* /S /E /C /Q /H \\\\*'\n Image: '*\\xcopy.exe'\n selection2:\n CommandLine: '* -snapshot \"\" c:\\users\\\\*'\n Image: '*\\adexplorer.exe'\n", "detection_rule_title": "Judgement Panda Credential Access Activity", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 7946713908748358095}}
{"date_created": "2019-03-04T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_apt_slingshot.yml", "date_modified": null, "description": "Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group", "references": ["https://securelist.com/apt-slingshot/84312/"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "958d81aa-8566-4cea-a565-59ccd4df27b0", "technique": ["T1053: Scheduled Task"], "raw_detection_rule": "action: global\nadditions:\n- detection:\n selection1:\n CommandLine:\n - '*schtasks* /delete *Defrag\\ScheduledDefrag*'\n logsource:\n category: process_creation\n product: windows\n- detection:\n selection2:\n EventID: 4701\n TaskName: \\Microsoft\\Windows\\Defrag\\ScheduledDefrag\n logsource:\n definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'\n product: windows\n service: security\ndetection:\n condition: 1 of them\n", "detection_rule_title": "Defrag Deactivation", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0065_4701_scheduled_task_was_disabled", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0041_windows_audit_other_object_access_events", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 4080181764811536511}}
{"date_created": "2018-04-09T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_sysvol_access.yml", "date_modified": "2018-12-11T00:00:00", "description": "Detects Access to Domain Group Policies stored in SYSVOL", "references": ["https://adsecurity.org/?p=2288", "https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "05f3c945-dcc8-4393-9f3d-af65077a8f86", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine: '*\\SYSVOL\\\\*\\policies\\\\*'\n", "detection_rule_title": "Suspicious SYSVOL Domain Group Policy Access", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 8585843519267919336}}
{"date_created": "2018-02-22T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_exploit_cve_2015_1641.yml", "date_modified": null, "description": "Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641", "references": ["https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/", "https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100"], "customer": ["TESTCUSTOMER"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "7993792c-5ce2-4475-a3db-a3a5539827ef", "technique": ["T1036: Masquerading"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Image: '*\\MicroScMgmt.exe '\n ParentImage: '*\\WINWORD.EXE'\n", "detection_rule_title": "Exploit for CVE-2015-1641", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 2035172299164501034}}
{"date_created": "2019-10-21T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_network_sniffing.yml", "date_modified": "2019-11-04T00:00:00", "description": "Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml"], "customer": ["None"], "tactic": ["TA0006: Credential Access", "TA0007: Discovery"], "dr_id": "ba1f7802-adc7-48b4-9ecb-81e227fddfd5", "technique": ["T1040: Network Sniffing"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n - CommandLine|contains: -i\n Image|endswith: \\tshark.exe\n - Image|endswith: \\windump.exe\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\n", "detection_rule_title": "Network Sniffing", "detection_rule_author": "Timur Zinniatullin, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -1377598650387532987}}
{"date_created": "2017-03-09T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_process_creation_bitsadmin_download.yml", "date_modified": "2019-12-06T00:00:00", "description": "Detects usage of bitsadmin downloading a file", "references": ["https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://isc.sans.edu/diary/22264"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0003: Persistence"], "dr_id": "d059842b-6b9d-4ed1-b5c3-5b89143c6ede", "technique": ["T1197: BITS Jobs"], "raw_detection_rule": "detection:\n condition: selection1 or selection2\n selection1:\n CommandLine:\n - '* /transfer *'\n Image:\n - '*\\bitsadmin.exe'\n selection2:\n CommandLine:\n - '*copy bitsadmin.exe*'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Bitsadmin Download", "detection_rule_author": "Michael Haag", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 2859853830330469992}}
{"date_created": "2019-10-21T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_xsl_script_processing.yml", "date_modified": "2019-11-04T00:00:00", "description": "Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files, rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "05c36dd6-79d6-4a9a-97da-3db20298ab2d", "technique": ["T1220: XSL Script Processing"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n - CommandLine|contains: /format\n Image|endswith: \\wmic.exe\n - Image|endswith: \\msxsl.exe\n", "detection_rule_title": "XSL Script Processing", "detection_rule_author": "Timur Zinniatullin, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 8289028273502206186}}
{"date_created": "2019-01-16T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_cmdkey_recon.yml", "date_modified": null, "description": "Detects usage of cmdkey to look for cached credentials", "references": ["https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation", "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx"], "customer": ["TESTCUSTOMER2", "TESTCUSTOMER"], "tactic": ["TA0006: Credential Access"], "dr_id": "07f8bdc2-c9b3-472a-9817-5a670b872f53", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine: '* /list *'\n Image: '*\\cmdkey.exe'\nfields:\n- CommandLine\n- ParentCommandLine\n- User\n", "detection_rule_title": "Cmdkey Cached Credentials Recon", "detection_rule_author": "jmallette", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -8193984834171815862}}
{"date_created": "2019-05-22T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_termserv_proc_spawn.yml", "date_modified": null, "description": "Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)", "references": ["https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "1012f107-b8f1-4271-af30-5aed2de89b39", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n Image: '*\\rdpclip.exe'\n selection:\n ParentCommandLine: '*\\svchost.exe*termsvcs'\n", "detection_rule_title": "Terminal Service Process Spawn", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -2093741215750451047}}
{"date_created": "2019-09-02T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_comsvcs_procdump.yml", "date_modified": null, "description": "Detects process memory dump via comsvcs.dll and rundll32", "references": ["https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", "https://twitter.com/SBousseaden/status/1167417096374050817"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "09e6d5c0-05b8-4ff8-9eeb-043046ec774c", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: (rundll_image or rundll_ofn) and selection\n rundll_image:\n Image: '*\\rundll32.exe'\n rundll_ofn:\n OriginalFileName: RUNDLL32.EXE\n selection:\n CommandLine:\n - '*comsvcs*MiniDump*full*'\n - '*comsvcs*MiniDumpW*full*'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Process Dump via Comsvcs DLL", "detection_rule_author": "Modexp (idea)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -8670589115530946309}}
{"date_created": "2019-01-16T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_powershell_suspicious_parameter_variation.yml", "date_modified": null, "description": "Detects suspicious PowerShell invocation with a parameter substring", "references": ["http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "36210e0d-5b19-485d-a087-c096088885f0", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - ' -windowstyle h '\n - ' -windowstyl h'\n - ' -windowsty h'\n - ' -windowst h'\n - ' -windows h'\n - ' -windo h'\n - ' -wind h'\n - ' -win h'\n - ' -wi h'\n - ' -win h '\n - ' -win hi '\n - ' -win hid '\n - ' -win hidd '\n - ' -win hidde '\n - ' -NoPr '\n - ' -NoPro '\n - ' -NoProf '\n - ' -NoProfi '\n - ' -NoProfil '\n - ' -nonin '\n - ' -nonint '\n - ' -noninte '\n - ' -noninter '\n - ' -nonintera '\n - ' -noninterac '\n - ' -noninteract '\n - ' -noninteracti '\n - ' -noninteractiv '\n - ' -ec '\n - ' -encodedComman '\n - ' -encodedComma '\n - ' -encodedComm '\n - ' -encodedCom '\n - ' -encodedCo '\n - ' -encodedC '\n - ' -encoded '\n - ' -encode '\n - ' -encod '\n - ' -enco '\n - ' -en '\n Image:\n - '*\\Powershell.exe'\n", "detection_rule_title": "Suspicious PowerShell Parameter Substring", "detection_rule_author": "Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 6349301072007238488}}
{"date_created": "2018-08-13T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_whoami.yml", "date_modified": null, "description": "Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators", "references": ["https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/"], "customer": ["None"], "tactic": ["TA0007: Discovery"], "dr_id": "e28a5a99-da44-436d-b7a0-2afc20a5f413", "technique": ["T1033: System Owner/User Discovery"], "raw_detection_rule": "detection:\n condition: selection or selection2\n selection:\n Image: '*\\whoami.exe'\n selection2:\n OriginalFileName: whoami.exe\n", "detection_rule_title": "Whoami Execution", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 5510811781240585080}}
{"date_created": "2018-10-30T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_powershell_bitsjob.yml", "date_modified": "2019-11-11T00:00:00", "description": "Detect download by BITS jobs via PowerShell", "references": ["https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0003: Persistence"], "dr_id": "f67dbfce-93bc-440d-86ad-a95ae8858c90", "technique": ["T1197: BITS Jobs"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|contains: Start-BitsTransfer\n Image|endswith: \\powershell.exe\nfields:\n- ComputerName\n- User\n- CommandLine\n", "detection_rule_title": "Suspicious Bitsadmin Job via PowerShell", "detection_rule_author": "Endgame, JHasenbusch (ported to sigma for oscd.community)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -2538063976316215680}}
{"date_created": "2019-02-23T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_proc_wrong_parent.yml", "date_modified": "2019-08-20T00:00:00", "description": "Detect suspicious parent processes of well-known Windows processes", "references": ["https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2", "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/", "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf", "https://attack.mitre.org/techniques/T1036/"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "96036718-71cc-4027-a538-d1587e0006a7", "technique": ["T1036: Masquerading"], "raw_detection_rule": "detection:\n condition: selection and not filter and not filter_null\n filter:\n ParentImage:\n - '*\\System32\\\\*'\n - '*\\SysWOW64\\\\*'\n - '*\\SavService.exe'\n - '*\\Windows Defender\\\\*\\MsMpEng.exe'\n filter_null:\n ParentImage: null\n selection:\n Image:\n - '*\\svchost.exe'\n - '*\\taskhost.exe'\n - '*\\lsm.exe'\n - '*\\lsass.exe'\n - '*\\services.exe'\n - '*\\lsaiso.exe'\n - '*\\csrss.exe'\n - '*\\wininit.exe'\n - '*\\winlogon.exe'\n", "detection_rule_title": "Windows Processes Suspicious Parent Directory", "detection_rule_author": "vburov", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -2381606616016091600}}
{"date_created": "2020-01-28T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_renamed_dctask64.yml", "date_modified": null, "description": "Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation", "references": ["https://twitter.com/gN3mes1s/status/1222088214581825540", "https://twitter.com/gN3mes1s/status/1222095963789111296", "https://twitter.com/gN3mes1s/status/1222095371175911424"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "340a090b-c4e9-412e-bb36-b4b16fe96f9b", "technique": ["T1055: Process Injection"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n Image|endswith: \\dctask64.exe\n selection:\n Imphash: 6834B1B94E49701D77CCB3C0895E1AFD\nfields:\n- CommandLine\n- ParentCommandLine\n- ParentImage\n", "detection_rule_title": "Renamed ZOHO Dctask64", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 4749638340120788031}}
{"date_created": "2019-01-16T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_run_locations.yml", "date_modified": null, "description": "Detects suspicious process run from unusual locations", "references": ["https://car.mitre.org/wiki/CAR-2013-05-002"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "15b75071-74cc-47e0-b4c6-b43744a62a2b", "technique": ["T1036: Masquerading"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Image:\n - '*:\\RECYCLER\\\\*'\n - '*:\\SystemVolumeInformation\\\\*'\n - C:\\\\Windows\\\\Tasks\\\\*\n - C:\\\\Windows\\\\debug\\\\*\n - C:\\\\Windows\\\\fonts\\\\*\n - C:\\\\Windows\\\\help\\\\*\n - C:\\\\Windows\\\\drivers\\\\*\n - C:\\\\Windows\\\\addins\\\\*\n - C:\\\\Windows\\\\cursors\\\\*\n - C:\\\\Windows\\\\system32\\tasks\\\\*\n", "detection_rule_title": "Suspicious Process Start Locations", "detection_rule_author": "juju4", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0001_4688_windows_process_creation", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -3878499897101808106}}
{"date_created": "2019-01-16T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_execution_path_webserver.yml", "date_modified": null, "description": "Detects a suspicious program execution in a web service root folder (filter out false positives)", "references": "not defined", "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "35efb964-e6a5-47ad-bbcd-19661854018d", "technique": ["T1100: Web Shell"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n Image:\n - '*bin\\\\*'\n - '*\\Tools\\\\*'\n - '*\\SMSComponent\\\\*'\n ParentImage:\n - '*\\services.exe'\n selection:\n Image:\n - '*\\wwwroot\\\\*'\n - '*\\wmpub\\\\*'\n - '*\\htdocs\\\\*'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Execution in Webserver Root Folder", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -7494305266771933433}}
{"date_created": "2017-10-22T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_apt_ta17_293a_ps.yml", "date_modified": null, "description": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report", "references": ["https://www.us-cert.gov/ncas/alerts/TA17-293A"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "18da1007-3f26-470f-875d-f77faf1cab31", "technique": ["T1036: Masquerading"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine: ps.exe -accepteula\n", "detection_rule_title": "Ps.exe Renamed SysInternals Tool", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 6089679345182715325}}
{"date_created": "2019-09-12T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_non_interactive_powershell.yml", "date_modified": "2019-11-10T00:00:00", "description": "Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.", "references": ["https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "f4bbd493-b796-416e-bbf2-121235348529", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n ParentImage|endswith: \\explorer.exe\n selection:\n Image|endswith: \\powershell.exe\n", "detection_rule_title": "Non Interactive PowerShell", "detection_rule_author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -8918516089504260906}}
{"date_created": "2019-01-09T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_ps_appdata.yml", "date_modified": null, "description": "Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder", "references": ["https://twitter.com/JohnLaTwC/status/1082851155481288706", "https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "ac175779-025a-4f12-98b0-acdaeb77ea85", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - '* /c powershell*\\AppData\\Local\\\\*'\n - '* /c powershell*\\AppData\\Roaming\\\\*'\n", "detection_rule_title": "PowerShell Script Run in AppData", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 5662424435826129950}}
{"date_created": "2019-10-24T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_soundrec_audio_capture.yml", "date_modified": "2019-11-11T00:00:00", "description": "Detect attacker collecting audio via SoundRecorder application", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml", "https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html"], "customer": ["None"], "tactic": ["TA0009: Collection"], "dr_id": "83865853-59aa-449e-9600-74b9d89a6d6e", "technique": ["T1123: Audio Capture"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|contains: /FILE\n Image|endswith: \\SoundRecorder.exe\n", "detection_rule_title": "Audio Capture via SoundRecorder", "detection_rule_author": "E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 5490486126388286479}}
{"date_created": "2020-01-24T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_rdp_hijack_shadowing.yml", "date_modified": null, "description": "Detects RDP session hijacking by using MSTSC shadowing", "references": ["https://twitter.com/kmkz_security/status/1220694202301976576", "https://github.com/kmkz/Pentesting/blob/master/Post-Exploitation-Cheat-Sheet"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "6ba5a05f-b095-4f0a-8654-b825f4f16334", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|contains|all:\n - noconsentprompt\n - 'shadow:'\n", "detection_rule_title": "MSTSC Shadowing", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -2197758905999391568}}
{"date_created": "2019-02-24T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_apt_babyshark.yml", "date_modified": null, "description": "Detects activity that could be related to Baby Shark malware", "references": ["https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/"], "customer": ["None"], "tactic": ["TA0002: Execution", "TA0007: Discovery", "TA0005: Defense Evasion"], "dr_id": "2b30fa36-3a18-402f-a22d-bf4ce2189f35", "technique": ["T1059: Command-Line Interface", "T1086: PowerShell", "T1012: Query Registry", "T1170: Mshta"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - reg query \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\"\n - powershell.exe mshta.exe http*\n - cmd.exe /c taskkill /im cmd.exe\n", "detection_rule_title": "Baby Shark Activity", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -1599784412151948099}}
{"date_created": "2019-09-26T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_fsutil_usage.yml", "date_modified": "2019-11-11T00:00:00", "description": "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size..). Might be used by ransomwares during the attack (seen by NotPetya and others)", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml", "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "add64136-62e5-48ea-807e-88638d02df1e", "technique": ["T1070: Indicator Removal on Host"], "raw_detection_rule": "detection:\n binary_1:\n Image|endswith: \\fsutil.exe\n binary_2:\n OriginalFileName: fsutil.exe\n condition: (1 of binary_*) and selection\n selection:\n CommandLine|contains:\n - deletejournal\n - createjournal\n", "detection_rule_title": "Fsutil Suspicious Invocation", "detection_rule_author": "Ecco, E.M. Anhaus, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 5914103047840070182}}
{"date_created": "2018-08-22T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_commands_recon_activity.yml", "date_modified": "2018-12-11T00:00:00", "description": "Detects a set of commands often used in recon stages by different attack groups", "references": ["https://twitter.com/haroonmeer/status/939099379834658817", "https://twitter.com/c_APT_ure/status/939475433711722497", "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html"], "customer": ["None"], "tactic": ["TA0007: Discovery"], "dr_id": "2887e914-ce96-435f-8105-593937e90757", "technique": ["T1087: Account Discovery", "T1082: System Information Discovery"], "raw_detection_rule": "detection:\n condition: selection | count() by CommandLine > 4\n selection:\n CommandLine:\n - tasklist\n - net time\n - systeminfo\n - whoami\n - nbtstat\n - net start\n - '*\\net1 start'\n - qprocess\n - nslookup\n - hostname.exe\n - '*\\net1 user /domain'\n - '*\\net1 group /domain'\n - '*\\net1 group \"domain admins\" /domain'\n - '*\\net1 group \"Exchange Trusted Subsystem\" /domain'\n - '*\\net1 accounts /domain'\n - '*\\net1 user net localgroup administrators'\n - netstat -an\n timeframe: 15s\n", "detection_rule_title": "Reconnaissance Activity with Net Command", "detection_rule_author": "Florian Roth, Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -1343607417832304318}}
{"date_created": "2020-01-30T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_wsreset_uac_bypass.yml", "date_modified": null, "description": "Detects a method that uses Wsreset.exe tool that can be used to reset the Windows Store to bypass UAC", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", "https://www.activecyber.us/activelabs/windows-uac-bypass", "https://twitter.com/ReaQta/status/1222548288731217921"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "dr_id": "bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae", "technique": ["T1088: Bypass User Account Control"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n ParentImage|endswith:\n - \\WSreset.exe\nfields:\n- CommandLine\n", "detection_rule_title": "Wsreset UAC Bypass", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -756128939309282352}}
{"date_created": "2019-10-25T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_netsh_dll_persistence.yml", "date_modified": "2019-10-25T00:00:00", "description": "Detects persitence via netsh helper", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1128/T1128.md"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "56321594-9087-49d9-bf10-524fe8479452", "technique": ["T1128: Netsh Helper DLL"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|contains|all:\n - add\n - helper\n Image|endswith: \\netsh.exe\nfields:\n- ComputerName\n- User\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Suspicious Netsh DLL Persistence", "detection_rule_author": "Victor Sergeev, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "test", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -7962263660616383379}}
{"date_created": "2019-10-22T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_shadow_copies_access_symlink.yml", "date_modified": null, "description": "Shadow Copies storage symbolic link creation using operating systems utilities", "references": ["https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "40b19fa6-d835-400c-b301-41f3a2baacaf", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|contains|all:\n - mklink\n - HarddiskVolumeShadowCopy\n", "detection_rule_title": "Shadow Copies Access via Symlink", "detection_rule_author": "Teymur Kheirkhabarov, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -1904199704317189818}}
{"date_created": "2019-01-16T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_schtask_creation.yml", "date_modified": null, "description": "Detects the creation of scheduled tasks in user session", "references": "not defined", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0003: Persistence", "TA0004: Privilege Escalation"], "dr_id": "92626ddd-662c-49e3-ac59-f6535f12d189", "technique": ["T1053: Scheduled Task"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n User: NT AUTHORITY\\SYSTEM\n selection:\n CommandLine: '* /create *'\n Image: '*\\schtasks.exe'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Scheduled Task Creation", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -307575839076888415}}
{"date_created": "2017-01-01T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_webshell_detection.yml", "date_modified": "2019-10-26T00:00:00", "description": "Detects certain command line parameters often used during reconnaissance activity via web shells", "references": "not defined", "customer": ["None"], "tactic": ["TA0004: Privilege Escalation", "TA0003: Persistence"], "dr_id": "bed2a484-9348-4143-8a8a-b801c979301c", "technique": ["T1100: Web Shell"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - '*whoami*'\n - '*net user *'\n - '*ping -n *'\n - '*systeminfo'\n - '*&cd&echo*'\n - '*cd /d*'\n ParentImage:\n - '*\\apache*'\n - '*\\tomcat*'\n - '*\\w3wp.exe'\n - '*\\php-cgi.exe'\n - '*\\nginx.exe'\n - '*\\httpd.exe'\nfields:\n- CommandLine\n- ParentCommandLine\nreference:\n- https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html\n", "detection_rule_title": "Webshell Detection With Command Line Keywords", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -4964019783419582171}}
{"date_created": "2020-02-18T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_process_dump_rundll32_comsvcs.yml", "date_modified": null, "description": "Detects a process memory dump performed via ordinal function 24 in comsvcs.dll", "references": ["https://twitter.com/shantanukhande/status/1229348874298388484"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0006: Credential Access"], "dr_id": "646ea171-dded-4578-8a4d-65e9822892e3", "technique": ["T1036: Masquerading", "T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|contains:\n - comsvcs.dll,#24\n - comsvcs.dll,MiniDump\n", "detection_rule_title": "Process Dump via Rundll32 and Comsvcs.dll", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 2079401608016261920}}
{"date_created": "2020-04-01T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_html_help_spawn.yml", "date_modified": "2020-04-03T00:00:00", "description": "Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/"], "customer": ["None"], "tactic": ["TA0002: Execution", "TA0005: Defense Evasion"], "dr_id": "52cad028-0ff0-4854-8f67-d25dfcbc78b4", "technique": ["T1223: Compiled HTML File"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Image|endswith:\n - \\cmd.exe\n - \\powershell.exe\n - \\wscript.exe\n - \\cscript.exe\n - \\regsvr32.exe\n - \\wmic.exe\n - \\rundll32.exe\n ParentImage: C:\\Windows\\hh.exe\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "HTML Help Shell Spawn", "detection_rule_author": "Maxim Pavlunin", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 1243914737142241482}}
{"date_created": "2019-10-24T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_uac_wsreset.yml", "date_modified": "2019-11-11T00:00:00", "description": "Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.", "references": ["https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html"], "customer": ["None"], "tactic": ["TA0004: Privilege Escalation"], "dr_id": "d797268e-28a9-49a7-b9a8-2f5039011c5c", "technique": ["T1088: Bypass User Account Control"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n Image|endswith: \\conhost.exe\n selection:\n ParentImage|endswith: \\wsreset.exe\n", "detection_rule_title": "Bypass UAC via WSReset.exe", "detection_rule_author": "E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 6707472573285914571}}
{"date_created": "2019-01-29T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_netsh_port_fwd.yml", "date_modified": null, "description": "Detects netsh commands that configure a port forwarding", "references": ["https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html"], "customer": ["None"], "tactic": ["TA0008: Lateral Movement", "TA0011: Command and Control"], "dr_id": "322ed9ec-fcab-4f67-9a34-e7c6aef43614", "technique": ["T1090: Connection Proxy"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - netsh interface portproxy add v4tov4 *\n", "detection_rule_title": "Netsh Port Forwarding", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -4592432785257413167}}
{"date_created": "2019-10-24T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_dns_exfiltration_tools_execution.yml", "date_modified": null, "description": "Well-known DNS Exfiltration tools execution", "references": "not defined", "customer": ["None"], "tactic": ["TA0010: Exfiltration"], "dr_id": "98a96a5a-64a0-4c42-92c5-489da3866cb0", "technique": ["T1048: Exfiltration Over Alternative Protocol"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n - Image|endswith: '*\\iodine.exe'\n - Image|contains: \\dnscat2\n", "detection_rule_title": "DNS Exfiltration Tools Execution", "detection_rule_author": "Daniil Yugoslavskiy, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0001_4688_windows_process_creation", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 6389106665097145697}}
{"date_created": "2018-10-30T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_net_user_add.yml", "date_modified": "2019-11-11T00:00:00", "description": "Identifies creation of local users via the net.exe command", "references": ["https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.yaml"], "customer": ["None"], "tactic": ["TA0003: Persistence", "TA0006: Credential Access"], "dr_id": "cd219ff3-fa99-45d4-8380-a7d15116c6dc", "technique": ["T1136: Create Account"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|contains|all:\n - user\n - add\n Image|endswith:\n - \\net.exe\n - \\net1.exe\nfields:\n- ComputerName\n- User\n- CommandLine\n", "detection_rule_title": "Net.exe User Account Creation", "detection_rule_author": "Endgame, JHasenbusch (adapted to sigma for oscd.community)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -3518256896198199239}}
{"date_created": "2019-10-21T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_service_execution.yml", "date_modified": "2019-11-04T00:00:00", "description": "Detects manual service execution (start) via system utilities", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "2a072a96-a086-49fa-bcb5-15cc5a619093", "technique": ["T1035: Service Execution"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|contains: ' start '\n Image|endswith:\n - \\net.exe\n - \\net1.exe\n", "detection_rule_title": "Service Execution", "detection_rule_author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -2535525358450742095}}
{"date_created": "2019-10-26T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_cdb.yml", "date_modified": "2019-11-04T00:00:00", "description": "Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.", "references": ["https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml", "http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "dr_id": "b5c7395f-e501-4a08-94d4-57fe7a9da9d2", "technique": ["T1218: Signed Binary Proxy Execution"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|contains: -cf\n Image|endswith: \\cdb.exe\n", "detection_rule_title": "Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner", "detection_rule_author": "Beyu Denis, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -5878674202920768034}}
{"date_created": "2019-10-21T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_change_default_file_association.yml", "date_modified": "2019-11-04T00:00:00", "description": "When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1042/T1042.yaml"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "3d3aa6cd-6272-44d6-8afc-7e88dfef7061", "technique": ["T1042: Change Default File Association"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|contains|all:\n - cmd\n - /c\n - assoc\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\n", "detection_rule_title": "Change Default File Association", "detection_rule_author": "Timur Zinniatullin, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 2515905122781995371}}
{"date_created": "2019-01-16T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_malware_script_dropper.yml", "date_modified": null, "description": "Detects wscript/cscript executions of scripts located in user directories", "references": "not defined", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "dr_id": "cea72823-df4d-4567-950c-0b579eaf0846", "technique": ["T1064: Scripting"], "raw_detection_rule": "detection:\n condition: selection and not falsepositive\n falsepositive:\n ParentImage: '*\\winzip*'\n selection:\n CommandLine:\n - '* C:\\Users\\\\*.jse *'\n - '* C:\\Users\\\\*.vbe *'\n - '* C:\\Users\\\\*.js *'\n - '* C:\\Users\\\\*.vba *'\n - '* C:\\Users\\\\*.vbs *'\n - '* C:\\ProgramData\\\\*.jse *'\n - '* C:\\ProgramData\\\\*.vbe *'\n - '* C:\\ProgramData\\\\*.js *'\n - '* C:\\ProgramData\\\\*.vba *'\n - '* C:\\ProgramData\\\\*.vbs *'\n Image:\n - '*\\wscript.exe'\n - '*\\cscript.exe'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "WScript or CScript Dropper", "detection_rule_author": "Margaritis Dimitrios (idea), Florian Roth (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -173308810233460037}}
{"date_created": "2019-02-24T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_certutil_encode.yml", "date_modified": null, "description": "Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - certutil -f -encode *\n - certutil.exe -f -encode *\n - certutil -encode -f *\n - certutil.exe -encode -f *\n", "detection_rule_title": "Certutil Encode", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -3550603920152008304}}
{"date_created": "2020-01-28T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_dctask64_proc_inject.yml", "date_modified": null, "description": "Detects suspicious process injection using ZOHO's dctask64.exe", "references": ["https://twitter.com/gN3mes1s/status/1222088214581825540", "https://twitter.com/gN3mes1s/status/1222095963789111296", "https://twitter.com/gN3mes1s/status/1222095371175911424"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "6345b048-8441-43a7-9bed-541133633d7a", "technique": ["T1055: Process Injection"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n CommandLine|contains:\n - DesktopCentral_Agent\\agent\n selection:\n Image|endswith:\n - \\dctask64.exe\nfields:\n- CommandLine\n- ParentCommandLine\n- ParentImage\n", "detection_rule_title": "ZOHO Dctask64 Process Injection", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -2050514296678992841}}
{"date_created": "2017-09-15T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_exploit_cve_2017_8759.yml", "date_modified": null, "description": "Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759", "references": ["https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100", "https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "fdd84c68-a1f6-47c9-9477-920584f94905", "technique": ["T1203: Exploitation for Client Execution"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Image: '*\\csc.exe'\n ParentImage: '*\\WINWORD.EXE'\n", "detection_rule_title": "Exploit for CVE-2017-8759", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -6540596179379257449}}
{"date_created": "2019-04-02T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_apt_empiremonkey.yml", "date_modified": null, "description": "Detects EmpireMonkey APT reported Activity", "references": ["https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "10152a7b-b566-438f-a33c-390b607d1c8d", "technique": ["T1086: PowerShell"], "raw_detection_rule": "action: global\nadditions:\n- detection:\n selection_cutil:\n CommandLine:\n - '*/i:%APPDATA%\\logs.txt scrobj.dll'\n Image:\n - '*\\cutil.exe'\n selection_regsvr32:\n CommandLine:\n - '*/i:%APPDATA%\\logs.txt scrobj.dll'\n Description:\n - Microsoft(C) Registerserver\n logsource:\n category: process_creation\n product: windows\ndetection:\n condition: 1 of them\n", "detection_rule_title": "Empire Monkey", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 3873269630756751075}}
{"date_created": "2019-11-12T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_squirrel_lolbin.yml", "date_modified": null, "description": "Detects Possible Squirrel Packages Manager as Lolbin", "references": ["http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/", "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "fa4b21c9-0057-4493-b289-2556416ae4d7", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - '*--processStart*.exe*'\n - '*--processStartAndWait*.exe*'\n - '*--createShortcut*.exe*'\n Image:\n - '*\\update.exe'\n", "detection_rule_title": "Squirrel Lolbin", "detection_rule_author": "Karneades / Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -2320800201578193988}}
{"date_created": "2018-09-03T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_apt_emissarypanda_sep19.yml", "date_modified": null, "description": "Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27", "references": ["https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965", "https://twitter.com/cyb3rops/status/1168863899531132929"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "9aa01d62-7667-4d3b-acb8-8cb5103e2014", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Image: '*\\svchost.exe'\n ParentImage: '*\\sllauncher.exe'\n", "detection_rule_title": "Emissary Panda Malware SLLauncher", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 4214589048568333684}}
{"date_created": "2018-04-06T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_office_shell.yml", "date_modified": null, "description": "Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio.", "references": ["https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html"], "customer": ["None"], "tactic": ["TA0002: Execution", "TA0005: Defense Evasion"], "dr_id": "438025f9-5856-4663-83f7-52f878a70a50", "technique": ["T1059: Command-Line Interface", "T1202: Indirect Command Execution"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Image:\n - '*\\cmd.exe'\n - '*\\powershell.exe'\n - '*\\wscript.exe'\n - '*\\cscript.exe'\n - '*\\sh.exe'\n - '*\\bash.exe'\n - '*\\scrcons.exe'\n - '*\\schtasks.exe'\n - '*\\regsvr32.exe'\n - '*\\hh.exe'\n - '*\\wmic.exe'\n - '*\\mshta.exe'\n - '*\\rundll32.exe'\n - '*\\msiexec.exe'\n - '*\\forfiles.exe'\n - '*\\scriptrunner.exe'\n - '*\\mftrace.exe'\n - '*\\AppVLP.exe'\n - '*\\svchost.exe'\n ParentImage:\n - '*\\WINWORD.EXE'\n - '*\\EXCEL.EXE'\n - '*\\POWERPNT.exe'\n - '*\\MSPUB.exe'\n - '*\\VISIO.exe'\n - '*\\OUTLOOK.EXE'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Microsoft Office Product Spawning Windows Shell", "detection_rule_author": "Michael Haag, Florian Roth, Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -2714828929292046185}}
{"date_created": "2018-11-17T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_powershell_b64_shellcode.yml", "date_modified": null, "description": "Detects Base64 encoded Shellcode", "references": ["https://twitter.com/cyb3rops/status/1063072865992523776"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "2d117e49-e626-4c7c-bd1f-c3c0147774c8", "technique": ["T1036: Masquerading"], "raw_detection_rule": "detection:\n condition: selection1 and selection2\n selection1:\n CommandLine: '*AAAAYInlM*'\n selection2:\n CommandLine:\n - '*OiCAAAAYInlM*'\n - '*OiJAAAAYInlM*'\n", "detection_rule_title": "PowerShell Base64 Encoded Shellcode", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -7904930574436013118}}
{"date_created": "2019-10-01T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_malware_qbot.yml", "date_modified": null, "description": "Detects QBot like process executions", "references": ["https://twitter.com/killamjr/status/1179034907932315648", "https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "4fcac6eb-0287-4090-8eea-2602e4c20040", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection1 or selection2\n selection1:\n Image: '*\\wscript.exe'\n ParentImage: '*\\WinRAR.exe'\n selection2:\n CommandLine: '* /c ping.exe -n 6 127.0.0.1 & type *'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "QBot Process Creation", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 8897002401933397587}}
{"date_created": "2019-10-21T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_local_system_owner_account_discovery.yml", "date_modified": "2019-11-04T00:00:00", "description": "Local accounts, System Owner/User discovery using operating systems utilities", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml"], "customer": ["None"], "tactic": ["TA0007: Discovery"], "dr_id": "502b42de-4306-40b4-9596-6f590c81f073", "technique": ["T1033: System Owner/User Discovery", "T1087: Account Discovery"], "raw_detection_rule": "detection:\n condition: (selection_1 and not filter_1) or ( selection_2 and not filter_2)\n filter_1:\n CommandLine|contains:\n - ' rmdir '\n filter_2:\n CommandLine|contains:\n - /domain\n - /add\n - /delete\n - /active\n - /expires\n - /passwordreq\n - /scriptpath\n - /times\n - /workstations\n selection_1:\n - Image|endswith: \\whoami.exe\n - CommandLine|contains|all:\n - useraccount\n - get\n Image|endswith: \\wmic.exe\n - Image|endswith:\n - \\quser.exe\n - \\qwinsta.exe\n - CommandLine|contains: /list\n Image|endswith: \\cmdkey.exe\n - CommandLine|contains|all:\n - /c\n - 'dir '\n - \\Users\\\n Image|endswith: \\cmd.exe\n selection_2:\n CommandLine|contains: user\n Image|endswith:\n - \\net.exe\n - \\net1.exe\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\n", "detection_rule_title": "Local Accounts Discovery", "detection_rule_author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 1838832880386324309}}
{"date_created": "2019-01-16T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_regsvr32_anomalies.yml", "date_modified": null, "description": "Detects various anomalies in relation to regsvr32.exe", "references": ["https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "dr_id": "8e2b24c9-4add-46a0-b4bb-0057b4e6187d", "technique": ["T1117: Regsvr32"], "raw_detection_rule": "detection:\n condition: 1 of them\n selection1:\n CommandLine: '*\\Temp\\\\*'\n Image: '*\\regsvr32.exe'\n selection2:\n Image: '*\\regsvr32.exe'\n ParentImage: '*\\powershell.exe'\n selection3:\n Image: '*\\regsvr32.exe'\n ParentImage: '*\\cmd.exe'\n selection4:\n CommandLine:\n - '*/i:http* scrobj.dll'\n - '*/i:ftp* scrobj.dll'\n Image: '*\\regsvr32.exe'\n selection5:\n Image: '*\\wscript.exe'\n ParentImage: '*\\regsvr32.exe'\n selection6:\n CommandLine: '*..\\..\\..\\Windows\\System32\\regsvr32.exe *'\n Image: '*\\EXCEL.EXE'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Regsvr32 Anomaly", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -2450032299474464798}}
{"date_created": "2019-01-16T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_webshell_spawn.yml", "date_modified": "2020-03-25T00:00:00", "description": "Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack", "references": "not defined", "customer": ["None"], "tactic": ["TA0004: Privilege Escalation", "TA0003: Persistence"], "dr_id": "8202070f-edeb-4d31-a010-a26c72ac5600", "technique": ["T1100: Web Shell"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Image:\n - '*\\cmd.exe'\n - '*\\sh.exe'\n - '*\\bash.exe'\n - '*\\powershell.exe'\n - '*\\bitsadmin.exe'\n ParentImage:\n - '*\\w3wp.exe'\n - '*\\httpd.exe'\n - '*\\nginx.exe'\n - '*\\php-cgi.exe'\n - '*\\tomcat.exe'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Shells Spawned by Web Servers", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -5346884026001353533}}
{"date_created": "2019-10-24T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_uac_cmstp.yml", "date_modified": "2019-11-11T00:00:00", "description": "Detect child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe).", "references": ["https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1191/T1191.md"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "dr_id": "e66779cc-383e-4224-a3a4-267eeb585c40", "technique": ["T1191: CMSTP", "T1088: Bypass User Account Control"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|contains:\n - /s\n - /au\n Image|endswith: \\cmstp.exe\nfields:\n- ComputerName\n- User\n- CommandLine\n", "detection_rule_title": "Bypass UAC via CMSTP", "detection_rule_author": "E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 5984957660006008310}}
{"date_created": "2019-10-22T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_silenttrinity_stage_use.yml", "date_modified": "2019-11-04T00:00:00", "description": "Detects SILENTTRINITY stager use", "references": ["https://github.com/byt3bl33d3r/SILENTTRINITY"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "03552375-cc2c-4883-bbe4-7958d5a980be", "technique": ["not defined"], "raw_detection_rule": "action: global\nadditions:\n- logsource:\n category: process_creation\n product: windows\n- detection:\n selection:\n EventID: 7\n logsource:\n product: windows\n service: sysmon\ndetection:\n condition: selection\n selection:\n Description|contains: st2stager\n", "detection_rule_title": "SILENTTRINITY Stager Execution", "detection_rule_author": "Aleksey Potapov, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0001_4688_windows_process_creation", "DN_0011_7_windows_sysmon_image_loaded", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0006_windows_sysmon_image_loaded", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 3436428572934574197}}
{"date_created": "2019-10-30T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_run_powershell_script_from_ads.yml", "date_modified": null, "description": "Detects PowerShell script execution from Alternate Data Stream (ADS)", "references": ["https://github.com/p0shkatz/Get-ADS/blob/master/Get-ADS.ps1"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "45a594aa-1fbd-4972-a809-ff5a99dd81b8", "technique": ["T1096: NTFS File Attributes"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|contains|all:\n - Get-Content\n - -Stream\n Image|endswith: \\powershell.exe\n ParentImage|endswith: \\powershell.exe\n", "detection_rule_title": "Run PowerShell Script from ADS", "detection_rule_author": "Sergey Soldatov, Kaspersky Lab, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 5558719852322318307}}
{"date_created": "2018-03-23T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_apt_chafer_mar18.yml", "date_modified": "2019-03-01T00:00:00", "description": "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018", "references": ["https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/"], "customer": ["None"], "tactic": ["TA0003: Persistence", "TA0005: Defense Evasion"], "dr_id": "53ba33fd-3a50-4468-a5ef-c583635cfa92", "technique": ["T1053: Scheduled Task", "T1112: Modify Registry"], "raw_detection_rule": "action: global\nadditions:\n- detection:\n selection_service:\n EventID: 7045\n ServiceName:\n - SC Scheduled Scan\n - UpdatMachine\n logsource:\n product: windows\n service: system\n- detection:\n selection_service:\n EventID: 4698\n TaskName:\n - SC Scheduled Scan\n - UpdatMachine\n logsource:\n product: windows\n service: security\n- detection:\n selection_reg1:\n EventID: 13\n EventType: SetValue\n TargetObject:\n - '*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UMe'\n - '*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UT'\n selection_reg2:\n Details: DWORD (0x00000001)\n EventID: 13\n EventType: SetValue\n TargetObject: '*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential'\n logsource:\n product: windows\n service: sysmon\n- detection:\n selection_process1:\n CommandLine:\n - '*\\Service.exe i'\n - '*\\Service.exe u'\n - '*\\microsoft\\Taskbar\\autoit3.exe'\n - C:\\wsc.exe*\n selection_process2:\n Image: '*\\Windows\\Temp\\DB\\\\*.exe'\n selection_process3:\n CommandLine: '*\\nslookup.exe -q=TXT*'\n ParentImage: '*\\Autoit*'\n logsource:\n category: process_creation\n product: windows\ndetection:\n condition: 1 of them\n", "detection_rule_title": "Chafer Activity", "detection_rule_author": "Florian Roth, Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "System", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Service Control Manager", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0064_4698_scheduled_task_was_created", "DN_0005_7045_windows_service_insatalled", "DN_0017_13_windows_sysmon_RegistryEvent", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0041_windows_audit_other_object_access_events", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 5028093265114630674}}
{"date_created": "2020-03-20T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_powershell_downgrade_attack.yml", "date_modified": null, "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", "references": ["http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "dr_id": "b3512211-c67e-4707-bedc-66efc7848863", "technique": ["T1086: PowerShell"], "raw_detection_rule": "action: global\ndetection:\n condition: selection\n selection:\n CommandLine|contains:\n - ' -version 2 '\n - ' -versio 2 '\n - ' -versi 2 '\n - ' -vers 2 '\n - ' -ver 2 '\n - ' -ve 2 '\n Image|endswith: \\powershell.exe\nrelated:\n- id: 6331d09b-4785-4c13-980f-f96661356249\n type: derived\n", "detection_rule_title": "PowerShell Downgrade Attack", "detection_rule_author": "Harish Segar (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 2119268757728655822}}
{"date_created": "2019-12-30T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_copy_lateral_movement.yml", "date_modified": null, "description": "Detects a suspicious copy command from a remote C$ or ADMIN$ share", "references": ["https://twitter.com/SBousseaden/status/1211636381086339073"], "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "dr_id": "855bc8b5-2ae8-402e-a9ed-b889e6df1900", "technique": ["T1077: Windows Admin Shares", "T1105: Remote File Copy"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|contains:\n - copy *\\c$\n - copy *\\ADMIN$\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Copy from Admin Share", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 3115830417327301257}}
{"date_created": "2018-01-31T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_apt_elise.yml", "date_modified": null, "description": "Detects Elise backdoor acitivty as used by APT32", "references": ["https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "e507feb7-5f73-4ef6-a970-91bb6f6d744f", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: 1 of them\n selection1:\n CommandLine: '*\\Windows\\Caches\\NavShExt.dll *'\n Image: C:\\Windows\\SysWOW64\\cmd.exe\n selection2:\n CommandLine: '*\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll,Setting'\n", "detection_rule_title": "Elise Backdoor", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 2683014734052932679}}
{"date_created": "2019-10-24T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_lsass_dump.yml", "date_modified": "2019-11-11T00:00:00", "description": "Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.", "references": ["https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html", "https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.yaml"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "ffa6861c-4461-4f59-8a41-578c39f3f23e", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection1 and not selection2 or selection3\n selection1:\n CommandLine|contains|all:\n - lsass\n - .dmp\n selection2:\n Image|endswith: \\werfault.exe\n selection3:\n CommandLine|contains: lsass\n Image|contains: \\procdump\n Image|endswith: .exe\nfields:\n- ComputerName\n- User\n- CommandLine\n", "detection_rule_title": "LSASS Memory Dumping", "detection_rule_author": "E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 8185822104039460123}}
{"date_created": "2019-02-09T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_calc.yml", "date_modified": null, "description": "Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion", "references": ["https://twitter.com/ItsReallyNick/status/1094080242686312448"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "737e618a-a410-49b5-bec3-9e55ff7fbc15", "technique": ["T1036: Masquerading"], "raw_detection_rule": "detection:\n condition: selection1 or ( selection2 and not filter2 )\n filter2:\n Image: '*\\Windows\\Sys*'\n selection1:\n CommandLine: '*\\calc.exe *'\n selection2:\n Image: '*\\calc.exe'\n", "detection_rule_title": "Suspicious Calculator Usage", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -3836839688615144389}}
{"date_created": "2019-10-22T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_rundll32_by_ordinal.yml", "date_modified": null, "description": "Detects suspicious calls of DLLs in rundll32.dll exports by ordinal", "references": ["https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/", "https://github.com/Neo23x0/DLLRunner", "https://twitter.com/cyb3rops/status/1186631731543236608"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "dr_id": "e79a9e79-eb72-4e78-a628-0e7e8f59e89c", "technique": ["T1085: Rundll32"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine: '*\\rundll32.exe *,#*'\n", "detection_rule_title": "Suspicious Call by Ordinal", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 3630434179390861084}}
{"date_created": "2019-09-30T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_malware_formbook.yml", "date_modified": "2019-10-31T00:00:00", "description": "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.", "references": ["https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer", "https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/", "https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/", "https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "032f5fb3-d959-41a5-9263-4173c802dc2b", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - '* /c del \"C:\\Users\\\\*\\AppData\\Local\\Temp\\\\*.exe'\n - '* /c del \"C:\\Users\\\\*\\Desktop\\\\*.exe'\n - '* /C type nul > \"C:\\Users\\\\*\\Desktop\\\\*.exe'\n ParentCommandLine:\n - C:\\Windows\\System32\\\\*.exe\n - C:\\Windows\\SysWOW64\\\\*.exe\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Formbook Process Creation", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -864955810425394632}}
{"date_created": "2019-08-30T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml", "date_modified": null, "description": "Detects some Empire PowerShell UAC bypass methods", "references": ["https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0004: Privilege Escalation"], "dr_id": "3268b746-88d8-4cd3-bffc-30077d02c787", "technique": ["T1088: Bypass User Account Control"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - '* -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)*'\n - '* -NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);*'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Empire PowerShell UAC Bypass", "detection_rule_author": "Ecco", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 6611517093400117045}}
{"date_created": "2019-11-08T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml", "date_modified": null, "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888", "references": "not defined", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "4bf943c6-5146-4273-98dd-e958fd1e3abf", "technique": ["T1027: Obfuscated Files or Information"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n - CommandLine|re: \\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[\n - CommandLine|re: \\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[\n - CommandLine|re: \\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[\n - CommandLine|re: \\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}\n - CommandLine|re: \\*mdr\\*\\W\\s*\\)\\.Name\n - CommandLine|re: \\$VerbosePreference\\.ToString\\(\n - CommandLine|re: \\String\\]\\s*\\$VerbosePreference\n", "detection_rule_title": "Invoke-Obfuscation Obfuscated IEX Invocation", "detection_rule_author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 2025710122840331738}}
{"date_created": "2018-10-30T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_procdump.yml", "date_modified": "2019-10-14T00:00:00", "description": "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.", "references": ["Internal Research"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0006: Credential Access"], "dr_id": "5afee48e-67dd-4e03-a783-f74259dcf998", "technique": ["T1036: Masquerading", "T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: ( selection1 and selection2 ) or selection3\n selection1:\n CommandLine:\n - '* -ma *'\n selection2:\n CommandLine:\n - '* lsass*'\n selection3:\n CommandLine:\n - '* -ma ls*'\n", "detection_rule_title": "Suspicious Use of Procdump", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 7837969599807071182}}
{"date_created": "2017-11-27T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_system_exe_anomaly.yml", "date_modified": null, "description": "Detects a Windows program executable started in a suspicious folder", "references": ["https://twitter.com/GelosSnake/status/934900723426439170"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "e4a6b256-3e47-40fc-89d2-7a477edd6915", "technique": ["T1036: Masquerading"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n Image:\n - C:\\Windows\\System32\\\\*\n - C:\\Windows\\system32\\\\*\n - C:\\Windows\\SysWow64\\\\*\n - C:\\Windows\\SysWOW64\\\\*\n - C:\\Windows\\explorer.exe\n - C:\\Windows\\winsxs\\\\*\n - C:\\Windows\\WinSxS\\\\*\n - \\SystemRoot\\System32\\\\*\n selection:\n Image:\n - '*\\svchost.exe'\n - '*\\rundll32.exe'\n - '*\\services.exe'\n - '*\\powershell.exe'\n - '*\\regsvr32.exe'\n - '*\\spoolsv.exe'\n - '*\\lsass.exe'\n - '*\\smss.exe'\n - '*\\csrss.exe'\n - '*\\conhost.exe'\n - '*\\wininit.exe'\n - '*\\lsm.exe'\n - '*\\winlogon.exe'\n - '*\\explorer.exe'\n - '*\\taskhost.exe'\nfields:\n- ComputerName\n- User\n- Image\n", "detection_rule_title": "System File Execution Location Anomaly", "detection_rule_author": "Florian Roth, Patrick Bareiss", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0001_4688_windows_process_creation", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 2456976798230951936}}
{"date_created": "2019-01-16T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_execution_path.yml", "date_modified": null, "description": "Detects a suspicious exection from an uncommon folder", "references": "not defined", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "3dfd06d2-eaf4-4532-9555-68aca59f57c4", "technique": ["T1036: Masquerading"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Image:\n - '*\\$Recycle.bin'\n - '*\\Users\\All Users\\\\*'\n - '*\\Users\\Default\\\\*'\n - '*\\Users\\Public\\\\*'\n - C:\\Perflogs\\\\*\n - '*\\config\\systemprofile\\\\*'\n - '*\\Windows\\Fonts\\\\*'\n - '*\\Windows\\IME\\\\*'\n - '*\\Windows\\addins\\\\*'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Execution in Non-Executable Folder", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0001_4688_windows_process_creation", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 1900828016478950063}}
{"date_created": "2019-10-24T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_hwp_exploits.yml", "date_modified": null, "description": "Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation", "references": ["https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/", "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1", "https://twitter.com/cyberwar_15/status/1187287262054076416", "https://blog.alyac.co.kr/1901", "https://en.wikipedia.org/wiki/Hangul_(word_processor)"], "customer": ["None"], "tactic": ["TA0002: Execution", "TA0005: Defense Evasion", "TA0001: Initial Access"], "dr_id": "023394c4-29d5-46ab-92b8-6a534c6f447b", "technique": ["T1059: Command-Line Interface", "T1202: Indirect Command Execution", "T1193: Spearphishing Attachment"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Image: '*\\gbb.exe'\n ParentImage: '*\\Hwp.exe'\n", "detection_rule_title": "Suspicious HWP Sub Processes", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 8351500612182883576}}
{"date_created": "2018-12-04T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_apt_apt29_thinktanks.yml", "date_modified": null, "description": "This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks", "references": ["https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "033fe7d6-66d1-4240-ac6b-28908009c71f", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine: '*-noni -ep bypass $*'\n", "detection_rule_title": "APT29", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 6834790736239047389}}
{"date_created": "2019-10-24T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_hh_chm.yml", "date_modified": "2019-11-11T00:00:00", "description": "Identifies usage of hh.exe executing recently modified .chm files.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1223/T1223.yaml", "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "dr_id": "68c8acb4-1b60-4890-8e82-3ddf7a6dba84", "technique": ["T1223: Compiled HTML File"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|contains: .chm\n Image|endswith: \\hh.exe\nfields:\n- ComputerName\n- User\n- CommandLine\n", "detection_rule_title": "HH.exe Execution", "detection_rule_author": "E.M. Anhaus (orignally from Atomic Blue Detections, Dan Beavin), oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 6078566199879949562}}
{"date_created": "2018-12-19T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_hack_rubeus.yml", "date_modified": null, "description": "Detects command line parameters used by Rubeus hack tool", "references": ["https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "7ec2c172-dceb-4c10-92c9-87c1881b7e18", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - '* asreproast *'\n - '* dump /service:krbtgt *'\n - '* kerberoast *'\n - '* createnetonly /program:*'\n - '* ptt /ticket:*'\n - '* /impersonateuser:*'\n - '* renew /ticket:*'\n - '* asktgt /user:*'\n - '* harvest /interval:*'\n", "detection_rule_title": "Rubeus Hack Tool", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 2757996797713994605}}
{"date_created": "2018-11-20T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_apt_unidentified_nov_18.yml", "date_modified": "2018-12-11T00:00:00", "description": "A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.", "references": ["https://twitter.com/DrunkBinary/status/1063075530180886529"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "7453575c-a747-40b9-839b-125a0aae324b", "technique": ["T1085: Rundll32"], "raw_detection_rule": "action: global\nadditions:\n- detection:\n selection1:\n CommandLine: '*cyzfc.dat, PointFunctionCall'\n logsource:\n category: process_creation\n product: windows\n- detection:\n selection2:\n EventID: 11\n TargetFilename:\n - '*ds7002.lnk*'\n logsource:\n product: windows\n service: sysmon\ndetection:\n condition: 1 of them\n", "detection_rule_title": "Unidentified Attacker November 2018", "detection_rule_author": "@41thexplorer, Microsoft Defender ATP", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "stable", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0015_11_windows_sysmon_FileCreate", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0008_windows_sysmon_FileCreate", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -3163366126505673500}}
{"date_created": "2012-12-11T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_iss_module_install.yml", "date_modified": null, "description": "Detects suspicious IIS native-code module installations via command line", "references": ["https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "9465ddf4-f9e4-4ebd-8d98-702df3a93239", "technique": ["T1100: Web Shell"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - '*\\APPCMD.EXE install module /name:*'\n", "detection_rule_title": "IIS Native-Code Module Command Line Installation", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -2635494639821476654}}
{"date_created": "2019-10-23T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_service_stop.yml", "date_modified": "2019-11-08T00:00:00", "description": "Detects a windows service to be stopped", "references": "not defined", "customer": ["None"], "tactic": ["TA0040: Impact"], "dr_id": "eb87818d-db5d-49cc-a987-d5da331fbd90", "technique": ["T1489: Service Stop"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n - CommandLine|contains: stop\n Image|endswith:\n - \\sc.exe\n - \\net.exe\n - \\net1.exe\nfields:\n- ComputerName\n- User\n- CommandLine\n", "detection_rule_title": "Stop Windows Service", "detection_rule_author": "Jakob Weinzettl, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 7390807013366198157}}
{"date_created": "2019-11-20T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_exploit_cve_2019_1388.yml", "date_modified": null, "description": "Detects an explotation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM", "references": ["https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388", "https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege"], "customer": ["None"], "tactic": ["TA0004: Privilege Escalation"], "dr_id": "02e0b2ea-a597-428e-b04a-af6a1a403e5c", "technique": ["T1068: Exploitation for Privilege Escalation"], "raw_detection_rule": "detection:\n condition: selection and ( rights1 or rights2 )\n rights1:\n IntegrityLevel: System\n rights2:\n User: NT AUTHORITY\\SYSTEM\n selection:\n CommandLine: '* http*'\n Image: '*\\iexplore.exe'\n ParentImage: '*\\consent.exe'\n", "detection_rule_title": "Exploiting CVE-2019-1388", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -4111656338875452189}}
{"date_created": "2017-10-14T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_exec_folder.yml", "date_modified": "2019-02-21T00:00:00", "description": "Detects process starts of binaries from a suspicious folder", "references": ["https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", "https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "7a38aa19-86a9-4af7-ac51-6bfe4e59f254", "technique": ["T1036: Masquerading"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Image:\n - C:\\PerfLogs\\\\*\n - C:\\$Recycle.bin\\\\*\n - C:\\Intel\\Logs\\\\*\n - C:\\Users\\Default\\\\*\n - C:\\Users\\Public\\\\*\n - C:\\Users\\NetworkService\\\\*\n - C:\\Windows\\Fonts\\\\*\n - C:\\Windows\\Debug\\\\*\n - C:\\Windows\\Media\\\\*\n - C:\\Windows\\Help\\\\*\n - C:\\Windows\\addins\\\\*\n - C:\\Windows\\repair\\\\*\n - C:\\Windows\\security\\\\*\n - '*\\RSA\\MachineKeys\\\\*'\n - C:\\Windows\\system32\\config\\systemprofile\\\\*\n - C:\\Windows\\Tasks\\\\*\n - C:\\Windows\\System32\\Tasks\\\\*\n", "detection_rule_title": "Executables Started in Suspicious Folder", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0001_4688_windows_process_creation", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 2266794606716452257}}
{"date_created": "2019-09-26T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_eventlog_clear.yml", "date_modified": "2019-11-11T00:00:00", "description": "Detects clearing or configuration of eventlogs uwing wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others)", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml", "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "cc36992a-4671-4f21-a91d-6c2b72a2edf5", "technique": ["T1070: Indicator Removal on Host"], "raw_detection_rule": "detection:\n condition: 1 of selection_other_* or (selection_wevtutil_binary and selection_wevtutil_command)\n selection_other_ps:\n CommandLine|contains:\n - Clear-EventLog\n - Remove-EventLog\n - Limit-EventLog\n Image|endswith: \\powershell.exe\n selection_other_wmic:\n CommandLine|contains: ' ClearEventLog '\n Image|endswith: \\wmic.exe\n selection_wevtutil_binary:\n Image|endswith: \\wevtutil.exe\n selection_wevtutil_command:\n CommandLine|contains:\n - clear-log\n - ' cl '\n - set-log\n - ' sl '\n", "detection_rule_title": "Suspicious Eventlog Clear or Configuration Using Wevtutil", "detection_rule_author": "Ecco, Daniil Yugoslavskiy, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -7395046424561450047}}
{"date_created": "2019-10-24T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml", "date_modified": null, "description": "Execution of well known tools for data exfiltration and tunneling", "references": "not defined", "customer": ["None"], "tactic": ["TA0010: Exfiltration"], "dr_id": "c75309a3-59f8-4a8d-9c2c-4c927ad50555", "technique": ["T1020: Automated Exfiltration"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n NewProcessName|endswith:\n - \\plink.exe\n - \\socat.exe\n - \\stunnel.exe\n - \\httptunnel.exe\n", "detection_rule_title": "Exfiltration and Tunneling Tools Execution", "detection_rule_author": "Daniil Yugoslavskiy, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0001_4688_windows_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 5449879107267567854}}
{"date_created": "2017-11-23T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_exploit_cve_2017_11882.yml", "date_modified": null, "description": "Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe", "references": ["https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100", "https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "678eb5f4-8597-4be6-8be7-905e4234b53a", "technique": ["T1211: Exploitation for Defense Evasion"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n ParentImage: '*\\EQNEDT32.EXE'\nfields:\n- CommandLine\n", "detection_rule_title": "Droppers Exploiting CVE-2017-11882", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -5562658232387578873}}
{"date_created": "2019-01-16T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_certutil_command.yml", "date_modified": "2019-01-22T00:00:00", "description": "Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility", "references": ["https://twitter.com/JohnLaTwC/status/835149808817991680", "https://twitter.com/subTee/status/888102593838362624", "https://twitter.com/subTee/status/888071631528235010", "https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/", "https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/", "https://twitter.com/egre55/status/1087685529016193025", "https://lolbas-project.github.io/lolbas/Binaries/Certutil/"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "e011a729-98a6-4139-b5c4-bf6f6dd8239a", "technique": ["T1140: Deobfuscate/Decode Files or Information", "T1105: Remote File Copy"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - '* -decode *'\n - '* /decode *'\n - '* -decodehex *'\n - '* /decodehex *'\n - '* -urlcache *'\n - '* /urlcache *'\n - '* -verifyctl *'\n - '* /verifyctl *'\n - '* -encode *'\n - '* /encode *'\n - '*certutil* -URL*'\n - '*certutil* /URL*'\n - '*certutil* -ping*'\n - '*certutil* /ping*'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Suspicious Certutil Command", "detection_rule_author": "Florian Roth, juju4, keepwatch", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 4626329698266198191}}
{"date_created": "2019-12-28T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_malware_trickbot_recon_activity.yml", "date_modified": null, "description": "Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. This detectors attempts to identify that activity based off a command rarely observed in an enterprise network.", "references": ["https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "410ad193-a728-4107-bc79-4419789fcbf8", "technique": ["T1482: Domain Trust Discovery"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - /domain_trusts /all_trusts\n - /domain_trusts\n Image:\n - '*\\nltest.exe'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Trickbot Malware Recon Activity", "detection_rule_author": "David Burkett", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 4577730038651757936}}
{"date_created": "2019-10-24T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_remote_time_discovery.yml", "date_modified": "2019-11-11T00:00:00", "description": "Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.", "references": ["https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"], "customer": ["None"], "tactic": ["TA0007: Discovery"], "dr_id": "b243b280-65fe-48df-ba07-6ddea7646427", "technique": ["T1124: System Time Discovery"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n - CommandLine|contains: time\n Image|endswith:\n - \\net.exe\n - \\net1.exe\n - CommandLine|contains: tz\n Image|endswith: \\w32tm.exe\n - CommandLine|contains: Get-Date\n Image|endswith: \\powershell.exe\n", "detection_rule_title": "Discovery of a System Time", "detection_rule_author": "E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 8367533576086630995}}
{"date_created": "2019-03-22T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_etw_trace_evasion.yml", "date_modified": null, "description": "Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", "https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mal_lockergoga.yml", "https://abuse.io/lockergoga.txt"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "a238b5d0-ce2d-4414-a676-7a531b3d13d6", "technique": ["T1070: Indicator Removal on Host"], "raw_detection_rule": "detection:\n condition: selection_clear_1 or selection_clear_2 or selection_disable_1 or selection_disable_2\n selection_clear_1:\n CommandLine: '* cl */Trace*'\n selection_clear_2:\n CommandLine: '* clear-log */Trace*'\n selection_disable_1:\n CommandLine: '* sl* /e:false*'\n selection_disable_2:\n CommandLine: '* set-log* /e:false*'\n", "detection_rule_title": "Disable of ETW Trace", "detection_rule_author": "@neu5ron, Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 1912621005640103892}}
{"date_created": "2018-04-08T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_apt_dragonfly.yml", "date_modified": null, "description": "Detects CrackMapExecWin Activity as Described by NCSC", "references": ["https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "04d9079e-3905-4b70-ad37-6bdf11304965", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Image:\n - '*\\crackmapexec.exe'\n", "detection_rule_title": "CrackMapExecWin", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0001_4688_windows_process_creation", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -7123431878890392992}}
{"date_created": "2020-03-25T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_ps_downloadfile.yml", "date_modified": null, "description": "Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line", "references": ["https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "8f70ac5f-1f6f-4f8e-b454-db19561216c5", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|contains|all:\n - powershell\n - .DownloadFile\n - System.Net.WebClient\n", "detection_rule_title": "PowerShell DownloadFile", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -2807047513569807010}}
{"date_created": "2019-04-17T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_renamed_paexec.yml", "date_modified": null, "description": "Detects execution of renamed paexec via imphash and executable product string", "references": ["sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "7b0666ad-3e38-4e3d-9bab-78b06de85f7b", "technique": ["T1036: Masquerading"], "raw_detection_rule": "detection:\n condition: (selection1 and selection2) and not filter1\n filter1:\n Image: '*paexec*'\n selection1:\n Product:\n - '*PAExec*'\n selection2:\n Imphash:\n - 11D40A7B7876288F919AB819CC2D9802\n - 6444f8a34e99b8f7d9647de66aabe516\n - dfd6aa3f7b2b1035b76b718f1ddc689f\n - 1a6cca4d5460b1710a12dea39e4a592c\n", "detection_rule_title": "Execution of Renamed PaExec", "detection_rule_author": "Jason Lynch", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -2427890844048131190}}
{"date_created": "2019-10-22T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_shadow_copies_creation.yml", "date_modified": null, "description": "Shadow Copies creation using operating systems utilities, possible credential access", "references": ["https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "b17ea6f7-6e90-447e-a799-e6c0a493d6ce", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|contains|all:\n - shadow\n - create\n NewProcessName|endswith:\n - \\powershell.exe\n - \\wmic.exe\n - \\vssadmin.exe\n", "detection_rule_title": "Shadow Copies Creation Using Operating Systems Utilities", "detection_rule_author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -6024294542086107330}}
{"date_created": "2019-10-24T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_mshta_javascript.yml", "date_modified": "2019-11-11T00:00:00", "description": "Identifies suspicious mshta.exe commands", "references": ["https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1170/T1170.yaml"], "customer": ["None"], "tactic": ["TA0002: Execution", "TA0005: Defense Evasion"], "dr_id": "67f113fa-e23d-4271-befa-30113b3e08b1", "technique": ["T1170: Mshta"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|contains: javascript\n Image|endswith: \\mshta.exe\nfields:\n- ComputerName\n- User\n- CommandLine\n", "detection_rule_title": "Mshta JavaScript Execution", "detection_rule_author": "E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -5500503643274499282}}
{"date_created": "2019-10-22T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml", "date_modified": "2019-11-13T00:00:00", "description": "Files with well-known filenames (sensitive files with credential data) copying", "references": ["https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "e7be6119-fc37-43f0-ad4f-1f3f99be2f9f", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n - CommandLine|contains:\n - vss\n - ' /m '\n - ' /y '\n Image|endswith: \\esentutl.exe\n - CommandLine|contains:\n - \\windows\\ntds\\ntds.dit\n - \\config\\sam\n - \\config\\security\n - '\\config\\system '\n - \\repair\\sam\n - \\repair\\system\n - \\repair\\security\n - \\config\\RegBack\\sam\n - \\config\\RegBack\\system\n - \\config\\RegBack\\security\n", "detection_rule_title": "Copying Sensitive Files with Credential Data", "detection_rule_author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -8071684757889705755}}
{"date_created": "2019-08-27T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_control_panel_item.yml", "date_modified": null, "description": "Detects the use of a control panel item (.cpl) outside of the System32 folder", "references": "not defined", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0005: Defense Evasion"], "dr_id": "0ba863e6-def5-4e50-9cea-4dd8c7dc46a4", "technique": ["T1196: Control Panel Items"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n CommandLine:\n - '*\\System32\\\\*'\n - '*%System%*'\n selection:\n CommandLine: '*.cpl'\nreference:\n- https://attack.mitre.org/techniques/T1196/\n", "detection_rule_title": "Control Panel Items", "detection_rule_author": "Kyaw Min Thein", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 5170787835653631231}}
{"date_created": "2018-12-12T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_mavinject_proc_inj.yml", "date_modified": null, "description": "Detects process injection using the signed Windows tool Mavinject32.exe", "references": ["https://twitter.com/gN3mes1s/status/941315826107510784", "https://reaqta.com/2017/12/mavinject-microsoft-injector/", "https://twitter.com/Hexacorn/status/776122138063409152"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "17eb8e57-9983-420d-ad8a-2c4976c22eb8", "technique": ["T1055: Process Injection", "T1218: Signed Binary Proxy Execution"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine: '* /INJECTRUNNING *'\n", "detection_rule_title": "MavInject Process Injection", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 7112521024673033725}}
{"date_created": "2019-08-24T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_csc_folder.yml", "date_modified": "2019-12-17T00:00:00", "description": "Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)", "references": ["https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/", "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/", "https://twitter.com/gN3mes1s/status/1206874118282448897"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "dcaa3f04-70c3-427a-80b4-b870d73c94c4", "technique": ["T1500: Compile After Delivery"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n ParentImage:\n - C:\\Program Files*\n - '*\\sdiagnhost.exe'\n - '*\\w3wp.exe'\n selection:\n CommandLine:\n - '*\\AppData\\\\*'\n - '*\\Windows\\Temp\\\\*'\n Image: '*\\csc.exe'\n", "detection_rule_title": "Suspicious Csc.exe Source File Folder", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -37044131189808031}}
{"date_created": "2019-01-15T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_prog_location_process_starts.yml", "date_modified": null, "description": "Detects programs running in suspicious files system locations", "references": ["https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "f50bfd8b-e2a3-4c15-9373-7900b5a4c6d5", "technique": ["T1036: Masquerading"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Image:\n - '*\\$Recycle.bin'\n - '*\\Users\\Public\\\\*'\n - C:\\Perflogs\\\\*\n - '*\\Windows\\Fonts\\\\*'\n - '*\\Windows\\IME\\\\*'\n - '*\\Windows\\addins\\\\*'\n - '*\\Windows\\debug\\\\*'\n", "detection_rule_title": "Suspicious Program Location Process Starts", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0001_4688_windows_process_creation", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -3128602364249674431}}
{"date_created": "2018-03-17T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_tscon_localsystem.yml", "date_modified": null, "description": "Detects a tscon.exe start as LOCAL SYSTEM", "references": ["http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6"], "customer": ["None"], "tactic": ["TA0011: Command and Control"], "dr_id": "9847f263-4a81-424f-970c-875dab15b79b", "technique": ["T1219: Remote Access Tools"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Image: '*\\tscon.exe'\n User: NT AUTHORITY\\SYSTEM\n", "detection_rule_title": "Suspicious TSCON Start", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 1975462377383972618}}
{"date_created": "2019-10-30T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_apt_mustangpanda.yml", "date_modified": null, "description": "Detects specific process parameters as used by Mustang Panda droppers", "references": ["https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/", "https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/", "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "2d87d610-d760-45ee-a7e6-7a6f2a65de00", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: 1 of them\n selection1:\n CommandLine:\n - '*Temp\\wtask.exe /create*'\n - '*%windir:~-3,1%%PUBLIC:~-9,1%*'\n - '*/E:vbscript * C:\\Users\\*.txt\" /F'\n - '*/tn \"Security Script *'\n - '*%windir:~-1,1%*'\n selection2:\n Image:\n - '*Temp\\winwsh.exe'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Mustang Panda Dropper", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -1839776897179535558}}
{"date_created": "2019-01-16T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_cmstp_com_object_access.yml", "date_modified": "2019-07-31T00:00:00", "description": "Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects", "references": ["http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", "https://twitter.com/hFireF0X/status/897640081053364225"], "customer": ["TESTCUSTOMER2", "TESTCUSTOMER"], "tactic": ["TA0005: Defense Evasion", "TA0004: Privilege Escalation", "TA0002: Execution"], "dr_id": "4b60e6f2-bf39-47b4-b4ea-398e33cfe253", "technique": ["T1088: Bypass User Account Control", "T1191: CMSTP"], "raw_detection_rule": "detection:\n condition: selection1 and selection2\n selection1:\n ParentCommandLine: '*\\DllHost.exe'\n selection2:\n ParentCommandLine:\n - '*{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'\n - '*{3E000D72-A845-4CD9-BD83-80C07C3B881F}'\nfields:\n- CommandLine\n- ParentCommandLine\n- Hashes\n", "detection_rule_title": "CMSTP UAC Bypass via COM Object Access", "detection_rule_author": "Nik Seetharaman", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "stable", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -8200580087331203949}}
{"date_created": "2019-10-26T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml", "date_modified": "2019-11-11T00:00:00", "description": "Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand", "references": ["https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://pentestlab.blog/2017/03/30/weak-service-permissions/"], "customer": ["None"], "tactic": ["TA0004: Privilege Escalation"], "dr_id": "d937b75f-a665-4480-88a5-2f20e9f9b22a", "technique": ["T1134: Access Token Manipulation"], "raw_detection_rule": "detection:\n binpath:\n CommandLine|contains|all:\n - config\n - binPath\n condition: scbynonadmin and (binpath or failurecommand)\n failurecommand:\n CommandLine|contains|all:\n - failure\n - command\n scbynonadmin:\n Image|endswith: \\sc.exe\n IntegrityLevel: Medium\n", "detection_rule_title": "Possible Privilege Escalation via Weak Service Permissions", "detection_rule_author": "Teymur Kheirkhabarov", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -5856751077811742550}}
{"date_created": "2019-01-16T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_ntdsutil.yml", "date_modified": null, "description": "Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)", "references": ["https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "2afafd61-6aae-4df4-baed-139fa1f4c345", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine: '*\\ntdsutil*'\n", "detection_rule_title": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 423276063178392131}}
{"date_created": "2019-10-14T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_codepage_switch.yml", "date_modified": null, "description": "Detects a code page switch in command line or batch scripts to a rare language", "references": ["https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers", "https://twitter.com/cglyer/status/1183756892952248325"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "c7942406-33dd-4377-a564-0f62db0593a3", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - chcp* 936\n - chcp* 1258\nfields:\n- ParentCommandLine\n", "detection_rule_title": "Suspicious Code Page Switch", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 3083743542985423985}}
{"date_created": "2019-10-21T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_new_service_creation.yml", "date_modified": "2019-11-04T00:00:00", "description": "Detects creation if a new service", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1050/T1050.yaml"], "customer": ["None"], "tactic": ["TA0003: Persistence", "TA0004: Privilege Escalation"], "dr_id": "7fe71fc9-de3b-432a-8d57-8c809efc10ab", "technique": ["T1050: New Service"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n - CommandLine|contains|all:\n - create\n - binpath\n Image|endswith: \\sc.exe\n - CommandLine|contains: new-service\n Image|endswith: \\powershell.exe\n", "detection_rule_title": "New Service Creation", "detection_rule_author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 836910124068123709}}
{"date_created": "2019-08-23T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_encoded_iex.yml", "date_modified": null, "description": "Detects a base64 encoded IEX command string in a process command line", "references": "not defined", "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "88f680b8-070e-402c-ae11-d2914f2257f1", "technique": ["T1086: PowerShell", "T1140: Deobfuscate/Decode Files or Information"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|base64offset|contains:\n - IEX ([\n - iex ([\n - iex (New\n - IEX (New\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Encoded IEX", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 2570364394408386578}}
{"date_created": "2020-02-07T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_apt_gallium.yml", "date_modified": null, "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", "references": ["https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)"], "customer": ["None"], "tactic": ["TA0006: Credential Access", "TA0011: Command and Control"], "dr_id": "440a56bf-7873-4439-940a-1c8a671073c2", "technique": ["not defined"], "raw_detection_rule": "action: global\nadditions:\n- detection:\n condition: exec_selection\n exec_selection:\n sha1:\n - 53a44c2396d15c3a03723fa5e5db54cafd527635\n - 9c5e496921e3bc882dc40694f1dcc3746a75db19\n - aeb573accfd95758550cf30bf04f389a92922844\n - 79ef78a797403a4ed1a616c68e07fff868a8650a\n - 4f6f38b4cec35e895d91c052b1f5a83d665c2196\n - 1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\n - e841a63e47361a572db9a7334af459ddca11347a\n - c28f606df28a9bc8df75a4d5e5837fc5522dd34d\n - 2e94b305d6812a9f96e6781c888e48c7fb157b6b\n - dd44133716b8a241957b912fa6a02efde3ce3025\n - 8793bf166cb89eb55f0593404e4e933ab605e803\n - a39b57032dbb2335499a51e13470a7cd5d86b138\n - 41cc2b15c662bc001c0eb92f6cc222934f0beeea\n - d209430d6af54792371174e70e27dd11d3def7a7\n - 1c6452026c56efd2c94cea7e0f671eb55515edb0\n - c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\n - 4923d460e22fbbf165bbbaba168e5a46b8157d9f\n - f201504bd96e81d0d350c3a8332593ee1c9e09de\n - ddd2db1127632a2a52943a2fe516a2e7d05d70d2\n logsource:\n category: process_creation\n product: windows\n- detection:\n c2_selection:\n EventID: 257\n QNAME:\n - asyspy256.ddns.net\n - hotkillmail9sddcc.ddns.net\n - rosaf112.ddns.net\n - cvdfhjh1231.myftp.biz\n - sz2016rose.ddns.net\n - dffwescwer4325.myftp.biz\n - cvdfhjh1231.ddns.net\n condition: c2_selection\n logsource:\n product: windows\n service: dns-server\n- detection:\n condition: legitimate_executable and not legitimate_process_path\n legitimate_executable:\n sha1:\n - e570585edc69f9074cb5e8a790708336bd45ca0f\n legitimate_process_path:\n Image|contains:\n - :\\Program Files(x86)\\\n - :\\Program Files\\\n logsource:\n category: process_creation\n product: windows\n", "detection_rule_title": "GALLIUM Artefacts", "detection_rule_author": "Tim Burrell", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 2842048309751583885}}
{"date_created": "2018-12-11T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_cli_escape.yml", "date_modified": "2020-03-14T00:00:00", "description": "Detects suspicious process that use escape characters", "references": ["https://twitter.com/vysecurity/status/885545634958385153", "https://twitter.com/Hexacorn/status/885553465417756673", "https://twitter.com/Hexacorn/status/885570278637678592", "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html", "http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd", "technique": ["T1140: Deobfuscate/Decode Files or Information"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - '*h^t^t^p*'\n - '*h\"t\"t\"p*'\n", "detection_rule_title": "Suspicious Commandline Escape", "detection_rule_author": "juju4", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 3710898888497360342}}
{"date_created": "2019-01-16T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_bypass_squiblytwo.yml", "date_modified": null, "description": "Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash", "references": ["https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html", "https://twitter.com/mattifestation/status/986280382042595328"], "customer": ["TESTCUSTOMER2", "TESTCUSTOMER"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "8d63dadf-b91b-4187-87b6-34a1114577ea", "technique": ["T1047: Windows Management Instrumentation"], "raw_detection_rule": "detection:\n condition: 1 of them\n selection1:\n CommandLine:\n - wmic * *format:\\\"http*\n - wmic * /format:'http\n - wmic * /format:http*\n Image:\n - '*\\wmic.exe'\n selection2:\n CommandLine:\n - '* *format:\\\"http*'\n - '* /format:''http'\n - '* /format:http*'\n Imphash:\n - 1B1A3F43BF37B5BFE60751F2EE2F326E\n - 37777A96245A3C74EB217308F3546F4C\n - 9D87C9D67CE724033C0B40CC4CA1B206\n", "detection_rule_title": "SquiblyTwo", "detection_rule_author": "Markus Neis / Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 748821495019281621}}
{"date_created": "2019-03-04T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_apt_equationgroup_dll_u_load.yml", "date_modified": null, "description": "Detects a specific tool and export used by EquationGroup", "references": ["https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=", "https://securelist.com/apt-slingshot/84312/", "https://twitter.com/cyb3rops/status/972186477512839170"], "customer": ["None"], "tactic": ["TA0002: Execution", "TA0005: Defense Evasion"], "dr_id": "d465d1d8-27a2-4cca-9621-a800f37cf72e", "technique": ["T1059: Command-Line Interface", "T1085: Rundll32"], "raw_detection_rule": "detection:\n condition: 1 of them\n selection1:\n CommandLine: '*,dll_u'\n Image: '*\\rundll32.exe'\n selection2:\n CommandLine: '* -export dll_u *'\n", "detection_rule_title": "Equation Group DLL_U Load", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -3411207515506332421}}
{"date_created": "2018-02-22T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_exploit_cve_2017_0261.yml", "date_modified": null, "description": "Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262", "references": ["https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html"], "customer": ["TESTCUSTOMER"], "tactic": ["TA0005: Defense Evasion", "TA0004: Privilege Escalation"], "dr_id": "864403a1-36c9-40a2-a982-4c9a45f7d833", "technique": ["T1055: Process Injection"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Image: '*\\FLTLDR.exe*'\n ParentImage: '*\\WINWORD.EXE'\n", "detection_rule_title": "Exploit for CVE-2017-0261", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 7191311280259246338}}
{"date_created": "2019-01-16T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_recon_activity.yml", "date_modified": null, "description": "Detects suspicious command line activity on Windows systems", "references": "not defined", "customer": ["None"], "tactic": ["TA0007: Discovery"], "dr_id": "d95de845-b83c-4a9a-8a6a-4fc802ebf6c0", "technique": ["T1087: Account Discovery"], "raw_detection_rule": "analysis:\n recommendation: Check if the user that executed the commands is suspicious (e.g.\n service accounts, LOCAL_SYSTEM)\ndetection:\n condition: selection\n selection:\n CommandLine:\n - net group \"domain admins\" /domain\n - net localgroup administrators\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Suspicious Reconnaissance Activity", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 657932915109011363}}
{"date_created": "2019-10-11T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml", "date_modified": null, "description": "Detects a WMi backdoor in Exchange Transport Agents via WMi event filters", "references": ["https://twitter.com/cglyer/status/1182389676876980224", "https://twitter.com/cglyer/status/1182391019633029120"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "797011dc-44f4-4e6f-9f10-a8ceefbe566b", "technique": ["T1084: Windows Management Instrumentation Event Subscription"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n ParentImage: '*\\EdgeTransport.exe'\n", "detection_rule_title": "WMI Backdoor Exchange Transport Agent", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 4939978636352098497}}
{"date_created": "2019-02-07T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_bcdedit.yml", "date_modified": null, "description": "Detects, possibly, malicious unauthorized usage of bcdedit.exe", "references": ["https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0003: Persistence"], "dr_id": "c9fbe8e9-119d-40a6-9b59-dd58a5d84429", "technique": ["T1070: Indicator Removal on Host", "T1067: Bootkit"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n NewProcessName: '*\\bcdedit.exe'\n ProcessCommandLine:\n - '*delete*'\n - '*deletevalue*'\n - '*import*'\n", "detection_rule_title": "Possible Ransomware or Unauthorized MBR Modifications", "detection_rule_author": "@neu5ron", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -9209893091602659125}}
{"date_created": "2019-10-26T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_possible_privilege_escalation_using_rotten_potato.yml", "date_modified": "2019-11-11T00:00:00", "description": "Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE privileges", "references": ["https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/"], "customer": ["None"], "tactic": ["TA0004: Privilege Escalation"], "dr_id": "6c5808ee-85a2-4e56-8137-72e5876a5096", "technique": ["T1134: Access Token Manipulation"], "raw_detection_rule": "detection:\n condition: selection and not rundllexception\n rundllexception:\n CommandLine|contains: DavSetCookie\n Image|endswith: \\rundll32.exe\n selection:\n ParentUser:\n - NT AUTHORITY\\NETWORK SERVICE\n - NT AUTHORITY\\LOCAL SERVICE\n User: NT AUTHORITY\\SYSTEM\nenrichment:\n- EN_0001_cache_sysmon_event_id_1_info\n- EN_0002_enrich_sysmon_event_id_1_with_parent_info\n", "detection_rule_title": "Detection of Possible Rotten Potato", "detection_rule_author": "Teymur Kheirkhabarov", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["EN_0001_cache_sysmon_event_id_1_info", "EN_0002_enrich_sysmon_event_id_1_with_parent_info"], "enrichment_requirements": ["not defined", ["EN_0001_cache_sysmon_event_id_1_info"]]}
{"index": {"_id": -3982396317829210883}}
{"date_created": "2019-02-21T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_apt_judgement_panda_gtr19.yml", "date_modified": null, "description": "Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike", "references": ["https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/"], "customer": ["None"], "tactic": ["TA0008: Lateral Movement", "TA0006: Credential Access", "TA0010: Exfiltration"], "dr_id": "03e2746e-2b31-42f1-ab7a-eb39365b2422", "technique": ["T1098: Account Manipulation", "T1002: Data Compressed"], "raw_detection_rule": "detection:\n condition: selection1 or selection2\n selection1:\n CommandLine:\n - '*\\ldifde.exe -f -n *'\n - '*\\7za.exe a 1.7z *'\n - '* eprod.ldf'\n - '*\\aaaa\\procdump64.exe*'\n - '*\\aaaa\\netsess.exe*'\n - '*\\aaaa\\7za.exe*'\n - '*copy .\\1.7z \\\\*'\n - '*copy \\\\client\\c$\\aaaa\\\\*'\n selection2:\n Image: C:\\Users\\Public\\7za.exe\n", "detection_rule_title": "Judgement Panda Exfil Activity", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -8825561609093237766}}
{"date_created": "2018-03-23T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_ping_hex_ip.yml", "date_modified": null, "description": "Detects a ping command that uses a hex encoded IP address", "references": ["https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna", "https://twitter.com/vysecurity/status/977198418354491392"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "1a0d4aba-7668-4365-9ce4-6d79ab088dfd", "technique": ["T1140: Deobfuscate/Decode Files or Information", "T1027: Obfuscated Files or Information"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - '*\\ping.exe 0x*'\n - '*\\ping 0x*'\nfields:\n- ParentCommandLine\n", "detection_rule_title": "Ping Hex IP", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -5263182418629931555}}
{"date_created": "2019-10-26T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml", "date_modified": "2019-11-11T00:00:00", "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting", "references": ["https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/"], "customer": ["None"], "tactic": ["TA0004: Privilege Escalation"], "dr_id": "15619216-e993-4721-b590-4c520615a67d", "technique": ["T1134: Access Token Manipulation"], "raw_detection_rule": "detection:\n condition: selection_1 and selection_2 and not filter1\n filter1:\n CommandLine|contains: MpCmdRun\n selection_1:\n ParentImage|endswith: \\services.exe\n selection_2:\n - CommandLine|contains:\n - cmd\n - comspec\n - CommandLine|contains|all:\n - cmd\n - /c\n - echo\n - \\pipe\\\n - CommandLine|contains|all:\n - '%COMSPEC%'\n - /c\n - echo\n - \\pipe\\\n - CommandLine|contains|all:\n - rundll32\n - .dll,a\n - '/p:'\nfields:\n- ComputerName\n- User\n- CommandLine\n", "detection_rule_title": "Meterpreter or Cobalt Strike Getsystem Service Start", "detection_rule_author": "Teymur Kheirkhabarov", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -2248193940428430470}}
{"date_created": "2018-03-13T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_taskmgr_parent.yml", "date_modified": null, "description": "Detects the creation of a process from Windows task manager", "references": "not defined", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "3d7679bd-0c00-440c-97b0-3f204273e6c7", "technique": ["T1036: Masquerading"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n Image:\n - '*\\resmon.exe'\n - '*\\mmc.exe'\n - '*\\taskmgr.exe'\n selection:\n ParentImage: '*\\taskmgr.exe'\nfields:\n- Image\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Taskmgr as Parent", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 6116098078838210307}}
{"date_created": "2018-04-06T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_shell_spawn_susp_program.yml", "date_modified": "2019-02-05T00:00:00", "description": "Detects a suspicious child process of a Windows shell", "references": ["https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html"], "customer": ["None"], "tactic": ["TA0002: Execution", "TA0005: Defense Evasion"], "dr_id": "3a6586ad-127a-4d3b-a677-1e6eacdf8fde", "technique": ["T1064: Scripting"], "raw_detection_rule": "detection:\n condition: selection and not falsepositives\n falsepositives:\n CurrentDirectory: '*\\ccmcache\\\\*'\n selection:\n Image:\n - '*\\schtasks.exe'\n - '*\\nslookup.exe'\n - '*\\certutil.exe'\n - '*\\bitsadmin.exe'\n - '*\\mshta.exe'\n ParentImage:\n - '*\\mshta.exe'\n - '*\\powershell.exe'\n - '*\\rundll32.exe'\n - '*\\cscript.exe'\n - '*\\wscript.exe'\n - '*\\wmiprvse.exe'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Windows Shell Spawning Suspicious Program", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -6270922442278509645}}
{"date_created": "2019-10-24T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_netsh_packet_capture.yml", "date_modified": null, "description": "Detects capture a network trace via netsh.exe trace functionality", "references": ["https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/"], "customer": ["None"], "tactic": ["TA0007: Discovery"], "dr_id": "d3c3861d-c504-4c77-ba55-224ba82d0118", "technique": ["T1040: Network Sniffing"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|contains|all:\n - netsh\n - trace\n - start\n", "detection_rule_title": "Capture a Network Trace with netsh.exe", "detection_rule_author": "Kutepov Anton, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -5880781878462366249}}
{"date_created": "2019-12-20T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_apt_wocao.yml", "date_modified": null, "description": "Detects activity mentioned in Operation Wocao report", "references": ["https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/", "https://twitter.com/SBousseaden/status/1207671369963646976"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "74ad4314-482e-4c3e-b237-3f7ed3b9ca8d", "technique": ["not defined"], "raw_detection_rule": "action: global\nadditions:\n- detection:\n condition: selection\n selection:\n EventID: 4799\n GroupName: Administrators\n ProcessName: '*\\checkadmin.exe'\n logsource:\n product: windows\n service: security\n- detection:\n condition: selection\n selection:\n CommandLine|contains:\n - checkadmin.exe 127.0.0.1 -all\n - netsh advfirewall firewall add rule name=powershell dir=in\n - cmd /c powershell.exe -ep bypass -file c:\\s.ps1\n - /tn win32times /f\n - create win32times binPath=\n - \\c$\\windows\\system32\\devmgr.dll\n - ' -exec bypass -enc JgAg'\n - type *keepass\\KeePass.config.xml\n - iie.exe iie.txt\n - reg query HKEY_CURRENT_USER\\Software\\*\\PuTTY\\Sessions\\\n logsource:\n category: process_creation\n product: windows\n", "detection_rule_title": "Operation Wocao Activity", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 5051501703471390101}}
{"date_created": "2017-06-12T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_plugx_susp_exe_locations.yml", "date_modified": null, "description": "Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location", "references": ["http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/", "https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "aeab5ec5-be14-471a-80e8-e344418305c2", "technique": ["T1073: DLL Side-Loading"], "raw_detection_rule": "detection:\n condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame\n and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or\n ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc\n ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc\n ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not\n filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview\n and not filter_oleview ) or ( selection_rc and not filter_rc )\n filter_cammute:\n Image: '*\\Lenovo\\Communication Utility\\\\*'\n filter_chrome_frame:\n Image: '*\\Google\\Chrome\\application\\\\*'\n filter_devemu:\n Image: '*\\Microsoft Device Emulator\\\\*'\n filter_gadget:\n Image: '*\\Windows Media Player\\\\*'\n filter_hcc:\n Image: '*\\HTML Help Workshop\\\\*'\n filter_hkcmd:\n Image:\n - '*\\System32\\\\*'\n - '*\\SysNative\\\\*'\n - '*\\SysWowo64\\\\*'\n filter_mc:\n Image:\n - '*\\Microsoft Visual Studio*'\n - '*\\Microsoft SDK*'\n - '*\\Windows Kit*'\n filter_msmpeng:\n Image:\n - '*\\Microsoft Security Client\\\\*'\n - '*\\Windows Defender\\\\*'\n - '*\\AntiMalware\\\\*'\n filter_msseces:\n Image:\n - '*\\Microsoft Security Center\\\\*'\n - '*\\Microsoft Security Client\\\\*'\n - '*\\Microsoft Security Essentials\\\\*'\n filter_oinfo:\n Image: '*\\Common Files\\Microsoft Shared\\\\*'\n filter_oleview:\n Image:\n - '*\\Microsoft Visual Studio*'\n - '*\\Microsoft SDK*'\n - '*\\Windows Kit*'\n - '*\\Windows Resource Kit\\\\*'\n filter_rc:\n Image:\n - '*\\Microsoft Visual Studio*'\n - '*\\Microsoft SDK*'\n - '*\\Windows Kit*'\n - '*\\Windows Resource Kit\\\\*'\n - '*\\Microsoft.NET\\\\*'\n selection_cammute:\n Image: '*\\CamMute.exe'\n selection_chrome_frame:\n Image: '*\\chrome_frame_helper.exe'\n selection_devemu:\n Image: '*\\dvcemumanager.exe'\n selection_gadget:\n Image: '*\\Gadget.exe'\n selection_hcc:\n Image: '*\\hcc.exe'\n selection_hkcmd:\n Image: '*\\hkcmd.exe'\n selection_mc:\n Image: '*\\Mc.exe'\n selection_msmpeng:\n Image: '*\\MsMpEng.exe'\n selection_msseces:\n Image: '*\\msseces.exe'\n selection_oinfo:\n Image: '*\\OInfoP11.exe'\n selection_oleview:\n Image: '*\\OleView.exe'\n selection_rc:\n Image: '*\\rc.exe'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Executable Used by PlugX in Uncommon Location", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0001_4688_windows_process_creation", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 1470830459920287377}}
{"date_created": "2019-01-16T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_mshta_spawn_shell.yml", "date_modified": null, "description": "Detects a Windows command line executable started from MSHTA.", "references": ["https://www.trustedsec.com/july-2015/malicious-htas/"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "dr_id": "03cc0c25-389f-4bf8-b48d-11878079f1ca", "technique": ["T1170: Mshta"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Image:\n - '*\\cmd.exe'\n - '*\\powershell.exe'\n - '*\\wscript.exe'\n - '*\\cscript.exe'\n - '*\\sh.exe'\n - '*\\bash.exe'\n - '*\\reg.exe'\n - '*\\regsvr32.exe'\n - '*\\BITSADMIN*'\n ParentImage: '*\\mshta.exe'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "MSHTA Spawning Windows Shell", "detection_rule_author": "Michael Haag", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 6820084408919061901}}
{"date_created": "2018-06-07T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_lethalhta.yml", "date_modified": null, "description": "Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described in report", "references": ["https://codewhitesec.blogspot.com/2018/07/lethalhta.html"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "dr_id": "ed5d72a6-f8f4-479d-ba79-02f6a80d7471", "technique": ["T1170: Mshta"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Image: '*\\mshta.exe'\n ParentImage: '*\\svchost.exe'\n", "detection_rule_title": "MSHTA Spwaned by SVCHOST", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 5570246797567936859}}
{"date_created": "2019-12-22T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_hktl_createminidump.yml", "date_modified": null, "description": "Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine", "references": ["https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "36d88494-1d43-4dc0-b3fa-35c8fea0ca9d", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "action: global\nadditions:\n- detection:\n condition: 1 of them\n selection1:\n Image|contains: \\CreateMiniDump.exe\n selection2:\n Imphash: 4a07f944a83e8a7c2525efa35dd30e2f\n logsource:\n category: process_creation\n product: windows\n- detection:\n condition: 1 of them\n selection:\n EventID: 11\n TargetFileName|contains: '*\\lsass.dmp'\n logsource:\n product: windows\n service: sysmon\n", "detection_rule_title": "CreateMiniDump Hacktool", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0015_11_windows_sysmon_FileCreate", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0008_windows_sysmon_FileCreate", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -8379501165958882249}}
{"date_created": "2019-01-16T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_cmd_http_appdata.yml", "date_modified": null, "description": "Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)", "references": ["https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100", "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "1ac8666b-046f-4201-8aba-1951aaec03a3", "technique": ["T1059: Command-Line Interface"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - cmd.exe /c *http://*%AppData%\n - cmd.exe /c *https://*%AppData%\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Command Line Execution with Suspicious URL and AppData Strings", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 3171746695730286839}}
{"date_created": "2017-11-10T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_mal_adwind.yml", "date_modified": "2018-12-11T00:00:00", "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", "references": ["https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "1fac1481-2dbc-48b2-9096-753c49b4ec71", "technique": ["T1064: Scripting"], "raw_detection_rule": "action: global\nadditions:\n- detection:\n selection:\n CommandLine:\n - '*\\AppData\\Roaming\\Oracle*\\java*.exe *'\n - '*cscript.exe *Retrive*.vbs *'\n logsource:\n category: process_creation\n product: windows\n- detection:\n selection:\n EventID: 11\n TargetFilename:\n - '*\\AppData\\Roaming\\Oracle\\bin\\java*.exe'\n - '*\\Retrive*.vbs'\n logsource:\n product: windows\n service: sysmon\n- detection:\n selection:\n Details: '%AppData%\\Roaming\\Oracle\\bin\\\\*'\n EventID: 13\n TargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run*\n logsource:\n product: windows\n service: sysmon\ndetection:\n condition: selection\n", "detection_rule_title": "Adwind RAT / JRAT", "detection_rule_author": "Florian Roth, Tom Ueltschi", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0015_11_windows_sysmon_FileCreate", "DN_0017_13_windows_sysmon_RegistryEvent", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0008_windows_sysmon_FileCreate", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 4878508375882604608}}
{"date_created": "2019-10-23T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_file_permission_modifications.yml", "date_modified": "2019-11-08T00:00:00", "description": "Detects a file or folder permissions modifications", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "37ae075c-271b-459b-8d7b-55ad5f993dd8", "technique": ["T1222: File and Directory Permissions Modification"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n - CommandLine|contains: /grant\n Image|endswith:\n - \\takeown.exe\n - \\cacls.exe\n - \\icacls.exe\n - CommandLine|contains: -r\n Image|endswith: \\attrib.exe\nfields:\n- ComputerName\n- User\n- CommandLine\n", "detection_rule_title": "File or Folder Permissions Modifications", "detection_rule_author": "Jakob Weinzettl, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 8190070994641487068}}
{"date_created": "2018-03-17T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_tscon_rdp_redirect.yml", "date_modified": "2018-12-11T00:00:00", "description": "Detects a suspicious RDP session redirect using tscon.exe", "references": ["http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6"], "customer": ["None"], "tactic": ["TA0008: Lateral Movement", "TA0004: Privilege Escalation"], "dr_id": "f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb", "technique": ["T1076: Remote Desktop Protocol"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine: '* /dest:rdp-tcp:*'\n", "detection_rule_title": "Suspicious RDP Redirect Using TSCON", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 318989871236998272}}
{"date_created": "2019-10-23T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_dsquery_domain_trust_discovery.yml", "date_modified": "2019-11-08T00:00:00", "description": "Detects a discovery of domain trusts", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.yaml"], "customer": ["None"], "tactic": ["TA0007: Discovery"], "dr_id": "77815820-246c-47b8-9741-e0def3f57308", "technique": ["T1482: Domain Trust Discovery"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n - CommandLine|contains|all:\n - -filter\n - trustedDomain\n Image|endswith: \\dsquery.exe\n - CommandLine|contains: domain_trusts\n Image|endswith: \\nltest.exe\n", "detection_rule_title": "Domain Trust Discovery", "detection_rule_author": "Jakob Weinzettl, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 6190929153540266507}}
{"date_created": "2017-07-20T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_apt_zxshell.yml", "date_modified": null, "description": "Detects a ZxShell start by the called and well-known function name", "references": ["https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100"], "customer": ["None"], "tactic": ["TA0002: Execution", "TA0005: Defense Evasion"], "dr_id": "f0b70adb-0075-43b0-9745-e82a1c608fcc", "technique": ["T1059: Command-Line Interface", "T1085: Rundll32"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Command:\n - rundll32.exe *,zxFunction*\n - rundll32.exe *,RemoteDiskXXXXX\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "ZxShell Malware", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 707060609313762088}}
{"date_created": "2019-11-14T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_msiexec_cwd.yml", "date_modified": null, "description": "Detects suspicious msiexec process starts in an uncommon directory", "references": ["https://twitter.com/200_okay_/status/1194765831911215104"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144", "technique": ["T1036: Masquerading"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n Image:\n - C:\\Windows\\System32\\\\*\n - C:\\Windows\\SysWOW64\\\\*\n - C:\\Windows\\WinSxS\\\\*\n selection:\n Image: '*\\msiexec.exe'\n", "detection_rule_title": "Suspicious MsiExec Directory", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0001_4688_windows_process_creation", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -7291667900262170900}}
{"date_created": "2019-11-01T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_firewall_disable.yml", "date_modified": null, "description": "Detects netsh commands that turns off the Windows firewall", "references": ["https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/", "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "57c4bf16-227f-4394-8ec7-1b745ee061c3", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - netsh firewall set opmode mode=disable\n - netsh advfirewall set * state off\n", "detection_rule_title": "Firewall Disabled via Netsh", "detection_rule_author": "Fatih Sirin", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 3312479176973441867}}
{"date_created": "2019-06-26T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_double_extension.yml", "date_modified": null, "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns", "references": ["https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html", "https://twitter.com/blackorbird/status/1140519090961825792"], "customer": ["None"], "tactic": ["TA0001: Initial Access"], "dr_id": "1cdd9a09-06c9-4769-99ff-626e2b3991b8", "technique": ["T1193: Spearphishing Attachment"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Image:\n - '*.doc.exe'\n - '*.docx.exe'\n - '*.xls.exe'\n - '*.xlsx.exe'\n - '*.ppt.exe'\n - '*.pptx.exe'\n - '*.rtf.exe'\n - '*.pdf.exe'\n - '*.txt.exe'\n - '* .exe'\n - '*______.exe'\n", "detection_rule_title": "Suspicious Double Extension", "detection_rule_author": "Florian Roth (rule), @blu3_team (idea)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0001_4688_windows_process_creation", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 318989871236998272}}
{"date_created": "2019-10-24T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_trust_discovery.yml", "date_modified": "2019-11-11T00:00:00", "description": "Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md", "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html"], "customer": ["None"], "tactic": ["TA0007: Discovery"], "dr_id": "3bad990e-4848-4a78-9530-b427d854aac0", "technique": ["T1482: Domain Trust Discovery"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n - CommandLine|contains: domain_trusts\n Image|endswith: \\nltest.exe\n - CommandLine|contains: trustedDomain\n Image|endswith: \\dsquery.exe\n", "detection_rule_title": "Domain Trust Discovery", "detection_rule_author": "E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 6752430838622882564}}
{"date_created": "2019-06-15T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_renamed_binary_highly_relevant.yml", "date_modified": null, "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", "references": ["https://attack.mitre.org/techniques/T1036/", "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "0ba1da6d-b6ce-4366-828c-18826c9de23e", "technique": ["T1036: Masquerading"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n Image:\n - '*\\powershell.exe'\n - '*\\powershell_ise.exe'\n - '*\\psexec.exe'\n - '*\\psexec64.exe'\n - '*\\cscript.exe'\n - '*\\wscript.exe'\n - '*\\mshta.exe'\n - '*\\regsvr32.exe'\n - '*\\wmic.exe'\n - '*\\certutil.exe'\n - '*\\rundll32.exe'\n - '*\\cmstp.exe'\n - '*\\msiexec.exe'\n selection:\n OriginalFileName:\n - powershell.exe\n - powershell_ise.exe\n - psexec.exe\n - psexec.c\n - cscript.exe\n - wscript.exe\n - mshta.exe\n - regsvr32.exe\n - wmic.exe\n - certutil.exe\n - rundll32.exe\n - cmstp.exe\n - msiexec.exe\n", "detection_rule_title": "Highly Relevant Renamed Binary", "detection_rule_author": "Matthew Green - @mgreen27, Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 5800420498253213656}}
{"date_created": "2019-10-21T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_query_registry.yml", "date_modified": "2019-11-04T00:00:00", "description": "Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.yaml"], "customer": ["None"], "tactic": ["TA0007: Discovery"], "dr_id": "970007b7-ce32-49d0-a4a4-fbef016950bd", "technique": ["T1012: Query Registry", "T1007: System Service Discovery"], "raw_detection_rule": "detection:\n condition: selection_1 and selection_2\n selection_1:\n CommandLine|contains:\n - query\n - save\n - export\n Image|endswith: \\reg.exe\n selection_2:\n CommandLine|contains:\n - currentVersion\\windows\n - currentVersion\\runServicesOnce\n - currentVersion\\runServices\n - winlogon\\\n - currentVersion\\shellServiceObjectDelayLoad\n - currentVersion\\runOnce\n - currentVersion\\runOnceEx\n - currentVersion\\run\n - currentVersion\\policies\\explorer\\run\n - currentcontrolset\\services\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\n", "detection_rule_title": "Query Registry", "detection_rule_author": "Timur Zinniatullin, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -4507666627877192970}}
{"date_created": "2019-10-25T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_odbcconf.yml", "date_modified": "2019-11-07T00:00:00", "description": "Detects defence evasion attempt via odbcconf.exe execution to load DLL", "references": ["https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Odbcconf.yml", "https://twitter.com/Hexacorn/status/1187143326673330176"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "dr_id": "65d2be45-8600-4042-b4c0-577a1ff8a60e", "technique": ["T1218: Signed Binary Proxy Execution"], "raw_detection_rule": "detection:\n condition: selection_1 or selection_2\n selection_1:\n CommandLine|contains:\n - -f\n - regsvr\n Image|endswith: \\odbcconf.exe\n selection_2:\n Image|endswith: \\rundll32.exe\n ParentImage|endswith: \\odbcconf.exe\n", "detection_rule_title": "Application Whitelisting Bypass via DLL Loaded by odbcconf.exe", "detection_rule_author": "Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 5123373492368171694}}
{"date_created": "2019-10-24T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_indirect_cmd.yml", "date_modified": "2019-11-11T00:00:00", "description": "Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.yaml", "https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "fa47597e-90e9-41cd-ab72-c3b74cfb0d02", "technique": ["T1202: Indirect Command Execution"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n ParentImage|endswith:\n - \\pcalua.exe\n - \\forfiles.exe\nfields:\n- ComputerName\n- User\n- ParentCommandLine\n- CommandLine\n", "detection_rule_title": "Indirect Command Execution", "detection_rule_author": "E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 9132288405967767094}}
{"date_created": "2019-09-12T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_remote_powershell_session_process.yml", "date_modified": "2019-11-10T00:00:00", "description": "Detects remote PowerShell sections by monitoring for wsmprovhost as a parent or child process (sign of an active ps remote session)", "references": ["https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n - Image|endswith: \\wsmprovhost.exe\n - ParentImage|endswith: \\wsmprovhost.exe\nfields:\n- ComputerName\n- User\n- CommandLine\n", "detection_rule_title": "Remote PowerShell Session", "detection_rule_author": "Roberto Rodriguez @Cyb3rWard0g", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -6505676357902265553}}
{"date_created": "2019-12-28T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_svchost_no_cli.yml", "date_modified": null, "description": "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.", "references": ["https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "16c37b52-b141-42a5-a3ea-bbe098444397", "technique": ["T1055: Process Injection"], "raw_detection_rule": "detection:\n condition: (selection1 and selection2) and not filter\n filter:\n ParentImage:\n - '*\\rpcnet.exe'\n - '*\\rpcnetp.exe'\n selection1:\n CommandLine: null\n selection2:\n Image: '*\\svchost.exe'\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Suspect Svchost Activity", "detection_rule_author": "David Burkett", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 9012080505892056870}}
{"date_created": "2018-08-25T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_powershell_dll_execution.yml", "date_modified": null, "description": "Detects PowerShell Strings applied to rundllas seen in PowerShdll.dll", "references": ["https://github.com/p3nt4/PowerShdll/blob/master/README.md"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "6812a10b-60ea-420c-832f-dfcc33b646ba", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: (selection1 or selection2) and selection3\n selection1:\n Image:\n - '*\\rundll32.exe'\n selection2:\n Description:\n - '*Windows-Hostprozess (Rundll32)*'\n selection3:\n CommandLine:\n - '*Default.GetString*'\n - '*FromBase64String*'\n", "detection_rule_title": "Detection of PowerShell Execution via DLL", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -3835279746802231474}}
{"date_created": "2019-10-12T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_devtoolslauncher.yml", "date_modified": "2019-11-04T00:00:00", "description": "The Devtoolslauncher.exe executes other binary", "references": ["https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Devtoolslauncher.yml", "https://twitter.com/_felamos/status/1179811992841797632"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "dr_id": "cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6", "technique": ["T1218: Signed Binary Proxy Execution"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine|contains: LaunchForDeploy\n Image|endswith: \\devtoolslauncher.exe\n", "detection_rule_title": "Devtoolslauncher.exe Executes Specified Binary", "detection_rule_author": "Beyu Denis, oscd.community (rule), @_felamos (idea)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -7347863924882133335}}
{"date_created": "2019-01-29T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_netsh_port_fwd_3389.yml", "date_modified": null, "description": "Detects netsh commands that configure a port forwarding of port 3389 used for RDP", "references": ["https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html"], "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "dr_id": "782d6f3e-4c5d-4b8c-92a3-1d05fed72e63", "technique": ["T1021: Remote Services"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - netsh i* p*=3389 c*\n", "detection_rule_title": "Netsh RDP Port Forwarding", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -6762536362671970388}}
{"date_created": "2020-03-25T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_exploit_cve_2020_10189.yml", "date_modified": null, "description": "Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189", "references": ["https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html", "https://nvd.nist.gov/vuln/detail/CVE-2020-10189", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189", "https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224"], "customer": ["None"], "tactic": ["TA0001: Initial Access"], "dr_id": "846b866e-2a57-46ee-8e16-85fa92759be7", "technique": ["T1190: Exploit Public-Facing Application"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Image|endswith:\n - '*\\cmd.exe'\n - '*\\powershell.exe'\n - '*\\bitsadmin.exe'\n ParentImage|endswith: DesktopCentral_Server\\jre\\bin\\java.exe\n", "detection_rule_title": "Exploited CVE-2020-10189 Zoho ManageEngine", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -4553402756461724271}}
{"date_created": "2019-01-16T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_rasdial_activity.yml", "date_modified": null, "description": "Detects suspicious process related to rasdial.exe", "references": ["https://twitter.com/subTee/status/891298217907830785"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "dr_id": "6bba49bf-7f8c-47d6-a1bb-6b4dece4640e", "technique": ["T1064: Scripting"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - rasdial\n", "detection_rule_title": "Suspicious RASdial Activity", "detection_rule_author": "juju4", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 687694457626999653}}
{"date_created": "2019-01-16T00:00:00", "sigma_rule_path": "es/windows/process_creation/win_susp_rundll32_activity.yml", "date_modified": null, "description": "Detects suspicious process related to rundll32 based on arguments", "references": ["http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/", "https://twitter.com/Hexacorn/status/885258886428725250", "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "dr_id": "e593cf51-88db-4ee1-b920-37e89012a3c9", "technique": ["T1085: Rundll32"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CommandLine:\n - '*\\rundll32.exe* url.dll,*OpenURL *'\n - '*\\rundll32.exe* url.dll,*OpenURLA *'\n - '*\\rundll32.exe* url.dll,*FileProtocolHandler *'\n - '*\\rundll32.exe* zipfldr.dll,*RouteTheCall *'\n - '*\\rundll32.exe* Shell32.dll,*Control_RunDLL *'\n - '*\\rundll32.exe javascript:*'\n - '* url.dll,*OpenURL *'\n - '* url.dll,*OpenURLA *'\n - '* url.dll,*FileProtocolHandler *'\n - '* zipfldr.dll,*RouteTheCall *'\n - '* Shell32.dll,*Control_RunDLL *'\n - '* javascript:*'\n - '*.RegisterXLL*'\n", "detection_rule_title": "Suspicious Rundll32 Activity", "detection_rule_author": "juju4", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 2946835843110240871}}
{"date_created": "2018-03-15T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_stickykey_like_backdoor.yml", "date_modified": null, "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", "references": ["https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/"], "customer": ["None"], "tactic": ["TA0004: Privilege Escalation", "TA0003: Persistence"], "dr_id": "baca5663-583c-45f9-b5dc-ea96a22ce542", "technique": ["T1015: Accessibility Features"], "raw_detection_rule": "action: global\nadditions:\n- detection:\n selection_registry:\n EventID: 13\n EventType: SetValue\n TargetObject:\n - '*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger'\n - '*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\\Debugger'\n - '*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe\\Debugger'\n - '*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\\Debugger'\n - '*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\\Debugger'\n - '*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DisplaySwitch.exe\\Debugger'\n logsource:\n product: windows\n service: sysmon\n- detection:\n selection_process:\n CommandLine:\n - '*cmd.exe sethc.exe *'\n - '*cmd.exe utilman.exe *'\n - '*cmd.exe osk.exe *'\n - '*cmd.exe Magnify.exe *'\n - '*cmd.exe Narrator.exe *'\n - '*cmd.exe DisplaySwitch.exe *'\n ParentImage:\n - '*\\winlogon.exe'\n logsource:\n category: process_creation\n product: windows\ndetection:\n condition: 1 of them\n", "detection_rule_title": "Sticky Key Like Backdoor Usage", "detection_rule_author": "Florian Roth, @twjackomo", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["not defined", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -2733543647681048100}}
{"date_created": "2018-07-16T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_cmstp_execution.yml", "date_modified": null, "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", "references": ["http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/"], "customer": ["TESTCUSTOMER"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "dr_id": "9d26fede-b526-4413-b069-6e24b6d07167", "technique": ["T1191: CMSTP"], "raw_detection_rule": "action: global\nadditions:\n- detection:\n selection2:\n EventID: 12\n TargetObject: '*\\cmmgr32.exe*'\n selection3:\n EventID: 13\n TargetObject: '*\\cmmgr32.exe*'\n selection4:\n CallTrace: '*cmlua.dll*'\n EventID: 10\n logsource:\n product: windows\n service: sysmon\n- detection:\n selection1:\n ParentImage: '*\\cmstp.exe'\n logsource:\n category: process_creation\n product: windows\ndetection:\n condition: 1 of them\nfields:\n- CommandLine\n- ParentCommandLine\n- Details\n", "detection_rule_title": "CMSTP Execution", "detection_rule_author": "Nik Seetharaman", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "stable", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent", "DN_0014_10_windows_sysmon_ProcessAccess", "DN_0016_12_windows_sysmon_RegistryEvent", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["not defined", "LP_0007_windows_sysmon_ProcessAccess", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 7036579715283464213}}
{"date_created": "2019-05-15T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_susp_rdp.yml", "date_modified": null, "description": "Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement", "references": ["https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708"], "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "dr_id": "ed74fe75-7594-4b4b-ae38-e38e3fd2eb23", "technique": ["T1210: Exploitation of Remote Services"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n Image:\n - '*\\mstsc.exe'\n - '*\\RTSApp.exe'\n - '*\\RTS2App.exe'\n - '*\\RDCMan.exe'\n - '*\\ws_TunnelService.exe'\n - '*\\RSSensor.exe'\n - '*\\RemoteDesktopManagerFree.exe'\n - '*\\RemoteDesktopManager.exe'\n - '*\\RemoteDesktopManager64.exe'\n - '*\\mRemoteNG.exe'\n - '*\\mRemote.exe'\n - '*\\Terminals.exe'\n - '*\\spiceworks-finder.exe'\n - '*\\FSDiscovery.exe'\n - '*\\FSAssessment.exe'\n - '*\\MobaRTE.exe'\n - '*\\chrome.exe'\n - '*\\thor.exe'\n - '*\\thor64.exe'\n selection:\n DestinationPort: 3389\n EventID: 3\n Initiated: 'true'\n", "detection_rule_title": "Suspicious Outbound RDP Connections", "detection_rule_author": "Markus Neis - Swisscom", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0007_3_windows_sysmon_network_connection"], "logging_policy": ["LP_0005_windows_sysmon_network_connection"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 6748509442882873415}}
{"date_created": "2019-10-25T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml", "date_modified": "2019-11-13T00:00:00", "description": "Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.", "references": ["https://twitter.com/0gtweet/status/1182516740955226112"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "919f2ef0-be2d-4a7a-b635-eb2b41fde044", "technique": ["T1089: Disabling Security Tools"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n - EventID: 12\n TargetObject: HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt\n - EventID: 14\n NewName: HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt\nfields:\n- EventID\n- Image\n- TargetObject\n- NewName\n", "detection_rule_title": "Disable Security Events Logging Adding Reg Key MiniNt", "detection_rule_author": "Ilyas Ochkov, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0016_12_windows_sysmon_RegistryEvent", "DN_0018_14_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -6416855961599869606}}
{"date_created": "2017-03-04T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_malware_verclsid_shellcode.yml", "date_modified": null, "description": "Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro", "references": ["https://twitter.com/JohnLaTwC/status/837743453039534080"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0004: Privilege Escalation"], "dr_id": "b7967e22-3d7e-409b-9ed5-cdae3f9243a1", "technique": ["T1055: Process Injection"], "raw_detection_rule": "detection:\n combination1:\n CallTrace: '*|UNKNOWN(*VBE7.DLL*'\n combination2:\n CallTrace: '*|UNKNOWN*'\n SourceImage: '*\\Microsoft Office\\\\*'\n condition: selection and 1 of combination*\n selection:\n EventID: 10\n GrantedAccess: '0x1FFFFF'\n TargetImage: '*\\verclsid.exe'\n", "detection_rule_title": "Malware Shellcode in Verclsid Target Process", "detection_rule_author": "John Lambert (tech), Florian Roth (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0014_10_windows_sysmon_ProcessAccess"], "logging_policy": ["LP_0007_windows_sysmon_ProcessAccess"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -1083661879892562644}}
{"date_created": "2019-10-27T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_in_memory_assembly_execution.yml", "date_modified": null, "description": "Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display \"UNKNOWN\" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.", "references": ["https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/"], "customer": ["None"], "tactic": ["TA0004: Privilege Escalation"], "dr_id": "5f113a8f-8b61-41ca-b90f-d374fa7e4a39", "technique": ["T1055: Process Injection"], "raw_detection_rule": "detection:\n condition: selection_01 OR (selection_02 AND granted_access)\n granted_access:\n GrantedAccess:\n - '0x1F0FFF'\n - '0x1F1FFF'\n - '0x143A'\n - '0x1410'\n - '0x1010'\n - '0x1F2FFF'\n - '0x1F3FFF'\n - '0x1FFFFF'\n selection_01:\n CallTrace:\n - C:\\Windows\\SYSTEM32\\ntdll.dll+*|C:\\Windows\\System32\\KERNELBASE.dll+*|UNKNOWN(*)\n - '*UNKNOWN(*)|UNKNOWN(*)'\n EventID: 10\n selection_02:\n CallTrace: '*UNKNOWN*'\n EventID: 10\nfields:\n- ComputerName\n- User\n- SourceImage\n- TargetImage\n- CallTrace\n", "detection_rule_title": "Suspicious In-Memory Module Execution", "detection_rule_author": "Perez Diego (@darkquassar), oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0014_10_windows_sysmon_ProcessAccess"], "logging_policy": ["LP_0007_windows_sysmon_ProcessAccess"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -3494076279086858083}}
{"date_created": "2018-06-25T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_susp_powershell_rundll32.yml", "date_modified": null, "description": "Detects PowerShell remote thread creation in Rundll32.exe", "references": ["https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "dr_id": "99b97608-3e21-4bfe-8217-2a127c396a0e", "technique": ["T1085: Rundll32", "T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 8\n SourceImage: '*\\powershell.exe'\n TargetImage: '*\\rundll32.exe'\n", "detection_rule_title": "PowerShell Rundll32 Remote Thread Creation", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0012_8_windows_sysmon_CreateRemoteThread"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 5626042298974065118}}
{"date_created": "2017-03-13T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml", "date_modified": null, "description": "Detects certain DLL loads when Mimikatz gets executed", "references": ["https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/"], "customer": ["None"], "tactic": ["TA0008: Lateral Movement", "TA0006: Credential Access"], "dr_id": "c0478ead-5336-46c2-bd5e-b4c84bc3a36e", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selector | near dllload1 and dllload2 and not exclusion\n dllload1:\n ImageLoaded: '*\\vaultcli.dll'\n dllload2:\n ImageLoaded: '*\\wlanapi.dll'\n exclusion:\n ImageLoaded:\n - ntdsapi.dll\n - netapi32.dll\n - imm32.dll\n - samlib.dll\n - combase.dll\n - srvcli.dll\n - shcore.dll\n - ntasn1.dll\n - cryptdll.dll\n - logoncli.dll\n selector:\n EventID: 7\n Image: C:\\Windows\\System32\\rundll32.exe\n timeframe: 30s\n", "detection_rule_title": "Mimikatz In-Memory", "detection_rule_author": "not defined", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -5348529104238964253}}
{"date_created": "2019-06-04T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_renamed_jusched.yml", "date_modified": null, "description": "Detects renamed jusched.exe used by cobalt group", "references": ["https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "edd8a48c-1b9f-4ba1-83aa-490338cd1ccb", "technique": ["T1036: Masquerading"], "raw_detection_rule": "detection:\n condition: (selection1 or selection2) and not filter\n filter:\n Image|endswith:\n - \\jusched.exe\n selection1:\n Description: Java Update Scheduler\n selection2:\n Description: Java(TM) Update Scheduler\n", "detection_rule_title": "Renamed jusched.exe", "detection_rule_author": "Markus Neis, Swisscom", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -2375195579802142766}}
{"date_created": "2020-02-19T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_susp_office_kerberos_dll_load.yml", "date_modified": null, "description": "Detects Kerberos DLL being loaded by an Office Product", "references": ["https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16"], "customer": ["None"], "tactic": ["TA0001: Initial Access"], "dr_id": "7417e29e-c2e7-4cf6-a2e8-767228c64837", "technique": ["T1193: Spearphishing Attachment"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 7\n Image:\n - '*\\winword.exe*'\n - '*\\powerpnt.exe*'\n - '*\\excel.exe*'\n - '*\\outlook.exe*'\n ImageLoaded:\n - '*\\kerberos.dll*'\n", "detection_rule_title": "Active Directory Kerberos DLL Loaded Via Office Applications", "detection_rule_author": "Antonlovesdnb", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -1899173648687556120}}
{"date_created": "2018-07-24T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_ghostpack_safetykatz.yml", "date_modified": null, "description": "Detects possible SafetyKatz Behaviour", "references": ["https://github.com/GhostPack/SafetyKatz"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "e074832a-eada-4fd7-94a1-10642b130e16", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 11\n TargetFilename: '*\\Temp\\debug.bin'\n", "detection_rule_title": "Detection of SafetyKatz", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0015_11_windows_sysmon_FileCreate"], "logging_policy": ["LP_0008_windows_sysmon_FileCreate"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -7839707186020041340}}
{"date_created": "2019-10-25T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml", "date_modified": "2019-11-13T00:00:00", "description": "DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll", "references": ["https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "4f84b697-c9ed-4420-8ab5-e09af5b2345d", "technique": ["T1103: AppInit DLLs"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n - EventID:\n - 12\n - 13\n TargetObject:\n - '*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls'\n - '*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls'\n - EventID: 14\n NewName:\n - '*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls'\n - '*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls'\nfields:\n- EventID\n- Image\n- TargetObject\n- NewName\n", "detection_rule_title": "New DLL Added to AppInit_DLLs Registry Key", "detection_rule_author": "Ilyas Ochkov, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent", "DN_0016_12_windows_sysmon_RegistryEvent", "DN_0018_14_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -3405165501072994512}}
{"date_created": "2019-09-12T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml", "date_modified": "2019-11-10T00:00:00", "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", "references": ["https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "58cb02d5-78ce-4692-b3e1-dce850aae41a", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n Image|endswith: \\powershell.exe\n selection:\n EventID: 17\n PipeName|startswith: \\PSHost\nfields:\n- ComputerName\n- User\n- Image\n- PipeName\n", "detection_rule_title": "Alternate PowerShell Hosts Pipe", "detection_rule_author": "Roberto Rodriguez @Cyb3rWard0g", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0020_17_windows_sysmon_PipeEvent"], "logging_policy": ["LP_0009_windows_sysmon_PipeEvent"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 5417815426267594280}}
{"date_created": "2019-11-18T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_renamed_procdump.yml", "date_modified": null, "description": "Detects the execution of a renamed ProcDump executable often used by attackers or malware", "references": ["https://docs.microsoft.com/en-us/sysinternals/downloads/procdump"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67", "technique": ["T1036: Masquerading"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n Image:\n - '*\\procdump.exe'\n - '*\\procdump64.exe'\n selection:\n OriginalFileName: procdump\n", "detection_rule_title": "Renamed ProcDump", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -5013838167907564342}}
{"date_created": "2019-12-31T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_hack_wce.yml", "date_modified": null, "description": "Detects the use of Windows Credential Editor (WCE)", "references": ["https://www.ampliasecurity.com/research/windows-credentials-editor/"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "7aa7009a-28b9-4344-8c1f-159489a390df", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "action: global\nadditions:\n- detection:\n condition: 1 of them\n selection1:\n Imphash:\n - a53a02b997935fd8eedcb5f7abab9b9f\n - e96a73c7bf33a464c510ede582318bf2\n selection2:\n CommandLine|endswith: .exe -S\n ParentImage|endswith: \\services.exe\n logsource:\n category: process_creation\n product: windows\n- detection:\n condition: selection\n selection:\n EventID: 13\n TargetObject|contains: Services\\WCESERVICE\\Start\n logsource:\n product: windows\n service: sysmon\n", "detection_rule_title": "Windows Credential Editor", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["not defined", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -8654916884251028291}}
{"date_created": "2017-08-28T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_sysinternals_eula_accepted.yml", "date_modified": null, "description": "Detects the usage of Sysinternals Tools due to accepteula key being added to Registry", "references": ["https://twitter.com/Moti_B/status/1008587936735035392"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "25ffa65d-76d8-4da5-a832-3f2b0136e133", "technique": ["not defined"], "raw_detection_rule": "action: global\nadditions:\n- detection:\n selection1:\n EventID: 13\n TargetObject: '*\\EulaAccepted'\n logsource:\n product: windows\n service: sysmon\n- detection:\n selection2:\n CommandLine: '* -accepteula*'\n logsource:\n category: process_creation\n product: windows\ndetection:\n condition: 1 of them\n", "detection_rule_title": "Usage of Sysinternals Tools", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["not defined", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 4788552269052844734}}
{"date_created": "2019-04-15T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_wmi_susp_scripting.yml", "date_modified": null, "description": "Detects suspicious scripting in WMI Event Consumers", "references": ["https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/", "https://github.com/Neo23x0/signature-base/blob/master/yara/gen_susp_lnk_files.yar#L19"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "fe21810c-2a8c-478f-8dd3-5a287fb2a0e0", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Destination:\n - '*new-object system.net.webclient).downloadstring(*'\n - '*new-object system.net.webclient).downloadfile(*'\n - '*new-object net.webclient).downloadstring(*'\n - '*new-object net.webclient).downloadfile(*'\n - '* iex(*'\n - '*WScript.shell*'\n - '* -nop *'\n - '* -noprofile *'\n - '* -decode *'\n - '* -enc *'\n EventID: 20\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Suspicious Scripting in a WMI Consumer", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0023_20_windows_sysmon_WmiEvent"], "logging_policy": ["LP_0010_windows_sysmon_WmiEvent"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -2888348712270063713}}
{"date_created": "2020-01-02T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_invoke_phantom.yml", "date_modified": null, "description": "Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.", "references": ["https://github.com/hlldz/Invoke-Phant0m", "https://twitter.com/timbmsft/status/900724491076214784"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "166e9c50-8cd9-44af-815d-d1f0c0e90dde", "technique": ["T1089: Disabling Security Tools"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CallTrace:\n - '*unknown*'\n EventID: 10\n GrantedAccess: '0x1f3fff'\n TargetImage: '*\\windows\\system32\\svchost.exe'\n", "detection_rule_title": "Suspect Svchost Memory Asccess", "detection_rule_author": "Tim Burrell", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0014_10_windows_sysmon_ProcessAccess"], "logging_policy": ["LP_0007_windows_sysmon_ProcessAccess"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 3732001580352045056}}
{"date_created": "2020-02-19T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_susp_office_dotnet_clr_dll_load.yml", "date_modified": null, "description": "Detects CLR DLL being loaded by an Office Product", "references": ["https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16"], "customer": ["None"], "tactic": ["TA0001: Initial Access"], "dr_id": "d13c43f0-f66b-4279-8b2c-5912077c1780", "technique": ["T1193: Spearphishing Attachment"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 7\n Image:\n - '*\\winword.exe'\n - '*\\powerpnt.exe'\n - '*\\excel.exe'\n - '*\\outlook.exe'\n ImageLoaded:\n - '*\\clr.dll*'\n", "detection_rule_title": "CLR DLL Loaded Via Office Applications", "detection_rule_author": "Antonlovesdnb", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -6833021081282790583}}
{"date_created": "2018-04-11T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_win_reg_persistence.yml", "date_modified": null, "description": "Detects persistence registry keys", "references": ["https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/"], "customer": ["None"], "tactic": ["TA0004: Privilege Escalation", "TA0003: Persistence", "TA0005: Defense Evasion"], "dr_id": "36803969-5421-41ec-b92f-8500f79c23b0", "technique": ["T1183: Image File Execution Options Injection"], "raw_detection_rule": "detection:\n condition: selection_reg1\n selection_reg1:\n EventID: 13\n EventType: SetValue\n TargetObject:\n - '*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\\\*\\GlobalFlag'\n - '*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\\\*\\ReportingMode'\n - '*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\\\*\\MonitorProcess'\n", "detection_rule_title": "Registry Persistence Mechanisms", "detection_rule_author": "Karneades", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -5522787777104795513}}
{"date_created": "2019-10-25T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_possible_dns_rebinding.yml", "date_modified": "2019-11-13T00:00:00", "description": "Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).", "references": ["https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325"], "customer": ["None"], "tactic": ["TA0011: Command and Control"], "dr_id": "eb07e747-2552-44cd-af36-b659ae0958e4", "technique": ["T1043: Commonly Used Port"], "raw_detection_rule": "detection:\n condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip)\n | count(QueryName) by ComputerName > 3\n dns_answer:\n EventID: 22\n QueryName: '*'\n QueryStatus: '0'\n filter_int_ip:\n QueryResults|startswith:\n - (::ffff:)?10.\n - (::ffff:)?192.168.\n - (::ffff:)?172.16.\n - (::ffff:)?172.17.\n - (::ffff:)?172.18.\n - (::ffff:)?172.19.\n - (::ffff:)?172.20.\n - (::ffff:)?172.21.\n - (::ffff:)?172.22.\n - (::ffff:)?172.23.\n - (::ffff:)?172.24.\n - (::ffff:)?172.25.\n - (::ffff:)?172.26.\n - (::ffff:)?172.27.\n - (::ffff:)?172.28.\n - (::ffff:)?172.29.\n - (::ffff:)?172.30.\n - (::ffff:)?172.31.\n - (::ffff:)?127.\n timeframe: 30s\n", "detection_rule_title": "Possible DNS Rebinding", "detection_rule_author": "Ilyas Ochkov, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0085_22_windows_sysmon_DnsQuery"], "logging_policy": ["LP_0011_windows_sysmon_DnsQuery"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -6899006091426557454}}
{"date_created": "2020-04-14T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_registry_persistence_search_order.yml", "date_modified": null, "description": "Detects potential COM object hijacking leveraging the COM Search Order", "references": ["https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12", "technique": ["T1038: DLL Search Order Hijacking"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n Details:\n - '%%systemroot%%\\system32\\\\*'\n - '%%systemroot%%\\SysWow64\\\\*'\n - '*\\AppData\\Local\\Microsoft\\OneDrive\\\\*\\FileCoAuthLib64.dll'\n - '*\\AppData\\Local\\Microsoft\\OneDrive\\\\*\\FileSyncShell64.dll'\n - '*\\AppData\\Local\\Microsoft\\TeamsMeetingAddin\\\\*\\Microsoft.Teams.AddinLoader.dll'\n selection:\n EventID: 13\n TargetObject: HKU\\\\*_Classes\\CLSID\\\\*\\InProcServer32\\(Default)\n", "detection_rule_title": "Windows Registry Persistence COM Search Order Hijacking", "detection_rule_author": "Maxime Thiebaut (@0xThiebaut)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -8108674006926370567}}
{"date_created": "2017-03-13T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_powershell_network_connection.yml", "date_modified": null, "description": "Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')", "references": ["https://www.youtube.com/watch?v=DLtJTxMWZ2o"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "1f21ec3f-810d-4b0e-8045-322202e22b4b", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n DestinationIp:\n - 10.*\n - 192.168.*\n - 172.16.*\n - 172.17.*\n - 172.18.*\n - 172.19.*\n - 172.20.*\n - 172.21.*\n - 172.22.*\n - 172.23.*\n - 172.24.*\n - 172.25.*\n - 172.26.*\n - 172.27.*\n - 172.28.*\n - 172.29.*\n - 172.30.*\n - 172.31.*\n - 127.0.0.1\n DestinationIsIpv6: 'false'\n User: NT AUTHORITY\\SYSTEM\n selection:\n EventID: 3\n Image: '*\\powershell.exe'\n Initiated: 'true'\n", "detection_rule_title": "PowerShell Network Connections", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0007_3_windows_sysmon_network_connection"], "logging_policy": ["LP_0005_windows_sysmon_network_connection"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 4074076751780580698}}
{"date_created": "2019-02-21T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_tsclient_filewrite_startup.yml", "date_modified": null, "description": "Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder", "references": "not defined", "customer": ["None"], "tactic": ["not defined"], "dr_id": "52753ea4-b3a0-4365-910d-36cff487b789", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 11\n Image: '*\\mstsc.exe'\n TargetFileName: '*\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\\\*'\n", "detection_rule_title": "Hijack Legit RDP Session to Move Laterally", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0015_11_windows_sysmon_FileCreate"], "logging_policy": ["LP_0008_windows_sysmon_FileCreate"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 8051295129277737869}}
{"date_created": "2018-11-30T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_cobaltstrike_process_injection.yml", "date_modified": "2019-11-08T00:00:00", "description": "Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons", "references": ["https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f", "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42", "technique": ["T1055: Process Injection"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 8\n TargetProcessAddress|endswith:\n - 0B80\n - 0C7C\n - 0C88\n", "detection_rule_title": "CobaltStrike Process Injection", "detection_rule_author": "Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0012_8_windows_sysmon_CreateRemoteThread"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -3109080320219073979}}
{"date_created": "2019-05-21T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_renamed_psexec.yml", "date_modified": null, "description": "Detects the execution of a renamed PsExec often used by attackers or malware", "references": ["https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n Image:\n - '*\\PsExec.exe'\n - '*\\PsExec64.exe'\n selection:\n Description: Execute processes remotely\n Product: Sysinternals PsExec\n", "detection_rule_title": "Renamed PsExec", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 2999022570513708638}}
{"date_created": "2019-04-14T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_apt_oceanlotus_registry.yml", "date_modified": null, "description": "Detects registry keys created in OceanLotus (also known as APT32) attacks", "references": ["https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "4ac5fc44-a601-4c06-955b-309df8c4e9d4", "technique": ["T1112: Modify Registry"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 13\n TargetObject:\n - HKCR\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model\n - HKU\\\\*_Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model\n - '*\\SOFTWARE\\App\\AppXbf13d4ea2945444d8b13e2121cb6b663\\Application'\n - '*\\SOFTWARE\\App\\AppXbf13d4ea2945444d8b13e2121cb6b663\\DefaultIcon'\n - '*\\SOFTWARE\\App\\AppX70162486c7554f7f80f481985d67586d\\Application'\n - '*\\SOFTWARE\\App\\AppX70162486c7554f7f80f481985d67586d\\DefaultIcon'\n - '*\\SOFTWARE\\App\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\Application'\n - '*\\SOFTWARE\\App\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\DefaultIcon'\n - HKU\\\\*_Classes\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\\\*\n - HKU\\\\*_Classes\\AppX3bbba44c6cae4d9695755183472171e2\\\\*\n - HKU\\\\*_Classes\\CLSID\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\\\*\n", "detection_rule_title": "OceanLotus Registry Activity", "detection_rule_author": "megan201296", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 268570521900875937}}
{"date_created": "2017-06-01T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_apt_pandemic.yml", "date_modified": null, "description": "Detects Pandemic Windows Implant", "references": ["https://wikileaks.org/vault7/#Pandemic", "https://twitter.com/MalwareJake/status/870349480356454401"], "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "dr_id": "47e0852a-cf81-4494-a8e6-31864f8c86ed", "technique": ["T1105: Remote File Copy"], "raw_detection_rule": "action: global\nadditions:\n- detection:\n selection1:\n EventID: 13\n TargetObject:\n - HKLM\\SYSTEM\\CurrentControlSet\\services\\null\\Instance*\n logsource:\n product: windows\n service: sysmon\n- detection:\n selection2:\n Command: loaddll -a *\n logsource:\n category: process_creation\n product: windows\ndetection:\n condition: 1 of them\nfields:\n- EventID\n- CommandLine\n- ParentCommandLine\n- Image\n- User\n- TargetObject\n", "detection_rule_title": "Pandemic Registry Key", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -806145932751518272}}
{"date_created": "2017-02-12T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_susp_driver_load.yml", "date_modified": null, "description": "Detects a driver load from a temporary directory", "references": "not defined", "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75", "technique": ["T1050: New Service"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 6\n ImageLoaded: '*\\Temp\\\\*'\n", "detection_rule_title": "Suspicious Driver Load from Temp", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0010_6_windows_sysmon_driver_loaded"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -8412965764809693289}}
{"date_created": "2019-01-12T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml", "date_modified": null, "description": "Detects creation or execution of UserInitMprLogonScript persistence method", "references": ["https://attack.mitre.org/techniques/T1037/"], "customer": ["None"], "tactic": ["TA0003: Persistence", "TA0008: Lateral Movement"], "dr_id": "0a98a10c-685d-4ab0-bddc-b6bdd1d48458", "technique": ["T1037: Logon Scripts"], "raw_detection_rule": "action: global\nadditions:\n- detection:\n condition: exec_selection and not exec_exclusion1 and not exec_exclusion2\n exec_exclusion1:\n Image: '*\\explorer.exe'\n exec_exclusion2:\n CommandLine:\n - '*\\netlogon.bat'\n - '*\\UsrLogon.cmd'\n exec_selection:\n ParentImage: '*\\userinit.exe'\n logsource:\n category: process_creation\n product: windows\n- detection:\n condition: create_keywords_cli\n create_keywords_cli:\n CommandLine: '*UserInitMprLogonScript*'\n logsource:\n category: process_creation\n product: windows\n- detection:\n condition: create_selection_reg and create_keywords_reg\n create_keywords_reg:\n TargetObject: '*UserInitMprLogonScript*'\n create_selection_reg:\n EventID:\n - 11\n - 12\n - 13\n - 14\n logsource:\n product: windows\n service: sysmon\n", "detection_rule_title": "Logon Scripts (UserInitMprLogonScript)", "detection_rule_author": "Tom Ueltschi (@c_APT_ure)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0015_11_windows_sysmon_FileCreate", "DN_0017_13_windows_sysmon_RegistryEvent", "DN_0016_12_windows_sysmon_RegistryEvent", "DN_0003_1_windows_sysmon_process_creation", "DN_0018_14_windows_sysmon_RegistryEvent", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0008_windows_sysmon_FileCreate", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 4199615205556427358}}
{"date_created": "2019-04-08T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_susp_service_installed.yml", "date_modified": null, "description": "Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)", "references": ["https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "f2485272-a156-4773-82d7-1d178bc4905b", "technique": ["T1089: Disabling Security Tools"], "raw_detection_rule": "detection:\n condition: selection_1 and not selection_2 and not selection_3\n selection_1:\n EventID: 13\n TargetObject:\n - HKLM\\System\\CurrentControlSet\\Services\\NalDrv\\ImagePath\n - HKLM\\System\\CurrentControlSet\\Services\\PROCEXP152\\ImagePath\n selection_2:\n Image|contains:\n - '*\\procexp64.exe'\n - '*\\procexp.exe'\n - '*\\procmon64.exe'\n - '*\\procmon.exe'\n selection_3:\n Details|contains:\n - '*\\WINDOWS\\system32\\Drivers\\PROCEXP152.SYS'\n", "detection_rule_title": "Suspicious Service Installed", "detection_rule_author": "xknow (@xknow_infosec), xorxes (@xor_xes)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -3812678778474846326}}
{"date_created": "2018-03-07T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml", "date_modified": null, "description": "Detects WMI command line event consumers", "references": ["https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "05936ce2-ee05-4dae-9d03-9a391cf2d2c6", "technique": ["T1084: Windows Management Instrumentation Event Subscription"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 7\n Image: C:\\Windows\\System32\\wbem\\WmiPrvSE.exe\n ImageLoaded: wbemcons.dll\n", "detection_rule_title": "WMI Persistence - Command Line Event Consumer", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 273927992458922322}}
{"date_created": "2017-02-19T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_password_dumper_lsass.yml", "date_modified": null, "description": "Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.", "references": ["https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "f239b326-2f41-4d6b-9dfa-c846a60ef505", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 8\n StartModule: null\n TargetImage: C:\\Windows\\System32\\lsass.exe\n", "detection_rule_title": "Password Dumper Remote Thread in LSASS", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "stable", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0012_8_windows_sysmon_CreateRemoteThread"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 7280683056345650453}}
{"date_created": "2019-11-01T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml", "date_modified": null, "description": "Detects well-known credential dumping tools execution via specific named pipes", "references": ["https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "961d0ba2-3eea-4303-a930-2cf78bbfcc5e", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 17\n PipeName|contains:\n - \\lsadump\n - \\cachedump\n - \\wceservicepipe\n", "detection_rule_title": "Cred Dump-Tools Named Pipes", "detection_rule_author": "Teymur Kheirkhabarov, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0020_17_windows_sysmon_PipeEvent"], "logging_policy": ["LP_0009_windows_sysmon_PipeEvent"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -8676441221704454881}}
{"date_created": "2019-04-08T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml", "date_modified": null, "description": "Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.", "references": ["https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "3da70954-0f2c-4103-adff-b7440368f50e", "technique": ["T1089: Disabling Security Tools"], "raw_detection_rule": "detection:\n condition: selection_1 and not selection_2\n selection_1:\n EventID: 11\n TargetFilename: '*\\AppData\\Local\\Temp\\*\\PROCEXP152.sys'\n selection_2:\n Image|contains:\n - '*\\procexp64.exe'\n - '*\\procexp.exe'\n - '*\\procmon64.exe'\n - '*\\procmon.exe'\n", "detection_rule_title": "Suspicious PROCEXP152.sys File Created In TMP", "detection_rule_author": "xknow (@xknow_infosec), xorxes (@xor_xes)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0015_11_windows_sysmon_FileCreate"], "logging_policy": ["LP_0008_windows_sysmon_FileCreate"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -3681743365907988848}}
{"date_created": "2019-10-25T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_narrator_feedback_persistance.yml", "date_modified": "2019-11-10T00:00:00", "description": "Detects abusing Windows 10 Narrator's Feedback-Hub", "references": ["https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "f663a6d9-9d1b-49b8-b2b1-0637914d199a", "technique": ["T1060: Registry Run Keys / Startup Folder"], "raw_detection_rule": "detection:\n condition: 1 of them\n selection1:\n EventID: 12\n EventType: DeleteValue\n TargetObject|endswith: \\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\DelegateExecute\n selection2:\n EventID: 13\n TargetObject|endswith: \\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\(Default)\n", "detection_rule_title": "Narrator's Feedback-Hub Persistence", "detection_rule_author": "Dmitriy Lifanov, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent", "DN_0016_12_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 2087050721672372431}}
{"date_created": "2020-02-19T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_susp_office_dsparse_dll_load.yml", "date_modified": null, "description": "Detects DSParse DLL being loaded by an Office Product", "references": ["https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16"], "customer": ["None"], "tactic": ["TA0001: Initial Access"], "dr_id": "a2a3b925-7bb0-433b-b508-db9003263cc4", "technique": ["T1193: Spearphishing Attachment"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 7\n Image:\n - '*\\winword.exe'\n - '*\\powerpnt.exe'\n - '*\\excel.exe'\n - '*\\outlook.exe'\n ImageLoaded:\n - '*\\dsparse.dll*'\n", "detection_rule_title": "Active Directory Parsing DLL Loaded Via Office Applications", "detection_rule_author": "Antonlovesdnb", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -4660751135526510418}}
{"date_created": "2020-02-19T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml", "date_modified": null, "description": "Detects any assembly DLL being loaded by an Office Product", "references": ["https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16"], "customer": ["None"], "tactic": ["TA0001: Initial Access"], "dr_id": "ff0f2b05-09db-4095-b96d-1b75ca24894a", "technique": ["T1193: Spearphishing Attachment"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 7\n Image:\n - '*\\winword.exe*'\n - '*\\powerpnt.exe*'\n - '*\\excel.exe*'\n - '*\\outlook.exe*'\n ImageLoaded:\n - '*C:\\Windows\\assembly\\*'\n", "detection_rule_title": "dotNET DLL Loaded Via Office Applications", "detection_rule_author": "Antonlovesdnb", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 9129178512000457051}}
{"date_created": "2019-11-14T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_in_memory_powershell.yml", "date_modified": "2019-11-30T00:00:00", "description": "Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's \"load powershell\" extension.", "references": ["https://adsecurity.org/?p=2921", "https://github.com/p3nt4/PowerShdll"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "092bc4b9-3d1d-43b4-a6b4-8c8acd83522f", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n Image|endswith:\n - \\powershell.exe\n - \\WINDOWS\\System32\\sdiagnhost.exe\n User: NT AUTHORITY\\SYSTEM\n selection:\n EventID: 7\n ImageLoaded|endswith:\n - \\System.Management.Automation.Dll\n - \\System.Management.Automation.ni.Dll\nenrichment:\n- EN_0001_cache_sysmon_event_id_1_info\n- EN_0003_enrich_other_sysmon_events_with_event_id_1_data\n", "detection_rule_title": "In-memory PowerShell", "detection_rule_author": "Tom Kern, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["EN_0001_cache_sysmon_event_id_1_info", "EN_0003_enrich_other_sysmon_events_with_event_id_1_data"], "enrichment_requirements": ["not defined", ["EN_0001_cache_sysmon_event_id_1_info"]]}
{"index": {"_id": 3374348871041819074}}
{"date_created": "2020-02-19T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_susp_winword_vbadll_load.yml", "date_modified": null, "description": "Detects DLL's Loaded Via Word Containing VBA Macros", "references": ["https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16"], "customer": ["None"], "tactic": ["TA0001: Initial Access"], "dr_id": "e6ce8457-68b1-485b-9bdd-3c2b5d679aa9", "technique": ["T1193: Spearphishing Attachment"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 7\n Image:\n - '*\\winword.exe*'\n - '*\\powerpnt.exe*'\n - '*\\excel.exe*'\n - '*\\outlook.exe*'\n ImageLoaded:\n - '*\\VBE7.DLL*'\n - '*\\VBEUI.DLL*'\n - '*\\VBE7INTL.DLL*'\n", "detection_rule_title": "VBA DLL Loaded Via Microsoft Word", "detection_rule_author": "Antonlovesdnb", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 7970826438610512477}}
{"date_created": "2019-10-25T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_regsvr32_network_activity.yml", "date_modified": "2019-11-10T00:00:00", "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", "references": ["https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md"], "customer": ["None"], "tactic": ["TA0002: Execution", "TA0005: Defense Evasion"], "dr_id": "c7e91a02-d771-4a6d-a700-42587e0b1095", "technique": ["T1117: Regsvr32"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID:\n - 3\n - 22\n Image|endswith: \\regsvr32.exe\nfields:\n- ComputerName\n- User\n- Image\n- DestinationIp\n- DestinationPort\n", "detection_rule_title": "Regsvr32 Network Activity", "detection_rule_author": "Dmitriy Lifanov, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0007_3_windows_sysmon_network_connection", "DN_0085_22_windows_sysmon_DnsQuery"], "logging_policy": ["LP_0005_windows_sysmon_network_connection", "LP_0011_windows_sysmon_DnsQuery"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 2480069895686179612}}
{"date_created": "2019-04-03T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_lsass_memdump.yml", "date_modified": null, "description": "Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10", "references": ["https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "5ef9853e-4d0e-4a70-846f-a9ca37d876da", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n CallTrace:\n - '*dbghelp.dll*'\n - '*dbgcore.dll*'\n EventID: 10\n GrantedAccess: '0x1fffff'\n TargetImage: C:\\windows\\system32\\lsass.exe\n", "detection_rule_title": "LSASS Memory Dump", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0014_10_windows_sysmon_ProcessAccess"], "logging_policy": ["LP_0007_windows_sysmon_ProcessAccess"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 9132288405967767094}}
{"date_created": "2019-09-12T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_remote_powershell_session_network.yml", "date_modified": null, "description": "Detects remote PowerShell connections by monitoring network outbount connections to ports 5985 or 5986 from not network service account", "references": ["https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "c539afac-c12a-46ed-b1bd-5a5567c9f045", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n User: NT AUTHORITY\\NETWORK SERVICE\n selection:\n DestinationPort:\n - 5985\n - 5986\n EventID: 3\n", "detection_rule_title": "Remote PowerShell Session", "detection_rule_author": "Roberto Rodriguez @Cyb3rWard0g", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0007_3_windows_sysmon_network_connection"], "logging_policy": ["LP_0005_windows_sysmon_network_connection"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -2719504579717964523}}
{"date_created": "2020-02-04T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_hack_dumpert.yml", "date_modified": null, "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", "references": ["https://github.com/outflanknl/Dumpert", "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "2704ab9e-afe2-4854-a3b1-0c0706d03578", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "action: global\nadditions:\n- detection:\n condition: selection\n selection:\n Imphash: 09D278F9DE118EF09163C6140255C690\n logsource:\n category: process_creation\n product: windows\n- detection:\n condition: selection\n selection:\n EventID: 11\n TargetFilename: C:\\Windows\\Temp\\dumpert.dmp\n logsource:\n product: windows\n service: sysmon\n", "detection_rule_title": "Dumpert Process Dumper", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0007_3_windows_sysmon_network_connection", "DN_0009_5_windows_sysmon_process_terminated", "DN_0015_11_windows_sysmon_FileCreate", "DN_0010_6_windows_sysmon_driver_loaded", "DN_0019_15_windows_sysmon_FileCreateStreamHash", "DN_0012_8_windows_sysmon_CreateRemoteThread", "DN_0023_20_windows_sysmon_WmiEvent", "DN_0024_21_windows_sysmon_WmiEvent", "DN_0008_4_windows_sysmon_sysmon_service_state_changed", "DN_0013_9_windows_sysmon_RawAccessRead", "DN_0017_13_windows_sysmon_RegistryEvent", "DN_0014_10_windows_sysmon_ProcessAccess", "DN_0085_22_windows_sysmon_DnsQuery", "DN_0006_2_windows_sysmon_process_changed_a_file_creation_time", "DN_0011_7_windows_sysmon_image_loaded", "DN_0016_12_windows_sysmon_RegistryEvent", "DN_0022_19_windows_sysmon_WmiEvent", "DN_0003_1_windows_sysmon_process_creation", "DN_0021_18_windows_sysmon_PipeEvent", "DN_0018_14_windows_sysmon_RegistryEvent", "DN_0020_17_windows_sysmon_PipeEvent"], "logging_policy": ["LP_0005_windows_sysmon_network_connection", "LP_0008_windows_sysmon_FileCreate", "LP_0010_windows_sysmon_WmiEvent", "LP_0007_windows_sysmon_ProcessAccess", "LP_0011_windows_sysmon_DnsQuery", "LP_0006_windows_sysmon_image_loaded", "LP_0003_windows_sysmon_process_creation", "LP_0009_windows_sysmon_PipeEvent"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -5970877768746677868}}
{"date_created": "2017-05-08T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_dns_serverlevelplugindll.yml", "date_modified": null, "description": "Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)", "references": ["https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "e61e8a88-59a9-451c-874e-70fcc9740d67", "technique": ["T1073: DLL Side-Loading"], "raw_detection_rule": "action: global\nadditions:\n- detection:\n dnsregmod:\n EventID: 13\n TargetObject: '*\\services\\DNS\\Parameters\\ServerLevelPluginDll'\n logsource:\n product: windows\n service: sysmon\n- detection:\n dnsadmin:\n CommandLine: dnscmd.exe /config /serverlevelplugindll *\n logsource:\n category: process_creation\n product: windows\ndetection:\n condition: 1 of them\nfields:\n- EventID\n- CommandLine\n- ParentCommandLine\n- Image\n- User\n- TargetObject\n", "detection_rule_title": "DNS ServerLevelPluginDll Install", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["not defined", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 5076378465164091692}}
{"date_created": "2018-11-22T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_susp_file_characteristics.yml", "date_modified": "2019-11-09T00:00:00", "description": "Detects Executables without FileVersion,Description,Product,Company likely created with py2exe", "references": ["https://securelist.com/muddywater/88059/", "https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "dr_id": "9637e8a5-7131-4f7f-bdc7-2b05d8670c43", "technique": ["T1064: Scripting"], "raw_detection_rule": "detection:\n condition: 1 of them\n selection1:\n Description: \\?\n FileVersion: \\?\n selection2:\n Description: \\?\n Product: \\?\n selection3:\n Company: \\?\n Description: \\?\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "Suspicious File Characteristics Due to Missing Fields", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 5469963785986196317}}
{"date_created": "2018-06-03T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_ads_executable.yml", "date_modified": null, "description": "Detects the creation of an ADS data stream that contains an executable (non-empty imphash)", "references": ["https://twitter.com/0xrawsec/status/1002478725605273600?s=21"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "b69888d4-380c-45ce-9cf9-d9ce46e67821", "technique": ["T1027: Obfuscated Files or Information"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n Imphash:\n - '00000000000000000000000000000000'\n - null\n selection:\n EventID: 15\nfields:\n- TargetFilename\n- Image\n", "detection_rule_title": "Executable in ADS", "detection_rule_author": "Florian Roth, @0xrawsec", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0019_15_windows_sysmon_FileCreateStreamHash"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -4917014972210876012}}
{"date_created": "2020-03-19T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_susp_desktop_ini.yml", "date_modified": null, "description": "Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.", "references": ["https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "81315b50-6b60-4d8f-9928-3466e1022515", "technique": ["T1023: Shortcut Modification"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n Image:\n - C:\\Windows\\explorer.exe\n - C:\\Windows\\System32\\msiexec.exe\n - C:\\Windows\\System32\\mmc.exe\n selection:\n EventID: 11\n TargetFilename|endswith: \\desktop.ini\n", "detection_rule_title": "Suspicious desktop.ini Action", "detection_rule_author": "Maxime Thiebaut (@0xThiebaut)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0015_11_windows_sysmon_FileCreate"], "logging_policy": ["LP_0008_windows_sysmon_FileCreate"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -8986349370690154374}}
{"date_created": "2018-02-10T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_quarkspw_filedump.yml", "date_modified": null, "description": "Detects a dump file written by QuarksPwDump password dumper", "references": ["https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "847def9e-924d-4e90-b7c4-5f581395a2b4", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 11\n TargetFilename: '*\\AppData\\Local\\Temp\\SAM-*.dmp*'\n", "detection_rule_title": "QuarksPwDump Dump File", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0015_11_windows_sysmon_FileCreate"], "logging_policy": ["LP_0008_windows_sysmon_FileCreate"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 3323216711380831331}}
{"date_created": "2017-03-17T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_uac_bypass_sdclt.yml", "date_modified": null, "description": "Detects changes to HKCU:\\Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand", "references": ["https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0004: Privilege Escalation"], "dr_id": "5b872a46-3b90-45c1-8419-f675db8053aa", "technique": ["T1088: Bypass User Account Control"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 13\n TargetObject: HKU\\\\*_Classes\\exefile\\shell\\runas\\command\\isolatedCommand\n", "detection_rule_title": "UAC Bypass via Sdclt", "detection_rule_author": "Omer Yampel", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -3986376225696476392}}
{"date_created": "2019-10-22T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml", "date_modified": null, "description": "Raw disk access using illegitimate tools, possible defence evasion", "references": ["https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "db809f10-56ce-4420-8c86-d6a7d793c79c", "technique": ["T1006: File System Logical Offsets"], "raw_detection_rule": "detection:\n condition: selection and not filter_1 and not filter_2\n filter_1:\n Device|contains: floppy\n filter_2:\n - Image|endswith:\n - \\wmiprvse.exe\n - \\sdiagnhost.exe\n - \\searchindexer.exe\n - \\csrss.exe\n - \\defrag.exe\n - \\smss.exe\n - \\vssvc.exe\n - \\compattelrunner.exe\n - \\wininit.exe\n - \\autochk.exe\n - \\taskhost.exe\n - \\dfsrs.exe\n - \\vds.exe\n - \\lsass.exe\n selection:\n EventID: 9\nfields:\n- ComputerName\n- Image\n- ProcessID\n- Device\n", "detection_rule_title": "Raw Disk Access Using Illegitimate Tools", "detection_rule_author": "Teymur Kheirkhabarov, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0013_9_windows_sysmon_RawAccessRead"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -1952128088110658093}}
{"date_created": "2019-02-01T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_cactustorch.yml", "date_modified": null, "description": "Detects remote thread creation from CACTUSTORCH as described in references.", "references": ["https://twitter.com/SBousseaden/status/1090588499517079552", "https://github.com/mdsecactivebreach/CACTUSTORCH"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "2e4e488a-6164-4811-9ea1-f960c7359c40", "technique": ["T1055: Process Injection", "T1064: Scripting"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 8\n SourceImage:\n - '*\\System32\\cscript.exe'\n - '*\\System32\\wscript.exe'\n - '*\\System32\\mshta.exe'\n - '*\\winword.exe'\n - '*\\excel.exe'\n StartModule: null\n TargetImage: '*\\SysWOW64\\\\*'\n", "detection_rule_title": "CACTUSTORCH Remote Thread Creation", "detection_rule_author": "@SBousseaden (detection), Thomas Patzke (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0012_8_windows_sysmon_CreateRemoteThread"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -3238988895547740878}}
{"date_created": "2018-08-30T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_win_binary_susp_com.yml", "date_modified": null, "description": "Detects an executable in the Windows folder accessing suspicious domains", "references": ["https://twitter.com/M_haggis/status/900741347035889665", "https://twitter.com/M_haggis/status/1032799638213066752"], "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "dr_id": "e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97", "technique": ["T1105: Remote File Copy"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n DestinationHostname:\n - '*dl.dropboxusercontent.com'\n - '*.pastebin.com'\n - '*.githubusercontent.com'\n EventID: 3\n Image: C:\\Windows\\\\*\n Initiated: 'true'\n", "detection_rule_title": "Microsoft Binary Suspicious Communication Endpoint", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0007_3_windows_sysmon_network_connection"], "logging_policy": ["LP_0005_windows_sysmon_network_connection"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -1930383416634577230}}
{"date_created": "2019-11-01T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml", "date_modified": "2019-11-13T00:00:00", "description": "Files with well-known filenames (parts of credential dump software or files produced by them) creation", "references": ["https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "8fbf3271-1ef6-4e94-8210-03c2317947f6", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 11\n TargetFilename|contains:\n - \\pwdump\n - \\kirbi\n - \\pwhashes\n - \\wce_ccache\n - \\wce_krbtkts\n - \\fgdump-log\n TargetFilename|endswith:\n - \\test.pwd\n - \\lsremora64.dll\n - \\lsremora.dll\n - \\fgexec.exe\n - \\wceaux.dll\n - \\SAM.out\n - \\SECURITY.out\n - \\SYSTEM.out\n - \\NTDS.out\n - \\DumpExt.dll\n - \\DumpSvc.exe\n - \\cachedump64.exe\n - \\cachedump.exe\n - \\pstgdump.exe\n - \\servpw.exe\n - \\servpw64.exe\n - \\pwdump.exe\n - \\procdump64.exe\n", "detection_rule_title": "Cred Dump Tools Dropped Files", "detection_rule_author": "Teymur Kheirkhabarov, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0015_11_windows_sysmon_FileCreate"], "logging_policy": ["LP_0008_windows_sysmon_FileCreate"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -558415888615084950}}
{"date_created": "2017-08-24T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_win_binary_github_com.yml", "date_modified": null, "description": "Detects an executable in the Windows folder accessing github.com", "references": ["https://twitter.com/M_haggis/status/900741347035889665", "https://twitter.com/M_haggis/status/1032799638213066752"], "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "dr_id": "635dbb88-67b3-4b41-9ea5-a3af2dd88153", "technique": ["T1105: Remote File Copy"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n DestinationHostname:\n - '*.github.com'\n - '*.githubusercontent.com'\n EventID: 3\n Image: C:\\Windows\\\\*\n Initiated: 'true'\n", "detection_rule_title": "Microsoft Binary Github Communication", "detection_rule_author": "Michael Haag (idea), Florian Roth (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0007_3_windows_sysmon_network_connection"], "logging_policy": ["LP_0005_windows_sysmon_network_connection"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -637343584491374968}}
{"date_created": "2017-03-19T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_malware_backconnect_ports.yml", "date_modified": null, "description": "Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases", "references": ["https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo"], "customer": ["None"], "tactic": ["TA0011: Command and Control"], "dr_id": "4b89abaa-99fe-4232-afdd-8f9aa4d20382", "technique": ["T1043: Commonly Used Port"], "raw_detection_rule": "detection:\n condition: selection and not ( filter1 or filter2 )\n filter1:\n Image: '*\\Program Files*'\n filter2:\n DestinationIp:\n - 10.*\n - 192.168.*\n - 172.16.*\n - 172.17.*\n - 172.18.*\n - 172.19.*\n - 172.20.*\n - 172.21.*\n - 172.22.*\n - 172.23.*\n - 172.24.*\n - 172.25.*\n - 172.26.*\n - 172.27.*\n - 172.28.*\n - 172.29.*\n - 172.30.*\n - 172.31.*\n - 127.*\n DestinationIsIpv6: 'false'\n selection:\n DestinationPort:\n - '4443'\n - '2448'\n - '8143'\n - '1777'\n - '1443'\n - '243'\n - '65535'\n - '13506'\n - '3360'\n - '200'\n - '198'\n - '49180'\n - '13507'\n - '6625'\n - '4444'\n - '4438'\n - '1904'\n - '13505'\n - '13504'\n - '12102'\n - '9631'\n - '5445'\n - '2443'\n - '777'\n - '13394'\n - '13145'\n - '12103'\n - '5552'\n - '3939'\n - '3675'\n - '666'\n - '473'\n - '5649'\n - '4455'\n - '4433'\n - '1817'\n - '100'\n - '65520'\n - '1960'\n - '1515'\n - '743'\n - '700'\n - '14154'\n - '14103'\n - '14102'\n - '12322'\n - '10101'\n - '7210'\n - '4040'\n - '9943'\n EventID: 3\n Initiated: 'true'\n", "detection_rule_title": "Suspicious Typical Malware Back Connect Ports", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0007_3_windows_sysmon_network_connection"], "logging_policy": ["LP_0005_windows_sysmon_network_connection"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -8125952303854026283}}
{"date_created": "2020-02-19T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_susp_office_dotnet_gac_dll_load.yml", "date_modified": null, "description": "Detects any GAC DLL being loaded by an Office Product", "references": ["https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16"], "customer": ["None"], "tactic": ["TA0001: Initial Access"], "dr_id": "90217a70-13fc-48e4-b3db-0d836c5824ac", "technique": ["T1193: Spearphishing Attachment"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 7\n Image:\n - '*\\winword.exe*'\n - '*\\powerpnt.exe*'\n - '*\\excel.exe*'\n - '*\\outlook.exe*'\n ImageLoaded:\n - '*C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL*'\n", "detection_rule_title": "GAC DLL Loaded Via Office Applications", "detection_rule_author": "Antonlovesdnb", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -335293567346620608}}
{"date_created": "2019-01-12T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_wmi_event_subscription.yml", "date_modified": null, "description": "Detects creation of WMI event subscription persistence method", "references": ["https://attack.mitre.org/techniques/T1084/"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "0f06a3a5-6a09-413f-8743-e6cf35561297", "technique": ["T1084: Windows Management Instrumentation Event Subscription"], "raw_detection_rule": "detection:\n condition: selector\n selector:\n EventID:\n - 19\n - 20\n - 21\n", "detection_rule_title": "WMI Event Subscription", "detection_rule_author": "Tom Ueltschi (@c_APT_ure)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0023_20_windows_sysmon_WmiEvent", "DN_0024_21_windows_sysmon_WmiEvent", "DN_0022_19_windows_sysmon_WmiEvent"], "logging_policy": ["LP_0010_windows_sysmon_WmiEvent"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 8517083372263009212}}
{"date_created": "2019-10-21T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_asep_reg_keys_modification.yml", "date_modified": "2019-11-10T00:00:00", "description": "Detects modification of autostart extensibility point (ASEP) in registry", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "17f878b8-9968-4578-b814-c4217fc5768c", "technique": ["T1060: Registry Run Keys / Startup Folder"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 13\n TargetObject|contains:\n - \\software\\Microsoft\\Windows\\CurrentVersion\\Run\n - \\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n - \\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\n - \\software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n - \\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\n - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\n - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\n - \\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n", "detection_rule_title": "Autorun Keys Modification", "detection_rule_author": "Victor Sergeev, Daniil Yugoslavskiy, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -4256231975055350159}}
{"date_created": "2018-03-07T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_wmi_persistence_script_event_consumer_write.yml", "date_modified": null, "description": "Detects file writes of WMI script event consumer", "references": ["https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "33f41cdd-35ac-4ba8-814b-c6a4244a1ad4", "technique": ["T1084: Windows Management Instrumentation Event Subscription"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 11\n Image: C:\\WINDOWS\\system32\\wbem\\scrcons.exe\n", "detection_rule_title": "WMI Persistence - Script Event Consumer File Write", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0015_11_windows_sysmon_FileCreate"], "logging_policy": ["LP_0008_windows_sysmon_FileCreate"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 8029139978107313789}}
{"date_created": "2017-11-04T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_rundll32_net_connections.yml", "date_modified": null, "description": "Detects a rundll32 that communicates with public IP addresses", "references": ["https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "dr_id": "cdc8da7d-c303-42f8-b08c-b4ab47230263", "technique": ["T1085: Rundll32"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n DestinationIp:\n - 10.*\n - 192.168.*\n - 172.16.*\n - 172.17.*\n - 172.18.*\n - 172.19.*\n - 172.20.*\n - 172.21.*\n - 172.22.*\n - 172.23.*\n - 172.24.*\n - 172.25.*\n - 172.26.*\n - 172.27.*\n - 172.28.*\n - 172.29.*\n - 172.30.*\n - 172.31.*\n - 127.*\n selection:\n EventID: 3\n Image: '*\\rundll32.exe'\n Initiated: 'true'\n", "detection_rule_title": "Rundll32 Internet Connection", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0007_3_windows_sysmon_network_connection"], "logging_policy": ["LP_0005_windows_sysmon_network_connection"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -7496229167540319488}}
{"date_created": "2019-10-28T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml", "date_modified": null, "description": "IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\Windows\\System32\\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote machine.", "references": ["https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992"], "customer": ["None"], "tactic": ["TA0003: Persistence", "TA0005: Defense Evasion"], "dr_id": "602a1f13-c640-4d73-b053-be9a2fa58b77", "technique": ["T1073: DLL Side-Loading", "T1038: DLL Search Order Hijacking", "T1112: Modify Registry"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n EventID: 7\n Image:\n - '*\\svchost.exe'\n ImageLoaded:\n - C:\\Windows\\WinSxS\\*\n selection:\n EventID: 7\n Image:\n - '*\\svchost.exe'\n ImageLoaded:\n - '*\\tsmsisrv.dll'\n - '*\\tsvipsrv.dll'\n - '*\\wlbsctrl.dll'\n", "detection_rule_title": "Svchost DLL Search Order Hijack", "detection_rule_author": "SBousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -8505138178830634251}}
{"date_created": "2017-11-06T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_mal_namedpipes.yml", "date_modified": null, "description": "Detects the creation of a named pipe used by known APT malware", "references": ["Various sources"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0004: Privilege Escalation"], "dr_id": "fe3ac066-98bb-432a-b1e7-a5229cb39d4a", "technique": ["T1055: Process Injection"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID:\n - 17\n - 18\n PipeName:\n - \\isapi_http\n - \\isapi_dg\n - \\isapi_dg2\n - \\sdlrpc\n - \\ahexec\n - \\winsession\n - \\lsassw\n - \\46a676ab7f179e511e30dd2dc41bd388\n - \\9f81f59bc58452127884ce513865ed20\n - \\e710f28d59aa529d6792ca6ff0ca1b34\n - \\rpchlp_3\n - \\NamePipe_MoreWindows\n - \\pcheap_reuse\n - \\msagent_*\n - \\gruntsvc\n", "detection_rule_title": "Malicious Named Pipe", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0021_18_windows_sysmon_PipeEvent", "DN_0020_17_windows_sysmon_PipeEvent"], "logging_policy": ["LP_0009_windows_sysmon_PipeEvent"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -7615245460683750194}}
{"date_created": "2019-09-12T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_powershell_execution_moduleload.yml", "date_modified": "2019-11-10T00:00:00", "description": "Detects execution of PowerShell", "references": ["https://github.com/hunters-forge/ThreatHunter-Playbook/blob/8869b7a58dba1cff63bae1d7ab923974b8c0539b/playbooks/WIN-190410151110.yaml"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "867613fb-fa60-4497-a017-a82df74a172c", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Description: system.management.automation\n EventID: 7\n ImageLoaded|contains: system.management.automation\nfields:\n- ComputerName\n- Image\n- ProcessID\n- ImageLoaded\n", "detection_rule_title": "PowerShell Execution", "detection_rule_author": "Roberto Rodriguez @Cyb3rWard0g", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -6829579448136333852}}
{"date_created": "2019-08-11T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_createremotethread_loadlibrary.yml", "date_modified": "2019-11-10T00:00:00", "description": "Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process", "references": ["https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "052ec6f6-1adc-41e6-907a-f1c813478bee", "technique": ["T1055: Process Injection"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 8\n StartFunction: LoadLibraryA\n StartModule|endswith: \\kernel32.dll\n", "detection_rule_title": "CreateRemoteThread API and LoadLibrary", "detection_rule_author": "Roberto Rodriguez @Cyb3rWard0g", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0012_8_windows_sysmon_CreateRemoteThread"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -3818947421737074462}}
{"date_created": "2019-10-23T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_registry_persistence_key_linking.yml", "date_modified": "2019-11-07T00:00:00", "description": "Detects COM object hijacking via TreatAs subkey", "references": ["https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "9b0f8a61-91b2-464f-aceb-0527e0a45020", "technique": ["T1122: Component Object Model Hijacking"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 12\n TargetObject: HKU\\\\*_Classes\\CLSID\\\\*\\TreatAs\n", "detection_rule_title": "Windows Registry Persistence COM Key Linking", "detection_rule_author": "Kutepov Anton, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0016_12_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 2460633931302249531}}
{"date_created": "2017-02-16T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_cred_dump_lsass_access.yml", "date_modified": "2019-11-08T00:00:00", "description": "Detects process access LSASS memory which is typical for credentials dumping tools", "references": ["https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "32d0d3e2-e58d-4d41-926b-18b520b2b32d", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n ProcessName|endswith:\n - \\wmiprvse.exe\n - \\taskmgr.exe\n - \\procexp64.exe\n - \\procexp.exe\n - \\lsm.exe\n - \\csrss.exe\n - \\wininit.exe\n - \\vmtoolsd.exe\n selection:\n EventID: 10\n GrantedAccess|contains:\n - '0x40'\n - '0x1000'\n - '0x1400'\n - '0x100000'\n - '0x1410'\n - '0x1010'\n - '0x1438'\n - '0x143a'\n - '0x1418'\n - '0x1f0fff'\n - '0x1f1fff'\n - '0x1f2fff'\n - '0x1f3fff'\n TargetImage|endswith: \\lsass.exe\nfields:\n- ComputerName\n- User\n- SourceImage\n", "detection_rule_title": "Credentials Dumping Tools Accessing LSASS Memory", "detection_rule_author": "Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0014_10_windows_sysmon_ProcessAccess"], "logging_policy": ["LP_0007_windows_sysmon_ProcessAccess"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 2551059257797381188}}
{"date_created": "2018-07-18T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml", "date_modified": null, "description": "Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder", "references": ["https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "b7916c2a-fa2f-4795-9477-32b731f70f11", "technique": ["T1060: Registry Run Keys / Startup Folder"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Details:\n - C:\\Windows\\Temp\\\\*\n - C:\\ProgramData\\\\*\n - '*\\AppData\\\\*'\n - C:\\$Recycle.bin\\\\*\n - C:\\Temp\\\\*\n - C:\\Users\\Public\\\\*\n - C:\\Users\\Default\\\\*\n EventID: 13\n TargetObject: '*\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run'\nfields:\n- Image\n- ParentImage\n", "detection_rule_title": "Registry Persistence via Explorer Run Key", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -2997796949228190399}}
{"date_created": "2019-09-12T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_alternate_powershell_hosts_moduleload.yml", "date_modified": "2019-11-10T00:00:00", "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", "references": ["https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "f67f6c57-257d-4919-a416-69cd31f9aac3", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n Image|endswith: \\powershell.exe\n selection:\n Description: system.management.automation\n EventID: 7\n ImageLoaded|contains: system.management.automation\n", "detection_rule_title": "Alternate PowerShell Hosts Module Load", "detection_rule_author": "Roberto Rodriguez @Cyb3rWard0g", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 3633374803161392377}}
{"date_created": "2017-03-19T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_susp_prog_location_network_connection.yml", "date_modified": null, "description": "Detects programs with network connections running in suspicious files system locations", "references": ["https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "7b434893-c57d-4f41-908d-6a17bf1ae98f", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 3\n Image:\n - '*\\$Recycle.bin'\n - '*\\Users\\All Users\\\\*'\n - '*\\Users\\Default\\\\*'\n - '*\\Users\\Public\\\\*'\n - '*\\Users\\Contacts\\\\*'\n - '*\\Users\\Searches\\\\*'\n - C:\\Perflogs\\\\*\n - '*\\config\\systemprofile\\\\*'\n - '*\\Windows\\Fonts\\\\*'\n - '*\\Windows\\IME\\\\*'\n - '*\\Windows\\addins\\\\*'\n", "detection_rule_title": "Suspicious Program Location with Network Connections", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0007_3_windows_sysmon_network_connection"], "logging_policy": ["LP_0005_windows_sysmon_network_connection"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -7364696954702672377}}
{"date_created": "2019-12-26T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_susp_winword_wmidll_load.yml", "date_modified": null, "description": "Detects DLL's Loaded Via Word Containing VBA Macros Executing WMI Commands", "references": ["https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/", "https://media.cert.europa.eu/static/SecurityAdvisories/2019/CERT-EU-SA2019-021.pdf"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "a457f232-7df9-491d-898f-b5aabd2cbe2f", "technique": ["T1047: Windows Management Instrumentation"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 7\n Image:\n - '*\\winword.exe'\n - '*\\powerpnt.exe'\n - '*\\excel.exe'\n - '*\\outlook.exe'\n ImageLoaded:\n - '*\\wmiutils.dll'\n - '*\\wbemcomn.dll'\n - '*\\wbemprox.dll'\n - '*\\wbemdisp.dll'\n - '*\\wbemsvc.dll'\n", "detection_rule_title": "Windows Mangement Instrumentation DLL Loaded Via Microsoft Word", "detection_rule_author": "Michael R. (@nahamike01)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -6324095458684570409}}
{"date_created": "2018-01-07T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_susp_image_load.yml", "date_modified": null, "description": "Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz", "references": ["https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "e32ce4f5-46c6-4c47-ba69-5de3c9193cd7", "technique": ["T1073: DLL Side-Loading"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 7\n Image:\n - '*\\notepad.exe'\n ImageLoaded:\n - '*\\samlib.dll'\n - '*\\WinSCard.dll'\n", "detection_rule_title": "Possible Process Hollowing Image Loading", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -4039550796137900876}}
{"date_created": "2019-10-22T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml", "date_modified": "2019-11-13T00:00:00", "description": "Loading unsigned image (DLL, EXE) into LSASS process", "references": ["https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "857c8db3-c89b-42fb-882b-f681c7cf4da2", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 7\n Image|endswith: \\lsass.exe\n Signed: 'false'\n", "detection_rule_title": "Unsigned Image Loaded Into LSASS Process", "detection_rule_author": "Teymur Kheirkhabarov, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 1384928371099040434}}
{"date_created": "2019-10-12T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_suspicious_keyboard_layout_load.yml", "date_modified": "2019-10-15T00:00:00", "description": "Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only", "references": ["https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index", "https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "34aa0252-6039-40ff-951f-939fd6ce47d8", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection_registry\n selection_registry:\n Details|contains:\n - 00000429\n - 00050429\n - 0000042a\n EventID: 13\n TargetObject:\n - '*\\Keyboard Layout\\Preload\\*'\n - '*\\Keyboard Layout\\Substitutes\\*'\n", "detection_rule_title": "Suspicious Keyboard Layout Load", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 916258652742383135}}
{"date_created": "2019-10-01T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_susp_download_run_key.yml", "date_modified": null, "description": "Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories", "references": ["https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "9c5037d1-c568-49b3-88c7-9846a5bdc2be", "technique": ["T1060: Registry Run Keys / Startup Folder"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 13\n Image:\n - '*\\Downloads\\\\*'\n - '*\\Temporary Internet Files\\Content.Outlook\\\\*'\n - '*\\Local Settings\\Temporary Internet Files\\\\*'\n TargetObject: '*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\*'\n", "detection_rule_title": "Suspicious RUN Key from Download", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 8128316061623163678}}
{"date_created": "2019-10-27T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_suspicious_remote_thread.yml", "date_modified": "2019-11-13T00:00:00", "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild. This rule aims to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes. It is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.", "references": ["Personal research, statistical analysis", "https://lolbas-project.github.io"], "customer": ["None"], "tactic": ["TA0004: Privilege Escalation"], "dr_id": "66d31e5f-52d6-40a4-9615-002d3789a119", "technique": ["T1055: Process Injection"], "raw_detection_rule": "detection:\n condition: selection AND NOT filter\n filter:\n SourceImage|contains: Visual Studio\n selection:\n EventID: 8\n SourceImage|endswith:\n - \\bash.exe\n - \\cvtres.exe\n - \\defrag.exe\n - \\dnx.exe\n - \\esentutl.exe\n - \\excel.exe\n - \\expand.exe\n - \\explorer.exe\n - \\find.exe\n - \\findstr.exe\n - \\forfiles.exe\n - \\git.exe\n - \\gpupdate.exe\n - \\hh.exe\n - \\iexplore.exe\n - \\installutil.exe\n - \\lync.exe\n - \\makecab.exe\n - \\mDNSResponder.exe\n - \\monitoringhost.exe\n - \\msbuild.exe\n - \\mshta.exe\n - \\msiexec.exe\n - \\mspaint.exe\n - \\outlook.exe\n - \\ping.exe\n - \\powerpnt.exe\n - \\powershell.exe\n - \\provtool.exe\n - \\python.exe\n - \\regsvr32.exe\n - \\robocopy.exe\n - \\runonce.exe\n - \\sapcimc.exe\n - \\schtasks.exe\n - \\smartscreen.exe\n - \\spoolsv.exe\n - \\tstheme.exe\n - \\userinit.exe\n - \\vssadmin.exe\n - \\vssvc.exe\n - \\w3wp.exe*\n - \\winlogon.exe\n - \\winscp.exe\n - \\wmic.exe\n - \\word.exe\n - \\wscript.exe\nfields:\n- ComputerName\n- User\n- SourceImage\n- TargetImage\nnotes:\n- MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite\n for process injection for .NET in-memory offensive tools.\n", "detection_rule_title": "Suspicious Remote Thread Created", "detection_rule_author": "Perez Diego (@darkquassar), oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0012_8_windows_sysmon_CreateRemoteThread"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 2204954325916333435}}
{"date_created": "2019-10-16T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_susp_lsass_dll_load.yml", "date_modified": null, "description": "Detects a method to load DLL via LSASS process using an undocumented Registry key", "references": ["https://blog.xpnsec.com/exploring-mimikatz-part-1/", "https://twitter.com/SBousseaden/status/1183745981189427200"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "b3503044-60ce-4bf4-bbcb-e3db98788823", "technique": ["T1177: LSASS Driver"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID:\n - 12\n - 13\n TargetObject:\n - '*\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt*'\n - '*\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt*'\n", "detection_rule_title": "DLL Load via LSASS", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent", "DN_0016_12_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 8012622415472590248}}
{"date_created": "2019-09-12T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_rdp_registry_modification.yml", "date_modified": "2019-11-10T00:00:00", "description": "Detects potential malicious modification of the property value of fDenyTSConnections and UserAuthentication to enable remote desktop connections.", "references": ["https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1112_Modify_Registry/enable_rdp_registry.md"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "41904ebe-d56c-4904-b9ad-7a77bdf154b3", "technique": ["T1112: Modify Registry"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n Details: DWORD (0x00000000)\n EventID: 13\n TargetObject|endswith:\n - \\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication\n - \\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections\nfields:\n- ComputerName\n- Image\n- EventType\n- TargetObject\n", "detection_rule_title": "RDP Registry Modification", "detection_rule_author": "Roberto Rodriguez @Cyb3rWard0g", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 6700287864097944994}}
{"date_created": "2019-10-22T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_webshell_creation_detect.yml", "date_modified": "2019-11-04T00:00:00", "description": "Possible webshell file creation on a static web site", "references": ["PT ESC rule and personal experience"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "39f1f9f2-9636-45de-98f6-a4046aa8e4b9", "technique": ["T1100: Web Shell"], "raw_detection_rule": "detection:\n condition: selection_1 and ( selection_2 and selection_3 ) or selection_1 and (\n selection_4 and selection_5 ) or selection_1 and selection_6\n selection_1:\n EventID: 11\n selection_2:\n TargetFilename|contains: \\inetpub\\wwwroot\\\n selection_3:\n TargetFilename|contains:\n - .asp\n - .ashx\n - .ph\n selection_4:\n TargetFilename|contains:\n - \\www\\\n - \\htdocs\\\n - \\html\\\n selection_5:\n TargetFilename|contains: .ph\n selection_6:\n - TargetFilename|endswith: .jsp\n - TargetFilename|contains|all:\n - \\cgi-bin\\\n - .pl\n", "detection_rule_title": "Windows Webshell Creation", "detection_rule_author": "Beyu Denis, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0015_11_windows_sysmon_FileCreate"], "logging_policy": ["LP_0008_windows_sysmon_FileCreate"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -5713064403652957213}}
{"date_created": "2018-04-07T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_powershell_exploit_scripts.yml", "date_modified": null, "description": "Detects the creation of known powershell scripts for exploitation", "references": ["https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "f331aa1f-8c53-4fc3-b083-cc159bc971cb", "technique": ["T1086: PowerShell"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 11\n TargetFilename:\n - '*\\Invoke-DllInjection.ps1'\n - '*\\Invoke-WmiCommand.ps1'\n - '*\\Get-GPPPassword.ps1'\n - '*\\Get-Keystrokes.ps1'\n - '*\\Get-VaultCredential.ps1'\n - '*\\Invoke-CredentialInjection.ps1'\n - '*\\Invoke-Mimikatz.ps1'\n - '*\\Invoke-NinjaCopy.ps1'\n - '*\\Invoke-TokenManipulation.ps1'\n - '*\\Out-Minidump.ps1'\n - '*\\VolumeShadowCopyTools.ps1'\n - '*\\Invoke-ReflectivePEInjection.ps1'\n - '*\\Get-TimedScreenshot.ps1'\n - '*\\Invoke-UserHunter.ps1'\n - '*\\Find-GPOLocation.ps1'\n - '*\\Invoke-ACLScanner.ps1'\n - '*\\Invoke-DowngradeAccount.ps1'\n - '*\\Get-ServiceUnquoted.ps1'\n - '*\\Get-ServiceFilePermission.ps1'\n - '*\\Get-ServicePermission.ps1'\n - '*\\Invoke-ServiceAbuse.ps1'\n - '*\\Install-ServiceBinary.ps1'\n - '*\\Get-RegAutoLogon.ps1'\n - '*\\Get-VulnAutoRun.ps1'\n - '*\\Get-VulnSchTask.ps1'\n - '*\\Get-UnattendedInstallFile.ps1'\n - '*\\Get-WebConfig.ps1'\n - '*\\Get-ApplicationHost.ps1'\n - '*\\Get-RegAlwaysInstallElevated.ps1'\n - '*\\Get-Unconstrained.ps1'\n - '*\\Add-RegBackdoor.ps1'\n - '*\\Add-ScrnSaveBackdoor.ps1'\n - '*\\Gupt-Backdoor.ps1'\n - '*\\Invoke-ADSBackdoor.ps1'\n - '*\\Enabled-DuplicateToken.ps1'\n - '*\\Invoke-PsUaCme.ps1'\n - '*\\Remove-Update.ps1'\n - '*\\Check-VM.ps1'\n - '*\\Get-LSASecret.ps1'\n - '*\\Get-PassHashes.ps1'\n - '*\\Show-TargetScreen.ps1'\n - '*\\Port-Scan.ps1'\n - '*\\Invoke-PoshRatHttp.ps1'\n - '*\\Invoke-PowerShellTCP.ps1'\n - '*\\Invoke-PowerShellWMI.ps1'\n - '*\\Add-Exfiltration.ps1'\n - '*\\Add-Persistence.ps1'\n - '*\\Do-Exfiltration.ps1'\n - '*\\Start-CaptureServer.ps1'\n - '*\\Invoke-ShellCode.ps1'\n - '*\\Get-ChromeDump.ps1'\n - '*\\Get-ClipboardContents.ps1'\n - '*\\Get-FoxDump.ps1'\n - '*\\Get-IndexedItem.ps1'\n - '*\\Get-Screenshot.ps1'\n - '*\\Invoke-Inveigh.ps1'\n - '*\\Invoke-NetRipper.ps1'\n - '*\\Invoke-EgressCheck.ps1'\n - '*\\Invoke-PostExfil.ps1'\n - '*\\Invoke-PSInject.ps1'\n - '*\\Invoke-RunAs.ps1'\n - '*\\MailRaider.ps1'\n - '*\\New-HoneyHash.ps1'\n - '*\\Set-MacAttribute.ps1'\n - '*\\Invoke-DCSync.ps1'\n - '*\\Invoke-PowerDump.ps1'\n - '*\\Exploit-Jboss.ps1'\n - '*\\Invoke-ThunderStruck.ps1'\n - '*\\Invoke-VoiceTroll.ps1'\n - '*\\Set-Wallpaper.ps1'\n - '*\\Invoke-InveighRelay.ps1'\n - '*\\Invoke-PsExec.ps1'\n - '*\\Invoke-SSHCommand.ps1'\n - '*\\Get-SecurityPackages.ps1'\n - '*\\Install-SSP.ps1'\n - '*\\Invoke-BackdoorLNK.ps1'\n - '*\\PowerBreach.ps1'\n - '*\\Get-SiteListPassword.ps1'\n - '*\\Get-System.ps1'\n - '*\\Invoke-BypassUAC.ps1'\n - '*\\Invoke-Tater.ps1'\n - '*\\Invoke-WScriptBypassUAC.ps1'\n - '*\\PowerUp.ps1'\n - '*\\PowerView.ps1'\n - '*\\Get-RickAstley.ps1'\n - '*\\Find-Fruit.ps1'\n - '*\\HTTP-Login.ps1'\n - '*\\Find-TrustedDocuments.ps1'\n - '*\\Invoke-Paranoia.ps1'\n - '*\\Invoke-WinEnum.ps1'\n - '*\\Invoke-ARPScan.ps1'\n - '*\\Invoke-PortScan.ps1'\n - '*\\Invoke-ReverseDNSLookup.ps1'\n - '*\\Invoke-SMBScanner.ps1'\n - '*\\Invoke-Mimikittenz.ps1'\n", "detection_rule_title": "Malicious PowerShell Commandlet Names", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0015_11_windows_sysmon_FileCreate"], "logging_policy": ["LP_0008_windows_sysmon_FileCreate"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 8481688817591444007}}
{"date_created": "2019-08-22T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_renamed_powershell.yml", "date_modified": null, "description": "Detects the execution of a renamed PowerShell often used by attackers or malware", "references": ["https://twitter.com/christophetd/status/1164506034720952320"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n Image:\n - '*\\powershell.exe'\n - '*\\powershell_ise.exe'\n selection:\n Company: Microsoft Corporation\n Description: Windows PowerShell\n", "detection_rule_title": "Renamed PowerShell", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 8832711916123983418}}
{"date_created": "2019-08-10T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_wmi_module_load.yml", "date_modified": "2019-11-10T00:00:00", "description": "Detects non wmiprvse loading WMI modules", "references": ["https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_wmi_module_load.md"], "customer": ["None"], "tactic": ["TA0002: Execution"], "dr_id": "671bb7e3-a020-4824-a00e-2ee5b55f385e", "technique": ["T1047: Windows Management Instrumentation"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n Image|endswith:\n - \\WmiPrvSe.exe\n - \\WmiPrvSE.exe\n - \\WmiAPsrv.exe\n - \\svchost.exe\n selection:\n EventID: 7\n ImageLoaded|endswith:\n - \\wmiclnt.dll\n - \\WmiApRpl.dll\n - \\wmiprov.dll\n - \\wmiutils.dll\n - \\wbemcomn.dll\n - \\wbemprox.dll\n - \\WMINet_Utils.dll\n - \\wbemsvc.dll\n - \\fastprox.dll\nfields:\n- ComputerName\n- User\n- Image\n- ImageLoaded\n", "detection_rule_title": "WMI Modules Loaded", "detection_rule_author": "Roberto Rodriguez @Cyb3rWard0g", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 1742928601533591991}}
{"date_created": "2019-02-16T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_rdp_reverse_tunnel.yml", "date_modified": null, "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389", "references": ["https://twitter.com/SBousseaden/status/1096148422984384514"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0011: Command and Control"], "dr_id": "5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4", "technique": ["T1076: Remote Desktop Protocol"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n DestinationIp:\n - 127.*\n - ::1\n EventID: 3\n Image: '*\\svchost.exe'\n Initiated: 'true'\n SourcePort: 3389\n", "detection_rule_title": "RDP Over Reverse SSH Tunnel", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0007_3_windows_sysmon_network_connection"], "logging_policy": ["LP_0005_windows_sysmon_network_connection"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -6657839689947181149}}
{"date_created": "2020-02-19T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_registry_trust_record_modification.yml", "date_modified": "2020-02-19T00:00:00", "description": "Alerts on trust record modification within the registry, indicating usage of macros", "references": ["https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/", "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html"], "customer": ["None"], "tactic": ["TA0001: Initial Access"], "dr_id": "295a59c1-7b79-4b47-a930-df12c15fc9c2", "technique": ["T1193: Spearphishing Attachment"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 12\n TargetObject|contains: TrustRecords\n", "detection_rule_title": "Windows Registry Trust Record Modification", "detection_rule_author": "Antonlovesdnb", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0016_12_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 8747825422428030326}}
{"date_created": "2017-03-19T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_uac_bypass_eventvwr.yml", "date_modified": null, "description": "Detects UAC bypass method using Windows event viewer", "references": ["https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0004: Privilege Escalation"], "dr_id": "7c81fec3-1c1d-43b0-996a-46753041b1b6", "technique": ["T1088: Bypass User Account Control"], "raw_detection_rule": "detection:\n condition: methregistry or ( methprocess and not filterprocess )\n filterprocess:\n Image: '*\\mmc.exe'\n methprocess:\n EventID: 1\n ParentImage: '*\\eventvwr.exe'\n methregistry:\n EventID: 13\n TargetObject: HKU\\\\*\\mscfile\\shell\\open\\command\nfields:\n- CommandLine\n- ParentCommandLine\n", "detection_rule_title": "UAC Bypass via Event Viewer", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["not defined", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -7388064970067395280}}
{"date_created": "2019-10-27T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_minidumwritedump_lsass.yml", "date_modified": "2019-11-13T00:00:00", "description": "Detects the use of MiniDumpWriteDump API for dumping lsass.exe memory in a stealth way. Tools like ProcessHacker and some attacker tradecract use this API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.", "references": ["https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html", "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "dd5ab153-beaa-4315-9647-65abc5f71541", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: (signedprocess AND NOT filter) OR (unsignedprocess AND NOT filter)\n filter:\n Image|contains: Visual Studio\n signedprocess:\n EventID: 7\n ImageLoaded|endswith:\n - \\dbghelp.dll\n - \\dbgcore.dll\n Image|endswith:\n - \\msbuild.exe\n - \\cmd.exe\n - \\svchost.exe\n - \\rundll32.exe\n - \\powershell.exe\n - \\word.exe\n - \\excel.exe\n - \\powerpnt.exe\n - \\outlook.exe\n - \\monitoringhost.exe\n - \\wmic.exe\n - \\msiexec.exe\n - \\bash.exe\n - \\wscript.exe\n - \\cscript.exe\n - \\mshta.exe\n - \\regsvr32.exe\n - \\schtasks.exe\n - \\dnx.exe\n - \\regsvcs.exe\n - \\sc.exe\n - \\scriptrunner.exe\n unsignedprocess:\n EventID: 7\n ImageLoaded|endswith:\n - \\dbghelp.dll\n - \\dbgcore.dll\n Signed: 'FALSE'\nfields:\n- ComputerName\n- User\n- Image\n- ImageLoaded\n", "detection_rule_title": "Dumping Lsass.exe Memory with MiniDumpWriteDump API", "detection_rule_author": "Perez Diego (@darkquassar), oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": -2263568911794830629}}
{"date_created": "2019-10-25T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml", "date_modified": "2019-11-13T00:00:00", "description": "Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.", "references": ["http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", "https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "6aa1d992-5925-4e9f-a49b-845e51d1de01", "technique": ["T1182: AppCert DLLs"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n - EventID:\n - 12\n - 13\n TargetObject: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls\n - EventID: 14\n NewName: HKLM\\SYSTEM\\CurentControlSet\\Control\\Session Manager\\AppCertDlls\nfields:\n- EventID\n- Image\n- TargetObject\n- NewName\n", "detection_rule_title": "New DLL Added to AppCertDlls Registry Key", "detection_rule_author": "Ilyas Ochkov, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent", "DN_0016_12_windows_sysmon_RegistryEvent", "DN_0018_14_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 1643215978865731635}}
{"date_created": "2019-01-18T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_ssp_added_lsa_config.yml", "date_modified": null, "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", "references": ["https://attack.mitre.org/techniques/T1101/", "https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", "technique": ["T1011: Exfiltration Over Other Network Medium"], "raw_detection_rule": "detection:\n condition: selection_registry and not exclusion_images\n exclusion_images:\n - Image: C:\\Windows\\system32\\msiexec.exe\n - Image: C:\\Windows\\syswow64\\MsiExec.exe\n selection_registry:\n EventID: 13\n TargetObject:\n - HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Security Packages\n - HKLM\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages\n", "detection_rule_title": "Security Support Provider (SSP) Added to LSA Configuration", "detection_rule_author": "iwillkeepwatch", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 7113909668554153854}}
{"date_created": "2018-08-25T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_susp_run_key_img_folder.yml", "date_modified": "2020-02-26T00:00:00", "description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder", "references": ["https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "02ee49e2-e294-4d0f-9278-f5b3212fc588", "technique": ["T1060: Registry Run Keys / Startup Folder"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n Details|contains:\n - \\AppData\\Local\\Microsoft\\OneDrive\\\n selection:\n Details:\n - '*C:\\Windows\\Temp\\\\*'\n - '*\\AppData\\\\*'\n - '%AppData%\\\\*'\n - '*C:\\$Recycle.bin\\\\*'\n - '*C:\\Temp\\\\*'\n - '*C:\\Users\\Public\\\\*'\n - '%Public%\\\\*'\n - '*C:\\Users\\Default\\\\*'\n - '*C:\\Users\\Desktop\\\\*'\n - wscript*\n - cscript*\n EventID: 13\n TargetObject:\n - '*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\*'\n - '*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\\\*'\nfields:\n- Image\n", "detection_rule_title": "New RUN Key Pointing to Suspicious Folder", "detection_rule_author": "Florian Roth, Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 568765829371253847}}
{"date_created": "2019-10-26T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml", "date_modified": "2019-11-11T00:00:00", "description": "Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level", "references": ["https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/"], "customer": ["None"], "tactic": ["TA0004: Privilege Escalation"], "dr_id": "0f9c21f1-6a73-4b0e-9809-cb562cb8d981", "technique": ["T1058: Service Registry Permissions Weakness"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 13\n IntegrityLevel: Medium\n TargetObject|contains: \\services\\\n TargetObject|endswith:\n - \\ImagePath\n - \\FailureCommand\n - \\Parameters\\ServiceDll\nenrichment:\n- EN_0001_cache_sysmon_event_id_1_info\n- EN_0003_enrich_other_sysmon_events_with_event_id_1_data\n", "detection_rule_title": "Possible Privilege Escalation via Service Permissions Weakness", "detection_rule_author": "Teymur Kheirkhabarov", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["not defined", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["EN_0001_cache_sysmon_event_id_1_info", "EN_0003_enrich_other_sysmon_events_with_event_id_1_data"], "enrichment_requirements": ["not defined", ["EN_0001_cache_sysmon_event_id_1_info"]]}
{"index": {"_id": 1442525653066421727}}
{"date_created": "2019-03-24T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_susp_adsi_cache_usage.yml", "date_modified": null, "description": "detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.", "references": ["https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", "https://github.com/fox-it/LDAPFragger"], "customer": ["None"], "tactic": ["TA0003: Persistence"], "dr_id": "75bf09fa-1dd7-4d18-9af9-dd9e492562eb", "technique": ["T1041: Exfiltration Over Command and Control Channel"], "raw_detection_rule": "detection:\n condition: selection_1 and not selection_2\n selection_1:\n EventID: 11\n TargetFilename: '*\\Local\\Microsoft\\Windows\\SchCache\\*.sch'\n selection_2:\n Image|contains:\n - C:\\windows\\system32\\svchost.exe\n - C:\\windows\\system32\\dllhost.exe\n - C:\\windows\\system32\\mmc.exe\n - C:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\n", "detection_rule_title": "Suspicious ADSI-Cache Usage By Unknown Tool", "detection_rule_author": "xknow @xknow_infosec", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0015_11_windows_sysmon_FileCreate"], "logging_policy": ["LP_0008_windows_sysmon_FileCreate"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 6343053640738411628}}
{"date_created": "2019-10-22T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml", "date_modified": "2019-11-13T00:00:00", "description": "LSASS memory dump creation using operating systems utilities. Procdump will use process name in output file if no name is specified", "references": ["https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment"], "customer": ["None"], "tactic": ["TA0006: Credential Access"], "dr_id": "5e3d3601-0662-4af0-b1d2-36a05e90c40a", "technique": ["T1003: Credential Dumping"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 11\n TargetFilename|contains: lsass\n TargetFilename|endswith: dmp\nfields:\n- ComputerName\n- TargetFileName\n", "detection_rule_title": "LSASS Memory Dump File Creation", "detection_rule_author": "Teymur Kheirkhabarov, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0015_11_windows_sysmon_FileCreate"], "logging_policy": ["LP_0008_windows_sysmon_FileCreate"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 168844232377346245}}
{"date_created": "2017-05-15T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_dhcp_calloutdll.yml", "date_modified": null, "description": "Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)", "references": ["https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "9d3436ef-9476-4c43-acca-90ce06bdf33a", "technique": ["T1073: DLL Side-Loading", "T1112: Modify Registry"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 13\n TargetObject:\n - '*\\Services\\DHCPServer\\Parameters\\CalloutDlls'\n - '*\\Services\\DHCPServer\\Parameters\\CalloutEnabled'\n", "detection_rule_title": "DHCP Callout DLL Installation", "detection_rule_author": "Dimitrios Slamaris", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 7338521171939765029}}
{"date_created": "2019-10-24T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml", "date_modified": "2019-11-13T00:00:00", "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", "references": ["https://github.com/GhostPack/Rubeus8"], "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "dr_id": "e54979bd-c5f9-4d6c-967b-a04b19ac4c74", "technique": ["T1208: Kerberoasting"], "raw_detection_rule": "detection:\n condition: selection and not filter\n filter:\n Image|endswith:\n - \\lsass.exe\n - \\opera.exe\n - \\chrome.exe\n - \\firefox.exe\n selection:\n DestinationPort: 88\n EventID: 3\n Initiated: 'true'\n", "detection_rule_title": "Suspicious Outbound Kerberos Connection", "detection_rule_author": "Ilyas Ochkov, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0007_3_windows_sysmon_network_connection"], "logging_policy": ["LP_0005_windows_sysmon_network_connection"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 6457119881034811094}}
{"date_created": "2019-05-20T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_mimikatz_trough_winrm.yml", "date_modified": null, "description": "Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.", "references": ["https://pentestlab.blog/2018/05/15/lateral-movement-winrm/"], "customer": ["None"], "tactic": ["TA0006: Credential Access", "TA0002: Execution"], "dr_id": "aa35a627-33fb-4d04-a165-d33b4afca3e8", "technique": ["T1003: Credential Dumping", "T1028: Windows Remote Management"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID: 10\n SourceImage: C:\\Windows\\system32\\wsmprovhost.exe\n TargetImage: C:\\windows\\system32\\lsass.exe\n", "detection_rule_title": "Mimikatz through Windows Remote Management", "detection_rule_author": "Patryk Prauze - ING Tech", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "stable", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0014_10_windows_sysmon_ProcessAccess"], "logging_policy": ["LP_0007_windows_sysmon_ProcessAccess"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 6723394369332777456}}
{"date_created": "2017-11-06T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_apt_turla_namedpipes.yml", "date_modified": null, "description": "Detects a named pipe used by Turla group samples", "references": ["Internal Research"], "customer": ["None"], "tactic": ["not defined"], "dr_id": "739915e4-1e70-4778-8b8a-17db02f66db1", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection\n selection:\n EventID:\n - 17\n - 18\n PipeName:\n - \\atctl\n - \\userpipe\n - \\iehelper\n - \\sdlrpc\n - \\comnap\n", "detection_rule_title": "Turla Group Named Pipes", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0021_18_windows_sysmon_PipeEvent", "DN_0020_17_windows_sysmon_PipeEvent"], "logging_policy": ["LP_0009_windows_sysmon_PipeEvent"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
{"index": {"_id": 3456537972273325244}}
{"date_created": "2019-04-03T00:00:00", "sigma_rule_path": "es/windows/sysmon/sysmon_rdp_settings_hijack.yml", "date_modified": null, "description": "Detects changes to RDP terminal service sensitive settings", "references": ["https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html"], "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "dr_id": "171b67e1-74b4-460e-8d55-b331f3e32d67", "technique": ["not defined"], "raw_detection_rule": "detection:\n condition: selection_reg\n selection_reg:\n EventID: 13\n TargetObject:\n - '*\\services\\TermService\\Parameters\\ServiceDll*'\n - '*\\Control\\Terminal Server\\fSingleSessionPerUser*'\n - '*\\Control\\Terminal Server\\fDenyTSConnections*'\n", "detection_rule_title": "RDP Sensitive Settings Changed", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}