Sigma rules for Wintego Systems
166 rules · scoped to actor · back to Wintego Systems
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Decode Base64 Encoded Text
id: e2072cab-8c9a-459b-b63c-40ae79e27031
status: test
description: Detects usage of base64 utility to decode arbitrary base64-encoded text
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2021-11-27
tags:
- attack.stealth
- attack.t1027
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/base64'
CommandLine|contains: '-d' # Also covers "--decode"
condition: selection
falsepositives:
- Legitimate activities
level: low
title: Potential PowerShell Obfuscation Using Character Join
id: e8314f79-564d-4f79-bc13-fbc0bf2660d8
related:
- id: 96cd126d-f970-49c4-848a-da3a09f55c55
type: derived
status: test
description: Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-09
tags:
- attack.execution
- attack.stealth
- attack.t1027
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
# Example:
# Set-Alias -Name Y -Value (-join("Ne","w-O","bje","ct"))
# Set-Alias -Name X -Value (-join("Inv","oke","-","Exp","ression"))
ScriptBlockText|contains|all:
- '-Alias' # For both "New-Alias" and "Set-Alias"
- ' -Value (-join('
condition: selection
falsepositives:
- Unknown
level: low
title: Potential PowerShell Obfuscation Using Alias Cmdlets
id: 96cd126d-f970-49c4-848a-da3a09f55c55
related:
- id: e8314f79-564d-4f79-bc13-fbc0bf2660d8
type: derived
status: test
description: Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts
references:
- https://github.com/1337Rin/Swag-PSO
author: frack113
date: 2023-01-08
modified: 2025-10-22
tags:
- attack.execution
- attack.stealth
- attack.t1027
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Set-Alias '
- 'New-Alias '
filter_main_cim:
ScriptBlockText:
- 'Set-Alias -Name ncms -Value New-CimSession -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
- 'Set-Alias -Name gcls -Value Get-CimClass -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
- 'Set-Alias -Name ncso -Value New-CimSessionOption -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
- 'Set-Alias -Name gcms -Value Get-CimSession -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
- 'Set-Alias -Name rcms -Value Remove-cimSession -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
- 'Set-Alias -Name rcie -Value Register-CimIndicationEvent -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
- 'Set-Alias -Name gcai -Value Get-CimAssociatedInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
- 'Set-Alias -Name gcim -Value Get-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
- 'Set-Alias -Name scim -Value Set-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
- 'Set-Alias -Name ncim -Value New-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
- 'Set-Alias -Name rcim -Value Remove-cimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
- 'Set-Alias -Name icim -Value Invoke-CimMethod -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: low
title: Potential Encoded PowerShell Patterns In CommandLine
id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f
related:
- id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6
type: similar
status: test
description: Detects specific combinations of encoding methods in PowerShell via the commandline
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
date: 2020-10-11
modified: 2023-01-26
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_to_1:
CommandLine|contains:
- 'ToInt'
- 'ToDecimal'
- 'ToByte'
- 'ToUint'
- 'ToSingle'
- 'ToSByte'
selection_to_2:
CommandLine|contains:
- 'ToChar'
- 'ToString'
- 'String'
selection_gen_1:
CommandLine|contains|all:
- 'char'
- 'join'
selection_gen_2:
CommandLine|contains|all:
- 'split'
- 'join'
condition: selection_img and (all of selection_to_* or 1 of selection_gen_*)
falsepositives:
- Unknown
level: low
title: Network Sniffing - MacOs
id: adc9bcc4-c39c-4f6b-a711-1884017bf043
status: test
description: |
Detects the usage of tooling to sniff network traffic.
An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-14
modified: 2022-11-26
tags:
- attack.discovery
- attack.credential-access
- attack.t1040
logsource:
category: process_creation
product: macos
detection:
selection:
Image|endswith:
- '/tcpdump'
- '/tshark'
condition: selection
falsepositives:
- Legitimate administration activities
level: informational
title: Network Sniffing - Linux
id: f4d3748a-65d1-4806-bd23-e25728081d01
status: test
description: |
Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2022-12-18
tags:
- attack.credential-access
- attack.discovery
- attack.t1040
logsource:
product: linux
service: auditd
detection:
selection_1:
type: 'execve'
a0: 'tcpdump'
a1: '-c'
a3|contains: '-i'
selection_2:
type: 'execve'
a0: 'tshark'
a1: '-c'
a3: '-i'
condition: 1 of selection_*
falsepositives:
- Legitimate administrator or user uses network sniffing tool for legitimate reasons.
level: low
title: DNS Query Request To OneLaunch Update Service
id: df68f791-ad95-447f-a271-640a0dab9cf8
status: test
description: |
Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application.
When the OneLaunch application is installed it will attempt to get updates from this domain.
references:
- https://www.malwarebytes.com/blog/detections/pup-optional-onelaunch-silentcf
- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/
- https://malware.guide/browser-hijacker/remove-onelaunch-virus/
author: Josh Nickels
date: 2024-02-26
tags:
- attack.credential-access
- attack.collection
- attack.t1056
logsource:
category: dns_query
product: windows
detection:
selection:
QueryName: 'update.onelaunch.com'
Image|endswith: '\OneLaunch.exe'
condition: selection
falsepositives:
- Unlikely
level: low
title: Suspicious Network Communication With IPFS
id: eb6c2004-1cef-427f-8885-9042974e5eb6
status: test
description: Detects connections to interplanetary file system (IPFS) containing a user's email address which mirrors behaviours observed in recent phishing campaigns leveraging IPFS to host credential harvesting webpages.
references:
- https://blog.talosintelligence.com/ipfs-abuse/
- https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11
- https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638
author: Gavin Knapp
date: 2023-03-16
tags:
- attack.collection
- attack.credential-access
- attack.t1056
logsource:
category: proxy
detection:
selection:
cs-uri|re: '(?i)(ipfs\.io/|ipfs\.io\s).+\..+@.+\.[a-z]+'
condition: selection
falsepositives:
- Legitimate use of IPFS being used in the organisation. However the cs-uri regex looking for a user email will likely negate this.
level: low
title: Failed Authentications From Countries You Do Not Operate Out Of
id: 28870ae4-6a13-4616-bd1a-235a7fad7458
status: test
description: Detect failed authentications from countries you do not operate out of.
references:
- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
author: MikeDuddington, '@dudders1'
date: 2022-07-28
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.credential-access
- attack.stealth
- attack.t1078.004
- attack.t1110
logsource:
product: azure
service: signinlogs
detection:
selection:
Status: 'Success'
selection1:
Location|contains: '<Countries you DO operate out of e,g GB, use OR for multiple>'
condition: not selection and not selection1
falsepositives:
- If this was approved by System Administrator.
level: low
title: Cisco LDP Authentication Failures
id: 50e606bf-04ce-4ca7-9d54-3449494bbd4b
status: test
description: Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels
references:
- https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
author: Tim Brown
date: 2023-01-09
tags:
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
- attack.credential-access
- attack.collection
- attack.stealth
- attack.t1078
- attack.t1110
- attack.t1557
logsource:
product: cisco
service: ldp
definition: 'Requirements: cisco ldp logs need to be enabled and ingested'
detection:
selection_protocol:
- 'LDP'
selection_keywords:
- 'SOCKET_TCP_PACKET_MD5_AUTHEN_FAIL'
- 'TCPMD5AuthenFail'
condition: selection_protocol and selection_keywords
falsepositives:
- Unlikely. Except due to misconfigurations
level: low
title: Cisco BGP Authentication Failures
id: 56fa3cd6-f8d6-4520-a8c7-607292971886
status: test
description: Detects BGP failures which may be indicative of brute force attacks to manipulate routing
references:
- https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
author: Tim Brown
date: 2023-01-09
modified: 2023-01-23
tags:
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
- attack.credential-access
- attack.collection
- attack.stealth
- attack.t1078
- attack.t1110
- attack.t1557
logsource:
product: cisco
service: bgp
definition: 'Requirements: cisco bgp logs need to be enabled and ingested'
detection:
keywords_bgp_cisco:
'|all':
- ':179' # Protocol
- 'IP-TCP-3-BADAUTH'
condition: keywords_bgp_cisco
falsepositives:
- Unlikely. Except due to misconfigurations
level: low
title: Huawei BGP Authentication Failures
id: a557ffe6-ac54-43d2-ae69-158027082350
status: test
description: Detects BGP failures which may be indicative of brute force attacks to manipulate routing.
references:
- https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
author: Tim Brown
date: 2023-01-09
modified: 2023-01-23
tags:
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
- attack.credential-access
- attack.collection
- attack.stealth
- attack.t1078
- attack.t1110
- attack.t1557
logsource:
product: huawei
service: bgp
definition: 'Requirements: huawei bgp logs need to be enabled and ingested'
detection:
keywords_bgp_huawei:
'|all':
- ':179' # Protocol
- 'BGP_AUTH_FAILED'
condition: keywords_bgp_huawei
falsepositives:
- Unlikely. Except due to misconfigurations
level: low
title: Juniper BGP Missing MD5
id: a7c0ae48-8df8-42bf-91bd-2ea57e2f9d43
status: test
description: Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.
references:
- https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
author: Tim Brown
date: 2023-01-09
modified: 2023-01-23
tags:
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
- attack.credential-access
- attack.collection
- attack.stealth
- attack.t1078
- attack.t1110
- attack.t1557
logsource:
product: juniper
service: bgp
definition: 'Requirements: juniper bgp logs need to be enabled and ingested'
detection:
keywords_bgp_juniper:
'|all':
- ':179' # Protocol
- 'missing MD5 digest'
condition: keywords_bgp_juniper
falsepositives:
- Unlikely. Except due to misconfigurations
level: low
title: MSSQL Server Failed Logon
id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
related:
- id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
type: similar
status: test
description: Detects failed logon attempts from clients to MSSQL server.
references:
- https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/
- https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html
author: Nasreddine Bencherchali (Nextron Systems), j4son
date: 2023-10-11
modified: 2024-06-26
tags:
- attack.credential-access
- attack.t1110
logsource:
product: windows
service: application
definition: 'Requirements: Must enable MSSQL authentication.'
detection:
selection:
Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
EventID: 18456
condition: selection
falsepositives:
- This event could stem from users changing an account's password that's used to authenticate via a job or an automated process. Investigate the source of such events and mitigate them
level: low
title: Suspicious Connection to Remote Account
id: 1883444f-084b-419b-ac62-e0d0c5b3693f
status: test
description: |
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos
author: frack113
date: 2021-12-27
tags:
- attack.credential-access
- attack.t1110.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'System.DirectoryServices.Protocols.LdapDirectoryIdentifier'
- 'System.Net.NetworkCredential'
- 'System.DirectoryServices.Protocols.LdapConnection'
condition: selection
falsepositives:
- Unknown
level: low
title: Github Self Hosted Runner Changes Detected
id: f8ed0e8f-7438-4b79-85eb-f358ef2fbebd
status: test
description: |
A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com.
This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected,
it should be validated from GitHub UI because the log entry may not provide full context.
author: Muhammad Faisal (@faisalusuf)
date: 2023-01-27
references:
- https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners
- https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation
tags:
- attack.impact
- attack.discovery
- attack.collection
- attack.persistence
- attack.privilege-escalation
- attack.initial-access
- attack.stealth
- attack.t1526
- attack.t1213.003
- attack.t1078.004
logsource:
product: github
service: audit
definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
selection:
action:
- 'org.remove_self_hosted_runner'
- 'org.runner_group_created'
- 'org.runner_group_removed'
- 'org.runner_group_runner_removed'
- 'org.runner_group_runners_added'
- 'org.runner_group_runners_updated'
- 'org.runner_group_updated'
- 'repo.register_self_hosted_runner'
- 'repo.remove_self_hosted_runner'
condition: selection
falsepositives:
- Allowed self-hosted runners changes in the environment.
- A self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 14 days.
- An ephemeral self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 1 day.
level: low