
Hunt pack: INC Ransom

1,177 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Vendor-native detections covering the ATT&CK techniques attributed to INC Ransom - a ready-to-deploy hunt pack across Splunk, Elastic and Sentinel.

Detections

50 shown of 1,177
Chronicle (YARA-L) Original YARA-L Critical T1090.003 ↗
google_safebrowsing_file_contacts_tor_exit_node
A malicious file contacting a known Tor Exit Node.
// Multi-event rule: a NETWORK_CONNECTION event is joined against two entity-graph
// context sources — a Google Safe Browsing FILE entity (hash flagged
// SOFTWARE_MALICIOUS) on the initiating process's sha256, and the GCTI
// "Tor Exit Nodes" IP feed on the connection's target IP. All three must match
// (see condition). Detections are grouped per hostname over a 1h window.
rule google_safebrowsing_file_contacts_tor_exit_node {

  meta:
    author = "Google Cloud Security"
    description = "A malicious file contacting a known Tor Exit Node."
    rule_id = "mr_f6733319-50b3-477e-bad6-96bb4c14c632"
    rule_name = "Google Safebrowsing File Contacts Tor Exit Node"
    tactic = "TA0011"
    technique = "T1090.003"
    type = "alert"
    data_source = "microsoft defender atp, crowdstrike, microsoft sysmon"
    severity = "Critical"
    priority = "High"

  events:
    $network.metadata.event_type = "NETWORK_CONNECTION"
    // Require a populated hash before joining, so an empty sha256 can never
    // satisfy the join against the Safe Browsing entity below.
    $network.principal.process.file.sha256 != ""
    $network.principal.process.file.sha256 = $file_hash
    $network.principal.hostname = $hostname
    $network.target.ip = $ip

    // Safe Browsing file hashes provided by GCTI Feed; joined to the event on $file_hash
    $safebrowse.graph.metadata.product_name = "Google Safe Browsing"
    $safebrowse.graph.metadata.entity_type = "FILE"
    $safebrowse.graph.metadata.source_type = "GLOBAL_CONTEXT"
    $safebrowse.graph.metadata.threat.category = "SOFTWARE_MALICIOUS"
    $safebrowse.graph.entity.file.sha256 = $file_hash

    // Tor IP listing provided by GCTI Feed; joined to the event's target IP on $ip
    $gcti.graph.entity.artifact.ip = $ip
    $gcti.graph.metadata.entity_type = "IP_ADDRESS"
    $gcti.graph.metadata.source_type = "GLOBAL_CONTEXT"
    $gcti.graph.metadata.threat.threat_feed_name = "Tor Exit Nodes"
    $gcti.graph.metadata.vendor_name = "Google Cloud Threat Intelligence"
    $gcti.graph.metadata.product_name = "GCTI Feed"

  match:
    // One detection per host per hour; all matching connections are aggregated below.
    $hostname over 1h

  outcome:
    // Fixed score: a malicious-by-feed hash reaching a Tor exit node is treated as
    // high-confidence regardless of volume.
    $risk_score = 95
    $event_count = count_distinct($network.metadata.id)
    // added to populate alert graph with additional context
    $principal_ip = array_distinct($network.principal.ip)
    $target_ip = array_distinct($network.target.ip)
    $principal_process_pid = array_distinct($network.principal.process.pid)
    $principal_process_command_line = array_distinct($network.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($network.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($network.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($network.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($network.principal.process.parent_process.product_specific_process_id)
    // NOTE(review): target.process.* on a NETWORK_CONNECTION event may be unpopulated
    // for many of the listed data sources — confirm against the parser in use before
    // relying on these fields in triage.
    //$target_process_pid = array_distinct($network.target.process.pid)
    $target_process_command_line = array_distinct($network.target.process.command_line)
    $target_process_file_sha256 = array_distinct($network.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($network.target.process.file.full_path)
    $target_process_product_specific_process_id = array_distinct($network.target.process.product_specific_process_id)
    $target_process_parent_process_product_specific_process_id = array_distinct($network.target.process.parent_process.product_specific_process_id)
    $principal_user_userid = array_distinct($network.principal.user.userid)
    $target_user_userid = array_distinct($network.target.user.userid)

  condition:
    $network and $gcti and $safebrowse
}
Chronicle (YARA-L) Original YARA-L Critical T1003.001 ↗
hacktool_dumpert_process_dumper_default_file
Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
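// Sigma-derived rule: flags creation of the default output file written by the
// Outflank Dumpert LSASS dumper (filename dumpert.dmp). Single-event rule on
// FILE_CREATION, grouped per host over a 5m window.
rule hacktool_dumpert_process_dumper_default_file {

  meta:
    author = "Florian Roth (Nextron Systems)"
    description = "Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_event/file_event_win_hktl_dumpert.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "HackTool - Dumpert Process Dumper Default File"
    sigma_uuid = "93d94efc-d7ad-4161-ad7d-1638c4f908d8"
    sigma_status = "test"
    rule_id = "mr_13ac04a7-8853-42c9-a243-9da5dc05cb66"
    tactic = "TA0006"
    technique = "T1003.001"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "Critical"
    priority = "Critical"
    false_positives = "Very unlikely"

  events:
    $file.metadata.event_type = "FILE_CREATION"
    // Match the literal filename at the end of the path. The dot is escaped so the
    // pattern means "dumpert.dmp" and not "dumpert<any character>dmp"; the Sigma
    // source matches on that exact filename suffix. Case-insensitive for NTFS paths.
    re.regex($file.target.file.full_path, `dumpert\.dmp$`) nocase

    $file.principal.hostname = $hostname

  match:
    // One detection per host per 5 minutes.
    $hostname over 5m

  outcome:
    // Tuning template: score 0 for a known test user/host pair, 15 otherwise.
    // Replace the "user"/"hostname" literals with real values, or drop the if(),
    // before deploying — as written the exclusion never matches a real event.
    $risk_score = max(if($file.principal.user.userid = "user" and $file.principal.hostname = "hostname", 0, 15))
    $principal_hostname = array_distinct($file.principal.hostname)
    $principal_process_pid = array_distinct($file.principal.process.pid)
    $principal_process_command_line = array_distinct($file.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($file.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($file.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($file.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($file.principal.process.parent_process.product_specific_process_id)
    $principal_user_userid = array_distinct($file.principal.user.userid)
    $target_file_sha256 = array_distinct($file.target.file.sha256)
    $target_file_full_path = array_distinct($file.target.file.full_path)

  condition:
    $file
}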
Chronicle (YARA-L) Original YARA-L Critical T1003.001 ↗
hacktool_dumpert_process_dumper_exec
Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
// Sigma-derived rule: flags execution of the Outflank Dumpert LSASS dumper, either
// by the launched binary's import hash or by "dumpert.dll" in the command line.
// Single-event rule on PROCESS_LAUNCH, grouped per host over a 5m window.
rule hacktool_dumpert_process_dumper_exec {
  meta:
    author = "Florian Roth (Nextron Systems)"
    description = "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml"
    rule_name = "HackTool - Dumpert Process Dumper Execution"
    sigma_uuid = "2704ab9e-afe2-4854-a3b1-0c0706d03578"
    sigma_status = "test"
    rule_id = "mr_39c682b6-b50e-4d22-95de-c9d579c8fc44"
    tactic = "TA0006"
    technique = "T1003.001"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "Critical"
    priority = "Critical"
    false_positives = "Very unlikely"

  events:
    $process.metadata.event_type = "PROCESS_LAUNCH"
    // Two alternative UDM locations for the import hash are checked because parsers
    // differ in which one they populate; the third branch covers the DLL variant.
    (
        $process.target.process.file.file_metadata.pe.import_hash = "09D278F9DE118EF09163C6140255C690" nocase or
        $process.target.process.file.pe_file.imphash = "09D278F9DE118EF09163C6140255C690" nocase or
        strings.contains(strings.to_lower($process.target.process.command_line), "dumpert.dll")
    )
    $process.principal.hostname = $hostname

  match:
    // One detection per host per 5 minutes.
    $hostname over 5m

  outcome:
    // Tuning template: score 0 for a known test user/host pair, 15 otherwise.
    // Replace the "user"/"hostname" literals or drop the if() before deploying.
    $risk_score = max(if($process.principal.user.userid = "user" and $process.principal.hostname = "hostname", 0, 15))
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    // NOTE(review): the three "product_specfic" outcome names below are misspelled
    // relative to the sibling rules ("product_specific"). They are left unchanged
    // because outcome names are surfaced as detection fields and renaming them would
    // change what downstream consumers see; fix in a coordinated change if desired.
    $principal_process_product_specfic_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specfic_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specfic_process_id = array_distinct($process.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($process.principal.user.userid)
    // "log_type/product_event_type" pairs, to show which source produced each hit.
    $log_type = array_distinct(strings.concat($process.metadata.log_type,"/",$process.metadata.product_event_type))

  condition:
    $process
}
Chronicle (YARA-L) Original YARA-L Critical T1003.001 ↗
potential_cred_dumping_via_lsass_silentprocessexit_technique
Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
// Sigma-derived rule: flags registry modifications under the SilentProcessExit
// key for lsass.exe, where a "monitor" program can be registered to run (and take a
// memory dump) when LSASS exits. Single-event rule on REGISTRY_MODIFICATION,
// grouped per host over a 5m window.
rule potential_cred_dumping_via_lsass_silentprocessexit_technique {

  meta:
    author = "Florian Roth (Nextron Systems)"
    description = "Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "Potential Credential Dumping Via LSASS SilentProcessExit Technique"
    sigma_uuid = "55e29995-75e7-451a-bef0-6225e2f13597"
    sigma_status = "test"
    rule_id = "mr_bc2279f0-9b27-485d-b392-ff6f13ae68df"
    tactic = "TA0006"
    technique = "T1003.001"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "Critical"
    priority = "Critical"
    false_positives = "Unlikely"

  events:
    $registry.metadata.event_type = "REGISTRY_MODIFICATION"
    // Optional narrowing to Sysmon's registry value-set event; left disabled so the
    // rule also fires on key-creation events from the same source.
    //$registry.metadata.product_event_type = "13"
    // Substring match (no hive prefix), so both the native and WOW6432Node paths
    // are covered; lower-cased on both sides because registry paths are case-insensitive.
    strings.contains(strings.to_lower($registry.target.registry.registry_key), "microsoft\\windows nt\\currentversion\\silentprocessexit\\lsass.exe")

    $registry.principal.hostname = $hostname

  match:
    // One detection per host per 5 minutes.
    $hostname over 5m

  outcome:
    // Tuning template: score 0 for a known test user/host pair, 15 otherwise.
    // Replace the "user"/"hostname" literals or drop the if() before deploying.
    $risk_score = max(if($registry.principal.user.userid = "user" and $registry.principal.hostname = "hostname", 0, 15))
    $principal_hostname = array_distinct($registry.principal.hostname)
    $principal_process_pid = array_distinct($registry.principal.process.pid)
    $principal_process_file_full_path = array_distinct($registry.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($registry.principal.process.product_specific_process_id)
    $principal_user_userid = array_distinct($registry.principal.user.userid)
    // The written value is the most useful triage field: it names the registered monitor.
    $target_registry_key = array_distinct($registry.target.registry.registry_key)
    $target_registry_value = array_distinct($registry.target.registry.registry_value_data)

  condition:
    $registry
}
Chronicle (YARA-L) Original YARA-L Critical T1003 ↗
rw_mimikatz_T1003
Detects the process mimikatz being issued from the command line.
// Single-event rule: any PROCESS_LAUNCH whose command line contains "mimikatz"
// (case-insensitive). Note that the match key is the constant event type, not the
// host, so every hit in a 5m window collapses into one detection (see match/outcome).
rule rw_mimikatz_T1003 {

  meta:
    author = "Google Cloud Security"
    description = "Detects the process mimikatz being issued from the command line."
    rule_id = "mr_fa96ead4-7f1f-4dbb-bacb-a526f985c12f"
    rule_name = "MITRE ATT&CK T1003 RW Mimikatz"
    tactic = "TA0006"
    technique = "T1003"
    type = "alert"
    platform = "Windows"
    data_source = "microsoft sysmon, microsoft windows events"
    severity = "Critical"
    priority = "High"

  events:
    $process.metadata.event_type = "PROCESS_LAUNCH"
    // $event_type is always "PROCESS_LAUNCH" here; it exists only to give the
    // match section a grouping key.
    $process.metadata.event_type = $event_type
    // Unanchored substring regex: also matches renamed binaries whose arguments
    // mention mimikatz, and any unrelated command line containing the word.
    $process.target.process.command_line = /mimikatz/ nocase

  match:
    // NOTE(review): grouping on a constant yields a single estate-wide detection per
    // 5m window, with the affected hosts listed in $principal_hostname below. If
    // per-host detections are wanted, match on $process.principal.hostname instead —
    // but that changes the detection's grouping and output, so treat as a tuning decision.
    $event_type over 5m

  outcome:
    $risk_score = 95
    $event_count = count_distinct($process.metadata.id)
    // added to populate alert graph with additional context
    $principal_hostname = array_distinct($process.principal.hostname)
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specific_process_id = array_distinct($process.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($process.principal.user.userid)

  condition:
    $process
}
Chronicle (YARA-L) Original YARA-L Critical T1136 ↗
sap_user_creates_and_uses_new_user
Detects a user creating a new account (AU7) and subsequently logging into it (AU1, AU5) from the same terminal within a short timeframe.
// Two-event correlation over the SAP Security Audit Log: an account-creation
// message (AU7) followed, from the same terminal IP and SAP system, by a
// successful logon (AU1 or AU5) as the account that was just created.
// Creators present in the sap_admin_users reference list are ignored.
rule sap_user_creates_and_uses_new_user {

  meta:
    author = "Google Cloud Security"
    description = "Detects a user creating a new account (AU7) and subsequently logging into it (AU1, AU5) from the same terminal within a short timeframe."
    severity = "Critical"
    tactic = "TA0003"
    technique = "T1136"

  events:
    // Creation side. param1_1 carries the name of the created account.
    $create.metadata.log_type = "SAP_SECURITY_AUDIT"
    $create.additional.fields["msg_1"] = "AU7"
    not $create.principal.user.userid in %sap_admin_users.user
    $create.principal.user.userid = $creator
    $create.additional.fields["param1_1"] = $new_user
    $create.principal.ip = $terminal
    $create.target.application = $sid

    // Logon side, joined to the creation on the created account, terminal and SID.
    $login.metadata.log_type = "SAP_SECURITY_AUDIT"
    $login.additional.fields["msg_1"] = /^AU1$|^AU5$/
    $login.principal.user.userid = $new_user
    $login.principal.ip = $terminal
    $login.target.application = $sid

    // Ordering: the logon must not precede the creation.
    $login.metadata.event_timestamp.seconds >= $create.metadata.event_timestamp.seconds

  match:
    // Correlate per terminal and SAP system within a 30 minute window.
    $terminal, $sid over 30m

  outcome:
    $risk_score = 85
    $description = array_distinct($create.metadata.description)
    $creating_user = array_distinct($creator)
    $created_user = array_distinct($new_user)

  condition:
    $create and $login
}
Chronicle (YARA-L) Original YARA-L Critical T1090.003 ↗
vt_relationships_file_contacts_tor_ip
Alert on known Hash contacting Tor IP with VT Relationships.
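// Multi-event rule: a NETWORK_CONNECTION event is joined against VirusTotal
// Relationships (the initiating process's hash is known to VT and has a CONTACTS
// relation to the connection's target IP) and against the GCTI "Tor Exit Nodes"
// feed on that same IP. All three must match (see condition). Grouped per host
// over a 5m window.
rule vt_relationships_file_contacts_tor_ip {

  meta:
    author = "Google Cloud Security"
    description = "Alert on known Hash contacting Tor IP with VT Relationships."
    rule_id = "mr_a6f8b114-8fdb-4f39-8820-8961dcbb1079"
    rule_name = "VT Relationships File Contacts Tor IP"
    tactic = "TA0011"
    technique = "T1090.003"
    type = "alert"
    tags = "vt, tor"
    data_source = "microsoft defender atp"
    severity = "Critical"
    priority = "High"

  events:
    $network.metadata.event_type = "NETWORK_CONNECTION"
    // Require a populated hash before joining (same guard as the Safe Browsing
    // sibling rule) so an event with an empty sha256 can never satisfy the VT join.
    $network.principal.process.file.sha256 != ""
    $network.principal.process.file.sha256 = $file_hash
    $network.target.ip = $ip
    $network.principal.hostname = $hostname

    // Uses VirusTotal integration via entity graph, this section maps to principal process file hash
    $vt.graph.metadata.entity_type = "FILE"
    $vt.graph.metadata.source_type = "GLOBAL_CONTEXT"
    $vt.graph.metadata.vendor_name = "VirusTotal"
    $vt.graph.metadata.product_name = "VirusTotal Relationships"
    $vt.graph.entity.file.sha256 = $file_hash

    // Uses VirusTotal integration via entity graph, this section maps the hash to the ip address it contacts
    $vt.graph.relations.entity_type = "IP_ADDRESS"
    $vt.graph.relations.relationship = "CONTACTS"
    $vt.graph.relations.entity.ip = $ip

    // Tor IP listing provided by GCTI Feed; joined on the same $ip as the VT relation
    $gcti.graph.entity.artifact.ip = $ip
    $gcti.graph.metadata.entity_type = "IP_ADDRESS"
    $gcti.graph.metadata.source_type = "GLOBAL_CONTEXT"
    $gcti.graph.metadata.threat.threat_feed_name = "Tor Exit Nodes"
    $gcti.graph.metadata.vendor_name = "Google Cloud Threat Intelligence"
    $gcti.graph.metadata.product_name = "GCTI Feed"

  match:
    // One detection per host per 5 minutes.
    $hostname over 5m

  outcome:
    // Score is additive: 70 only when the Tor feed entry is high-confidence, plus 20
    // per listed destination geography. A non-high-confidence hit to an unlisted
    // country therefore scores 0 — tune the base if that is not intended.
    $risk_score = max(
        if($gcti.graph.metadata.threat.confidence = "HIGH_CONFIDENCE", 70) +
        // Unauthorized target geographies
        if($network.target.ip_geo_artifact.location.country_or_region = "Cuba", 20) +
        if($network.target.ip_geo_artifact.location.country_or_region = "Iran", 20) +
        if($network.target.ip_geo_artifact.location.country_or_region = "North Korea", 20) +
        if($network.target.ip_geo_artifact.location.country_or_region = "Russia", 20) +
        if($network.target.ip_geo_artifact.location.country_or_region = "Syria", 20)
    )
    $event_count = count_distinct($network.metadata.id)
    $count_file_hash = count_distinct($file_hash)
    $count_tor_ips = count_distinct($ip)
    $tor_geoip_country = array_distinct($network.target.ip_geo_artifact.location.country_or_region)
    $tor_geoip_state = array_distinct($network.target.ip_geo_artifact.location.state)
    // added to populate alert graph with additional context
    $principal_ip = array_distinct($network.principal.ip)
    $target_ip = array_distinct($network.target.ip)
    $principal_process_pid = array_distinct($network.principal.process.pid)
    $principal_process_command_line = array_distinct($network.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($network.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($network.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($network.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($network.principal.process.parent_process.product_specific_process_id)
    // target.process.* fields are mostly disabled here; only full_path is kept.
    //$target_process_pid = array_distinct($network.target.process.pid)
    //$target_process_command_line = array_distinct($network.target.process.command_line)
    //$target_process_file_sha256 = array_distinct($network.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($network.target.process.file.full_path)
    //$target_process_product_specific_process_id = array_distinct($network.target.process.product_specific_process_id)
    //$target_process_parent_process_product_specific_process_id = array_distinct($network.target.process.parent_process.product_specific_process_id)
    $principal_user_userid = array_distinct($network.principal.user.userid)
    //$target_user_userid = array_distinct($network.target.user.userid)
    $target_url = array_distinct($network.target.url)

  condition:
    $network and $vt and $gcti
}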
Chronicle (YARA-L) Original YARA-L High T1078 ↗
aws_api_call_outside_of_organization
Detects API Calls from AWS accounts that are not part of the organization.
// Single-event rule over AWS CloudTrail: any API call where neither the principal's
// nor the target's account identifiers appear in the aws_accounts reference list.
// Grouped per recipient account over a 1h window.
rule aws_api_call_outside_of_organization {

  meta:
    author = "Google Cloud Security"
    description = "Detects API Calls from AWS accounts that are not part of the organization."
    rule_id = "mr_205120b7-6654-410a-ab6d-e40484e2fafb"
    rule_name = "AWS API Call Outside Of Organization"
    mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    mitre_attack_technique = "Valid Accounts: Cloud Accounts"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1078/004/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "AWS CloudTrail"
    platform = "AWS"
    severity = "High"
    priority = "High"

  events:
    $cloudtrail.metadata.vendor_name = "AMAZON"
    $cloudtrail.metadata.product_name = "AWS CloudTrail"
    // Requires a Reference List named aws_accounts with a list of approved and known AWS Account IDs
    // Both sides are excluded: a call is flagged only if the principal AND the target
    // account are outside the list. The rule is silent until the list is populated.
    not $cloudtrail.principal.user.group_identifiers in %aws_accounts
    not $cloudtrail.target.user.group_identifiers in %aws_accounts
    $cloudtrail.additional.fields["recipientAccountId"] = $accountId

  match:
    // One detection per recipient account per hour.
    $accountId over 1h

  outcome:
    $risk_score = max(75)
    // ATT&CK context repeated as outcome fields so it travels with the detection.
    $mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    $mitre_attack_technique = "Valid Accounts: Cloud Accounts"
    $mitre_attack_technique_id = "T1078.004"
    $event_count = count_distinct($cloudtrail.metadata.id)
    $network_http_user_agent = array_distinct($cloudtrail.network.http.user_agent)
    $principal_ip = array_distinct($cloudtrail.principal.ip)
    $principal_ip_country = array_distinct($cloudtrail.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($cloudtrail.principal.ip_geo_artifact.location.state)
    $principal_user_display_name = array_distinct($cloudtrail.principal.user.user_display_name)
    $recipient_aws_account_id = array_distinct($cloudtrail.additional.fields["recipientAccountId"])
    $aws_region = array_distinct($cloudtrail.principal.location.name)
    $product_event_type = array_distinct($cloudtrail.metadata.product_event_type)
    $target_resource_name = array_distinct($cloudtrail.target.resource.name)
    $target_resource_product_object_id = array_distinct($cloudtrail.target.resource.product_object_id)

  condition:
    $cloudtrail
}
Chronicle (YARA-L) Original YARA-L High T1037 ↗
aws_ec2_user_data_modified
Detects modifications to the user data script of an EC2 instance.
// Single-event rule over AWS CloudTrail: a permitted ModifyInstanceAttribute call
// whose request carried a new User Data payload. User data runs at instance boot,
// so a rewrite is a persistence/privilege-escalation vector. Grouped per instance
// over a 1h window.
rule aws_ec2_user_data_modified {

  meta:
    author = "Google Cloud Security"
    description = "Detect modifications to user data script on an EC2 instance."
    rule_id = "mr_3167a29e-abbb-4d72-9f33-93df151d0224"
    rule_name = "AWS EC2 User Data Modified"
    mitre_attack_tactic = "Privilege Escalation"
    mitre_attack_technique = "Boot or Logon Initialization Scripts"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1037/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "AWS CloudTrail"
    platform = "AWS"
    severity = "High"
    priority = "High"

  events:
    // Source and API call.
    $cloudtrail.metadata.product_name = "AWS CloudTrail"
    $cloudtrail.metadata.vendor_name = "AMAZON"
    $cloudtrail.metadata.product_event_type = "ModifyInstanceAttribute"
    // Only calls that succeeded and that actually supplied user data.
    $cloudtrail.security_result.action = "ALLOW"
    $cloudtrail.target.resource.attribute.labels["Request Parameters User Data"] != ""
    // Grouping key: the instance whose attribute was modified.
    $cloudtrail.target.resource_ancestors.product_object_id = $instanceId

  match:
    $instanceId over 1h

  outcome:
    $risk_score = max(75)
    $event_count = count_distinct($cloudtrail.metadata.id)
    // ATT&CK context carried on the detection.
    $mitre_attack_technique_id = "T1037"
    $mitre_attack_technique = "Boot or Logon Initialization Scripts"
    $mitre_attack_tactic = "Privilege Escalation"
    // Who / where.
    $principal_user_display_name = array_distinct($cloudtrail.principal.user.user_display_name)
    $principal_ip = array_distinct($cloudtrail.principal.ip)
    $principal_ip_country = array_distinct($cloudtrail.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($cloudtrail.principal.ip_geo_artifact.location.state)
    $network_http_user_agent = array_distinct($cloudtrail.network.http.user_agent)
    $aws_region = array_distinct($cloudtrail.principal.location.name)
    $recipient_aws_account_id = array_distinct($cloudtrail.additional.fields["recipientAccountId"])
    // What was touched.
    $target_resource_name = array_distinct($cloudtrail.target.resource.name)
    $target_resource_product_object_id = array_distinct($cloudtrail.target.resource.product_object_id)

  condition:
    $cloudtrail
}
Chronicle (YARA-L) Original YARA-L High T1071 ↗
aws_guardduty_black_hole_traffic_detected
Amazon GuardDuty detects an Amazon EC2 instance or a container attempting to communicate with a black hole IP address.
// Pass-through of an Amazon GuardDuty finding type: any non-sample finding whose
// type name contains "BlackholeTraffic". There is no match section, so each
// qualifying finding yields its own detection.
rule aws_guardduty_black_hole_traffic_detected {

  meta:
    author = "Google Cloud Security"
    description = "Amazon GuardDuty detects an Amazon EC2 instance or a container attempting to communicate with a black hole IP address."
    rule_id = "mr_8ac55f38-9c11-4f51-89cd-c40e9b6238b3"
    rule_name = "AWS GuardDuty Black Hole Traffic Detected"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "Application Layer Protocol"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1071/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "AWS GuardDuty"
    platform = "AWS"
    severity = "High"
    priority = "High"

  events:
    $guardduty.metadata.vendor_name = "AMAZON"
    $guardduty.metadata.product_name = "AWS GuardDuty"
    // Unanchored regex: matches any finding type containing this substring
    // regardless of the resource/category prefix.
    $guardduty.metadata.product_event_type = /BlackholeTraffic/
    //Filter out sample findings
    $guardduty.security_result.about.labels["Sample"] != "true"

  outcome:
    // Lower score than the GuardDuty severity alone would suggest; GuardDuty's own
    // severity is exposed below for triage.
    $risk_score = max(35)
    $mitre_attack_tactic = "Command and Control"
    $mitre_attack_technique = "Application Layer Protocol"
    $mitre_attack_technique_id = "T1071"
    $event_count = count_distinct($guardduty.metadata.id)
    $principal_ip = array_distinct($guardduty.principal.ip)
    $principal_ip_country = array_distinct($guardduty.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($guardduty.principal.ip_geo_artifact.location.state)
    // Scalar (non-aggregated) assignments are valid here because there is no match section.
    $principal_user_display_name = $guardduty.principal.user.user_display_name
    $aws_region = $guardduty.target.location.name
    $target_resource_name = $guardduty.target.resource.name
    $target_resource_product_object_id = $guardduty.target.resource.product_object_id
    $security_result_summary = array_distinct($guardduty.security_result.summary)
    $security_result_description = array_distinct($guardduty.security_result.description)
    $security_result_severity = array_distinct($guardduty.security_result.severity)
    $security_result_severity_details = array_distinct($guardduty.security_result.severity_details)
    $metadata_product_event_type = array_distinct($guardduty.metadata.product_event_type)

  condition:
    $guardduty
}
Chronicle (YARA-L) Original YARA-L High T1071 ↗
aws_guardduty_command_and_control_activity_detected
Amazon GuardDuty detects Command and control activity in Amazon EC2, AWS Lambda or Amazon EKS Runtimes.
// Pass-through of an Amazon GuardDuty finding type: any non-sample finding whose
// type name contains "C&CActivity". No match section, so one detection per finding.
// Structure is identical to the other aws_guardduty_* rules; only the regex, score
// and ATT&CK fields differ.
rule aws_guardduty_command_and_control_activity_detected {

  meta:
    author = "Google Cloud Security"
    description = "Amazon GuardDuty detects Command and control activity in Amazon EC2, AWS Lambda or Amazon EKS Runtimes."
    rule_id = "mr_dc0c33c7-35e3-44e2-b149-99212f3e54c6"
    rule_name = "AWS GuardDuty Command And Control Activity Detected"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "Application Layer Protocol"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1071/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "AWS GuardDuty"
    platform = "AWS"
    severity = "High"
    priority = "High"

  events:
    $guardduty.metadata.vendor_name = "AMAZON"
    $guardduty.metadata.product_name = "AWS GuardDuty"
    // Unanchored regex over the GuardDuty finding type.
    $guardduty.metadata.product_event_type = /C&CActivity/
    //Filter out sample findings
    $guardduty.security_result.about.labels["Sample"] != "true"

  outcome:
    $risk_score = max(35)
    $mitre_attack_tactic = "Command and Control"
    $mitre_attack_technique = "Application Layer Protocol"
    $mitre_attack_technique_id = "T1071"
    $event_count = count_distinct($guardduty.metadata.id)
    $principal_ip = array_distinct($guardduty.principal.ip)
    $principal_ip_country = array_distinct($guardduty.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($guardduty.principal.ip_geo_artifact.location.state)
    // Scalar assignments are valid here because there is no match section.
    $principal_user_display_name = $guardduty.principal.user.user_display_name
    $aws_region = $guardduty.target.location.name
    $target_resource_name = $guardduty.target.resource.name
    $target_resource_product_object_id = $guardduty.target.resource.product_object_id
    // GuardDuty's own verdict and severity, surfaced for triage.
    $security_result_summary = array_distinct($guardduty.security_result.summary)
    $security_result_description = array_distinct($guardduty.security_result.description)
    $security_result_severity = array_distinct($guardduty.security_result.severity)
    $security_result_severity_details = array_distinct($guardduty.security_result.severity_details)
    $metadata_product_event_type = array_distinct($guardduty.metadata.product_event_type)

  condition:
    $guardduty
}
Chronicle (YARA-L) Original YARA-L High T1204 ↗
aws_guardduty_malicious_or_suspicious_file_executed
Amazon GuardDuty detects a malicious or suspicious file on an Amazon EC2 instance or a container workload.
// Pass-through of Amazon GuardDuty malware findings: any non-sample finding whose
// type name contains "MaliciousFile" or "SuspiciousFile". No match section, so one
// detection per finding. Same structure as the other aws_guardduty_* rules.
rule aws_guardduty_malicious_or_suspicious_file_executed {

  meta:
    author = "Google Cloud Security"
    description = "Amazon GuardDuty detects a malicious or suspicious file on an Amazon EC2 instance or a container workload."
    rule_id = "mr_a5d8f51c-d0de-4169-99e2-d3eaa02b266c"
    rule_name = "AWS GuardDuty Malicious Or Suspicious File Executed"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "User Execution: Malicious File"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1204/002/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "AWS GuardDuty"
    platform = "AWS"
    severity = "High"
    priority = "High"

  events:
    $guardduty.metadata.vendor_name = "AMAZON"
    $guardduty.metadata.product_name = "AWS GuardDuty"
    // Unanchored alternation over the GuardDuty finding type; the rule name says
    // "executed" but the filter is on the file finding, not on an execution event.
    $guardduty.metadata.product_event_type = /MaliciousFile|SuspiciousFile/
    //Filter out sample findings
    $guardduty.security_result.about.labels["Sample"] != "true"

  outcome:
    $risk_score = max(35)
    $mitre_attack_tactic = "Execution"
    $mitre_attack_technique = "User Execution: Malicious File"
    $mitre_attack_technique_id = "T1204.002"
    $event_count = count_distinct($guardduty.metadata.id)
    $principal_ip = array_distinct($guardduty.principal.ip)
    $principal_ip_country = array_distinct($guardduty.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($guardduty.principal.ip_geo_artifact.location.state)
    // Scalar assignments are valid here because there is no match section.
    $principal_user_display_name = $guardduty.principal.user.user_display_name
    $aws_region = $guardduty.target.location.name
    $target_resource_name = $guardduty.target.resource.name
    $target_resource_product_object_id = $guardduty.target.resource.product_object_id
    // GuardDuty's own verdict and severity, surfaced for triage.
    $security_result_summary = array_distinct($guardduty.security_result.summary)
    $security_result_description = array_distinct($guardduty.security_result.description)
    $security_result_severity = array_distinct($guardduty.security_result.severity)
    $security_result_severity_details = array_distinct($guardduty.security_result.severity_details)
    $metadata_product_event_type = array_distinct($guardduty.metadata.product_event_type)

  condition:
    $guardduty
}
Chronicle (YARA-L) Original YARA-L High T1090 ↗
aws_guardduty_tor_network_activity_detected
Amazon GuardDuty detects Tor Network activity in an AWS account.
rule aws_guardduty_tor_network_activity_detected {
  // Single-event rule: one detection per GuardDuty Tor finding. The finding type
  // string (TorIPCaller / TorRelay / TorClient) is the only Tor-specific filter.

  meta:
    author = "Google Cloud Security"
    description = "Amazon GuardDuty detects Tor Network activity in an AWS account."
    rule_id = "mr_abbc8f85-d4a3-4579-b444-19e6944f49d1"
    rule_name = "AWS GuardDuty Tor Network Activity Detected"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "Proxy: Multi-hop Proxy"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1090/003/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "AWS GuardDuty"
    platform = "AWS"
    severity = "High"
    priority = "High"

  events:
    // Tor-related GuardDuty finding types (substring regex, unanchored)
    $finding.metadata.product_event_type = /TorIPCaller|TorRelay|TorClient/
    // Restrict to GuardDuty records
    $finding.metadata.product_name = "AWS GuardDuty"
    $finding.metadata.vendor_name = "AMAZON"
    // GuardDuty sample findings carry a "Sample" = "true" label; never alert on those
    $finding.security_result.about.labels["Sample"] != "true"

  outcome:
    // Fixed score, no per-event adjustment
    $risk_score = max(35)
    $mitre_attack_tactic = "Command and Control"
    $mitre_attack_technique = "Proxy: Multi-hop Proxy"
    $mitre_attack_technique_id = "T1090.003"
    $event_count = count_distinct($finding.metadata.id)
    // Source of the Tor-related activity as reported by GuardDuty
    $principal_ip = array_distinct($finding.principal.ip)
    $principal_ip_country = array_distinct($finding.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($finding.principal.ip_geo_artifact.location.state)
    $principal_user_display_name = $finding.principal.user.user_display_name
    // Affected resource and region, for triage
    $aws_region = $finding.target.location.name
    $target_resource_name = $finding.target.resource.name
    $target_resource_product_object_id = $finding.target.resource.product_object_id
    // GuardDuty's own verdict details
    $security_result_summary = array_distinct($finding.security_result.summary)
    $security_result_description = array_distinct($finding.security_result.description)
    $security_result_severity = array_distinct($finding.security_result.severity)
    $security_result_severity_details = array_distinct($finding.security_result.severity_details)
    $metadata_product_event_type = array_distinct($finding.metadata.product_event_type)

  condition:
    $finding
}
Chronicle (YARA-L) Original YARA-L High T1078 ↗
aws_iam_administrator_access_policy_attached
Detects when AWS IAM AdministratorAccess policy is attached to a user, group or role which can be used for privilege escalation.
rule aws_iam_administrator_access_policy_attached {
  // Single-event rule (no match section): fires once per qualifying CloudTrail record.

  meta:
    author = "Google Cloud Security"
    description = "Detects when AWS IAM AdministratorAccess policy is attached to a user, group or role which can be used for privilege escalation."
    rule_id = "mr_52c6643b-f6ce-4299-9fb6-05554901800c"
    rule_name = "AWS IAM Administrator Access Policy Attached"
    mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    mitre_attack_technique = "Valid Accounts: Cloud Accounts"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1078/004/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "AWS CloudTrail"
    platform = "AWS"
    severity = "High"
    priority = "High"

  events:
    $cloudtrail.metadata.vendor_name = "AMAZON"
    $cloudtrail.metadata.product_name = "AWS CloudTrail"
    // The three IAM Attach*Policy calls, one per principal type (user, group, role)
    (
        $cloudtrail.metadata.product_event_type = "AttachUserPolicy" or
        $cloudtrail.metadata.product_event_type = "AttachGroupPolicy" or
        $cloudtrail.metadata.product_event_type = "AttachRolePolicy"
    )
    // Exact match on the AWS-managed AdministratorAccess policy ARN only. A
    // customer-managed policy carrying equivalent permissions does not match this line.
    $cloudtrail.target.resource.name = "arn:aws:iam::aws:policy/AdministratorAccess"
    // Successful calls only; denied attempts are not surfaced by this rule
    $cloudtrail.security_result.action = "ALLOW"

  outcome:
    // Fixed score, no per-event adjustment
    $risk_score = max(75)
    $mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    $mitre_attack_technique = "Valid Accounts: Cloud Accounts"
    $mitre_attack_technique_id = "T1078.004"
    $event_count = count_distinct($cloudtrail.metadata.id)
    // Caller context: user agent, source IP and geo, display name of the calling identity
    $network_http_user_agent = $cloudtrail.network.http.user_agent
    $principal_ip = array_distinct($cloudtrail.principal.ip)
    $principal_ip_country = array_distinct($cloudtrail.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($cloudtrail.principal.ip_geo_artifact.location.state)
    $principal_user_display_name = $cloudtrail.principal.user.user_display_name
    // Account and region the call was recorded in
    $recipient_aws_account_id = $cloudtrail.additional.fields["recipientAccountId"]
    $aws_region = $cloudtrail.principal.location.name
    // The policy ARN that was attached and its product object id
    $target_resource_name = $cloudtrail.target.resource.name
    $target_resource_product_object_id = $cloudtrail.target.resource.product_object_id

  condition:
    $cloudtrail
}
Chronicle (YARA-L) Original YARA-L High T1485 ↗
aws_kms_key_disabled_or_scheduled_for_deletion
Detect when a KMS (Key Management Service) key is disabled or scheduled for deletion.
rule aws_kms_key_disabled_or_scheduled_for_deletion {
  // Single-event rule: alerts on each successful KMS call that takes a key out of
  // service, either immediately (DisableKey) or on a timer (ScheduleKeyDeletion).

  meta:
    author = "Google Cloud Security"
    description = "Detect when a KMS (Key Management Service) key is disabled or scheduled for deletion."
    rule_id = "mr_b1947fef-7b98-4c10-8303-d6c9c032d84e"
    rule_name = "AWS KMS Key Disabled Or Scheduled For Deletion"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "Data Destruction"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1485/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "AWS CloudTrail"
    platform = "AWS"
    severity = "High"
    priority = "High"

  events:
    // Successful CloudTrail calls only
    $ct.security_result.action = "ALLOW"
    $ct.metadata.product_name = "AWS CloudTrail"
    $ct.metadata.vendor_name = "AMAZON"
    // Either of the two KMS API names of interest
    (
        $ct.metadata.product_event_type = "DisableKey" or
        $ct.metadata.product_event_type = "ScheduleKeyDeletion"
    )

  outcome:
    // Fixed score, no per-event adjustment
    $risk_score = max(75)
    $mitre_attack_tactic = "Impact"
    $mitre_attack_technique = "Data Destruction"
    $mitre_attack_technique_id = "T1485"
    $event_count = count_distinct($ct.metadata.id)
    // Caller context for triage
    $network_http_user_agent = $ct.network.http.user_agent
    $principal_ip = array_distinct($ct.principal.ip)
    $principal_ip_country = array_distinct($ct.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($ct.principal.ip_geo_artifact.location.state)
    $principal_user_display_name = $ct.principal.user.user_display_name
    // Account and region the call was recorded in
    $recipient_aws_account_id = $ct.additional.fields["recipientAccountId"]
    $aws_region = $ct.principal.location.name
    // The KMS key that was disabled or scheduled for deletion
    $target_resource_name = $ct.target.resource.name
    $target_resource_product_object_id = $ct.target.resource.product_object_id

  condition:
    $ct
}
Chronicle (YARA-L) Original YARA-L High T1204 ↗
aws_successful_api_from_tor_exit_node
Detects successful API executions from a Tor exit node.
rule aws_successful_api_from_tor_exit_node {
  // Multi-event rule: joins CloudTrail events ($api) to the GCTI "Tor Exit Nodes"
  // entity-graph records ($gcti_feed) on the caller's source IP ($ip). The rule
  // cannot fire unless the GCTI Feed entity data is ingested, because the
  // condition requires both sides of the join.

  meta:
    author = "Google Cloud Security"
    description = "Detects successful API executions from a Tor exit node."
    rule_id = "mr_17232c2a-188e-4d6e-85b6-836cdc779655"
    rule_name = "AWS Successful API From Tor Exit Node"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "User Execution"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1204/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "AWS CloudTrail"
    platform = "AWS"
    severity = "High"
    priority = "High"

  events:
    $api.metadata.vendor_name = "AMAZON"
    $api.metadata.product_name = "AWS CloudTrail"
    // Successful API calls only; denied calls from Tor are not surfaced here
    $api.security_result.action = "ALLOW"
    // Join key: the caller's source IP
    $api.principal.ip = $ip

    // Tor IP listing provided by GCTI Feed
    $gcti_feed.graph.entity.artifact.ip = $ip
    $gcti_feed.graph.metadata.entity_type = "IP_ADDRESS"
    $gcti_feed.graph.metadata.threat.threat_feed_name = "Tor Exit Nodes"
    $gcti_feed.graph.metadata.product_name = "GCTI Feed"
    $gcti_feed.graph.metadata.source_type = "GLOBAL_CONTEXT"

  match:
    // One detection per source IP per 5-minute window; outcome values aggregate
    // over every matching event in that window
    $ip over 5m

  outcome:
    $risk_score = max(
        //Baseline
        35 +
        // Unauthorized geographies
        // Each if() adds 40 only when the geo lookup equals that country; since one
        // IP resolves to a single country, in practice the score is 35 or 75.
        if($api.principal.ip_geo_artifact.location.country_or_region = "Cuba", 40) +
        if($api.principal.ip_geo_artifact.location.country_or_region = "Iran", 40) +
        if($api.principal.ip_geo_artifact.location.country_or_region = "North Korea" , 40) +
        if($api.principal.ip_geo_artifact.location.country_or_region = "Russia", 40) +
        if($api.principal.ip_geo_artifact.location.country_or_region = "Syria", 40)
    )
    $mitre_attack_tactic = "Execution"
    $mitre_attack_technique = "User Execution"
    $mitre_attack_technique_id = "T1204"
    $event_count = count_distinct($api.metadata.id)
    $network_http_user_agent = array_distinct($api.network.http.user_agent)
    $principal_ip = array_distinct($api.principal.ip)
    $principal_ip_country = array_distinct($api.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($api.principal.ip_geo_artifact.location.state)
    $principal_user_display_name = array_distinct($api.principal.user.user_display_name)
    // Number of distinct identities seen from the IP in the window; >1 is notable
    $dc_principal_user_display_name = count_distinct($api.principal.user.user_display_name)
    // NOTE(review): named as an MFA indicator but holds the raw auth_details values;
    // confirm what the CloudTrail parser writes there before treating it as a boolean
    $is_mfa_used = array_distinct($api.extensions.auth.auth_details)
    $target_resource_name = array_distinct($api.target.resource.name)
    $target_resource_product_object_id = array_distinct($api.target.resource.product_object_id)

  condition:
    $api and $gcti_feed
}
Chronicle (YARA-L) Original YARA-L High T1059.001 ↗
base64_encoded_powershell_command_detected
Detects usage of the "FromBase64String" function in the command line, which is used to decode a base64-encoded string
rule base64_encoded_powershell_command_detected {
  // Sigma-derived rule (see reference): looks for the .NET FromBase64String call in
  // the command line of any launched process. There is no filter on the image name,
  // so it is not limited to powershell.exe despite the rule name.

  meta:
    author = "Florian Roth (Nextron Systems)"
    description = "Detects usage of the \"FromBase64String\" function in the commandline which is used to decode a base64 encoded string"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "Base64 Encoded PowerShell Command Detected"
    sigma_uuid = "e32d4572-9826-4738-b651-95fa63747e8a"
    sigma_status = "test"
    rule_id = "mr_a3603334-35e3-4050-b94e-f79aeccb899a"
    tactic = "TA0002"
    technique = "T1059.001"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "High"
    priority = "High"
    false_positives = "Administrative script libraries"

 events:
   $process.metadata.event_type = "PROCESS_LAUNCH"
   // Case-folded substring match; the leading "::" pins the static-method call form
   strings.contains(strings.to_lower($process.target.process.command_line), "::frombase64string(")

   $process.principal.hostname = $hostname

 match:
   // All hits from one host within 5 minutes collapse into a single detection
   $hostname over 5m

 outcome:
    //example usage of specifying test user and hostname to adjust risk score
    // "user" and "hostname" are placeholders: substitute a known-benign account/host
    // pair to zero its score; everything else scores 15
    $risk_score = max(if($process.principal.user.userid = "user" and $process.principal.hostname = "hostname", 0, 15))
    // Parent (principal) process details
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    $principal_process_product_specfic_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specfic_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    // Launched (target) process details; the matching command line is here
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specfic_process_id = array_distinct($process.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($process.principal.user.userid)
    $log_type = array_distinct(strings.concat($process.metadata.log_type,"/",$process.metadata.product_event_type))

 condition:
   $process
}
Chronicle (YARA-L) Original YARA-L High T1112 ↗
blackbyte_ransomware_registry
BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption
rule blackbyte_ransomware_registry {
  // Sigma-derived rule: fires when any one of three HKLM values is set to 1. Each
  // value is a legitimate Windows setting, so a single hit is weak evidence on its
  // own; seeing all three keys in $target_registry_key for one host in the window is
  // the stronger signal.

  meta:
    author = "frack113"
    description = "BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "Blackbyte Ransomware Registry"
    rule_id = "mr_83d31958-2537-4ac7-bee2-1d6e193c892f"
    sigma_uuid = "83314318-052a-4c90-a1ad-660ece38d276"
    sigma_status = "test"
    tactic = "TA0005"
    technique = "T1112"
    type = "Detection"
    data_source = "Windows Registry"
    platform = "Windows"
    severity = "High"
    priority = "High"
    false_positives = "Unknown"

  events:
    $reg.metadata.event_type = "REGISTRY_MODIFICATION"
    // LocalAccountTokenFilterPolicy=1 disables UAC remote restrictions for local
    // accounts; EnableLinkedConnections=1 shares mapped drives between elevated and
    // non-elevated tokens; LongPathsEnabled=1 lifts the MAX_PATH limit.
    (
        $reg.target.registry.registry_key = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy" nocase or
        $reg.target.registry.registry_key = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections" nocase or
        $reg.target.registry.registry_key = "HKLM\\SYSTEM\\CurrentControlSet\\Control\\FileSystem\\LongPathsEnabled" nocase
    ) and $reg.target.registry.registry_value_data = "DWORD (0x00000001)" nocase
    // NOTE(review): the value is compared as the rendered string "DWORD (0x00000001)";
    // this presumes the registry parser keeps that formatting — confirm against ingested events

    $reg.principal.hostname = $hostname

  match:
    // All hits from one host within 5 minutes collapse into a single detection
    $hostname over 5m

  outcome:
    //example usage of specifying test user and hostname to adjust risk score
    // "user" and "hostname" are placeholders for a known-benign account/host pair
    $risk_score = max(if($reg.principal.user.userid = "user" and $reg.principal.hostname = "hostname", 0, 15))
    $principal_hostname = array_distinct($reg.principal.hostname)
    // Process that wrote the value
    $principal_process_pid = array_distinct($reg.principal.process.pid)
    $principal_process_file_full_path = array_distinct($reg.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($reg.principal.process.product_specific_process_id)
    $principal_user_userid = array_distinct($reg.principal.user.userid)
    // Which of the three keys were touched in the window
    $target_registry_key = array_distinct($reg.target.registry.registry_key)
    $target_registry_value_data = array_distinct($reg.target.registry.registry_value_data)
    $log_type = array_distinct(strings.concat($reg.metadata.log_type,"/",$reg.metadata.product_event_type))

  condition:
    $reg
}
Chronicle (YARA-L) Original YARA-L High T1003.001 ↗
create_dump_process_dump
Detects uses of the createdump.exe LOLBIN utility to dump process memory
rule create_dump_process_dump {
  // Sigma-derived rule: createdump.exe (shipped with the .NET runtime) launched with
  // arguments typical of a memory-dump request.

  meta:
    author = "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"
    description = "Detects uses of the createdump.exe LOLOBIN utility to dump process memory"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_createdump_lolbin_execution.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "CreateDump Process Dump"
    sigma_uuid = "515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48"
    sigma_status = "test"
    rule_id = "mr_20772389-ecc9-4598-9241-843172e1dd43"
    tactic = "TA0006"
    technique = "T1003.001"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "High"
    priority = "High"
    false_positives = "Command lines that use the same flags"

  events:
    $process.metadata.event_type = "PROCESS_LAUNCH"
    // Image path ends in \createdump.exe, or the src path equals the bare filename.
    // NOTE(review): the second branch presumably covers a renamed binary via the
    // parser's original-filename mapping — confirm which Sysmon field lands in
    // src.process.file.full_path
    (
    re.regex($process.target.process.file.full_path, `\\createdump\.exe$`) nocase or
    $process.src.process.file.full_path = "createdump.exe" nocase
    )
    // Mirrors the upstream Sigma CommandLine|contains list. Every token is padded with
    // spaces on both sides, so a flag that is the final argument (no trailing space)
    // does not match; tighten with a regex if that gap matters in your environment.
    (
        strings.contains(strings.to_lower($process.target.process.command_line), " -u ") or
        strings.contains(strings.to_lower($process.target.process.command_line), " --full ") or
        strings.contains(strings.to_lower($process.target.process.command_line), " -f ") or
        strings.contains(strings.to_lower($process.target.process.command_line), " --name ") or
        strings.contains(strings.to_lower($process.target.process.command_line), ".dmp ")
    )
    $process.principal.hostname = $hostname

  match:
    // All hits from one host within 5 minutes collapse into a single detection
    $hostname over 5m

  outcome:
    //example usage of specifying test user and hostname to adjust risk score
    // "user" and "hostname" are placeholders for a known-benign account/host pair
    $risk_score = max(if($process.principal.user.userid = "user" and $process.principal.hostname = "hostname", 0, 15))
    // Parent (principal) process details
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    $principal_process_product_specfic_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specfic_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    // Launched (target) process details; the matching command line is here
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specfic_process_id = array_distinct($process.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($process.principal.user.userid)
    $log_type = array_distinct(strings.concat($process.metadata.log_type,"/",$process.metadata.product_event_type))

  condition:
    $process
}
Chronicle (YARA-L) Original YARA-L High T1003.001 ↗
cred_dump_tools_dropped_files
Creation of files with well-known filenames (components of credential-dump tools, or files produced by them)
rule cred_dump_tools_dropped_files {
  // Sigma-derived rule: file-creation events whose path matches a list of filenames
  // associated with credential-dumping tools or their output.

  meta:
    author = "Teymur Kheirkhabarov, oscd.community"
    description = "Files with well-known filenames (parts of credential dump software or files produced by them) creation"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "Cred Dump Tools Dropped Files"
    sigma_uuid = "8fbf3271-1ef6-4e94-8210-03c2317947f6"
    sigma_status = "test"
    rule_id = "mr_1ba84a4c-c6cf-49ee-902d-5e9e6efcaac0"
    tactic = "TA0006"
    technique = "T1003.001"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "High"
    priority = "High"
    false_positives = "Legitimate Administrator using tool for password recovery"

  events:
    $file.metadata.event_type = "FILE_CREATION"
    // Two patterns: the first matches a filename *prefix* after a backslash (no end
    // anchor, so e.g. "pwdump.txt" and "pwdump-2" both hit); the second requires an
    // exact filename at the end of the path.
    (
        re.regex($file.target.file.full_path, `\\(fgdump-log|kirbi|pwdump|pwhashes|wce_ccache|wce_krbtkt)`) nocase or
        re.regex($file.target.file.full_path, `\\(cachedump\.exe|cachedump64\.exe|DumpExt\.dll|DumpSvc\.exe|Dumpy\.exe|fgexec\.exe|lsremora\.dll|lsremora64\.dll|NTDS\.out|procdump64\.exe|pstgdump\.exe|pwdump\.exe|SAM\.out|SECURITY\.out|servpw\.exe|servpw64\.exe|SYSTEM\.out|test\.pwd|wceaux\.dll)$`) nocase
    )
    $file.principal.hostname = $hostname

  match:
    // All hits from one host within 5 minutes collapse into a single detection
    $hostname over 5m

  outcome:
    //example usage of specifying test user and hostname to adjust risk score
    // "user" and "hostname" are placeholders for a known-benign account/host pair
    $risk_score = max(if($file.principal.user.userid = "user" and $file.principal.hostname = "hostname", 0, 15))
    $principal_hostname = array_distinct($file.principal.hostname)
    // Process that created the file
    $principal_process_pid = array_distinct($file.principal.process.pid)
    $principal_process_command_line = array_distinct($file.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($file.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($file.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($file.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($file.principal.process.parent_process.product_specific_process_id)
    $principal_user_userid = array_distinct($file.principal.user.userid)
    // The created file(s) that matched
    $target_file_sha256 = array_distinct($file.target.file.sha256)
    $target_file_full_path = array_distinct($file.target.file.full_path)

  condition:
    $file
}
Chronicle (YARA-L) Original YARA-L High T1003.001 ↗
credential_dumping_attempt_via_werfault
Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up
rule credential_dumping_attempt_via_werfault {
  // Sigma-derived rule: WerFault.exe opening a handle to lsass.exe with full access.
  // The description mentions CallTrace, but this translation keys only on the two
  // image paths and the access value below.

  meta:
    author = "Florian Roth (Nextron Systems)"
    description = "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_access/proc_access_win_lsass_werfault.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "Credential Dumping Attempt Via WerFault"
    sigma_uuid = "e5b33f7d-eb93-48b6-9851-09e1e610b6d7"
    sigma_status = "test"
    rule_id = "mr_b3448ab7-b1a2-41f7-9cd4-151c3cb2e2d6"
    tactic = "TA0006"
    technique = "T1003.001"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "High"
    priority = "High"
    false_positives = "Actual failures in lsass.exe that trigger a crash dump (unlikely), unknown cases in which WerFault accesses lsass.exe"

  events:
    $process.metadata.event_type = "PROCESS_OPEN"
    // Handle target is lsass.exe ...
    re.regex($process.target.process.file.full_path, `\\lsass\.exe$`) nocase
    // ... and the opener is WerFault.exe (Windows Error Reporting)
    re.regex($process.principal.process.file.full_path, `\\werfault\.exe$`) nocase
    // NOTE(review): target.resource.name is compared to "0x1FFFFF" (PROCESS_ALL_ACCESS);
    // presumably this is where the parser places the Sysmon GrantedAccess mask — confirm
    $process.target.resource.name = "0x1FFFFF" nocase
    $process.principal.hostname = $hostname

  match:
    // All hits from one host within 5 minutes collapse into a single detection
    $hostname over 5m

  outcome:
    //example usage of specifying test hostname to adjust risk score
    // Unlike the sibling Sigma-derived rules, the override here keys on hostname only
    $risk_score = max(if($process.principal.hostname = "hostname", 0, 15))
    // Opening (principal) process details, i.e. WerFault.exe
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    $principal_process_product_specfic_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specfic_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    // Opened (target) process details, i.e. lsass.exe
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specfic_process_id = array_distinct($process.target.process.product_specific_process_id)
    $log_type = array_distinct(strings.concat($process.metadata.log_type,"/",$process.metadata.product_event_type))

  condition:
    $process
}
Chronicle (YARA-L) Original YARA-L High T1136 ↗
gcp_free_gmail_domains_added_to_iam_policy
Detect when free Google email addresses (such as gmail.com, googlemail.com or googlegroups.com) are added to an IAM policy.
rule gcp_free_gmail_domains_added_to_iam_policy {
  // Single-event rule: a successful SetIamPolicy whose binding delta ADDs a member
  // from a consumer Google domain.

  meta:
    author = "Google Cloud Security"
    description = "Detect when free Google Email addressess are added to IAM Policy such as gmail.com, googlemail.com or googlegroups.com."
    rule_id = "mr_eec293b2-75d6-48f1-871d-182d67345a9c"
    rule_name = "GCP Free Gmail Domains Added To IAM Policy"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "Create Account: Cloud Account"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1136/003/"
    mitre_attack_version = "v14.1"
    type = "Alert"
    data_source = "GCP Cloud Audit"
    platform = "GCP"
    severity = "High"
    priority = "High"

  events:
    $gcp.metadata.event_type = "USER_RESOURCE_UPDATE_PERMISSIONS"
    $gcp.metadata.log_type = "GCP_CLOUDAUDIT"
    $gcp.metadata.product_event_type = "SetIamPolicy"
    $gcp.metadata.product_name = "Google Cloud Platform"
    $gcp.metadata.vendor_name = "Google Cloud Platform"
    $gcp.security_result.action = "ALLOW"
    // Binding-delta labels written by the Cloud Audit parser; only additions count
    $gcp.target.resource.attribute.labels["ser_binding_deltas_action"] = "ADD"
    // NOTE(review): the regex has no end anchor, so a member such as
    // user@gmail.com.example.org also matches (the leading ".*" adds nothing in an
    // unanchored match). Appending "$" to each alternative would tighten it; check how
    // this label renders prefixed/deleted members before changing it.
    $gcp.target.resource.attribute.labels["ser_binding_deltas_member"] = /.*@gmail\.com|.*@googlemail\.com|.*@googlegroups\.com/ nocase

  outcome:
    // Fixed score, no per-event adjustment
    $risk_score = max(75)
    $mitre_attack_tactic = "Persistence"
    $mitre_attack_technique = "Create Account: Cloud Account"
    $mitre_attack_technique_id = "T1136.003"
    $event_count = count_distinct($gcp.metadata.id)
    // Caller context
    $network_http_user_agent = array_distinct($gcp.network.http.user_agent)
    $principal_ip = array_distinct($gcp.principal.ip)
    $principal_ip_country = array_distinct($gcp.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($gcp.principal.ip_geo_artifact.location.state)
    $principal_user_id = $gcp.principal.user.userid
    $principal_user_display_name = $gcp.principal.user.user_display_name
    // Resource whose policy changed, and the member(s) that were granted access
    $target_resource_name = $gcp.target.resource.name
    $event_name = $gcp.metadata.product_event_type
    $target_email_addresses = array_distinct($gcp.target.user.email_addresses)

  condition:
    $gcp
}
Chronicle (YARA-L) Original YARA-L High T1485 ↗
gcp_multiple_kms_keys_disabled_or_destroyed
Detect when multiple KMS crypto key versions are disabled or destroyed from GCP Cloud KMS.
rule gcp_multiple_kms_keys_disabled_or_destroyed {
  // Threshold rule: ten or more Cloud KMS key-version disable/destroy events for the
  // same user id within one hour.

  meta:
    author = "Google Cloud Security"
    description = "Detect when multiple KMS crypto key versions are disabled or destroyed from GCP Cloud KMS."
    rule_id = "mr_1457dcf4-b20b-4ec0-a295-d04074889991"
    rule_name = "GCP Multiple KMS Keys Disabled Or Destroyed"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "Data Destruction"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1485/"
    mitre_attack_version = "v14.1"
    type = "Alert"
    data_source = "GCP Cloud Audit"
    platform = "GCP"
    severity = "High"
    priority = "High"

  events:
    $gcp.metadata.log_type = "GCP_CLOUDAUDIT"
    // Two ways a key version goes out of service: an outright destroy, or an update
    // whose request body sets the version state to DISABLED
    (
        $gcp.metadata.product_event_type = "DestroyCryptoKeyVersion" or
        (
            $gcp.metadata.product_event_type = "UpdateCryptoKeyVersion" and
            $gcp.target.resource.attribute.labels["req_cryptokey_version_state"] = "DISABLED"
        )
    )
    $gcp.target.application = "cloudkms.googleapis.com"
    // Successful calls only
    $gcp.security_result.action = "ALLOW"
    // NOTE(review): the grouping key is target.user.userid, not principal.user.userid;
    // confirm which field the Cloud Audit parser fills with the calling identity
    $gcp.target.user.userid = $user_id

  match:
    $user_id over 1h

  outcome:
    // Fixed score, no per-event adjustment
    $risk_score = max(75)
    $mitre_attack_tactic = "Impact"
    $mitre_attack_technique = "Data Destruction"
    $mitre_attack_technique_id = "T1485"
    $event_count = count_distinct($gcp.metadata.id)
    // Caller context, aggregated over the window
    $network_http_user_agent = array_distinct($gcp.network.http.user_agent)
    $principal_ip = array_distinct($gcp.principal.ip)
    $principal_ip_country = array_distinct($gcp.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($gcp.principal.ip_geo_artifact.location.state)
    $principal_user_id = array_distinct($gcp.principal.user.userid)
    $principal_user_display_name = array_distinct($gcp.principal.user.user_display_name)
    // Every key version affected in the window
    $target_resource_name = array_distinct($gcp.target.resource.name)

  condition:
    // Fires only once the per-user count reaches the threshold within the 1h window
    #gcp >= 10
}
Chronicle (YARA-L) Original YARA-L High T1485 ↗
gcp_multiple_secrets_deleted
Detect when multiple secrets or secret versions are deleted from GCP Secret Manager.
rule gcp_multiple_secrets_deleted {
  // Threshold rule: ten or more Secret Manager delete/destroy events for the same
  // user id within one hour.

  meta:
    author = "Google Cloud Security"
    description = "Detect when multiple secrets or secret versions are deleted from GCP Secret Manager."
    rule_id = "mr_c91c9fe8-6569-4764-a8d8-9b88dd3b7f77"
    rule_name = "GCP Multiple Secrets Deleted"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "Data Destruction"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1485/"
    mitre_attack_version = "v14.1"
    type = "Alert"
    data_source = "GCP Cloud Audit"
    platform = "GCP"
    severity = "High"
    priority = "High"

  events:
    // Successful Cloud Audit entries against the Secret Manager API
    $audit.metadata.log_type = "GCP_CLOUDAUDIT"
    $audit.target.application = "secretmanager.googleapis.com"
    $audit.security_result.action = "ALLOW"
    // Either a whole secret removed or a single version destroyed
    (
       $audit.metadata.product_event_type = "google.cloud.secretmanager.v1.SecretManagerService.DeleteSecret" or
       $audit.metadata.product_event_type = "google.cloud.secretmanager.v1.SecretManagerService.DestroySecretVersion"
    )
    // Grouping key for the threshold
    $audit.target.user.userid = $user_id

  match:
    $user_id over 1h

  outcome:
    // Fixed score, no per-event adjustment
    $risk_score = max(75)
    $mitre_attack_tactic = "Impact"
    $mitre_attack_technique = "Data Destruction"
    $mitre_attack_technique_id = "T1485"
    $event_count = count_distinct($audit.metadata.id)
    // Caller context, aggregated over the window
    $network_http_user_agent = array_distinct($audit.network.http.user_agent)
    $principal_ip = array_distinct($audit.principal.ip)
    $principal_ip_country = array_distinct($audit.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($audit.principal.ip_geo_artifact.location.state)
    $principal_user_id = array_distinct($audit.principal.user.userid)
    $principal_user_display_name = array_distinct($audit.principal.user.user_display_name)
    // Every secret / version affected in the window
    $target_resource_name = array_distinct($audit.target.resource.name)

  condition:
    // Fires once the per-user count reaches the threshold within the 1h window
    #audit >= 10
}
Chronicle (YARA-L) Original YARA-L High T1204 ↗
gcp_successful_api_from_tor_exit_node
Detects successful API executions from a Tor exit node.
rule gcp_successful_api_from_tor_exit_node {
  // Multi-event rule: joins Cloud Audit events ($gcp) to the GCTI "Tor Exit Nodes"
  // entity-graph records ($gcti_feed) on the caller's source IP ($ip). The rule
  // cannot fire unless the GCTI Feed entity data is ingested. Note there is no
  // product/vendor filter here: any GCP_CLOUDAUDIT entry with ALLOW qualifies.

  meta:
    author = "Google Cloud Security"
    description = "Detects successful API executions from a Tor exit node."
    rule_id = "mr_5912e2be-4366-4f34-a770-0ac8358f2cb9"
    rule_name = "GCP Successful API Call From Tor Exit Node"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "User Execution"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1204/"
    mitre_attack_version = "v14.1"
    type = "Alert"
    data_source = "GCP Cloud Audit"
    platform = "GCP"
    severity = "High"
    priority = "High"

  events:

    $gcp.metadata.log_type = "GCP_CLOUDAUDIT"
    // Successful API calls only; denied calls from Tor are not surfaced here
    $gcp.security_result.action = "ALLOW"
    // Join key: the caller's source IP
    $gcp.principal.ip = $ip

    // Tor IP listing provided by GCTI Feed
    $gcti_feed.graph.entity.artifact.ip = $ip
    $gcti_feed.graph.metadata.entity_type = "IP_ADDRESS"
    $gcti_feed.graph.metadata.threat.threat_feed_name = "Tor Exit Nodes"
    $gcti_feed.graph.metadata.product_name = "GCTI Feed"
    $gcti_feed.graph.metadata.source_type = "GLOBAL_CONTEXT"

  match:
    // One detection per source IP per 5-minute window; outcome values aggregate
    // over every matching event in that window
    $ip over 5m

  outcome:
    $risk_score = max(
        //Baseline
        35 +
        // Unauthorized geographies
        // Each if() adds 40 only when the geo lookup equals that country; since one
        // IP resolves to a single country, in practice the score is 35 or 75.
        if($gcp.principal.ip_geo_artifact.location.country_or_region = "Cuba", 40) +
        if($gcp.principal.ip_geo_artifact.location.country_or_region = "Iran", 40) +
        if($gcp.principal.ip_geo_artifact.location.country_or_region = "North Korea" , 40) +
        if($gcp.principal.ip_geo_artifact.location.country_or_region = "Russia", 40) +
        if($gcp.principal.ip_geo_artifact.location.country_or_region = "Syria", 40)
    )
    $mitre_attack_tactic = "Execution"
    $mitre_attack_technique = "User Execution"
    $mitre_attack_technique_id = "T1204"
    $event_count = count_distinct($gcp.metadata.id)
    $network_http_user_agent = array_distinct($gcp.network.http.user_agent)
    $principal_ip = array_distinct($gcp.principal.ip)
    $principal_ip_country = array_distinct($gcp.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($gcp.principal.ip_geo_artifact.location.state)
    $principal_user_display_name = array_distinct($gcp.principal.user.user_display_name)
    // Number of distinct identities seen from the IP in the window; >1 is notable
    $dc_principal_user_display_name = count_distinct($gcp.principal.user.user_display_name)
    $target_resource_name = array_distinct($gcp.target.resource.name)

  condition:
    $gcp and $gcti_feed
}
Chronicle (YARA-L) Original YARA-L High T1078 ↗
gcp_workload_identity_pool_disabled_or_deleted
Detects when a GCP Workload Identity pool is disabled or deleted. Disabling or deleting a pool prevents every identity federated through it from accessing GCP resources, so this is both a potential denial-of-service action and a way to cut off defenders' own automation.
rule gcp_workload_identity_pool_disabled_or_deleted {

  meta:
    author = "Google Cloud Security"
    description = "Detect when GCP Workload identity pools are disabled or deleted. Disabling or deleting a pool will prevent any connected identities from accessing all GCP resources."
    rule_id = "mr_265fbe68-80c6-48b0-a211-dca6bcef0fd2"
    rule_name = "GCP Workload Identity Pool Disabled Or Deleted"
    mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    mitre_attack_technique = "Valid Accounts: Cloud Accounts"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1078/004/"
    mitre_attack_version = "v14.1"
    type = "Alert"
    data_source = "GCP Cloud Audit"
    platform = "GCP"
    severity = "High"
    priority = "High"

  events:
    // Single-event rule (no match section): each qualifying IAM audit record
    // raises its own detection.
    $gcp.metadata.log_type = "GCP_CLOUDAUDIT"
    $gcp.target.application = "iam.googleapis.com"
    // Successful changes only; a denied attempt to disable or delete a pool
    // does not fire this rule.
    $gcp.security_result.action = "ALLOW"
    // Either the pool is deleted outright, or an update sets disabled=true.
    // The req_identityPool_disabled label presumably mirrors the request body
    // -- confirm against the parser if this branch never fires in your tenant.
    (
        (
            $gcp.metadata.product_event_type = "google.iam.v1.WorkloadIdentityPools.UpdateWorkloadIdentityPool" and
            $gcp.target.resource.attribute.labels["req_identityPool_disabled"] = "true"
        ) or
        $gcp.metadata.product_event_type = "google.iam.v1.WorkloadIdentityPools.DeleteWorkloadIdentityPool"
    )

  outcome:
    $risk_score = max(75)
    $mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    $mitre_attack_technique = "Valid Accounts: Cloud Accounts"
    $mitre_attack_technique_id = "T1078.004"
    // Which operation fired (Update vs Delete) and the pool it touched.
    $event_name = $gcp.metadata.product_event_type
    $target_resource_name = $gcp.target.resource.name
    // Acting principal and its network context.
    $principal_user_id = $gcp.principal.user.userid
    $principal_user_display_name = $gcp.principal.user.user_display_name
    $principal_ip = array_distinct($gcp.principal.ip)
    $principal_ip_country = array_distinct($gcp.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($gcp.principal.ip_geo_artifact.location.state)
    $network_http_user_agent = array_distinct($gcp.network.http.user_agent)
    $event_count = count_distinct($gcp.metadata.id)

  condition:
    $gcp
}
Chronicle (YARA-L) Original YARA-L High T1090.003 ↗
gcti_benign_binaries_contacts_tor_exit_node
Alerts when a binary listed in the GCTI Benign Binaries feed makes a network connection to a known Tor exit node IP — a trusted executable reaching Tor is a stronger signal than Tor traffic alone.
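rule gcti_benign_binaries_contacts_tor_exit_node {

  meta:
    author = "Google Cloud Security"
    description = "Alert on Benign Binary contacting a TOR IP"
    rule_id = "mr_8bb13cf7-d66b-41f2-9bbc-0a1884a77f70"
    rule_name = "GCTI Benign Binaries Contacts Tor Exit Node"
    tactic = "TA0011"
    technique = "T1090.003"
    type = "alert"
    tags = "tor, benign binaries"
    data_source = "crowdstrike"
    severity = "High"
    priority = "High"

  events:
    // Outbound connection from a process whose binary hash is known.
    $network.metadata.event_type = "NETWORK_CONNECTION"
    // Guard the join: connection events that carry no process hash would
    // otherwise bind $benign_hash to "" and be compared against the feed.
    // Requiring a non-empty sha256 keeps the join meaningful and cheaper.
    $network.principal.process.file.sha256 != ""
    $network.principal.process.file.sha256 = $benign_hash
    $network.target.ip = $ip

    // Benign Files provided by GCTI Feed
    $gcti_feed.graph.entity.file.sha256 = $benign_hash
    $gcti_feed.graph.metadata.vendor_name = "Google Cloud Threat Intelligence"
    $gcti_feed.graph.metadata.product_name = "GCTI Feed"
    $gcti_feed.graph.metadata.entity_type = "FILE"
    $gcti_feed.graph.metadata.threat.threat_feed_name = "Benign Binaries"
    $gcti_feed.graph.metadata.source_type = "GLOBAL_CONTEXT"

    // Tor IP listing provided by GCTI Feed
    $tor.graph.entity.artifact.ip = $ip
    $tor.graph.metadata.entity_type = "IP_ADDRESS"
    $tor.graph.metadata.threat.threat_feed_name = "Tor Exit Nodes"
    $tor.graph.metadata.vendor_name = "Google Cloud Threat Intelligence"
    $tor.graph.metadata.product_name = "GCTI Feed"
    $tor.graph.metadata.source_type = "GLOBAL_CONTEXT"

  match:
    $ip over 5m

  outcome:
    // 70 when the Tor listing is high-confidence, plus 20 per listed destination
    // geography (a false if() contributes 0). NOTE(review): a lower-confidence
    // listing with a destination outside the listed countries therefore scores 0
    // even though severity is High -- add a non-zero baseline if downstream
    // triage keys on risk_score.
    $risk_score = max(
        if($tor.graph.metadata.threat.confidence = "HIGH_CONFIDENCE", 70) +
        // Unauthorized target geographies
        if($network.target.ip_geo_artifact.location.country_or_region = "Cuba", 20) +
        if($network.target.ip_geo_artifact.location.country_or_region = "Iran", 20) +
        if($network.target.ip_geo_artifact.location.country_or_region = "North Korea", 20) +
        if($network.target.ip_geo_artifact.location.country_or_region = "Russia", 20) +
        if($network.target.ip_geo_artifact.location.country_or_region = "Syria", 20)
    )
    $event_count = count_distinct($network.metadata.id)
    $tor_ip_country = array_distinct($network.target.ip_geo_artifact.location.country_or_region)
    // added to populate alert graph with additional context
    $principal_ip = array_distinct($network.principal.ip)
    // Commented out target.ip because it is already represented in graph as match variable. If match changes, can uncomment to add to results
    //$target_ip = array_distinct($network.target.ip)
    $principal_process_pid = array_distinct($network.principal.process.pid)
    $principal_process_command_line = array_distinct($network.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($network.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($network.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($network.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($network.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($network.target.process.pid)
    $target_process_command_line = array_distinct($network.target.process.command_line)
    $target_process_file_sha256 = array_distinct($network.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($network.target.process.file.full_path)
    $target_process_product_specific_process_id = array_distinct($network.target.process.product_specific_process_id)
    //$target_process_parent_process_product_specific_process_id = array_distinct($network.target.process.parent_process.product_specific_process_id)
    $principal_user_userid = array_distinct($network.principal.user.userid)
    $target_user_userid = array_distinct($network.target.user.userid)

  condition:
    $network and $gcti_feed and $tor
}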
Chronicle (YARA-L) Original YARA-L High T1090.003 ↗
gcti_tor_exit_nodes
Alerts on allowed (not blocked) network connections destined for IPs listed in the GCTI Tor Exit Nodes feed, grouped per exit node IP over one hour.
rule gcti_tor_exit_nodes {

  meta:
    author = "Google Cloud Security"
    description = "Alert traffic destined for known Tor exit nodes"
    rule_id = "mr_1d31f0e4-8cd9-4fc2-ae87-e91a435fe34f"
    rule_name = "GCTI Tor Exit Nodes"
    tactic = "TA0011"
    technique = "T1090.003"
    type = "alert"
    tags = "tor"
    data_source = "crowdstrike, microsoft sysmon, microsoft defender atp"
    severity = "High"
    priority = "High"

  events:
    // Tor exit node IPs from the GCTI global-context feed; $ip doubles as the
    // match variable, so one detection is produced per exit node per hour.
    $gcti_feed.graph.metadata.source_type = "GLOBAL_CONTEXT"
    $gcti_feed.graph.metadata.product_name = "GCTI Feed"
    $gcti_feed.graph.metadata.entity_type = "IP_ADDRESS"
    $gcti_feed.graph.metadata.threat.threat_feed_name = "Tor Exit Nodes"
    $gcti_feed.graph.entity.artifact.ip = $ip

    // Endpoint network connections to one of those IPs. Only connections the
    // sensor recorded as allowed are in scope; blocked attempts do not alert.
    $network.metadata.event_type = "NETWORK_CONNECTION"
    $network.target.ip = $ip
    $network.security_result.action = "ALLOW"

  match:
    $ip over 1h

  outcome:
    // Fixed score: every permitted Tor connection is treated the same.
    $risk_score = 85
    $event_count = count_distinct($network.metadata.id)
    // Where the exit node is located.
    $tor_geoip_country = array_distinct($network.target.ip_geo_artifact.location.country_or_region)
    $tor_geoip_state = array_distinct($network.target.ip_geo_artifact.location.state)
    // Source host and users.
    $principal_ip = array_distinct($network.principal.ip)
    // target.ip is omitted on purpose: it is already the match variable. If the
    // match changes, uncomment to carry it into results.
    //$target_ip = array_distinct($network.target.ip)
    $principal_user_userid = array_distinct($network.principal.user.userid)
    $target_user_userid = array_distinct($network.target.user.userid)
    // Initiating process.
    $principal_process_pid = array_distinct($network.principal.process.pid)
    $principal_process_command_line = array_distinct($network.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($network.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($network.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($network.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($network.principal.process.parent_process.product_specific_process_id)
    // Target-side process, where the sensor supplies one.
    $target_process_pid = array_distinct($network.target.process.pid)
    $target_process_command_line = array_distinct($network.target.process.command_line)
    $target_process_file_sha256 = array_distinct($network.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($network.target.process.file.full_path)
    //$target_process_product_specific_process_id = array_distinct($network.target.process.product_specific_process_id)
    //$target_process_parent_process_product_specific_process_id = array_distinct($network.target.process.parent_process.product_specific_process_id)

  condition:
    $gcti_feed and $network
}
Chronicle (YARA-L) Original YARA-L High T1485 ↗
github_enterprise_deleted
Detects when a GitHub enterprise is deleted.
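rule github_enterprise_deleted {

  meta:
    author = "Google Cloud Security"
    description = "Detects when a GitHub enterprise is deleted."
    rule_id = "mr_6443a51b-c381-4504-9b45-9d8b5e9531d7"
    rule_name = "GitHub Enterprise Deleted"
    assumption = "Your GitHub enterprise audit log settings are configured to log the source IP address for events. Reference: https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization"
    type = "alert"
    severity = "High"
    priority = "High"
    platform = "GitHub"
    data_source = "github"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "Data Destruction"
    mitre_attack_url = "https://attack.mitre.org/versions/v14/techniques/T1485/"
    mitre_attack_version = "v14"
    reference = "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise"

  events:
    // GitHub enterprise audit-log event for deletion of the enterprise account.
    $github.metadata.vendor_name = "GITHUB" nocase
    // nocase added for parity with the vendor_name check above, so a
    // differently-cased product label from the parser cannot silently
    // disable the rule.
    $github.metadata.product_name = "GITHUB" nocase
    $github.metadata.product_event_type = "business.delete"
    // Group by actor and the enterprise being deleted.
    $github.principal.user.userid = $user_id
    $github.target.user.company_name = $github_enterprise_name

  match:
    $user_id, $github_enterprise_name over 30m

  outcome:
    $risk_score = max(85)
    $mitre_attack_tactic = "Impact"
    $mitre_attack_technique = "Data Destruction"
    $mitre_attack_technique_id = "T1485"
    $event_count = count_distinct($github.metadata.id)
    // Source IP context; only populated when the audit log is configured to
    // record IP addresses (see the assumption in meta).
    $principal_ip = array_distinct($github.principal.ip)
    $principal_user_userid = array_distinct($github.principal.user.userid)
    $principal_ip_country = array_distinct($github.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($github.principal.ip_geo_artifact.location.state)
    // NOTE(review): city is read from principal.location while country/state
    // come from principal.ip_geo_artifact.location -- confirm which path the
    // GitHub parser populates; if city is always empty, switch it to the
    // ip_geo_artifact path.
    $principal_ip_city = array_distinct($github.principal.location.city)
    $security_result_summary = array_distinct($github.security_result.summary)

  condition:
    $github
}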
Chronicle (YARA-L) Original YARA-L High T1485 ↗
google_workspace_multiple_files_deleted_from_google_drive
Identifies when a user deletes multiple files from Google Drive, which may indicate data destruction.
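rule google_workspace_multiple_files_deleted_from_google_drive {

  meta:
    author = "Google Cloud Security"
    description = "Identifies when a user deletes multiple files from Google Drive, which may indicate data destruction."
    rule_id = "mr_efa7bd41-506c-49b9-85a0-d799f0345ecf"
    rule_name = "Google Workspace Multiple Files Deleted From Google Drive"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "Data Destruction"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1485/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "Workspace Activity"
    severity = "High"
    priority = "High"

  events:
    // Drive activity where a user trashes or permanently deletes an item.
    // "trash" is a recoverable, routine user action, so expect some noise;
    // the per-user volume threshold in the condition is what makes this
    // interesting.
    $ws.metadata.vendor_name = "Google Workspace"
    $ws.metadata.product_name = "drive"
    (
        $ws.metadata.product_event_type = "trash" or
        $ws.metadata.product_event_type = "delete"
    )
    $ws.principal.user.userid = $user_id

  match:
    $user_id over 1h

  outcome:
    $risk_score = max(75)
    $mitre_attack_tactic = "Impact"
    $mitre_attack_technique = "Data Destruction"
    // Fixed: the published rule emitted "T1567" (Exfiltration Over Web Service)
    // here, contradicting the tactic/technique/URL in meta and the two fields
    // above. T1485 is Data Destruction.
    $mitre_attack_technique_id = "T1485"
    $event_count = count_distinct($ws.metadata.id)
    $product_event_type = array_distinct($ws.metadata.product_event_type)
    $userid = array_distinct($ws.principal.user.userid)
    $doc_type = array_distinct($ws.src.resource.attribute.labels["doc_type"])
    $owner = array_distinct($ws.target.resource.attribute.labels["owner"])
    $doc_name = array_distinct($ws.target.resource.name)
    $doc_id = array_distinct($ws.target.resource.product_object_id)
    // Distinct documents touched, used as the alerting threshold below.
    $count_docs = count_distinct($ws.target.resource.product_object_id)

  condition:
    // Customize the value of $count_docs to set the alerting threshold for your environment
    $ws and $count_docs > 10
}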
Chronicle (YARA-L) Original YARA-L High T1078 ↗
google_workspace_saml_idp_configuration_change
Identifies SAML provider configuration changes in Google Workspace. Security teams can monitor for changes to SAML provider configuration that may weaken the organization's security posture.
rule google_workspace_saml_idp_configuration_change {

  meta:
    author = "Google Cloud Security"
    description = "Identifies SAML provider configuration changes in Google Workspace. Security teams can monitor for changes to SAML provider configuration that may weaken the organization's security posture."
    rule_id = "mr_1a321683-9c52-4928-a654-e0677df97c09"
    rule_name = "Google Workspace SAML IDP Configuration Change"
    mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    mitre_attack_technique = "Valid Accounts"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1078/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "Workspace Activity"
    severity = "High"
    priority = "High"

  events:
    // Admin-console activity touching a SAML service-provider configuration.
    // The event-type regex is unanchored, so every SAML2_SERVICE_PROVIDER_CONFIG*
    // action is in scope whatever the specific operation.
    $ws.principal.user.userid = $userid
    $ws.metadata.product_event_type = /SAML2_SERVICE_PROVIDER_CONFIG/
    $ws.security_result.category_details = "SAML2_SERVICE_PROVIDER_CONFIG_SETTINGS"
    $ws.metadata.product_name = "admin"
    $ws.metadata.vendor_name = "Google Workspace"

  match:
    // One detection per acting admin per hour; each should be reviewed, since
    // SAML config changes can weaken SSO trust for the whole organization.
    $userid over 1h

  outcome:
    $risk_score = max(75)
    $mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    $mitre_attack_technique = "Valid Accounts"
    $mitre_attack_technique_id = "T1078"
    $event_count = count_distinct($ws.metadata.id)
    // Which SAML app(s) were changed and how.
    $saml_name = array_distinct($ws.about.labels["saml2_service_provider_name"])
    $saml_entity_id = array_distinct($ws.about.labels["saml2_service_provider_entity_id"])
    $product_event_type = array_distinct($ws.metadata.product_event_type)
    // Who made the change and from where.
    $principal_user_id = array_distinct($ws.principal.user.userid)
    $principal_user_emails = array_distinct($ws.principal.user.email_addresses)
    $principal_ip = array_distinct($ws.principal.ip)
    $principal_country = array_distinct($ws.principal.ip_geo_artifact.location.country_or_region)
    $principal_state = array_distinct($ws.principal.ip_geo_artifact.location.state)

  condition:
    $ws
}
Chronicle (YARA-L) Original YARA-L High T1003.001 ↗
hacktool_generic_process_access
Detects process access requests from hacktool processes based on their default image name
rule hacktool_generic_process_access {

  meta:
    author = "Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel"
    description = "Detects process access requests from hacktool processes based on their default image name"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_access/proc_access_win_hktl_generic_access.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "HackTool - Generic Process Access"
    sigma_uuid = "d0d2f720-d14f-448d-8242-51ff396a334e"
    sigma_status = "test"
    rule_id = "mr_1e8861fd-060a-4162-8e00-fa2b2a27e1e2"
    tactic = "TA0006"
    technique = "T1003.001"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "High"
    priority = "High"
    false_positives = "Unlikely"

  events:
    $process.principal.hostname = $hostname
    // Sysmon process-access (Event ID 10 style) telemetry, matched on the
    // accessing image path, not the target.
    $process.metadata.event_type = "PROCESS_OPEN"
    // The image is compared against two regex reference lists. Both lists must
    // exist in the tenant before this rule can be saved; they ship in the
    // community repo's reference_lists folder. Matching is on default image
    // names only, so a renamed tool binary is not caught here.
    (
        $process.principal.process.file.full_path IN regex %hacktool_contains nocase or
        $process.principal.process.file.full_path IN regex %hacktool_regex nocase
    )

  match:
    $hostname over 5m

  outcome:
    // Example of zeroing the score for a known test host: replace "hostname"
    // with a real test machine name or drop the if(); as written every
    // detection scores 15.
    $risk_score = max(if($process.principal.hostname = "hostname", 0, 15))
    // Accessing (source) process.
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_pid = array_distinct($process.principal.process.pid)
    // "specfic" (sic) is a typo inherited from the published rule; the outcome
    // names are kept unchanged so existing consumers of this detection still work.
    $principal_process_product_specfic_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specfic_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    // Accessed (target) process.
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_product_specfic_process_id = array_distinct($process.target.process.product_specific_process_id)
    $log_type = array_distinct(strings.concat($process.metadata.log_type,"/",$process.metadata.product_event_type))

  condition:
    $process
}
Chronicle (YARA-L) Original YARA-L High T1003.001 ↗
hacktool_mimikatz_execution
Detects well-known Mimikatz command-line arguments — tool names, module prefixes such as `sekurlsa::`, and function names such as `::memssp` — in process launch events.
rule hacktool_mimikatz_execution {

  meta:
    author = "Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton"
    description = "Detection well-known mimikatz command line arguments"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "HackTool - Mimikatz Execution"
    sigma_uuid = "a642964e-bead-4bed-8910-1bb4d63e3b4d"
    sigma_status = "test"
    rule_id = "mr_d173bc90-2dcf-418d-a40c-bb7792f6300a"
    tactic = "TA0006"
    technique = "T1003.001"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "High"
    priority = "High"
    false_positives = "Unlikely"

  events:
    // Process-creation telemetry; the launched process's command line is
    // lower-cased and searched for any one of the substrings below, which
    // reproduces the case-insensitive "contains" matching of the referenced
    // Sigma rule. A single hit is sufficient.
    $process.metadata.event_type = "PROCESS_LAUNCH"
    (
        // Tool / binary names
        strings.contains(strings.to_lower($process.target.process.command_line), "dumpcreds") or
        strings.contains(strings.to_lower($process.target.process.command_line), "mimikatz") or
        // Function names in mimikatz's module::function syntax
        strings.contains(strings.to_lower($process.target.process.command_line), "::aadcookie") or
        strings.contains(strings.to_lower($process.target.process.command_line), "::detours") or
        strings.contains(strings.to_lower($process.target.process.command_line), "::memssp") or
        strings.contains(strings.to_lower($process.target.process.command_line), "::mflt") or
        strings.contains(strings.to_lower($process.target.process.command_line), "::ncroutemon") or
        strings.contains(strings.to_lower($process.target.process.command_line), "::ngcsign") or
        strings.contains(strings.to_lower($process.target.process.command_line), "::printnightmare") or
        strings.contains(strings.to_lower($process.target.process.command_line), "::skeleton") or
        strings.contains(strings.to_lower($process.target.process.command_line), "::preshutdown") or
        strings.contains(strings.to_lower($process.target.process.command_line), "::mstsc") or
        strings.contains(strings.to_lower($process.target.process.command_line), "::multirdp") or
        // Module prefixes. NOTE(review): the short generic ones (process::,
        // token::, crypto::) can appear in unrelated tooling's arguments;
        // review hits on these before treating "false_positives = Unlikely"
        // as authoritative.
        strings.contains(strings.to_lower($process.target.process.command_line), "rpc::") or
        strings.contains(strings.to_lower($process.target.process.command_line), "token::") or
        strings.contains(strings.to_lower($process.target.process.command_line), "crypto::") or
        strings.contains(strings.to_lower($process.target.process.command_line), "dpapi::") or
        strings.contains(strings.to_lower($process.target.process.command_line), "sekurlsa::") or
        strings.contains(strings.to_lower($process.target.process.command_line), "kerberos::") or
        strings.contains(strings.to_lower($process.target.process.command_line), "lsadump::") or
        strings.contains(strings.to_lower($process.target.process.command_line), "privilege::") or
        strings.contains(strings.to_lower($process.target.process.command_line), "process::") or
        strings.contains(strings.to_lower($process.target.process.command_line), "vault::")
    )
    $process.principal.hostname = $hostname

  match:
    $hostname over 5m

  outcome:
    //example usage of specifying test user and hostname to adjust risk score
    // "user" and "hostname" are literal placeholders, unlikely to match a real
    // identity; replace them or drop the if() -- as written every detection
    // scores 15.
    $risk_score = max(if($process.principal.user.userid = "user" and $process.principal.hostname = "hostname", 0, 15))
    // Parent (launching) process context.
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    // "specfic" (sic) is a typo inherited from the published rule; kept so
    // existing consumers of these outcome fields keep working.
    $principal_process_product_specfic_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specfic_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    // Launched process (the one whose command line matched).
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specfic_process_id = array_distinct($process.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($process.principal.user.userid)
    $log_type = array_distinct(strings.concat($process.metadata.log_type,"/",$process.metadata.product_event_type))

  condition:
    $process
}
Chronicle (YARA-L) Original YARA-L High T1068 ↗
hacktool_sharp_successor_execution
SharpSuccessor is a .NET-based post-exploitation tool designed to weaponize the BadSuccessor attack discovered by Yuval Gordon (@YuG0rd) from Akamai. It allows a low-privileged user with 'CreateChild' permissions over any Organizational Unit (OU) in an Active Directory domain to escalate privileges to Domain Administrator. This detection rule identifies execution patterns or behavioral indicators linked to SharpSuccessor activity, which may signal privilege escalation attempts in Active Directory environments.
rule hacktool_sharp_successor_execution {

  meta:
    author = "Georg Lauenstein - suresecure GmbH, Mohamed Abdelfattah - suresecure GmbH"
    description = "SharpSuccessor is a .NET-based post-exploitation tool designed to weaponize the BadSuccessor attack discovered by Yuval Gordon (@YuG0rd) from Akamai. It allows a low-privileged user with 'CreateChild' permissions over any Organizational Unit (OU) in an Active Directory domain to escalate privileges to Domain Administrator. This detection rule identifies execution patterns or behavioral indicators linked to SharpSuccessor activity, which may signal privilege escalation attempts in Active Directory environments."
    rule_id = "mr_be51aa7d-b4b8-4d8c-9998-0aa3194e98c3"
    rule_name = "Hacktool - SharpSuccessor Execution"
    tactic = "TA0004"
    technique = "T1068"
    references = "https://academy.bluraven.io/blog/detecting-badsuccessor, https://github.com/logangoins/SharpSuccessor"
    type = "alert"
    platform = "Windows, EDR"
    data_source = "Microsoft Sysmon, Windows Security Event Log, Microsoft Defender XDR"
    severity = "High"
    priority = "High"

  events:

    // Branch 1: process-launch telemetry naming the tool by image path,
    // software description or command line. Every check is on the default
    // tool name, so a renamed binary run without "SharpSuccessor" in its
    // arguments is not detected by this rule.
    (
      $sharp_successor_execution.metadata.event_type = "PROCESS_LAUNCH"
      and (
            // NOTE(review): exact equality on the bare file name only matches if
            // the parser leaves src.process.file.full_path without a directory;
            // the target/principal checks below use a path-separator-prefixed
            // regex instead -- confirm which shape your sources produce.
            $sharp_successor_execution.src.process.file.full_path = "SharpSuccessor.exe" nocase or
            $sharp_successor_execution.target.asset.software.description = "SharpSuccessor" nocase or
            $sharp_successor_execution.target.process.file.full_path = /\\SharpSuccessor\.exe/ nocase or
            $sharp_successor_execution.principal.process.file.full_path = /\\SharpSuccessor\.exe/ nocase or
            // Also fires when the name appears only in the arguments.
            $sharp_successor_execution.target.process.command_line = /SharpSuccessor/ nocase
          )
    )
    or
    ( // Microsoft-Windows-Security-Auditing -- EventCode: 4673
      // Branch 2: Windows Security 4673 ("A privileged service was called").
      // NOTE(review): 4673 reports a process name but no command line; whether
      // the parser populates target.process.command_line for this event is
      // unverified -- if it does not, this branch never fires.
      $sharp_successor_execution.metadata.event_type = "SERVICE_UNSPECIFIED"
      and (
            $sharp_successor_execution.metadata.description = "A privileged service was called" and
            $sharp_successor_execution.target.process.command_line = /SharpSuccessor/ nocase
          )
    )

    // Capture the hostname where the event occurred
    $sharp_successor_execution.principal.hostname = $hostname

  match:
    // One detection per host per 10 minutes, regardless of which branch hit.
    $hostname over 10m

  outcome:
    // Fixed score; the rule does not distinguish between the two branches.
    $risk_score = 65
    $event_count = count_distinct($sharp_successor_execution.metadata.id)
    // Parent (launching) process context.
    $principal_process_pid = array_distinct($sharp_successor_execution.principal.process.pid)
    $principal_process_command_line = array_distinct($sharp_successor_execution.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($sharp_successor_execution.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($sharp_successor_execution.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($sharp_successor_execution.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($sharp_successor_execution.principal.process.parent_process.product_specific_process_id)
    // Launched process (the SharpSuccessor candidate).
    $target_process_pid = array_distinct($sharp_successor_execution.target.process.pid)
    $target_process_command_line = array_distinct($sharp_successor_execution.target.process.command_line)
    $target_process_file_sha256 = array_distinct($sharp_successor_execution.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($sharp_successor_execution.target.process.file.full_path)
    $target_process_product_specific_process_id = array_distinct($sharp_successor_execution.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($sharp_successor_execution.principal.user.userid)

  condition:
      $sharp_successor_execution
}
Chronicle (YARA-L) Original YARA-L High T1204.002 ↗
high_risk_user_download_executable_from_macro
Suspected executable download seen at the proxy, correlated with Microsoft Excel network activity by the same user and host, where that user is linked through the entity graph to a GCP DLP-classified resource.
rule high_risk_user_download_executable_from_macro {

  meta:
    author = "Google Cloud Security"
    description = "Executable downloaded by Microsoft Excel by user with GCP entity relationship"
    rule_id = "mr_352c77a7-67b6-4dfb-95e5-75fef8fa4a6c"
    rule_name = "High Risk User Download Executable From Macro"
    type = "alert"
    data_source = "zscaler nss, crowdstrike"
    tags = "user entity, resource entity"
    severity = "High"
    priority = "High"
    platform = "Windows"
    assumption = "This rule assumes that GCP DLP has been deployed and resources have been assigned to a user context"
    tactic = "TA0002"
    technique = "T1204.002"

  events:
    // proxy event with suspected executable download
    $proxy_event.metadata.event_type = "NETWORK_HTTP"
    $proxy_event.target.url =  /.*\.exe$/ or
    $proxy_event.network.received_bytes > 102400
    $proxy_event.principal.user.userid = $user
    $proxy_event.principal.user.userid != /test/
    $proxy_event.target.hostname = $hostname

    // correlate with EDR event indicating Excel activity
    $edr_event.target.user.userid  = $user
    $edr_event.target.process.file.full_path = /excel/ nocase
    ($edr_event.metadata.event_type = "NETWORK_HTTP" or $edr_event.metadata.event_type = "NETWORK_CONNECTION")
    $edr_event.target.hostname = $hostname

    // first hop into entity graph to find the permissions
    $user_entity.graph.entity.user.userid = $user
    $user_entity.graph.metadata.entity_type = "USER"
    $user_entity.graph.metadata.source_type = "ENTITY_CONTEXT"
    $user_entity.graph.relations.entity.resource.name != ""
    $user_entity.graph.relations.entity.resource.name = $table_name

    // second hop for the table context
    $table_context.graph.entity.resource.product_object_id = $table_name
    $table_context.graph.metadata.entity_type = "RESOURCE"
    $table_context.graph.metadata.source_type = "ENTITY_CONTEXT"
    $table_context.graph.metadata.product_name = "GCP DLP CONTEXT"

  match:
    $user, $hostname over 5m

  outcome:
    $risk_score = max(if($table_context.graph.entity.resource.attribute.labels.value = "US_SOCIAL_SECURITY_NUMBER", 80))
    $entity_resource_name = array_distinct($table_context.graph.entity.resource.name)
    // added to populate alert graph with additional context
    $principal_hostname = array_distinct($proxy_event.principal.hostname)
    // Commented out target.hostname because it is already represented in graph as match variable. If match changes, can uncomment to add to results
    //$target_hostname = array_distinct($proxy_event.target.hostname)
    $principal_process_pid = array_distinct($edr_event.principal.process.pid)
    $principal_process_command_line = array_distinct($edr_event.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($edr_event.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($edr_event.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($edr_event.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($edr_event.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($edr_event.target.process.pid)
    $target_process_command_line = array_distinct($edr_event.target.process.command_line)
    $target_process_file_sha256 = array_distinct($edr_event.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($edr_event.target.process.file.full_path)
    $target_process_product_specific_process_id = array_distinct($edr_event.target.process.product_specific_process_id)
    $target_process_parent_process_product_specific_process_id = array_distinct($edr_event.target.process.parent_process.product_specific_process_id)
    // Commented out principal.user.userid because it is already represented in graph as match variable. If match changes, can uncomment to add to results
    //$principal_user_userid = array_distinct($edr_event.principal.user.userid)
    $target_user_userid = array_distinct($edr_event.target.user.userid)
    $target_url = array_distinct($proxy_event.target.url)

  condition:
    $proxy_event and $edr_event and $user_entity and $table_context
}
Chronicle (YARA-L) Original YARA-L High T1003.001 ↗
lsass_dump_keyword_command_line
Detects the presence of the keywords lsass and .dmp in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process
rule lsass_dump_keyword_command_line {

  meta:
    author = "E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems)"
    description = "Detects the presence of the keywords lsass and .dmp in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "LSASS Dump Keyword In CommandLine"
    sigma_uuid = "ffa6861c-4461-4f59-8a41-578c39f3f23e"
    sigma_status = "test"
    rule_id = "mr_b7e51852-e836-4020-9ea4-7d9f9ace350f"
    tactic = "TA0006"
    technique = "T1003.001"
    type = "Detection"
    data_source = "Windows Event, Sysmon"
    platform = "Windows"
    severity = "High"
    priority = "High"
    false_positives = "Unlikely"

  // Single-event rule: one PROCESS_LAUNCH whose command line carries a file
  // name or tool keyword associated with dumping LSASS memory.
  events:
    $process.metadata.event_type = "PROCESS_LAUNCH"
    // The command line is lower-cased for every comparison, so the literals
    // below must stay lower-case. The first group lists known dump file names;
    // the remaining groups pair a tool/process keyword with a dump extension.
    (
        (
            strings.contains(strings.to_lower($process.target.process.command_line), "lsass.dmp") or
            strings.contains(strings.to_lower($process.target.process.command_line), "lsass.zip") or
            strings.contains(strings.to_lower($process.target.process.command_line), "lsass.rar") or
            strings.contains(strings.to_lower($process.target.process.command_line), "andrew.dmp") or
            strings.contains(strings.to_lower($process.target.process.command_line), "coredump.dmp") or
            strings.contains(strings.to_lower($process.target.process.command_line), "notlsass.zip") or
            strings.contains(strings.to_lower($process.target.process.command_line), "lsass_2") or
            strings.contains(strings.to_lower($process.target.process.command_line), "lsassdump") or
            strings.contains(strings.to_lower($process.target.process.command_line), "lsassdmp")
        )
        or
        (
            strings.contains(strings.to_lower($process.target.process.command_line), "lsass") and
            strings.contains(strings.to_lower($process.target.process.command_line), ".dmp")
        )
        or
        (
            strings.contains(strings.to_lower($process.target.process.command_line), "sqldmpr") and
            strings.contains(strings.to_lower($process.target.process.command_line), ".mdmp")
        )
        or
        (
            strings.contains(strings.to_lower($process.target.process.command_line), "nanodump") and
            strings.contains(strings.to_lower($process.target.process.command_line), ".dmp")
        )
    )
    // Grouping key for the match window.
    $process.principal.hostname = $hostname

  // Launches on the same host within five minutes roll up into one detection.
  match:
    $hostname over 5m

  outcome:
    //example usage of specifying test user and hostname to adjust risk score
    // The placeholder user/host pair scores 0; every other event scores 15.
    $risk_score = max(if($process.principal.user.userid = "user" and $process.principal.hostname = "hostname", 0, 15))
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    // NOTE(review): the three "product_specfic" outcome names below are
    // misspelled relative to the "product_specific_process_id" names used by
    // sibling rules; kept as-is because outcome names are visible downstream.
    $principal_process_product_specfic_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specfic_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specfic_process_id = array_distinct($process.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($process.principal.user.userid)
    // Source log type and product event type joined with "/" for triage context.
    $log_type = array_distinct(strings.concat($process.metadata.log_type,"/",$process.metadata.product_event_type))

  condition:
    $process
}
Chronicle (YARA-L) Original YARA-L High T1003.001 ↗
lsass_memory_access_by_tool_dump_keyword_name
Detects LSASS process access requests from a source process with the dump keyword in its image name
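rule lsass_memory_access_by_tool_dump_keyword_name {

  meta:
    author = "Florian Roth (Nextron Systems)"
    description = "Detects LSASS process access requests from a source process with the dump keyword in its image name"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_access/proc_access_win_lsass_dump_keyword_image.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "LSASS Memory Access by Tool With Dump Keyword In Name"
    sigma_uuid = "9bd012ee-0dff-44d7-84a0-aa698cfd87a3"
    sigma_status = "test"
    rule_id = "mr_98164cc1-0051-49c1-b915-421b3c119bfe"
    tactic = "TA0006"
    technique = "T1003.001"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "High"
    priority = "High"
    false_positives = "Rare programs that contain the word dump in their name and access lsass"

  // Single-event rule: a PROCESS_OPEN where the opened (target) process is
  // lsass.exe, the opening (principal) process image contains "dump", and the
  // requested access mask ends in one of the listed values.
  events:
    $process.metadata.event_type = "PROCESS_OPEN"
    // Anchored on "\lsass.exe" at the end of the path. The dot is escaped, as
    // in the sibling comsvcs rule, so an unescaped "." cannot match any
    // character between "lsass" and "exe".
    re.regex($process.target.process.file.full_path, `\\lsass\.exe$`) nocase
    strings.contains(strings.to_lower($process.principal.process.file.full_path), "dump")
    // Suffix match on the access-mask string carried over from the Sigma
    // source (presumably the Sysmon GrantedAccess value mapped into
    // target.resource.name -- confirm against the parser in use).
    re.regex($process.target.resource.name, `(10|30|50|70|90|B0|D0|F0|18|38|58|78|98|B8|D8|F8|1A|3A|5A|7A|9A|BA|DA|FA|0x14C2|FF)$`) nocase

    // Grouping key for the match window.
    $process.principal.hostname = $hostname

  // Accesses on the same host within five minutes roll up into one detection.
  match:
    $hostname over 5m

  outcome:
    //example usage of specifying test hostname to adjust risk score
    // The placeholder host scores 0; every other event scores 15.
    $risk_score = max(if($process.principal.hostname = "hostname", 0, 15))
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    // NOTE(review): the "product_specfic" outcome names are misspelled relative
    // to sibling rules; kept as-is because outcome names are visible downstream.
    $principal_process_product_specfic_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specfic_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specfic_process_id = array_distinct($process.target.process.product_specific_process_id)
    // Source log type and product event type joined with "/" for triage context.
    $log_type = array_distinct(strings.concat($process.metadata.log_type,"/",$process.metadata.product_event_type))

  condition:
    $process
}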
Chronicle (YARA-L) Original YARA-L High T1003.001 ↗
lsass_memory_dump_comsvcs_dll
Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass
rule lsass_memory_dump_comsvcs_dll {

  meta:
    author = "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)"
    description = "Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "Lsass Memory Dump via Comsvcs DLL"
    sigma_uuid = "a49fa4d5-11db-418c-8473-1e014a8dd462"
    sigma_status = "test"
    rule_id = "mr_4efe14fb-53fb-49ba-b137-f5d70cb6adb9"
    tactic = "TA0006"
    technique = "T1003.001"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "High"
    priority = "High"
    false_positives = "Unknown"

  // Single-event rule: a PROCESS_OPEN of lsass.exe by rundll32.exe whose call
  // trace passes through comsvcs.dll.
  events:
    $process.metadata.event_type = "PROCESS_OPEN"
    re.regex($process.target.process.file.full_path, `\\lsass\.exe$`) nocase
    re.regex($process.principal.process.file.full_path, `\\rundll32\.exe$`) nocase
    // "CallTrace" is read from the event's additional fields, not a first-class
    // UDM field -- presumably populated by the Sysmon process-access parser;
    // confirm it is present for the log source in use, otherwise the rule
    // never matches.
    strings.contains(strings.to_lower($process.additional.fields["CallTrace"]), "comsvcs.dll")

    // Grouping key for the match window.
    $process.principal.hostname = $hostname

  // Accesses on the same host within five minutes roll up into one detection.
  match:
    $hostname over 5m

  outcome:
    //example usage of specifying test hostname to adjust risk score
    // The placeholder host scores 0; every other event scores 15.
    $risk_score = max(if($process.principal.hostname = "hostname", 0, 15))
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    // NOTE(review): the "product_specfic" outcome names are misspelled relative
    // to sibling rules; kept as-is because outcome names are visible downstream.
    $principal_process_product_specfic_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specfic_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specfic_process_id = array_distinct($process.target.process.product_specific_process_id)
    // Source log type and product event type joined with "/" for triage context.
    $log_type = array_distinct(strings.concat($process.metadata.log_type,"/",$process.metadata.product_event_type))

  condition:
    $process
}
Chronicle (YARA-L) Original YARA-L High T1003.001 ↗
lsass_process_memory_dump_file_creation
Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials
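rule lsass_process_memory_dump_file_creation {

  meta:
    author = "Florian Roth (Nextron Systems)"
    description = "Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "LSASS Process Memory Dump Files"
    sigma_uuid = "a5a2d357-1ab8-4675-a967-ef9990a59391"
    sigma_status = "test"
    rule_id = "mr_8fd8cb2b-18dc-468d-acdf-899da9f6de43"
    tactic = "TA0006"
    technique = "T1003.001"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "High"
    priority = "High"
    false_positives = "Unknown"

  // Single-event rule: a FILE_CREATION whose path matches a file name that
  // memory-dumping tools write when targeting LSASS.
  events:
    $file.metadata.event_type = "FILE_CREATION"
    // Any one branch is sufficient. Every path comparison is case-insensitive
    // ("nocase" on regexes, to_lower on contains), consistent with the sibling
    // command-line rule. The first regex is anchored with a plain "$"
    // (end of string); the previous "\$" required a literal dollar sign and
    // could never match a real path.
    (
      re.regex($file.target.file.full_path, `\\(Andrew\.dmp|Coredump\.dmp|lsass\.dmp|lsass\.rar|lsass\.zip|NotLSASS\.zip|PPLBlade\.dmp|rustive\.dmp)$`) nocase or
      strings.contains(strings.to_lower($file.target.file.full_path), "\\lsass_2") or
      strings.contains(strings.to_lower($file.target.file.full_path), "\\lsassdmp") or
      strings.contains(strings.to_lower($file.target.file.full_path), "\\lsassdump") or
      (
        strings.contains(strings.to_lower($file.target.file.full_path), "\\lsass") and
        re.regex($file.target.file.full_path, `\.dmp$`) nocase
      )
      or
      (
        strings.contains(strings.to_lower($file.target.file.full_path), "sqldmpr") and
        re.regex($file.target.file.full_path, `\.mdmp$`) nocase
      )
      or
      (
        (
          strings.contains(strings.to_lower($file.target.file.full_path), "\\nanodump") or
          strings.contains(strings.to_lower($file.target.file.full_path), "\\proc_")
        )
        and
        re.regex($file.target.file.full_path, `\.dmp$`) nocase
      )
    )
    // Grouping key for the match window.
    $file.principal.hostname = $hostname

  // File creations on the same host within five minutes roll up into one detection.
  match:
    $hostname over 5m

  outcome:
    //example usage of specifying test user and hostname to adjust risk score
    // The placeholder user/host pair scores 0; every other event scores 15.
    $risk_score = max(if($file.principal.user.userid = "user" and $file.principal.hostname = "hostname", 0, 15))
    $principal_hostname = array_distinct($file.principal.hostname)
    $principal_process_pid = array_distinct($file.principal.process.pid)
    $principal_process_command_line = array_distinct($file.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($file.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($file.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($file.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($file.principal.process.parent_process.product_specific_process_id)
    $principal_user_userid = array_distinct($file.principal.user.userid)
    $target_file_sha256 = array_distinct($file.target.file.sha256)
    $target_file_full_path = array_distinct($file.target.file.full_path)

  condition:
    $file
}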
Chronicle (YARA-L) Original YARA-L High T1003.001 ↗
lsass_process_memory_dump_file_creation_taskmgr
Detects the creation of an lsass.dmp file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager
rule lsass_process_memory_dump_file_creation_taskmgr {

  meta:
    author = "Swachchhanda Shrawan Poudel"
    description = "Detects the creation of an lsass.dmp file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "LSASS Process Memory Dump Creation Via Taskmgr.exe"
    sigma_uuid = "69ca12af-119d-44ed-b50f-a47af0ebc364"
    sigma_status = "test"
    rule_id = "mr_d35a4d98-60fb-49bd-bb40-04d985c4e35b"
    tactic = "TA0006"
    technique = "T1003.001"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "High"
    priority = "High"
    false_positives = "Rare case of troubleshooting by an administrator or support that has to be investigated regardless"

  // Single-event rule: a FILE_CREATION by the system Task Manager binary of a
  // "lsass*.dmp" file under the user's local temp directory.
  events:
    $file.metadata.event_type = "FILE_CREATION"
    // Only the Windows-shipped taskmgr.exe (System32 or SysWOW64) is in scope,
    // so a renamed or relocated copy does not match.
    re.regex($file.principal.process.file.full_path, `:\\Windows\\(system32|SysWOW64)\\taskmgr\.exe$`) nocase
    // All three path conditions must hold: temp directory, "\lsass" prefix,
    // ".dmp" extension. Comparisons are case-insensitive.
    (
        strings.contains(strings.to_lower($file.target.file.full_path), "\\appdata\\local\\temp\\") and
        strings.contains(strings.to_lower($file.target.file.full_path), "\\lsass") and
        re.regex($file.target.file.full_path, `\.dmp$`) nocase
    )
    // Grouping key for the match window.
    $file.principal.hostname = $hostname

  // File creations on the same host within five minutes roll up into one detection.
  match:
    $hostname over 5m

  outcome:
    //example usage of specifying test user and hostname to adjust risk score
    // The placeholder user/host pair scores 0; every other event scores 15.
    $risk_score = max(if($file.principal.user.userid = "user" and $file.principal.hostname = "hostname", 0, 15))
    $principal_hostname = array_distinct($file.principal.hostname)
    $principal_process_pid = array_distinct($file.principal.process.pid)
    $principal_process_command_line = array_distinct($file.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($file.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($file.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($file.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($file.principal.process.parent_process.product_specific_process_id)
    $principal_user_userid = array_distinct($file.principal.user.userid)
    $target_file_sha256 = array_distinct($file.target.file.sha256)
    $target_file_full_path = array_distinct($file.target.file.full_path)

  condition:
    $file
}
Chronicle (YARA-L) Original YARA-L High T1078.004 ↗
o365_admin_login_activity_to_uncommon_mscloud_apps
This rule detects O365 login activity to apps other than a defined list of first party MS Cloud Apps. Note that Azure Active Directory PowerShell and custom Azure apps are not in this list by default
rule o365_admin_login_activity_to_uncommon_mscloud_apps {

  meta:
    author = "Google Cloud Security"
    description = "This rule detects O365 login activity to apps other than a defined list of first party MS Cloud Apps. Note that Azure Active Directory PowerShell and custom Azure apps are not in this list by default"
    rule_id = "mr_4fa166c8-922a-4dc1-b72d-9bcb2ec7609f"
    rule_name = "O365 Admin Login Activity To Uncommon Microsoft Cloud Apps"
    assumption = "The lists first_party_ms_cloud_apps and msazure_admin_watchlist are populated as needed"
    tactic = "TA0001"
    technique = "T1078.004"
    reference = "https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in"
    type = "alert"
    platform = "azure"
    data_source = "o365"
    severity = "High"
    priority = "High"

  // Single-event rule: a successful Office 365 sign-in by a watch-listed user
  // to an application that is not on the first-party allow-list.
  events:
    $login.metadata.event_type = "USER_LOGIN"
    $login.metadata.product_event_type = "UserLoggedIn"
    $login.metadata.product_name = "Office 365"
    // Reference list of first-party application IDs; any other app is in scope.
    NOT $login.target.resource.product_object_id in %first_party_ms_cloud_apps
    $login.metadata.vendor_name = "Microsoft"
    // Only successful sign-ins; failures are not scored here.
    $login.security_result.action = "ALLOW"
    $login.target.user.userid = $userid

    //Use the criteria below if you want to isolate activity to a specific watchlist of users
    //@domain.com is stripped off to reduce the values in the list to just the username of the email address, can apply to userid or email address fields
    // This condition is active, so the rule only fires for users on the
    // watchlist; an empty %msazure_admin_watchlist yields no detections at all.
    re.replace($login.target.user.userid, `@.*$`, "")  in %msazure_admin_watchlist

  // Sign-ins by the same user within five minutes roll up into one detection.
  match:
    $userid over 5m

  outcome:
    $risk_score = 65
    $event_count = count_distinct($login.metadata.id)
    $target_application = array_distinct($login.target.resource.product_object_id)
    $security_summary = array_distinct($login.security_result.summary)
    $user_agent = array_distinct($login.network.http.user_agent)
    $country_region_login_attempt = array_distinct($login.principal.ip_geo_artifact.location.country_or_region)
    //added to populate alert graph with additional context
    $principal_ip = array_distinct($login.principal.ip)
    $target_user_userid = array_distinct($login.target.user.userid)

  condition:
    $login
}
Chronicle (YARA-L) Original YARA-L High T1078 ↗
onelogin_super_user_privileges_assigned
Detects when a user is assigned super user privileges.
rule onelogin_super_user_privileges_assigned {

  meta:
    author = "Google Cloud Security"
    description = "Detects when a user is assigned super user privileges."
    rule_id = "mr_5a2dc2cc-a66a-413c-83de-99e0ed698849"
    rule_name = "OneLogin Super User Privileges Assigned"
    reference = "https://onelogin.service-now.com/kb_view_customer.do?sysparm_article=KB0010391"
    mitre_attack_tactic = "Privilege Escalation"
    mitre_attack_technique = "Valid Accounts: Cloud Accounts"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1078/004/"
    mitre_attack_version = "v15.1"
    type = "Alert"
    data_source = "OneLogin"
    severity = "High"
    priority = "High"

  // Single-event rule with no match section: every qualifying event produces
  // its own detection rather than being windowed.
  events:
     $user.metadata.event_type = "USER_CHANGE_PERMISSIONS"
     $user.metadata.product_name = "ONELOGIN_SSO"
     $user.metadata.vendor_name = "ONELOGIN"
     $user.metadata.product_event_type = "72" //user granted permission to a specific privilege
     // Exact, case-sensitive match on the privilege name as the parser places
     // it in target.resource.name.
     $user.target.resource.name = "Super user"

  outcome:
    $risk_score = max(35)
    $mitre_attack_tactic = "Privilege Escalation"
    $mitre_attack_technique = "Valid Accounts: Cloud Accounts"
    // Actor (principal) and recipient (target) of the privilege grant, plus the
    // actor's source IP and geolocation for triage.
    $principal_user_userid = array_distinct($user.principal.user.userid)
    $principal_user_user_display_name = array_distinct($user.principal.user.user_display_name)
    $principal_ip = array_distinct($user.principal.ip)
    $principal_ip_country = array_distinct($user.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($user.principal.ip_geo_artifact.location.state)
    $target_user_userid = array_distinct($user.target.user.userid)

  condition:
    $user
}
Chronicle (YARA-L) Original YARA-L High T1003.001 ↗
potential_lsass_process_dump_via_procdump
Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we are also able to catch cases in which the attacker has renamed the procdump executable. Procdump dump of lsass using minidump or memory dump options. Covers atomic tests 1 and 8
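rule potential_lsass_process_dump_via_procdump {

  meta:
    author = "Florian Roth (Nextron Systems)"
    description = "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we are also able to catch cases in which the attacker has renamed the procdump executable. Procdump dump of lsass using minidump or memory dump options. Covers atomic tests 1 and 8"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    sigma_uuid = "5afee48e-67dd-4e03-a783-f74259dcf998"
    sigma_status = "stable"
    rule_id = "mr_f7efb1a2-866c-4505-947e-3b06d4240262"
    tactic = "TA0006"
    technique = "T1003.001"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "High"
    priority = "High"
    // Key renamed from "falsepositives" to match the "false_positives" key used
    // by every other rule in this pack.
    false_positives = "Unlikely, because no one should dump an lsass process memory, another tool that uses command line flags similar to ProcDump"

  // Single-event rule: a PROCESS_LAUNCH whose command line carries a ProcDump
  // dump switch together with an argument starting with "ls". The binary name
  // is deliberately not checked so a renamed ProcDump is still caught.
  events:
    $process.metadata.event_type = "PROCESS_LAUNCH"
    // Full (-ma) or mini (-mm) dump switch. Lower-cased like the " ls" check
    // below so the comparison is case-insensitive, as in the Sigma source.
    (
        strings.contains(strings.to_lower($process.target.process.command_line), " -ma ") or
        strings.contains(strings.to_lower($process.target.process.command_line), " -mm ")
    )
    // Broad by design: " ls" covers lsass and lsass.exe however the name is
    // abbreviated, at the cost of any other argument starting with "ls".
    strings.contains(strings.to_lower($process.target.process.command_line), " ls")
    // Grouping key for the match window.
    $process.principal.hostname = $hostname

  // Launches on the same host within five minutes roll up into one detection.
  match:
    $hostname over 5m

  outcome:
    //example usage of specifying test user and hostname to adjust risk score
    // The placeholder user/host pair scores 0; every other event scores 15.
    $risk_score = max(if($process.principal.user.userid = "user" and $process.principal.hostname = "hostname", 0, 15))
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    // NOTE(review): the "product_specfic" outcome names are misspelled relative
    // to sibling rules; kept as-is because outcome names are visible downstream.
    $principal_process_product_specfic_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specfic_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specfic_process_id = array_distinct($process.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($process.principal.user.userid)
    // Source log type and product event type joined with "/" for triage context.
    $log_type = array_distinct(strings.concat($process.metadata.log_type,"/",$process.metadata.product_event_type))

  condition:
    $process
}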
Chronicle (YARA-L) Original YARA-L High T1021.006 ↗
potential_remote_powershell_session_initiated
Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account. This could potentially indicate a remote PowerShell connection.
rule potential_remote_powershell_session_initiated {

  meta:
    author = "Roberto Rodriguez @Cyb3rWard0g"
    description = "Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account. This could potentially indicates a remote PowerShell connection."
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/net_connection_win_susp_remote_powershell_session.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "Potential Remote PowerShell Session Initiated"
    sigma_uuid = "c539afac-c12a-46ed-b1bd-5a5567c9f045"
    sigma_status = "test"
    rule_id = "mr_7186feaf-ab01-4c41-b17f-994b08b5bc33"
    tactic = "TA0008"
    technique = "T1021.006"
    type = "Hunt"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "High"
    priority = "High"
    false_positives = "Legitimate usage of remote PowerShell, e.g. remote administration and monitoring. Network Service user name of a not-covered localization"

  // Single-event rule: an outbound Sysmon network connection to a WinRM port,
  // initiated by an account other than Network Service, excluding loopback and
  // one known vendor process.
  events:
    // Sysmon event ID 3 (network connection) as normalised by the UDM parser.
    $net.metadata.event_type = "NETWORK_CONNECTION"
    $net.metadata.product_event_type = "3"
    $net.metadata.product_name = "Microsoft-Windows-Sysmon"
    $net.metadata.vendor_name = "Microsoft"
    // WinRM HTTP (5985) and HTTPS (5986) listener ports.
    (
        $net.target.port = 5985 or
        $net.target.port = 5986
    )
    //Parser extension added for Initiated/true field/value, not currently in Sysmon parser
    //Initiated: 'true'
    // Without the parser extension this field is absent and the rule never fires.
    $net.additional.fields["Initiated"] = "true"
    // 0.0.0.0/0 covers every IPv4 address, so this line effectively only
    // requires principal.ip to be populated with an IPv4 value.
    net.ip_in_range_cidr($net.principal.ip, "0.0.0.0/0")
    // Exclude the Network Service account in the localisations carried over
    // from the Sigma source; the French name is matched as two fragments so
    // the accented character need not be spelled out.
    NOT (
        strings.contains(strings.to_upper($net.principal.user.userid), "NETWORK SERVICE") or
        strings.contains(strings.to_upper($net.principal.user.userid), "NETZWERKDIENST") or
        strings.contains(strings.to_upper($net.principal.user.userid), "SERVICIO DE RED") or
        strings.contains(strings.to_upper($net.principal.user.userid), "SERVIZIO DI RETE")
        or
        (
            strings.contains(strings.to_upper($net.principal.user.userid), "SERVICE R") and
            strings.contains(strings.to_upper($net.principal.user.userid), "SEAU")
        )
    )
    // Exclude loopback on either side of the connection.
    NOT (
        $net.principal.ip = "::1" or
        $net.principal.ip = "127.0.0.1" or
        $net.target.ip = "::1" or
        $net.target.ip = "127.0.0.1"
    )
    // Vendor-specific exclusion carried over from the Sigma source.
    NOT (
        $net.principal.process.file.full_path = "C:\\Program Files\\Avast Software\\Avast\\AvastSvc.exe" nocase or
        $net.principal.process.file.full_path = "C:\\Program Files (x86)\\Avast Software\\Avast\\AvastSvc.exe" nocase
    )

    // Grouping key for the match window.
    $net.principal.hostname = $hostname

  // Connections from the same host within five minutes roll up into one detection.
  match:
    $hostname over 5m

  outcome:
    //example usage of specifying test user and hostname to adjust risk score
    // The placeholder user/host pair scores 0; every other event scores 15.
    $risk_score = max(if($net.principal.user.userid = "user" and $net.principal.hostname = "hostname", 0, 15))
    $principal_ip = array_distinct($net.principal.ip)
    $principal_port = array_distinct($net.principal.port)
    $principal_process_pid = array_distinct($net.principal.process.pid)
    $principal_process_command_line = array_distinct($net.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($net.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($net.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($net.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($net.principal.process.parent_process.product_specific_process_id)
    $principal_user_userid = array_distinct($net.principal.user.userid)
    $target_ip = array_distinct($net.target.ip)
    $target_port = array_distinct($net.target.port)

  condition:
    $net
}
Chronicle (YARA-L) Original YARA-L High T1112 ↗
potential_tampering_with_rdp_related_registry_keys_via_reg_exe
Detects the execution of reg.exe for enabling/disabling the RDP service on the host by tampering with the CurrentControlSet\\Control\\Terminal Server values
rule potential_tampering_with_rdp_related_registry_keys_via_reg_exe {
  // Flags reg.exe launches that force-write (" /f") a REG_DWORD under
  // CurrentControlSet\Control\Terminal Server - the values that switch RDP
  // on/off or change its session limits. Translated from the Sigma rule
  // named in `reference`; see `sigma_uuid`.

  meta:
    author = "pH-T (Nextron Systems), @Kostastsale, TheDFIRReport"
    description = "Detects the execution of reg.exe for enabling/disabling the RDP service on the host by tampering with the CurrentControlSet\\Control\\Terminal Server values"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "Potential Tampering With RDP Related Registry Keys Via Reg.EXE"
    sigma_uuid = "0d5675be-bc88-4172-86d3-1e96a4476536"
    sigma_status = "test"
    rule_id = "mr_60818065-6198-4650-ab78-306267b5f165"
    tactic = "TA0005"
    technique = "T1112"
    type = "Detection"
    data_source = "Windows Event Logs"
    platform = "Windows"
    severity = "High"
    priority = "High"
    false_positives = "Unknown"

  events:
    $process.metadata.event_type = "PROCESS_LAUNCH"
    // Image check: the launched image ends in \reg.exe, or the src-side file
    // name equals reg.exe (presumably the Sigma OriginalFileName mapping -
    // confirm against the parser in use).
    (
        re.regex($process.target.process.file.full_path, `\\reg\.exe$`) nocase or
        $process.src.process.file.full_path = "reg.exe" nocase
    )
    // All four fragments are required on the same command line: an " add "
    // against the Terminal Server key, a REG_DWORD type and the " /f" force
    // flag. Case-folding is done with to_lower/to_upper rather than nocase.
    (
        strings.contains(strings.to_lower($process.target.process.command_line), " add ") and
        strings.contains(strings.to_lower($process.target.process.command_line), "\\currentcontrolset\\control\\terminal server") and
        strings.contains(strings.to_upper($process.target.process.command_line), "REG_DWORD") and
        strings.contains(strings.to_lower($process.target.process.command_line), " /f")
    )
    // The value being written must be RDP-relevant: either the
    // "Licensing Core" + EnableConcurrentSessions pair, or any one of the
    // listed Terminal Server value names (fDenyTSConnections etc.).
    (
        (
        strings.contains(strings.to_lower($process.target.process.command_line), "licensing core") and
        strings.contains(strings.to_lower($process.target.process.command_line), "enableconcurrentsessions")
        )
        or
        (
            strings.contains(strings.to_lower($process.target.process.command_line), "winstations\\rdp-tcp") or
            strings.contains(strings.to_lower($process.target.process.command_line), "maxinstancecount") or
            strings.contains(strings.to_lower($process.target.process.command_line), "fenablewinstation") or
            strings.contains(strings.to_lower($process.target.process.command_line), "tsuserenabled") or
            strings.contains(strings.to_lower($process.target.process.command_line), "tsenabled") or
            strings.contains(strings.to_lower($process.target.process.command_line), "tsapcompat") or
            strings.contains(strings.to_lower($process.target.process.command_line), "idlewinstationpoolcount") or
            strings.contains(strings.to_lower($process.target.process.command_line), "tsadvertise") or
            strings.contains(strings.to_lower($process.target.process.command_line), "allowtsconnections") or
            strings.contains(strings.to_lower($process.target.process.command_line), "fsinglesessionperuser") or
            strings.contains(strings.to_lower($process.target.process.command_line), "fdenytsconnections")
        )
    )
    $process.principal.hostname = $hostname

  match:
    // One detection per host per 5-minute window; matching events are
    // aggregated into the outcome arrays below.
    $hostname over 5m

  outcome:
    // Template hook: score 0 for a known test user/host pair, otherwise 15.
    // Replace the "user"/"hostname" placeholders before deploying.
    //example usage of specifying test user and hostname to adjust risk score
    $risk_score = max(if($process.principal.user.userid = "user" and $process.principal.hostname = "hostname", 0, 15))
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    // NOTE(review): "specfic" is a typo (sibling registry rules spell it
    // "specific"); left unchanged because these names are the detection's
    // output fields and downstream consumers may key on them.
    $principal_process_product_specfic_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specfic_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specfic_process_id = array_distinct($process.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($process.principal.user.userid)
    // log_type/product_event_type pair, e.g. for triage of which source fired.
    $log_type = array_distinct(strings.concat($process.metadata.log_type,"/",$process.metadata.product_event_type))

  condition:
    $process
}
Chronicle (YARA-L) Original YARA-L High T1003.001 ↗
process_memory_dump_via_comsvcs_dll
Detects a process memory dump via comsvcs.dll using rundll32, covering multiple different techniques
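rule process_memory_dump_via_comsvcs_dll {
  // Flags rundll32 launches whose command line calls the comsvcs.dll
  // MiniDump export (ordinal #24 / "MiniDump") with a "full" dump request.
  // Translated from the Sigma rule named in `reference`; see `sigma_uuid`.
  //
  // Fix: in the first command-line branch the (comsvcs AND full) group and the
  // ordinal-marker group were joined with `or`. In the Sigma source both lists
  // sit in the same selection map and are therefore ANDed, and the second
  // branch of this rule already uses `and` for the identical shape. With `or`
  // the rule fired on any rundll32 command line containing "#-", "#+", "#24"
  // or "minidump" on its own, regardless of comsvcs.

  meta:
    author = "Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)"
    description = "Detects a process memory dump via comsvcs.dll using rundll32, covering multiple different techniques"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "Process Memory Dump Via Comsvcs.DLL"
    sigma_uuid = "646ea171-dded-4578-8a4d-65e9822892e3"
    sigma_status = "test"
    rule_id = "mr_ad21bd09-c624-48c8-a949-a82a40fbb88c"
    tactic = "TA0006"
    technique = "T1003.001"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "High"
    priority = "High"
    false_positives = "Unlikely"

  events:
    $process.metadata.event_type = "PROCESS_LAUNCH"
    // Outer OR: first branch = rundll32 image check AND selection_cli_1;
    // second branch = selection_cli_2 (ordinal 24 spelled out with a
    // leading space/comma).
    (
        (
            // rundll32 by image path, by src-side file name (presumably the
            // Sigma OriginalFileName mapping - confirm), or as a bare
            // "rundll32" substring anywhere in the command line.
            (
                re.regex($process.target.process.file.full_path, `\\rundll32\.exe$`) nocase or
                $process.src.process.file.full_path = "RUNDLL32.EXE" nocase or
                strings.contains(strings.to_lower($process.target.process.command_line), "rundll32")
            )
            and
            // selection_cli_1: comsvcs + full, AND one of the MiniDump
            // ordinal/name markers.
            (
                (
                    strings.contains(strings.to_lower($process.target.process.command_line), "comsvcs") and
                    strings.contains(strings.to_lower($process.target.process.command_line), "full")
                )
                and
                (
                    strings.contains($process.target.process.command_line, "#-") or
                    strings.contains($process.target.process.command_line, "#+") or
                    strings.contains($process.target.process.command_line, "#24") or
                    strings.contains(strings.to_lower($process.target.process.command_line), "minidump")
                )
            )
        )
        or
        (
                // selection_cli_2: "24" + comsvcs + full, AND an ordinal
                // separator (" #", ",#" or ", #") before it.
                (
                    strings.contains($process.target.process.command_line, "24") and
                    strings.contains(strings.to_lower($process.target.process.command_line), "comsvcs") and
                    strings.contains(strings.to_lower($process.target.process.command_line), "full")
                )
                and
                (
                    strings.contains($process.target.process.command_line, " #") or
                    strings.contains($process.target.process.command_line, ",#") or
                    strings.contains($process.target.process.command_line, ", #")
                )
        )
    )
    $process.principal.hostname = $hostname

  match:
    // One detection per host per 5-minute window.
    $hostname over 5m

  outcome:
    // Template hook: score 0 for a known test user/host pair, otherwise 15.
    // Replace the "user"/"hostname" placeholders before deploying.
    //example usage of specifying test user and hostname to adjust risk score
    $risk_score = max(if($process.principal.user.userid = "user" and $process.principal.hostname = "hostname", 0, 15))
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    // NOTE(review): "specfic" is a typo; kept because these are the
    // detection's output field names.
    $principal_process_product_specfic_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specfic_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specfic_process_id = array_distinct($process.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($process.principal.user.userid)
    $log_type = array_distinct(strings.concat($process.metadata.log_type,"/",$process.metadata.product_event_type))

  condition:
    $process
}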
Chronicle (YARA-L) Original YARA-L High T1003.001 ↗
process_memory_dump_via_rdrleakdiag
Detects the use of the Microsoft Windows Resource Leak Diagnostic tool rdrleakdiag.exe to dump process memory
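rule process_memory_dump_via_rdrleakdiag {
  // Flags rdrleakdiag.exe launches that request a memory dump (/memdmp or
  // fullmemdmp) together with an output (/o) or process (/p) switch.
  // Translated from the Sigma rule named in `reference`; see `sigma_uuid`.
  //
  // Fix: the image regex lacked the leading path separator that every other
  // image check on this page uses (`\\reg\.exe$`, `\\rundll32\.exe$`, ...),
  // so any file name merely ending in "rdrleakdiag.exe" matched. It now
  // requires the exact file name.

  meta:
    author = "Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)"
    description = "Detects the use of the Microsoft Windows Resource Leak Diagnostic tool rdrleakdiag.exe to dump process memory"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "Process Memory Dump via RdrLeakDiag.exe"
    sigma_uuid = "edadb1e5-5919-4e4c-8462-a9e643b02c4b"
    sigma_status = "test"
    rule_id = "mr_89eca7b6-5b7e-4bd1-978e-156bd00f5324"
    tactic = "TA0006"
    technique = "T1003.001"
    type = "Detection"
    data_source = "Windows Event Logs"
    platform = "Windows"
    severity = "High"
    priority = "High"
    false_positives = "Unlikely"

  events:
    $process.metadata.event_type = "PROCESS_LAUNCH"
    // Image check: launched image ends in \rdrleakdiag.exe, or the src-side
    // file name equals RdrLeakDiag.exe (presumably the Sigma OriginalFileName
    // mapping - confirm).
    (
        re.regex($process.target.process.file.full_path, `\\rdrleakdiag\.exe$`) nocase or
        $process.src.process.file.full_path = "RdrLeakDiag.exe" nocase
    )
    // "/memdmp" or "fullmemdmp" anywhere in the command line ...
    re.regex($process.target.process.command_line, `(/|full)memdmp`) nocase
    // ... plus any switch starting with /o or /p. This is deliberately loose
    // (it also matches longer switches beginning with those letters).
    re.regex($process.target.process.command_line, `/(o|p)`) nocase

    $process.principal.hostname = $hostname

  match:
    // One detection per host per 5-minute window.
    $hostname over 5m

  outcome:
    // Template hook: score 0 for a known test user/host pair, otherwise 15.
    // Replace the "user"/"hostname" placeholders before deploying.
    //example usage of specifying test user and hostname to adjust risk score
    $risk_score = max(if($process.principal.user.userid = "user" and $process.principal.hostname = "hostname", 0, 15))
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    // NOTE(review): "specfic" is a typo; kept because these are the
    // detection's output field names.
    $principal_process_product_specfic_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specfic_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specfic_process_id = array_distinct($process.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($process.principal.user.userid)
    $log_type = array_distinct(strings.concat($process.metadata.log_type,"/",$process.metadata.product_event_type))

  condition:
    $process
}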
Chronicle (YARA-L) Original YARA-L High T1112 ↗
rdp_sensitive_settings_changed
Detects tampering with sensitive RDP Terminal Service/Server settings, such as allowing unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'.
rule rdp_sensitive_settings_changed {
  // Flags registry writes to RDP/Terminal Services settings that weaken
  // session security (Shadow, fAllowUnsolicited*, DisableSecuritySettings,
  // InitialProgram, the TermService ServiceDll). Translated from the Sigma
  // rule named in `reference`; see `sigma_uuid`.

  meta:
    author = "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali"
    description = "Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "RDP Sensitive Settings Changed"
    rule_id = "mr_4c75375c-7ebf-4f9f-9b30-7aaab63dba8d"
    sigma_uuid = "3f6b7b62-61aa-45db-96bd-9c31b36b653c"
    sigma_status = "test"
    tactic = "TA0005"
    // Secondary tactic (Persistence) kept commented out; meta allows one value.
    //tactic = "TA0003"
    technique = "T1112"
    type = "Detection"
    data_source = "Windows Registry"
    platform = "Windows"
    severity = "High"
    priority = "High"
    false_positives = "Some of the keys mentioned here could be modified by an administrator while setting group policy"

  events:
    $reg.metadata.event_type = "REGISTRY_MODIFICATION"
    // Three alternatives:
    //  1. ...\Shadow under Terminal Server / Terminal Services set to 1-4
    //     (any non-zero shadowing mode).
    //  2. DisableRemoteDesktopAntiAlias, DisableSecuritySettings,
    //     fAllowUnsolicited or fAllowUnsolicitedFullControl set to 1.
    //  3. Any write to the InitialProgram values or the TermService
    //     ServiceDll, regardless of data.
    // Value data is compared in the "DWORD (0x0000000N)" rendering; confirm
    // this is how the registry log source in use formats DWORD data.
    (
        (
            (
                strings.contains(strings.to_lower($reg.target.registry.registry_key), "\\control\\terminal server\\") or
                strings.contains(strings.to_lower($reg.target.registry.registry_key), "\\windows nt\\terminal services\\")
            ) and
            re.regex($reg.target.registry.registry_key, `\\Shadow$`) nocase and
            (
                $reg.target.registry.registry_value_data = "DWORD (0x00000001)" nocase or
                $reg.target.registry.registry_value_data = "DWORD (0x00000002)" nocase or
                $reg.target.registry.registry_value_data = "DWORD (0x00000003)" nocase or
                $reg.target.registry.registry_value_data = "DWORD (0x00000004)" nocase
            )
        )
        or
        (
            (
                strings.contains(strings.to_lower($reg.target.registry.registry_key), "\\control\\terminal server\\") or
                strings.contains(strings.to_lower($reg.target.registry.registry_key), "\\windows nt\\terminal services\\")
            ) and
            (
                re.regex($reg.target.registry.registry_key, `\\DisableRemoteDesktopAntiAlias$`) nocase or
                re.regex($reg.target.registry.registry_key, `\\DisableSecuritySettings$`) nocase or
                re.regex($reg.target.registry.registry_key, `\\fAllowUnsolicited$`) nocase or
                re.regex($reg.target.registry.registry_key, `\\fAllowUnsolicitedFullControl$`) nocase
            ) and
            $reg.target.registry.registry_value_data = "DWORD (0x00000001)" nocase
        )
        or
        (
            strings.contains(strings.to_lower($reg.target.registry.registry_key), "\\control\\terminal server\\initialprogram") or
            strings.contains(strings.to_lower($reg.target.registry.registry_key), "\\control\\terminal server\\winstations\\rdp-tcp\\initialprogram") or
            strings.contains(strings.to_lower($reg.target.registry.registry_key), "\\services\\termservice\\parameters\\servicedll") or
            strings.contains(strings.to_lower($reg.target.registry.registry_key), "\\windows nt\\terminal services\\initialprogram")
        )
    )
    $reg.principal.hostname = $hostname

  match:
    // One detection per host per 5-minute window.
    $hostname over 5m

  outcome:
    // Template hook: score 0 for a known test user/host pair, otherwise 15.
    // Replace the "user"/"hostname" placeholders before deploying. Per the
    // false_positives note above, GPO-driven writes may need an allow-list here.
    //example usage of specifying test user and hostname to adjust risk score
    $risk_score = max(if($reg.principal.user.userid = "user" and $reg.principal.hostname = "hostname", 0, 15))
    $principal_hostname = array_distinct($reg.principal.hostname)
    $principal_process_pid = array_distinct($reg.principal.process.pid)
    $principal_process_file_full_path = array_distinct($reg.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($reg.principal.process.product_specific_process_id)
    $principal_user_userid = array_distinct($reg.principal.user.userid)
    // The key and data that triggered the match, for triage.
    $target_registry_key = array_distinct($reg.target.registry.registry_key)
    $target_registry_value_data = array_distinct($reg.target.registry.registry_value_data)
    $log_type = array_distinct(strings.concat($reg.metadata.log_type,"/",$reg.metadata.product_event_type))

  condition:
    $reg
}
Chronicle (YARA-L) Original YARA-L High T1003.001 ↗
renamed_createdump_utility_execution
Detects uses of a renamed legitimate createdump.exe LOLBIN utility to dump process memory
rule renamed_createdump_utility_execution {
  // Flags createdump-style invocations where the launched image is NOT named
  // createdump.exe, i.e. the tool was copied/renamed before use. Translated
  // from the Sigma rule named in `reference`; see `sigma_uuid`.

  meta:
    author = "Florian Roth (Nextron Systems)"
    description = "Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "Renamed CreateDump Utility Execution"
    sigma_uuid = "1a1ed54a-2ba4-4221-94d5-01dee560d71e"
    sigma_status = "test"
    rule_id = "mr_d680d855-18b0-4a96-9844-1a1e41a239c9"
    tactic = "TA0006"
    technique = "T1003.001"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "High"
    priority = "High"
    false_positives = "Command lines that use the same flags"

  events:
    $process.metadata.event_type = "PROCESS_LAUNCH"
    // Any of three indicators:
    //  1. src-side file name equals the literal "FX_VER_INTERNALNAME_STR"
    //     (presumably the Sigma OriginalFileName value for createdump
    //     builds - confirm against the referenced rule).
    //  2. short-form flags " -u " and " -f " with a ".dmp" argument.
    //  3. long-form flags " --full " and " --name " with a ".dmp" argument.
    // Branches 2 and 3 are case-sensitive and match any tool using the same
    // flags, which is the false_positives note above.
    (
        (
            $process.src.process.file.full_path = "FX_VER_INTERNALNAME_STR" nocase
        )
        or
        (
            strings.contains($process.target.process.command_line, " -u ") and
            strings.contains($process.target.process.command_line, " -f ") and
            strings.contains($process.target.process.command_line, ".dmp")
        )
        or
        (
            strings.contains($process.target.process.command_line, " --full ") and
            strings.contains($process.target.process.command_line, " --name ") and
            strings.contains($process.target.process.command_line, ".dmp")
        )
    )
    // Exclude the genuine file name; only renamed copies remain.
    // NOTE(review): this is the only upper-case `NOT` on the page while the
    // other operators are lower-case - confirm the parser accepts it.
    NOT re.regex($process.target.process.file.full_path, `\\createdump\.exe$`) nocase

    $process.principal.hostname = $hostname

  match:
    // One detection per host per 5-minute window.
    $hostname over 5m

  outcome:
    // Template hook: score 0 for a known test user/host pair, otherwise 15.
    // Replace the "user"/"hostname" placeholders before deploying.
    //example usage of specifying test user and hostname to adjust risk score
    $risk_score = max(if($process.principal.user.userid = "user" and $process.principal.hostname = "hostname", 0, 15))
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    // NOTE(review): "specfic" is a typo; kept because these are the
    // detection's output field names.
    $principal_process_product_specfic_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specfic_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specfic_process_id = array_distinct($process.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($process.principal.user.userid)
    $log_type = array_distinct(strings.concat($process.metadata.log_type,"/",$process.metadata.product_event_type))

  condition:
    $process
}
Chronicle (YARA-L) Original YARA-L High T1112 ↗
restrictedadminmode_registry_value_tampering
Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised.
rule restrictedadminmode_registry_value_tampering {
  // Flags any modification of the Lsa\DisableRestrictedAdmin value. The rule
  // does not inspect the written data, so both enabling and disabling
  // RestrictedAdmin mode match; triage on $target_registry_value_data.
  // Translated from the Sigma rule named in `reference`; see `sigma_uuid`.

  meta:
    author = "frack113"
    description = "Detects changes to the \"DisableRestrictedAdmin\" registry value in order to disable or enable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "RestrictedAdminMode Registry Value Tampering"
    rule_id = "mr_c996dba7-ebc0-4472-849c-d6ddebffa601"
    sigma_uuid = "d6ce7ebd-260b-4323-9768-a9631c8d4db2"
    sigma_status = "test"
    tactic = "TA0005"
    technique = "T1112"
    type = "Detection"
    data_source = "Sysmon Windows Registry"
    platform = "Windows"
    severity = "High"
    priority = "High"
    false_positives = "Unknown"

  events:
    $reg.metadata.event_type = "REGISTRY_MODIFICATION"
    // Key must end in System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin
    // (the hive prefix is not anchored, so HKLM\ and long-form hive names
    // both match).
    re.regex($reg.target.registry.registry_key, `System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin$`) nocase

    $reg.principal.hostname = $hostname

  match:
    // One detection per host per 5-minute window.
    $hostname over 5m

  outcome:
    // Template hook: score 0 for a known test user/host pair, otherwise 15.
    // Replace the "user"/"hostname" placeholders before deploying.
    //example usage of specifying test user and hostname to adjust risk score
    $risk_score = max(if($reg.principal.user.userid = "user" and $reg.principal.hostname = "hostname", 0, 15))
    $principal_hostname = array_distinct($reg.principal.hostname)
    $principal_process_pid = array_distinct($reg.principal.process.pid)
    $principal_process_file_full_path = array_distinct($reg.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($reg.principal.process.product_specific_process_id)
    $principal_user_userid = array_distinct($reg.principal.user.userid)
    $target_registry_key = array_distinct($reg.target.registry.registry_key)
    // The written data tells enable (0) from disable (1); surfaced for triage.
    $target_registry_value_data = array_distinct($reg.target.registry.registry_value_data)
    $log_type = array_distinct(strings.concat($reg.metadata.log_type,"/",$reg.metadata.product_event_type))

  condition:
    $reg
}