Hunt pack: INC Ransom
1,177 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Vendor-native detections covering the ATT&CK techniques attributed to INC Ransom - a ready-to-deploy hunt pack across Splunk, Elastic and Sentinel.
recon_environment_enumeration_active_directory_cisa_report
Detects group enumeration commands as identified in the CISA Living off the Land PDF. Alone they may be normal, but in concert they may be worth looking into.
rule recon_environment_enumeration_active_directory_cisa_report {
meta:
author = "Google Cloud Security"
description = "Detects group enumeration commands as identified in CISA Living off the Land pdf. Alone they may be normal but in concert, they may be worth looking into"
rule_id = "mr_f7609336-c490-4601-bb75-1a1a142ad1cd"
rule_name = "Recon Environment Enumeration Active Directory CISA Report"
type = "hunt"
platform = "Windows"
data_source = "microsoft sysmon, windows event logs"
tactic = "TA0007"
technique = "T1069.002"
reference = "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"
severity = "Low"
priority = "Low"
events:
// Hunt rule: groups process launches per host and only fires once several distinct command lines
// matching the group-enumeration patterns below are seen on the same host inside the match window.
$process.metadata.event_type = "PROCESS_LAUNCH"
$process.principal.hostname = $hostname
// $command_line is the placeholder whose distinct values are counted by #command_line in the condition.
$process.target.process.command_line = $command_line
// cisa report referenced cmd /c in their report throughout, can filter this in/out for tuning as desired
// NOTE(review): the leading `(|cmd.*/c)` alternation has an empty first branch, so the `cmd /c` prefix is
// optional and each pattern effectively reduces to the tokens after it (e.g. `net.*localgroup.*administrators`).
(
re.regex($process.target.process.command_line, `(|cmd.*/c).*net.*localgroup.*administrators`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*net.*group.*\/dom`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*net.*group.*Domain.*Admins.*\/dom`) nocase
)
match:
// One detection per host per 15-minute window.
$hostname over 15m
outcome:
$risk_score = 35
$event_count = count_distinct($process.metadata.id)
// NOTE(review): reported as max(1) here, while the condition below requires #command_line > 3 and the sibling
// network/system rules report the same threshold they test against — confirm whether this should read max(3).
$unique_command_line_threshold = max(1)
// added to populate alert graph with additional context
// Commented out principal.hostname because it is already represented in graph as match variable. If match changes, can uncomment to add to results
//$principal_hostname = array_distinct($process.principal.hostname)
$principal_process_pid = array_distinct($process.principal.process.pid)
$principal_process_command_line = array_distinct($process.principal.process.command_line)
$principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
$principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
$principal_process_product_specific_process_id = array_distinct($process.principal.process.product_specific_process_id)
$principal_process_parent_process_product_specific_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
$target_process_pid = array_distinct($process.target.process.pid)
$target_process_command_line = array_distinct($process.target.process.command_line)
$target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
$target_process_file_full_path = array_distinct($process.target.process.file.full_path)
$target_process_product_specific_process_id = array_distinct($process.target.process.product_specific_process_id)
$principal_user_userid = array_distinct($process.principal.user.userid)
condition:
// modify the condition value for command line to throttle how many of these commands can be issued until the rule is triggered
// Fires when more than 3 distinct matching command lines were observed on one host within the 15m window.
$process and #command_line > 3
}recon_environment_enumeration_network_cisa_report
Detects network enumeration commands as identified in the CISA Living off the Land PDF. Alone they may be normal, but in concert they may be worth looking into.
rule recon_environment_enumeration_network_cisa_report {
meta:
author = "Google Cloud Security"
description = "Detects network enumeration commands as identified in CISA Living off the Land pdf. Alone they may be normal but in concert, they may be worth looking into"
rule_id = "mr_9ca49a46-fb60-4ada-b722-5714d5cb7f53"
rule_name = "Recon Environment Enumeration Network CISA Report"
type = "hunt"
platform = "Windows"
data_source = "microsoft sysmon, windows event logs"
tactic = "TA0007"
technique = "T1016"
reference = "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"
severity = "Low"
priority = "Low"
events:
// Hunt rule with two event branches: (1) process launches whose command line matches one of the
// network-enumeration patterns, or (2) a DNS question for www.ip-api.com. Both are grouped per host.
(
$process.metadata.event_type = "PROCESS_LAUNCH" and
(
// cisa report referenced cmd /c in their report throughout, can filter this in/out for tuning as needed
// The `(|cmd.*/c)` prefix has an empty branch, so `cmd /c` is optional in every pattern below.
re.regex($process.target.process.command_line, `(|cmd.*/c).*arp.*-a`) nocase or
// Unescaped dots in the hostname match any character; harmless here but slightly broader than intended.
re.regex($process.target.process.command_line, `(|cmd.*/c).*curl.*www.ip-api.com`) nocase or
// the following line is a broader look at dnscmd /enumrecords not explicitly called out in the report can comment out if not needed
//re.regex($process.target.process.command_line, `(|cmd.*/c).*dnscmd.*/enumrecords`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*dnscmd.*/enumrecords.*/zone`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*dnscmd.*/enumzones`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*dnscmd.*/enumrecords.*/additional`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*ipconfig.*/all`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*netsh.*interface.*firewall.*show`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*netsh.*interface.*portproxy.*show`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*netsh.*interface.*portproxy.*show.*v4tov4`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*netsh.*firewall.*show`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*netsh.*portproxy.*show.*v4tov4`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*netstat.*-ano`) nocase
)
)
or
(
// C2 like Covenant will mask curl command running from PowerShell; added this to detect DNS lookup for this site as another method to identify
$process.metadata.event_type = "NETWORK_DNS" and
$process.network.application_protocol = "DNS" and
$process.network.dns.questions.name = "www.ip-api.com"
)
// NOTE(review): both placeholder bindings below apply to every event, including the NETWORK_DNS branch, which
// carries no target.process.command_line; together with `#command_line > 5` in the condition this looks like
// the DNS branch cannot trigger the rule on its own — confirm against test data before relying on it.
$process.principal.hostname = $hostname
$process.target.process.command_line = $command_line
match:
// One detection per host per 15-minute window.
$hostname over 15m
outcome:
$risk_score = 35
$event_count = count_distinct($process.metadata.id)
// Plain literal here, whereas the sibling CISA rules wrap the same value in max(); value matches the condition below.
$unique_command_line_threshold = 5
// added to populate alert graph with additional context
// Commented out principal.hostname because it is already represented in graph as match variable. If match changes, can uncomment to add to results
//$principal_hostname = array_distinct($process.principal.hostname)
$principal_process_pid = array_distinct($process.principal.process.pid)
$principal_process_command_line = array_distinct($process.principal.process.command_line)
$principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
$principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
$principal_process_product_specific_process_id = array_distinct($process.principal.process.product_specific_process_id)
$principal_process_parent_process_product_specific_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
$target_process_pid = array_distinct($process.target.process.pid)
$target_process_command_line = array_distinct($process.target.process.command_line)
$target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
$target_process_file_full_path = array_distinct($process.target.process.file.full_path)
$target_process_product_specific_process_id = array_distinct($process.target.process.product_specific_process_id)
$principal_user_userid = array_distinct($process.principal.user.userid)
condition:
// modify the condition value for command line to throttle how many of these commands can be issued until the rule is triggered
// Fires when more than 5 distinct matching command lines were observed on one host within the 15m window.
$process and #command_line > 5
}recon_environment_enumeration_system_cisa_report
Detects system enumeration events as identified in the CISA Living off the Land PDF. Alone they may be normal, but in concert they may be worth looking into.
rule recon_environment_enumeration_system_cisa_report {
meta:
author = "Google Cloud Security"
description = "Detects system enumeration events as identified in CISA Living off the Land pdf. Alone they may be normal but in concert, they may be worth looking into"
rule_id = "mr_086dede6-33ba-42df-b001-5595ceb0d589"
rule_name = "Recon Environment Enumeration System CISA Report"
type = "hunt"
platform = "Windows"
data_source = "microsoft sysmon, windows event logs"
tactic = "TA0007"
technique = "T1082"
reference = "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"
severity = "Low"
priority = "Low"
events:
// Hunt rule: groups process launches per host and fires once more than 5 distinct command lines match
// either the wevtutil security-log query pattern or one of the system-enumeration patterns in the group below.
$process.metadata.event_type = "PROCESS_LAUNCH"
$process.principal.hostname = $hostname
// $command_line is the placeholder whose distinct values are counted by #command_line in the condition.
$process.target.process.command_line = $command_line
// Square brackets and parentheses are escaped so the XPath-style filter is matched literally.
re.regex($process.target.process.command_line, `wevtutil.*qe.*security.*\/rd:true.*\/f:text.*\/q:.*\[System\[\(EventID`) nocase
// below is the more specific command down to the event id, could comment out the about and use this instead if desired
//re.regex($process.target.process.command_line, `wevtutil.*qe.*security.*\/rd:true.*\/f:text.*\/q:\*\[System\[\(EventID=4624\).*TimeCreated\[@SystemTime.*\]\].*EventData\[Data.*\]\]`) nocase
// This `or` joins the wevtutil pattern above with the parenthesised group below into a single predicate, which is
// then implicitly ANDed with the event_type / hostname / command_line lines above it (reads that way — confirm on compile).
or
// cisa report referenced cmd /c in their report throughout, can filter this in/out for tuning as desired
// other wmic switches like /user and /password, these have been excluded to focus on the commands being issued since local access does not require these
// The `(|cmd.*/c)` prefix has an empty branch, so `cmd /c` is optional in every pattern below.
(
re.regex($process.target.process.command_line, `(|cmd.*/c).*ldifde.exe.*-f.*-p.*subtree`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*reg.*query.*hklm\\software\\`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*systeminfo`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*tasklist.*\/v`) nocase or
// `whoami` with no further qualifier is the broadest pattern in this group and will dominate the distinct-count on busy hosts.
re.regex($process.target.process.command_line, `(|cmd.*/c).*whoami`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*wmic.*volume.*list.*brief`) nocase or
// cisa report called out wmic volume list brief, below is alternate that removed brief to widen criteria
//re.regex($process.target.process.command_line, `(|cmd.*/c).*wmic.*volume.*list`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*wmic.*service.*brief`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*wmic.*product.*list.*brief`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*wmic.*baseboard.*list.*full`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*wmic.*path.*win32_logicaldisk.*get.*(caption|filesystem|freespace|size|volumename)`) nocase
)
match:
// One detection per host per 15-minute window.
$hostname over 15m
outcome:
$risk_score = 35
$event_count = count_distinct($process.metadata.id)
// Reported threshold; matches the `> 5` test in the condition below.
$unique_command_line_threshold = max(5)
// added to populate alert graph with additional context
// Commented out principal.hostname because it is already represented in graph as match variable. If match changes, can uncomment to add to results
//$principal_hostname = array_distinct($process.principal.hostname)
$principal_process_pid = array_distinct($process.principal.process.pid)
$principal_process_command_line = array_distinct($process.principal.process.command_line)
$principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
$principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
$principal_process_product_specific_process_id = array_distinct($process.principal.process.product_specific_process_id)
$principal_process_parent_process_product_specific_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
$target_process_pid = array_distinct($process.target.process.pid)
$target_process_command_line = array_distinct($process.target.process.command_line)
$target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
$target_process_file_full_path = array_distinct($process.target.process.file.full_path)
$target_process_product_specific_process_id = array_distinct($process.target.process.product_specific_process_id)
$principal_user_userid = array_distinct($process.principal.user.userid)
condition:
// modify the condition value for command line to throttle how many of these commands can be issued until the rule is triggered
// Fires when more than 5 distinct matching command lines were observed on one host within the 15m window.
$process and #command_line > 5
}sap_break_glass_account_login
Alerts whenever a default SAP administrative account (e.g., SAP*, DDIC, TMSADM) logs into the system. These accounts should be locked and used only for emergency 'break-glass' scenarios
rule sap_break_glass_account_login {
meta:
author = "Google Cloud Security"
description = "Alerts whenever a default SAP administrative account (e.g., SAP*, DDIC, TMSADM) logs into the system. These accounts should be locked and used only for emergency 'break-glass' scenarios"
severity = "Low"
tactic = "TA0001"
technique = "T1078"
events:
// Logon events from the SAP Security Audit Log. Either the raw audit message id (msg_1 of AU1/AU5 —
// presumably the successful-logon message classes, verify against the SAP audit catalogue) or the
// normalised USER_LOGIN event type qualifies, so raw and parsed representations are both covered.
$e.metadata.log_type = "SAP_SECURITY_AUDIT"
(
$e.additional.fields["msg_1"] = /^AU1$|^AU5$/ or
$e.metadata.event_type = "USER_LOGIN"
)
$e.principal.user.userid = $userid
// Anchored, case-insensitive allow-list of default administrative accounts; `\*` keeps the literal
// asterisk in SAP*. Add landscape-specific break-glass accounts here if needed.
$userid = /^DDIC$|^EARLYWATCH$|^SAP\*$|^TMSADM$/ nocase
match:
// One detection per account per hour.
$userid over 1h
outcome:
$event_count = count_distinct($e.metadata.id)
// Risk steps up once the account has logged in 10 or more times inside the window.
$risk_score = if($event_count < 10, 20, 40)
$vendor_name = array_distinct($e.metadata.vendor_name)
$product_name = array_distinct($e.metadata.product_name)
$product_severity = array_distinct($e.security_result.severity)
$event_description = array_distinct($e.metadata.description)
// NOTE(review): victim and adversary are both taken from user fields of the same logon event — confirm that
// target.user.userid is populated for SAP_SECURITY_AUDIT logons, otherwise $victim_name will be empty.
$victim_name = array_distinct($e.target.user.userid)
$adversary_name = array_distinct($e.principal.user.userid)
// Earliest event time in the window, for timelining.
$result_time = min($e.metadata.event_timestamp.seconds)
condition:
$e
}sap_gateway_acl_bypass_attempt
Detects rejected connections by Gateway ACLs (secinfo/reginfo), indicating an attempt to bypass network-layer security.
rule sap_gateway_acl_bypass_attempt {
meta:
author = "Google Cloud Security"
description = "Detects rejected connections by Gateway ACLs (secinfo/reginfo), indicating an attempt to bypass network-layer security."
severity = "Low"
tactic = "TA0001"
technique = "T1190"
events:
// SAP Gateway log entries where an ACL decision (event_action naming secinfo or reginfo) resulted in a BLOCK.
// Any ACL hit counts; the rule does not distinguish a misconfigured legitimate client from a probe.
$e.metadata.product_name = "SAP_GATEWAY"
$e.additional.fields["event_action"] = /secinfo|reginfo/ nocase
$e.security_result.action = "BLOCK"
$source_ip = $e.principal.ip
match:
// One detection per source IP per 30-minute window.
$source_ip over 30m
outcome:
$risk_score = 5
// Which ACL(s) rejected the connection.
$acl_type = array_distinct($e.additional.fields["event_action"])
// Programs/paths the source tried to start or register through the gateway.
$attempted_programs = array_distinct($e.target.process.file.full_path)
$error_details = array_distinct($e.security_result.description)
$user_context = array_distinct($e.principal.user.userid)
// Plain count (not count_distinct): repeated log ids, if any, are counted each time.
$total_denials = count($e.metadata.product_log_id)
condition:
$e
}Azure Automation Account Created
Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management
tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain
persistence in their target's environment.
Azure Automation Runbook Deleted
Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to
disrupt their target's automated business operations or to remove a malicious runbook for defense evasion.
FTP (File Transfer Protocol) Activity to the Internet
This rule detects events that may indicate the use of FTP network connections to the Internet. The File Transfer
Protocol (FTP) has been around in its current form since the 1980s. It can be a common and efficient procedure on your
network to send and receive files. Because of this, adversaries will also often use this protocol to exfiltrate data
from your network or download new tools. Additionally, FTP is a plain-text protocol which, if intercepted, may expose
usernames and passwords. FTP activity involving servers subject to regulations or compliance standards may be
unauthorized.
File and Directory Discovery
Enumeration of files and directories using built-in tools. Adversaries may use the information discovered to plan
follow-on activity.
Kubernetes Unusual Decision by User Agent
This rule detects unusual request responses in Kubernetes audit logs through the use of the
"new_terms" rule type. In production environments, default API requests are typically made by
system components or trusted users, who are expected to have a consistent user agent and
allowed response annotations. By monitoring for anomalies in the username and response
annotations, this rule helps identify potential unauthorized access or misconfigurations
in the Kubernetes environment.
Network Connection via Signed Binary
Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature
validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass
application allowlists and signature validation.
Potential Port Scanning Activity from Compromised Host
This rule detects potential port scanning activity from a compromised host. Port scanning is a common reconnaissance
technique used by attackers to identify open ports and services on a target system. A compromised host may exhibit port
scanning behavior when an attacker is attempting to map out the network topology, identify vulnerable services, or
prepare for further exploitation. This rule identifies potential port scanning activity by monitoring network connection
attempts from a single host to a large number of ports within a short time frame. ES|QL rules have a limited set of fields
available in their alert documents. Make sure to review the original documents to aid in the investigation of this alert.
Process Discovery via Tasklist
Adversaries may attempt to get information about running processes on a system.
SMTP to the Internet
This rule detects events that may describe SMTP traffic from internal hosts to a host across the Internet. In an
enterprise network, there is typically a dedicated internal host that performs this function. It is also frequently
abused by threat actors for command and control, or data exfiltration.
Strace Process Activity
Strace is a useful diagnostic, instructional, and debugging tool. This rule identifies a privileged context execution of
strace which can be used to escape restrictive environments by instantiating a shell in order to elevate privileges or
move laterally.
Suspicious Print Spooler SPL File Created
Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including
CVE-2020-1048 and CVE-2020-1337.
System Information Discovery via dmidecode from Parent Shell
This rule detects the use of dmidecode to gather system information from a Linux host when executed from a parent
shell process. Adversaries may use dmidecode to collect detailed hardware and system information, which can aid in
further exploitation or lateral movement within a network, or be used as a fingerprint for a compromised system.
User Discovery via Whoami
The whoami application was executed on a Linux host. This is often used by tools and persistence mechanisms to test for
privileged access.
T1053_005_windows_creation_of_scheduled_task
Creation of scheduled task using command line
rule T1053_005_windows_creation_of_scheduled_task
{
meta:
author = "Google Cloud Security"
description = "Creation of scheduled task using command line"
reference = "https://attack.mitre.org/techniques/T1053/005/"
yara_version = "YL2.0"
rule_version = "1.0"
events:
// Single-event rule: any event whose *principal* (launching) process command line contains `schtasks /create`.
// NOTE(review): the pattern requires exactly one space and does not match `schtasks.exe /create` or extra
// whitespace; it also inspects principal.process rather than target.process, unlike the CISA-derived rules
// above — confirm which side of the launch is intended. No event_type filter is applied.
re.regex($e1.principal.process.command_line, `schtasks /create`) nocase
condition:
$e1
}a_variant_of_data_stealer_trojan_activity
This rule detects stealer behaviour: the malware deletes itself. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule a_variant_of_data_stealer_trojan_activity {
meta:
author = "Emir Erdogan"
description = "This rule detects a stealer behaviour. Malware deletes itself License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
reference = "https://tdm.socprime.com/tdm/info/f9ZYj4C5CNBg"
version = "0.01"
created = "2021-03-09"
product = "windows"
service = "sysmon"
mitre = "T1129, T1003, T1114, T1012, T1107"
events:
// Sigma-converted rule: a child executable from a fixed sample-specific name list, launched by a parent
// named setup_file.exe or setup_installer.exe. Indicators are sample-bound and likely to age quickly.
// NOTE(review): every pattern expects a forward slash before the file name (`.*/ralord\.exe`); Windows
// full_path values elsewhere on this page use backslashes (e.g. `C:\\Windows\\System32\\schtasks.exe`),
// so unless the parser normalises separators these patterns may never match — confirm against real events.
((re.regex($selection.target.process.file.full_path, `.*/ralord\.exe`) or re.regex($selection.target.process.file.full_path, `.*/lodron\.exe`) or re.regex($selection.target.process.file.full_path, `.*/019\.exe`) or re.regex($selection.target.process.file.full_path, `.*/016\.exe`)) and (re.regex($selection.principal.process.file.full_path, `.*/setup_file\.exe`) or re.regex($selection.principal.process.file.full_path, `.*/setup_installer\.exe`)))
condition:
$selection
}agenttesla_rat_detection
AgentTesla RAT Detection License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule agenttesla_rat_detection {
meta:
author = "Emir Erdogan"
description = "AgentTesla RAT Detection License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
reference = "https://tdm.socprime.com/tdm/info/bwpRaR1KCq8h"
version = "0.01"
created = "2021-03-09"
product = "windows"
service = "sysmon"
mitre = "T1053, T1081"
events:
// Sigma-converted rule keyed to one analysed sample: parent path must equal a specific hash-named .exe,
// the child must be RegSvcs.exe or the System32 schtasks.exe, and the schtasks command line must contain
// the sample's exact task name and temp XML path. All three indicators are sample-specific, so expect
// near-zero recall outside that sample; it is better treated as an IOC match than a behavioural detection.
// NOTE(review): principal.process.file.full_path is compared with an exact bare file name — if the field
// holds a full path this equality never holds. T1081 is a deprecated ATT&CK id (now T1552.001).
($selection.principal.process.file.full_path = "8cab6413fdc97e9cc90607b3a49175a7.exe" and (re.regex($selection.target.process.file.full_path, `.*RegSvcs\.exe`) or $selection.target.process.file.full_path = "C:\\Windows\\System32\\schtasks.exe") and re.regex($selection.target.process.command_line, `.*/Create /TN \"Updates\\ZwqpnECNvoWf\" /XML \"C:\\Users\\admin\\AppData\\Local\\Temp\\tmp6CEB\.tmp\"`))
condition:
$selection
}amadey_botnet_detection_ta505
This rule detects a bot called Amadey. It is used to collect information about the victim's environment, though it can also deliver other malware. The threat actor is considered to be TA505. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule amadey_botnet_detection_ta505 {
meta:
author = "Ariel Millahuel"
description = "This rule detects a bot called Amadey. This one is used in order to collect information victim's environment, though it can also deliver other malware. The threat actor is considered TA505 License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
reference = "https://tdm.socprime.com/tdm/info/oETtTqqsUAmk"
version = "0.01"
created = "2021-03-09"
product = "windows"
service = "sysmon"
mitre = "execution, T1059"
events:
// Registry persistence variant: Sysmon event 13 (product_event_type "13", presumably RegistryEvent value set —
// confirm mapping) touching the Run key or the Explorer "User Shell Folders" key, where the event description
// references a rundll32 launch of a DLL under the user's Temp folder or a path under C:\ProgramData\87...
// NOTE(review): the last pattern (`C:\\ProgramData\\87.*`) matches any ProgramData path starting with "87",
// which is much broader than the sample-specific 87e4c89e95 folder and may generate false positives.
($selection1.metadata.product_event_type = "13" and (re.regex($selection1.target.registry.registry_key, `.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.*`) or re.regex($selection1.target.registry.registry_key, `.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders.*`)) and (re.regex($selection1.metadata.description, `.* rundll32 C:\\Users.*\\AppData\\Local\\Temp\\cred\.dll, Main.*`) or re.regex($selection1.metadata.description, `.* rundll32 C:\\Users.*\\AppData\\Local\\Temp.*\.dll, Main.*`) or re.regex($selection1.metadata.description, `.*C:\\ProgramData\\87e4c89e95.*`) or re.regex($selection1.metadata.description, `.*C:\\ProgramData\\87.*`)))
condition:
$selection1
}amadey_botnet_detection_ta505_part_1
This rule detects a bot called Amadey. It is used to collect information about the victim's environment, though it can also deliver other malware. The threat actor is considered to be TA505. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule amadey_botnet_detection_ta505_part_1 {
meta:
author = "Ariel Millahuel"
description = "This rule detects a bot called Amadey. This one is used in order to collect information victim's environment, though it can also deliver other malware. The threat actor is considered TA505 License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
reference = "https://tdm.socprime.com/tdm/info/oETtTqqsUAmk"
version = "0.01"
created = "2021-03-09"
category = "process_creation"
product = "windows"
mitre = "execution, T1059"
events:
// Process-creation variant (Windows 4688 or Sysmon event 1) of the Amadey rule above. Matches one of:
// an exact rundll32 command line for cred.dll, an msiexec install from an http(s) URL with the sample's
// `STOP=1 ... ksw=%TEMP%` arguments, or a REG ADD that repoints the Startup shell folder into C:\ProgramData\87...
// NOTE(review): the first and fourth alternatives are exact string equalities that hard-code the user name
// `admin` and the full sample folder, so they only fire for a literal replay of the analysed sample; the two
// regex forms are the ones with any generality. `\"` inside the backtick regex is a regex escape for a quote.
(($selection2.target.process.command_line = "rundll32.exe C:\\Users\\admin\\AppData\\Local\\Temp\\cred.dll, Main" or re.regex($selection2.target.process.command_line, `msiexec\.exe STOP=1 /i http://.*\..*\..*\..*/dom.* /q ksw=%TEMP%`) or re.regex($selection2.target.process.command_line, `msiexec\.exe STOP=1 /i https://.*\..*\..*\..*/dom.* /q ksw=%TEMP%`) or $selection2.target.process.command_line = "REG ADD \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\" /f /v Startup /t REG_SZ /d C:\\ProgramData\\87e4c89e95" or re.regex($selection2.target.process.command_line, `REG ADD \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\" /f /v Startup /t REG_SZ /d C:\\ProgramData\\87.*`)) and ($selection2.metadata.product_event_type = "4688" or $selection2.metadata.product_event_type = "1"))
condition:
$selection2
}appinit_dll_hijacking_sysmon_behaviour
The AppInit_DLL functionality can be used to achieve persistence by ensuring that every user-mode process that is spawned will load a malicious DLL. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule appinit_dll_hijacking_sysmon_behaviour {
meta:
author = "Emir Erdogan"
description = "it can be used the AppInit_DLL functionality to achieve persistence by ensuring that every user mode process that is spawned will load its malicious DLL License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
reference = "https://tdm.socprime.com/tdm/info/DwmH4mVgWexR"
version = "0.01"
created = "2021-03-09"
product = "windows"
service = "sysmon"
mitre = "T1103, T1055"
events:
// reg.exe launched from cmd.exe with a command line that names the LoadAppInit_DLLs or AppInit_DLLs
// value under HKLM\...\Windows NT\CurrentVersion\Windows (native or Wow6432Node view).
// NOTE(review): the third pattern ends in `CurrentVersion\\WindowsAppInit_DLLs` — compared with the fourth
// pattern it appears to be missing the `\\` between `Windows` and `AppInit_DLLs`, so it would not match
// the real value path; confirm and fix. Coverage gaps by design: parent is pinned to the System32 cmd.exe
// (SysWOW64 cmd.exe, PowerShell or direct API writes are not covered), and reads (`reg query`) match as
// well as writes. T1103 is a deprecated ATT&CK id (now T1546.010).
($selection.principal.process.file.full_path = "C:\\Windows\\System32\\cmd.exe" and $selection.target.process.file.full_path = "C:\\Windows\\System32\\reg.exe" and (re.regex($selection.target.process.command_line, `.*HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs.*`) or re.regex($selection.target.process.command_line, `.*HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs.*`) or re.regex($selection.target.process.command_line, `.*HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WindowsAppInit_DLLs.*`) or re.regex($selection.target.process.command_line, `.*HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs.*`)))
condition:
$selection
}apt10_behavior
Detects an APT10 technique that uses the Windows \"certutil.exe\" functionality for payload decoding. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule apt10_behavior {
meta:
author = "Ariel Millahuel"
description = "Detects an ATP10's technique that uses Windows \"certutil.exe\" functionality for payload decoding License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
reference = "https://tdm.socprime.com/tdm/info/eG23WH8AEKB0"
version = "0.01"
created = "2021-03-09"
category = "process_creation"
product = "windows"
mitre = "execution, T1059"
events:
// Process creation (4688 or Sysmon 1) where either cmd.exe runs `certutil -decode` on one of three
// sample-specific padre*.txt files under C:\ProgramData, or esentutl.exe copies (/y ... /d ... /o) the
// decoded GUP/libcurl artefacts into place. File names and staging paths are bound to the analysed campaign.
// NOTE(review): target.process.file.full_path is compared for exact equality with the bare names "cmd.exe"
// and "esentutl.exe"; if the field carries a full path (as the other rules on this page assume with
// `C:\\Windows\\System32\\...`) neither branch can match — confirm how this log source populates full_path.
(($selection1.metadata.product_event_type = "4688" or $selection1.metadata.product_event_type = "1") and (($selection1.target.process.file.full_path = "cmd.exe" and (re.regex($selection1.target.process.command_line, `.*/c certutil -decode C:\\ProgramData\\padre1\.txt C:\\ProgramData.*\\GUP\.txt.*`) or re.regex($selection1.target.process.command_line, `.*/c certutil -decode C:\\ProgramData\\padre2\.txt C:\\ProgramData.*\\libcurl\.txt.*`) or re.regex($selection1.target.process.command_line, `.* /c certutil -decode C:\\ProgramData\\padre3\.txt C:\\ProgramData.*\\3F2E3AB9 .*`))) or ($selection1.target.process.file.full_path = "esentutl.exe" and (re.regex($selection1.target.process.command_line, `.* /y C:\\ProgramData.*\\GUP\.txt /d C:\\ProgramData\\GUP\.exe /o .*`) or re.regex($selection1.target.process.command_line, `.* /y C:\\ProgramData.*\\libcurl\.txt /d C:\\ProgramData\\libcurl\.dll /o .*`)))))
condition:
$selection1
}atlassian_confluence_download_attachments_remote_code_executiondirectory_traversal
Detects Atlassian Confluence RCE via attachment download. A sample regex has been added to detect directory traversal; it can be improved. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule atlassian_confluence_download_attachments_remote_code_executiondirectory_traversal {
meta:
author = "Halil Ibrahim Cosgun"
description = "Detects Atlassian Confluence RCE via Attachment Download. Sample regex added to detect directory traversal, it can be improved. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
reference = "https://tdm.socprime.com/tdm/info/pCBpTAya0HBi"
version = "0.01"
created = "2021-03-09"
product = "proxy"
mitre = "initial_access, persistence, privilege_escalation, T1190, T1100"
events:
// Proxy-log rule: a POST to the Confluence drag-and-drop upload action whose query string carries
// filename= and name= parameters matching a traversal pattern.
// NOTE(review): the traversal sub-pattern looks broken by conversion — `^\(\?!` is a literal "(?!" (the
// parentheses and `?` are escaped, so it is not a negative lookahead, which RE2 would reject anyway), and
// `^` / `$` appear mid-pattern where they cannot match. As written this regex is unlikely to match any
// real request; it needs to be rewritten and tested before deployment. T1100 is a deprecated ATT&CK id
// (now T1505.003). Confirm that target.url holds the full path plus query string in this proxy source.
($selection.network.http.method = "POST" and re.regex($selection.target.url, `/plugins/drag-and-drop/upload\.action\?pageId.*&filename=^\(\?!\..*\\/\.\\/\.\)\.{0,200}$.*&size=.*&mimeType=.*atl_token=.*&name=^\(\?!\..*\\/\.\\/\.\)\.{0,200}$.*`))
condition:
$selection
}backdoor_detection_on_sql_servers
An attack targeting the aviation industry, which installs a backdoor on SQL servers, has been identified. This rule matches the URL and IP list associated with that attack. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule backdoor_detection_on_sql_servers {
meta:
author = "Furkan Celik"
description = "An attack targeting the aviation industry has been identified. You can detect the url and ip list of this attack by installing backdoor on SQL servers on your system. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
reference = "https://tdm.socprime.com/tdm/info/Ov3SO6d6u76i"
version = "0.01"
// Date format differs from the other SOC Prime rules on this page (YYYY-MM-DD); cosmetic but worth normalising.
created = "2020/04/01"
product = "proxy"
mitre = "T1086, T1083, T1132, T1088"
events:
// Pure IOC match on proxy logs: destination URL equal to one of the vollar.ga subdomains AND source IP
// equal to one of the listed addresses.
// NOTE(review): (1) `ca.vollar.gad.vollar.ga` looks like two indicators fused (`ca.vollar.ga` and `d.vollar.ga`)
// — confirm against the referenced source. (2) target.url is compared by exact equality with a bare host
// name, so any path, scheme or port in the logged URL defeats the match. (3) In proxy logs principal.ip is
// normally the internal client, so ANDing it with a list of external addresses may never be satisfied;
// the intent was probably an OR of the two indicator sets. (4) T1086 and T1088 are deprecated ATT&CK ids
// (now T1059.001 and T1548.002).
(($selection.target.url = "a.vollar.ga" or $selection.target.url = "aa.vollar.ga" or $selection.target.url = "b.vollar.ga" or $selection.target.url = "c.vollar.ga" or $selection.target.url = "ca.vollar.gad.vollar.ga" or $selection.target.url = "da.vollar.ga" or $selection.target.url = "f.vollar.ga" or $selection.target.url = "h.vollar.ga" or $selection.target.url = "ja.vollar.ga" or $selection.target.url = "k.vollar.ga" or $selection.target.url = "m.vollar.ga" or $selection.target.url = "ma.vollar.ga" or $selection.target.url = "n.vollar.ga" or $selection.target.url = "na.vollar.ga" or $selection.target.url = "o.vollar.ga" or $selection.target.url = "oa.vollar.ga" or $selection.target.url = "ob.vollar.ga" or $selection.target.url = "s.vollar.ga" or $selection.target.url = "sa.vollar.ga" or $selection.target.url = "t.vollar.ga" or $selection.target.url = "ta.vollar.ga" or $selection.target.url = "v.vollar.ga" or $selection.target.url = "x.vollar.ga" or $selection.target.url = "xa.vollar.ga" or $selection.target.url = "z.vollar.ga") and ($selection.principal.ip = "183.131.3.196" or $selection.principal.ip = "192.37.90.118" or $selection.principal.ip = "39.109.116.162" or $selection.principal.ip = "154.221.26.108" or $selection.principal.ip = "103.53.211.94" or $selection.principal.ip = "185.172.66.203" or $selection.principal.ip = "51.105.249.223" or $selection.principal.ip = "154.211.14.66" or $selection.principal.ip = "154.221.19.221" or $selection.principal.ip = "145.239.23.7" or $selection.principal.ip = "180.97.220.5" or $selection.principal.ip = "207.180.202.208"))
condition:
$selection
}bazar_loader_detection_sysmon_detection
BazarLoader (also known as Bazar Loader, Bazar Backdoor or Team9 Backdoor) is a module of the dreaded TrickBot Trojan. It is mostly used to gain a foothold in compromised enterprise networks License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule bazar_loader_detection_sysmon_detection {
meta:
author = "Ariel Millahuel"
description = "BazarLoader (also known as Bazar Loader, Bazar Backdoor or Team9 Backdoor) is a module of the dreaded TrickBot Trojan. It is mostly used to gain a foothold in compromised enterprise networks License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
reference = "https://tdm.socprime.com/tdm/info/QDvyH85txiBA"
version = "0.01"
created = "2021-03-09"
product = "windows"
service = "sysmon"
mitre = "execution, T1059"
events:
// Sysmon product event type 11 (FileCreate) where the created path carries one
// of three dropper file names. The names are sample-specific indicators: a
// renamed build will not match, so a hit is high-confidence and a miss is no
// signal either way.
$selection1.metadata.product_event_type = "11"
and
(
re.regex($selection1.target.file.full_path, `.*DD45\.exe.*`) or
re.regex($selection1.target.file.full_path, `.*BthCxn\.exe.*`) or
re.regex($selection1.target.file.full_path, `.*v86\.exe_.*`)
)
condition:
$selection1
}burp_suite_scanner_and_burp_collaborator_detected_via_proxy
Burp Suite Scanner activity detected via proxy. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule burp_suite_scanner_and_burp_collaborator_detected_via_proxy {
meta:
author = "Emir Erdogan"
reference = "https://tdm.socprime.com/tdm/info/QhIyqc5Qdl6m"
description = "Burp Suite Scanner Activirt Detected via Proxy License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
category = "proxy"
mitre = "T1190, T1210"
version = "0.01"
created = "2021-03-09"
events:
// Any proxied URL containing the Collaborator domain label; the match is
// unanchored, so subdomains and path components are covered as well.
// NOTE(review): newer Burp releases default to a different Collaborator
// domain, so this single literal may miss current scanner traffic — confirm
// coverage against the Burp version in use.
re.regex($selection.target.url, `.*burpcollaborator.*`)
condition:
$selection
}certutil_activity_via_proxy
This rule can be used to hunt for Living off the Land activity from certutil in proxy server logs. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule certutil_activity_via_proxy {
meta:
author = "Joseph Kamau"
description = "This rule can be used to hunt for Living of the Land activity from certutil from proxy server logs. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
reference = "https://tdm.socprime.com/tdm/info/E64jgRkkRkTS"
version = "0.01"
created = "2021-03-09"
product = "proxy"
mitre = "command&control, T1105, defense-evasion, T1140"
events:
// Proxy requests whose client application (user agent) is either certutil's
// own "CertUtil URL Agent" string or contains "Microsoft-CryptoAPI/".
// NOTE(review): the CryptoAPI user agent is also what routine OS certificate
// chain and revocation checks present, so the second alternative is
// high-volume — keep this as a hunt until tuned.
(
$selection.principal.application = "CertUtil URL Agent" or
re.regex($selection.principal.application, `Microsoft-CryptoAPI/.*`)
)
condition:
$selection
}covid19_phishing_campaign_fake_world_health_organization
Coronavirus-themed malware is downloaded via a fake WHO phishing email. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule covid19_phishing_campaign_fake_world_health_organization {
meta:
author = "Emir Erdogan"
description = "Coronovirus themed malware is downloaded via fake WHO phsihing email License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
reference = "https://tdm.socprime.com/tdm/info/xyaUex2Ka9Lq"
version = "0.01"
created = "2021-03-09"
product = "windows"
service = "sysmon"
mitre = "T1129, T1060, T1053, T1059"
events:
// Two process-creation patterns lifted from one analysed sample:
//  - cmd.exe spawning findstr.exe that searches a fixed-name .tmp for the
//    string "TVNDRgAAAA" (looks like the base64 form of the MSCF cabinet
//    header — confirm), or cmd.exe spawning %Temp%\msoia.exe to -decode
//    between two other fixed-name .tmp files;
//  - MSOSTYLE.exe spawning ...\OFFICE12\Wordcnvpxy.exe.
// NOTE(review): the .tmp names (g4ZokyumBB2gDn, cSi1r0uywDNvDu, oGhPGUDC03tURV)
// are per-sample artefacts; a rebuilt payload will not trigger this rule.
// NOTE(review): T1060 has since been retired in ATT&CK; confirm the current
// technique mapping before relying on the cross-link.
(($selection1.principal.process.file.full_path = "C:\\Windows\\system32\\cmd.exe" and (($selection1.target.process.file.full_path = "C:\\Windows\\system32\\findstr.exe" and re.regex($selection1.target.process.command_line, `findstr\.exe \"TVNDRgAAAA\" .*\\AppData\\Local\\Temp\\\\g4ZokyumBB2gDn\.tmp`)) or (re.regex($selection1.target.process.file.full_path, `.*\\AppData\\Local\\Temp\\msoia\.exe`) and re.regex($selection1.target.process.command_line, `.*\\AppData\\Local\\Temp\\\\msoia\.exe -decode .*AppData\\Local\\Temp\\\\cSi1r0uywDNvDu\.tmp .*\\AppData\\Local\\Temp\\\\oGhPGUDC03tURV\.tmp`)))) or (re.regex($selection1.target.process.file.full_path, `.*\\OFFICE12\\Wordcnvpxy\.exe`) and re.regex($selection1.principal.process.file.full_path, `.*MSOSTYLE\.exe`)))
condition:
$selection1
}covid19_themed_malware_via_chm_file
rundll32 downloads COVID-19 malware via a CHM file. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule covid19_themed_malware_via_chm_file {
meta:
author = "Emir Erdogan"
description = "rundll32 downloads covid-19 malware over chm file License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
reference = "https://tdm.socprime.com/tdm/info/n0COmCxxqXD5"
version = "0.01"
created = "2021-03-09"
product = "windows"
service = "sysmon"
mitre = "T1059, T1204, T1012"
events:
// Either hh.exe (HTML Help) spawning cmd.exe with a "for ... do (hh -decompile
// ...)" one-liner that then runs a ~tmp6.cab from %temp%, or cmd.exe spawning
// hh.exe to decompile a file named COVID-19.chm.
// NOTE(review): the first branch requires the exact loop text and cab name
// from one sample; the second branch is the more reusable of the two, but it
// still keys on the lure file name rather than on the technique.
// NOTE(review): the description mentions rundll32, but neither branch tests
// for it — confirm which behaviour the rule is meant to cover.
(($selection1.target.process.file.full_path = "C:\\Windows\\System32\\cmd.exe" and $selection1.principal.process.file.full_path = "C:\\Windows\\hh.exe" and re.regex($selection1.target.process.command_line, `.*for %i in \(.*\.chm\) do \(hh -decompile %temp% %~i\)&&cmd /c %temp%/~tmp6\.cab`)) or ($selection1.principal.process.file.full_path = "C:\\Windows\\System32\\cmd.exe" and $selection1.target.process.file.full_path = "C:\\Windows\\hh.exe" and re.regex($selection1.target.process.command_line, `hh -decompile .*COVID-19\.chm.*`)))
condition:
$selection1
}data_exfiltration_attempt_via_bitsadmin
Using bitsadmin to exfiltrate data License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule data_exfiltration_attempt_via_bitsadmin {
meta:
author = "Emir Erdogan"
description = "Using bitsadmin to exfiltrate data License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
reference = "https://tdm.socprime.com/tdm/info/HjIK6Euup7w0"
version = "0.01"
created = "2021-03-09"
category = "sysmon"
product = "windows"
mitre = "T1020, T1041, T1011"
events:
// bitsadmin.exe as the launched image, with a /TRANSFER ... /UPLOAD command
// line. The job name "HelpCenterUpload" comes from the source report, so the
// pattern is narrow; an upload job under any other name is not covered.
re.regex($selection.target.process.file.full_path, `.*\\bitsadmin\.exe`)
and
re.regex($selection.target.process.command_line, `.*bitsadmin\.exe /TRANSFER HelpCenterUpload /UPLOAD /PRIORITY.*`)
condition:
$selection
}data_exfiltration_detection_with_htran
Like most cyber-espionage groups, APT10's main goal is to exfiltrate critical data from the victim's environment. To exfiltrate data from a victim network segment that is not connected to the internet, a bridging tool is needed to redirect ports and connections between two network segments. In this case the threat group deployed hTran to achieve that functionality. Over the past years we have observed Chinese threat groups using htran in their attacks worldwide. This executable was seen as java.exe on compromised hosts. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule data_exfiltration_detection_with_htran {
meta:
author = "Furkan Celik"
description = "Similar to most of cyber espionage groups, APT10 is main goal is to exfiltrate critical data from victim is environment. In order to exfiltrate data from the victim is network segment that is not connected to internet, a bridge tool is needed to redirect ports and connections between two network segments. In this case threat group deployed hTran to achieve the same functionality. Over the past years we observed Chinese threata groups using htran in their attacks against world. This executable file was seen as java.exe on compromised hosts License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
reference = "https://tdm.socprime.com/tdm/info/CBsRA1zfmrfE"
version = "0.01"
created = "2020/04/12"
product = "windows"
service = "security"
mitre = "T1041, Exfiltration"
events:
// Process creation (product_event_type "1") where the image is java.exe and
// the command line carries the hTran-style "-ht <listen> -hu <user> -hp
// <password>" option string.
// NOTE(review): the pattern embeds what look like report placeholders
// ("listenip:8080", "username", "password", "C&C:443", a fixed PID/handle
// pair "1936 0x199c") rather than runtime values, so it is unlikely to match
// real activity; a rewrite keyed on the option flags alone would be more
// useful.
// NOTE(review): service = "security" but event type "1" is the Sysmon process
// creation ID (Windows Security uses 4688) — confirm which source is meant.
(re.regex($selection.target.process.command_line, `.*java\.exe %% 1936 0x199c .*java\.exe -ht listenip:8080 -hu username -hp password C&C:443 NULL SID -- 0x0`) and $selection.metadata.product_event_type = "1" and re.regex($selection.target.process.file.full_path, `.*java\.exe`))
condition:
$selection
}detection_of_safetykatz
Detects possible SafetyKatz Behaviour License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule detection_of_safetykatz {
meta:
author = "Markus Neis"
description = "Detects possible SafetyKatz Behaviour License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
reference = "https://tdm.socprime.com/tdm/info/bx1gtxYzjwHz"
version = "0.01"
created = "2018/07/24"
product = "windows"
service = "sysmon"
mitre = "credential_access, T1003"
events:
// Sysmon product event type 11 (FileCreate) of ...\Temp\debug.bin, the dump
// file name this rule associates with SafetyKatz. Only the file name is
// checked, so a build that writes elsewhere is not covered.
$selection.metadata.product_event_type = "11"
and
re.regex($selection.target.file.full_path, `.*\\Temp\\debug\.bin`)
condition:
$selection
}ekanssnake_ransomware_sysmon_detection
EKANS/SNAKE is malware that attacks ICS (Industrial Control Systems) environments. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule ekanssnake_ransomware_sysmon_detection {
meta:
author = "Ariel Millahuel"
description = "EKANS/SNAKE is a Malware that attempts to attack ICS (Industrial Control Systems) environments License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
reference = "https://tdm.socprime.com/tdm/info/NaOKwNFrbyKd"
version = "0.01"
created = "2021-03-09"
product = "windows"
service = "sysmon"
mitre = "defense_evasion, T1112"
events:
// Sysmon product event type 13 (registry value set) under one of five key
// paths.
// NOTE(review): the DefaultObjectStore\LruList / ObjectTable and
// NetworkList\Nla\Cache\Intranet paths look like ordinary OS / browser cache
// and network-location keys that normal activity writes, not EKANS-specific
// artefacts — expect heavy volume and validate against the source report
// before alerting on this alone.
// NOTE(review): the first alternative (`\\DefaultObjectStore\\LruList\\.*`)
// already subsumes the second (`...\\LruList\\00000000000002FC\\.*`).
($selection1.metadata.product_event_type = "13" and (re.regex($selection1.target.registry.registry_key, `.*\\DefaultObjectStore\\LruList\\.*`) or re.regex($selection1.target.registry.registry_key, `.*\\DefaultObjectStore\\LruList\\00000000000002FC\\.*`) or re.regex($selection1.target.registry.registry_key, `.*\\DefaultObjectStore\\ObjectTable\\E8\\.*`) or re.regex($selection1.target.registry.registry_key, `.*\\DefaultObjectStore\\ObjectTable\\E9\\.*`) or re.regex($selection1.target.registry.registry_key, `.*\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\.*`)))
condition:
$selection1
}fake_zoom_installerexe_devil_shadow_botnet
This rule detects Devil Shadow botnet activity delivered through a fake Zoom installer executable. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
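rule fake_zoom_installerexe_devil_shadow_botnet {
meta:
author = "Emir Erdogan"
description = "This rule detects to devil shadow botnet activities with fake zoom installer exe. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
reference = "https://tdm.socprime.com/tdm/info/UPInonyraJtb"
version = "0.01"
created = "2021-03-09"
category = "windows"
product = "sysmon"
mitre = "T1055, T1179, T1215, T1065, T1045"
events:
// Two stages of the fake-installer chain:
//  1. Zoominstaller.exe or wscript.exe spawns cmd.exe running pyclient.cmd;
//  2. cmd.exe spawns tasklist / attrib / reg with one of the bot's marker
//     strings ("D3ViL ShaDow", "botnet", "boot-startup.vbs") on the command line.
// Fix: the original image patterns used "/" as the path separator (and the
// Zoominstaller pattern carried a trailing space), which never matches a
// Windows image path such as C:\...\cmd.exe; the separator is now "\\" and the
// image name is anchored to the end of the path, as the sibling rules do.
// Image matches are case-insensitive because Windows paths are; the mixed-case
// "D3ViL ShaDow" marker is kept case-sensitive as written.
// NOTE(review): T1179, T1215, T1065 and T1045 have since been retired in
// ATT&CK; confirm the current technique mapping before relying on the
// cross-link.
(
(
re.regex($selection.principal.process.file.full_path, `\\Zoominstaller\.exe$`) nocase or
re.regex($selection.principal.process.file.full_path, `\\wscript\.exe$`) nocase
)
and re.regex($selection.target.process.file.full_path, `\\cmd\.exe$`) nocase
and re.regex($selection.target.process.command_line, `pyclient\.cmd`)
)
or
(
re.regex($selection.principal.process.file.full_path, `\\cmd\.exe$`) nocase
and
(
re.regex($selection.target.process.file.full_path, `\\tasklist\.exe$`) nocase or
re.regex($selection.target.process.file.full_path, `\\attrib\.exe$`) nocase or
re.regex($selection.target.process.file.full_path, `\\reg\.exe$`) nocase
)
and
(
re.regex($selection.target.process.command_line, `D3ViL ShaDow`) or
re.regex($selection.target.process.command_line, `botnet`) or
re.regex($selection.target.process.command_line, `boot-startup\.vbs`)
)
)
condition:
$selection
}fallout_rig_ek_delivers_raccoon_stealer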
Raccoon Stealer License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule fallout_rig_ek_delivers_raccoon_stealer {
meta:
author = "Emir Erdogan"
description = "Raccoon Stealer License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
reference = "https://tdm.socprime.com/tdm/info/9lYIAZKxCWzK"
version = "0.01"
created = "2019/11/24"
product = "windows"
service = "sysmon"
mitre = "T1140, T1059, T1005, T1022, T1105, T1057"
events:
// Three parent/child image pairs from the observed delivery chain:
//  - csc.exe spawning cvtres.exe;
//  - powershell.exe spawning csc.exe or AyJWa1N0.tmp (Sysmon event 1 only);
//  - AyJWa1N0.tmp spawning cmd.exe.
// NOTE(review): csc.exe -> cvtres.exe is commonly produced by legitimate
// on-the-fly .NET compilation as well, so that branch alone is noisy; the
// AyJWa1N0.tmp name is sample-specific and will not survive a rebuild.
// NOTE(review): T1022 has since been retired in ATT&CK; confirm the current
// technique mapping.
(((re.regex($selection1.target.process.file.full_path, `.*\\cvtres\.exe`) and re.regex($selection1.principal.process.file.full_path, `.*\\csc\.exe`)) or ($selection1.metadata.product_event_type = "1" and (re.regex($selection1.target.process.file.full_path, `.*\\csc\.exe`) or re.regex($selection1.target.process.file.full_path, `.*\\AyJWa1N0\.tmp`)) and re.regex($selection1.principal.process.file.full_path, `.*\\powershell\.exe`))) or (re.regex($selection1.target.process.file.full_path, `.*\\cmd\.exe`) and re.regex($selection1.principal.process.file.full_path, `.*\\AyJWa1N0\.tmp`)))
condition:
$selection1
}hacktool_ironsharp_pack_execution
Detects the execution of known attacker tools, including but not limited to those in the IronSharpPack toolset. These tools are commonly used for offensive security operations and may indicate malicious activity if observed in unauthorized environments.
rule hacktool_ironsharp_pack_execution {
meta:
author = "Georg Lauenstein - suresecure GmbH"
description = "Detects the execution of known attacker tools, including but not limited to those in the IronSharpPack toolset. These tools are commonly used for offensive security operations and may indicate malicious activity if observed in unauthorized environments."
rule_id = "mr_34f2ecef-cd3e-4dee-9c83-b7a9ec34becc"
rule_name = "Hacktool - IronSharpPack Execution"
tactic = "TA0002"
technique = "T1059"
references = "https://github.com/BC-SECURITY/IronSharpPack"
type = "alert"
platform = "Linux, Windows, EDR"
data_source = "Sysmon for Linux, Microsoft Sysmon, Windows Event Logs"
severity = "Medium" // Adjust based on your risk assessment
priority = "Medium" // Adjust based on your incident response process
events:
// Process launch where the image is a shell / interpreter and the command line
// names one of the IronSharpPack .py wrappers. Both patterns are unanchored
// substring matches.
// NOTE(review): every image alternative ends in ".exe", so despite
// platform = "Linux, Windows, EDR" a Linux interpreter path (no .exe suffix)
// cannot satisfy the first predicate — Linux is not actually covered by this
// rule as written.
// NOTE(review): "python.*\.exe" is unanchored and greedy; it matches any path
// containing "python" followed later by ".exe", which is broader than the
// interpreter name alone.
$ironsharp_execution.metadata.event_type = "PROCESS_LAUNCH"
$ironsharp_execution.target.process.file.full_path = /cmd\.exe|python.*\.exe|ipy\.exe|powershell\.exe|pwsh\.exe|wsl\.exe/ nocase and
$ironsharp_execution.target.process.command_line = /IronADCSPwn\.py|IronADFSDump\.py|IronBetterSafetyKatz\.py|IronCertify\.py|IronDeployPrinterNightmare\.py|IronEmbed\.py|IronEDD\.py|IronGrouper2\.py|IronInveigh\.py|IronLockLess\.py|IronPassTheCert\.py|IronRubeus\.py|IronSafetyKatz\.py|IronSearchOutlook\.py|IronSeatbelt\.py|IronSharPersist\.py|IronSharp-SMBExec\.py|IronSharpAllowedToAct\.py|IronSharpBypassUAC\.py|IronSharpCOM\.py|IronSharpChisel\.py|IronSharpChrome\.py|IronSharpChromium\.py|IronSharpCloud\.py|IronSharpCookieMonster\.py|IronSharpCrashEventLog\.py|IronSharpDPAPI\.py|IronSharpDir\.py|IronSharpDoor\.py|IronSharpDump\.py|IronSharpEDRChecker\.py|IronSharpExec\.py|IronSharpGPOAbuse\.py|IronSharpHandler\.py|IronSharpKatz\.py|IronSharpLAPS\.py|IronSharpMapExec\.py|IronSharpMiniDump\.py|IronSharpMove\.py|IronSharpNamedPipePTH\.py|IronSharpReg\.py|IronSharpSQLPwn\.py|IronSharpSearch\.py|IronSharpSecDump\.py|IronSharpSniper\.py|IronSharpSpray\.py|IronSharpStay\.py|IronSharpTask\.py|IronSharpUp\.py|IronSharpWMI\.py|IronSharpWebServer\.py|IronSharpWifiGrabber\.py|IronSharpZeroLogon\.py|IronShhmon\.py|IronSqlClient\.py|IronStandIn\.py|IronStickyNotesExtract\.py|IronThunderFox\.py|IronTokenStomp\.py|IronWMIReg\.py|IronWatson\.py|Iron_RunasCs\.py|Ironscout\.py|Ironsharpfiles\.py|Ironsharpshares\.py/ nocase
// Capture the hostname where the event occurred
$ironsharp_execution.principal.hostname = $hostname
match:
$hostname over 15m
outcome:
// Fixed score; the match window aggregates hits per host for 15 minutes.
$risk_score = max(65)
$event_count = count_distinct($ironsharp_execution.metadata.id)
// Parent (principal) process context for triage
$principal_process_pid = array_distinct($ironsharp_execution.principal.process.pid)
$principal_process_command_line = array_distinct($ironsharp_execution.principal.process.command_line)
$principal_process_file_sha256 = array_distinct($ironsharp_execution.principal.process.file.sha256)
$principal_process_file_full_path = array_distinct($ironsharp_execution.principal.process.file.full_path)
$principal_process_product_specific_process_id = array_distinct($ironsharp_execution.principal.process.product_specific_process_id)
$principal_process_parent_process_product_specific_process_id = array_distinct($ironsharp_execution.principal.process.parent_process.product_specific_process_id)
// Launched (target) process context for triage
$target_process_pid = array_distinct($ironsharp_execution.target.process.pid)
$target_process_command_line = array_distinct($ironsharp_execution.target.process.command_line)
$target_process_file_sha256 = array_distinct($ironsharp_execution.target.process.file.sha256)
$target_process_file_full_path = array_distinct($ironsharp_execution.target.process.file.full_path)
$target_process_product_specific_process_id = array_distinct($ironsharp_execution.target.process.product_specific_process_id)
$principal_user_userid = array_distinct($ironsharp_execution.principal.user.userid)
condition:
$ironsharp_execution
}hacktool_purpleknight_execution
This detection rule identifies the execution of the Purple Knight tool, a free Active Directory security assessment utility developed by Semperis. Purple Knight is designed to scan for AD vulnerabilities, misconfigurations, and common attack paths. While it is a legitimate tool used by defenders, its execution in production environments may also indicate red team activity or unauthorized reconnaissance by adversaries attempting to map domain weaknesses.
rule hacktool_purpleknight_execution {
meta:
author = "Georg Lauenstein - suresecure GmbH"
description = "This detection rule identifies the execution of the Purple Knight tool, a free Active Directory security assessment utility developed by Semperis. Purple Knight is designed to scan for AD vulnerabilities, misconfigurations, and common attack paths. While it is a legitimate tool used by defenders, its execution in production environments may also indicate red team activity or unauthorized reconnaissance by adversaries attempting to map domain weaknesses."
rule_id = "mr_69e428bb-c946-4e3f-abb8-0e28316f2389"
rule_name = "Purple Knight Tool Execution Detected"
tactic = "TA0007"
technique = "T1087"
references = "https://www.purple-knight.com/"
type = "alert"
platform = "Windows, EDR"
data_source = "Microsoft Sysmon, Windows Event Logs"
severity = "Medium" // Adjust based on your risk assessment
priority = "Medium" // Adjust based on your incident response process
events:
// Bind the host first; it is the match variable used below.
$purple_knight.principal.hostname = $hostname
$purple_knight.metadata.event_type = "PROCESS_LAUNCH"
// PurpleKnight.exe as the launched image, as the parent image, or the name
// appearing anywhere on the parent's command line (the loosest of the three).
(
$purple_knight.target.process.file.full_path = /\\PurpleKnight\.exe$/ nocase or
$purple_knight.principal.process.file.full_path = /\\PurpleKnight\.exe$/ nocase or
$purple_knight.principal.process.command_line = /PurpleKnight/ nocase
)
match:
$hostname over 10m
outcome:
// Fixed score; hits are aggregated per host over the 10-minute window.
$risk_score = max(65)
$event_count = count_distinct($purple_knight.metadata.id)
// Parent (principal) process context
$principal_process_pid = array_distinct($purple_knight.principal.process.pid)
$principal_process_command_line = array_distinct($purple_knight.principal.process.command_line)
$principal_process_file_sha256 = array_distinct($purple_knight.principal.process.file.sha256)
$principal_process_file_full_path = array_distinct($purple_knight.principal.process.file.full_path)
$principal_process_product_specific_process_id = array_distinct($purple_knight.principal.process.product_specific_process_id)
$principal_process_parent_process_product_specific_process_id = array_distinct($purple_knight.principal.process.parent_process.product_specific_process_id)
// Launched (target) process context
$target_process_pid = array_distinct($purple_knight.target.process.pid)
$target_process_command_line = array_distinct($purple_knight.target.process.command_line)
$target_process_file_sha256 = array_distinct($purple_knight.target.process.file.sha256)
$target_process_file_full_path = array_distinct($purple_knight.target.process.file.full_path)
$target_process_product_specific_process_id = array_distinct($purple_knight.target.process.product_specific_process_id)
// User context
$principal_user_userid = array_distinct($purple_knight.principal.user.userid)
condition:
$purple_knight
}hacktool_winpeas_execution_patterns
This detection rule identifies the execution of WinPEAS (Windows Privilege Escalation Awesome Script), a post-exploitation reconnaissance tool used to discover privilege escalation paths on Windows systems. WinPEAS performs a wide range of local enumeration checks, including service misconfigurations, permission issues, token privileges, and more. Its usage is commonly observed during red team assessments and by adversaries seeking to elevate privileges after gaining initial access. WinPEAS checks are well-documented in the HackTricks knowledge base.
rule hacktool_winpeas_execution_patterns {
meta:
author = "Georg Lauenstein - suresecure GmbH"
description = "This detection rule identifies the execution of WinPEAS (Windows Privilege Escalation Awesome Script), a post-exploitation reconnaissance tool used to discover privilege escalation paths on Windows systems. WinPEAS performs a wide range of local enumeration checks, including service misconfigurations, permission issues, token privileges, and more. Its usage is commonly observed during red team assessments and by adversaries seeking to elevate privileges after gaining initial access. WinPEAS checks are well-documented in the HackTricks knowledge base."
rule_id = "mr_9c9ad668-485a-4b10-b85d-36ba63546304"
rule_name = "Hacktool - WinPEAS Execution Patterns"
tactic = "TA0007"
technique = "T1082"
references = "https://github.com/carlospolop/PEASS-ng, https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html, https://www.microsoft.com/en-us/security/blog/2022-10-14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/, https://www.logpoint.com/wp-content/uploads/2023/02/emerging-threats-the-play-report.pdf"
type = "alert"
platform = "Windows, EDR"
data_source = "Microsoft Sysmon, Windows Event Logs"
severity = "Medium" // Adjust based on your risk assessment
priority = "Medium" // Adjust based on your incident response process
events:
// Process launch that (a) names a winPEAS binary as the src or target image,
// (b) carries winPEAS check names on the command line, (c) downloads
// winPEAS.ps1 from the upstream repository, or (d) ends with "-linpeas".
// NOTE(review): the first alternative reads `src.process.file.full_path`
// while the sibling rules use `principal.process.file.full_path` for the
// parent image; confirm the parser populates src.process for this source.
// NOTE(review): the src.process pattern leaves its dots unescaped
// ("winPEAS.exe") whereas the target.process line escapes them; harmless for
// matching, but inconsistent.
// NOTE(review): the bare check names (processinfo, networkinfo, filesinfo,
// eventsinfo, ...) are short generic words and the likely noise source — the
// current_directory exclusion below presumably exists for that reason.
$winpeas_execution.metadata.event_type = "PROCESS_LAUNCH"
and
(
$winpeas_execution.src.process.file.full_path = /winPEAS.exe|winPEASany.exe|winPEASany_ofs.exe|winPEASx64.exe|winPEASx64_ofs.exe|winPEASx86.exe|winPEASx86_ofs.exe/ nocase or
$winpeas_execution.target.process.file.full_path = /\\winPEAS\.exe|\\winPEASany\.exe|\\winPEASany_ofs\.exe|\\winPEASx64\.exe|\\winPEASx64_ofs\.exe|\\winPEASx86\.exe|\\winPEASx86_ofs\.exe/ nocase or
$winpeas_execution.target.process.command_line = /processinfo|servicesinfo|applicationsinfo|networkinfo|windowscreds|browserinfo|filesinfo|fileanalysis|eventsinfo/ nocase
or
(
$winpeas_execution.target.process.command_line = /raw\.githubusercontent\.com/ nocase and
$winpeas_execution.target.process.command_line = /carlospolop/ nocase and
$winpeas_execution.target.process.command_line = /winPEAS\.ps1/ nocase
)
or
(
$winpeas_execution.principal.process.command_line = / -linpeas$/ nocase or
$winpeas_execution.target.process.command_line = / -linpeas$/ nocase
)
)
not
(
// Exclusion: Microsoft Defender Threat Protection Sensor Updates
// (exact match on the working directory, trailing backslash included)
$winpeas_execution.additional.fields["current_directory"] = "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\"
)
// Capture the hostname where the event occurred
$winpeas_execution.principal.hostname = $hostname
match:
$hostname over 10m
outcome:
// Fixed score; hits are aggregated per host over the 10-minute window.
$risk_score = max(65)
$event_count = count_distinct($winpeas_execution.metadata.id)
// Parent (principal) process context
$principal_process_pid = array_distinct($winpeas_execution.principal.process.pid)
$principal_process_command_line = array_distinct($winpeas_execution.principal.process.command_line)
$principal_process_file_sha256 = array_distinct($winpeas_execution.principal.process.file.sha256)
$principal_process_file_full_path = array_distinct($winpeas_execution.principal.process.file.full_path)
$principal_process_product_specific_process_id = array_distinct($winpeas_execution.principal.process.product_specific_process_id)
$principal_process_parent_process_product_specific_process_id = array_distinct($winpeas_execution.principal.process.parent_process.product_specific_process_id)
// Launched (target) process context
$target_process_pid = array_distinct($winpeas_execution.target.process.pid)
$target_process_command_line = array_distinct($winpeas_execution.target.process.command_line)
$target_process_file_sha256 = array_distinct($winpeas_execution.target.process.file.sha256)
$target_process_file_full_path = array_distinct($winpeas_execution.target.process.file.full_path)
$target_process_product_specific_process_id = array_distinct($winpeas_execution.target.process.product_specific_process_id)
$principal_user_userid = array_distinct($winpeas_execution.principal.user.userid)
condition:
$winpeas_execution
}hostdomain_enumeration_with_wmic
Detects host/domain enumeration attempts. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
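rule hostdomain_enumeration_with_wmic {
meta:
author = "Osman Demir"
description = "Detects the Host/Domain Enumeration Attempts. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
reference = "https://tdm.socprime.com/tdm/info/tZIBjTZedRxS"
version = "0.01"
created = "2021-03-09"
product = "windows"
service = "sysmon"
mitre = "discovery, T1082, T1083, T1087"
events:
// Launched image is cmd.exe or powershell.exe, and the command line is one of
// the wmic host / software / AD (root\directory\ldap) enumeration forms.
// Fix: the original compared file.full_path for equality with the bare
// basename ("cmd.exe"), which never matches the full image path that UDM
// normally carries; the image test is now anchored on the basename and
// accepts either form, case-insensitively.
// The command-line alternatives are kept exactly as written (exact matches are
// case-sensitive). Note that the two DATAFILE patterns embed a lab path
// (\Users\test\Documents), so they are unlikely to fire outside that lab.
(
re.regex($selection.target.process.file.full_path, `(^|\\)cmd\.exe$`) nocase or
re.regex($selection.target.process.file.full_path, `(^|\\)powershell\.exe$`) nocase
)
and
(
$selection.target.process.command_line = "wmic os LIST Full" or
$selection.target.process.command_line = "wmic computersystem LIST full" or
$selection.target.process.command_line = "wmic /namespace:\\\\root\\securitycenter2 path antivirusproduct" or
$selection.target.process.command_line = "wmic path Win32_PnPdevice" or
$selection.target.process.command_line = "wmic qfe list brief" or
re.regex($selection.target.process.command_line, `wmic DATAFILE where \"path='\\\\Users\\\\test\\\\Documents\\\\'\" GET .*`) or
re.regex($selection.target.process.command_line, `wmic DATAFILE where \"drive='C:' AND Name like '%password%'\" GET .*`) or
re.regex($selection.target.process.command_line, `wmic USERACCOUNT Get .*`) or
$selection.target.process.command_line = "wmic NTDOMAIN GET DomainControllerAddress,DomainName,Roles /VALUE" or
re.regex($selection.target.process.command_line, `wmic /NAMESPACE:\\\\root\\directory\\ldap PATH ds_user where .*`) or
$selection.target.process.command_line = "wmic /NAMESPACE:\\\\root\\directory\\ldap PATH ds_user GET ds_samaccountname" or
$selection.target.process.command_line = "wmic /NAMESPACE:\\\\root\\directory\\ldap PATH ds_group GET ds_samaccountname" or
$selection.target.process.command_line = "wmic /NAMESPACE:\\\\root\\directory\\ldap PATH ds_group where \"ds_samaccountname='Domain Admins'\" Get ds_member /Value" or
re.regex($selection.target.process.command_line, `wmic path win32_groupuser where \(groupcomponent=\"win32_group\.name=\"domain admins\",domain .*\"\)`) or
$selection.target.process.command_line = "wmic /NAMESPACE:\\\\root\\directory\\ldap PATH ds_computer GET ds_samaccountname" or
$selection.target.process.command_line = "wmic /NAMESPACE:\\\\root\\directory\\ldap PATH ds_computer GET ds_dnshostname"
)
condition:
$selection
}lazarus_attack_variant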
Detects a Lazarus attack variant via move.exe and reg.exe License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule lazarus_attack_variant {
meta:
author = "Ariel Millahuel"
description = "Detects a Lazarus attack variant via move.exe and reg.exe License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
reference = "https://tdm.socprime.com/tdm/info/XK07zRt3m5OF"
version = "0.01"
created = "2021-03-09"
category = "process_creation"
product = "windows"
mitre = "execution, T1059"
events:
// Security 4688 or Sysmon 1 process creation with one of the exact move / reg
// command lines that stage sqcsvc.dll as a svchost service DLL.
// NOTE(review): "move" is a cmd.exe built-in rather than a separate image, so
// target.process.file.full_path = "move.exe" is unlikely ever to be true; the
// move branch probably needs to key on cmd.exe's command line instead. The
// reg.exe branch compares full_path with the bare basename "reg.exe" — UDM
// normally carries the full path, so confirm how this parser fills the field.
// NOTE(review): "REG_ MULTI_SZ" (with a space) is kept as written; confirm
// whether it reflects the sample or a transcription error.
(($selection1.metadata.product_event_type = "4688" or $selection1.metadata.product_event_type = "1") and (($selection1.target.process.file.full_path = "move.exe" and ($selection1.target.process.command_line = "move \"c:\\perflogs\\1.dat\" \"c:\\programdata\\microsoft\\sqcsvc\\sqcsvc6.ldx\"" or $selection1.target.process.command_line = "move \"c:\\perflogs\\1.dll\" \"c:\\windows\\system32\\sqcsvc.dll\"" or $selection1.target.process.command_line = "move \"c:\\perflogs\\1.dll.mui\" \"c:\\windows\\system32\\sqcsvc.dll.mui\"")) or ($selection1.target.process.file.full_path = "reg.exe" and ($selection1.target.process.command_line = "reg add \"HKLM\\SYSTEM\\ControlSet001\\Services\\sqcsvc\\Parameters\" /v ServiceDll /t REG_EXPAND_SZ /d \"%SystemRoot%\\System32\\sqcsvc.dll\"" or $selection1.target.process.command_line = "reg add \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\" /v sqcsvc /t REG_ MULTI_SZ /d sqcsvc"))))
condition:
$selection1
}loda_rat_detection
Loda is a Remote Access Trojan with spying capabilities License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule loda_rat_detection {
meta:
author = "Ariel Millahuel"
description = "Loda is a Remote Access Trojan with spying capabilities License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
reference = "https://tdm.socprime.com/tdm/info/yO2dtTK5tKlD"
version = "0.01"
created = "2021-03-09"
category = "process_creation"
product = "windows"
mitre = "execution, T1059"
events:
// cmd.exe launching msiexec to quietly install a .msi fetched from an
// .../api*/config/uploads/tmp/ URL path, on Security 4688 or Sysmon 1 events.
// The first pattern pins the known host, the second is the generic form and
// subsumes the first.
// NOTE(review): full_path is compared for equality with the bare name
// "cmd.exe"; UDM normally carries the full image path, so this predicate may
// never be true — confirm against the parser, or anchor on `\\cmd\.exe$`.
// NOTE(review): the command-line regex expects "cmd.exe & /C ..." with an
// ampersand between the image and /C, which is not the usual invocation form;
// verify against the original sample.
($selection1.target.process.file.full_path = "cmd.exe" and (re.regex($selection1.target.process.command_line, `cmd\.exe & /C CD C:/ & msiexec\.exe /i http.*://lcodigo\.com/apiW/config/uploads/tmp/.*\.msi /quiet`) or re.regex($selection1.target.process.command_line, `cmd\.exe & /C CD C:/ & msiexec\.exe /i http.*://.*\.com/api.*/config/uploads/tmp/.*\.msi /quiet`)) and ($selection1.metadata.product_event_type = "4688" or $selection1.metadata.product_event_type = "1"))
condition:
$selection1
}malware_dridex_dropper_doc_20191217
Dridex dropper doc (mechanisms from Powershell)
rule malware_dridex_dropper_doc_20191217
{
meta:
author = "Google Cloud Security"
description = "Dridex dropper doc (mechanisms from Powershell)"
reference = "https://attack.mitre.org/techniques/T1059/"
ref_hash = "57e25974e9e52c87aff9e0cae39bd7670a5d861fd70b9694a43a612cb56c6d88"
yara_version = "YL2.0"
rule_version = "1.0"
events:
// Process launch whose parent command line is a hidden-window PowerShell with
// an encoded command whose base64 starts with "jabf" — presumably the
// UTF-16LE encoding of a leading "$" variable reference; TODO confirm against
// the ref_hash sample. The match is case-insensitive and unanchored.
$e1.metadata.event_type = "PROCESS_LAUNCH"
and
re.regex($e1.principal.process.command_line, `powershell -w hidden -en jabf`) nocase
condition:
$e1
}malware_servhelper_bot
ServHelper bot
rule malware_servhelper_bot
{
meta:
author = "Google Cloud Security"
description = "ServHelper bot"
reference = "https://attack.mitre.org/techniques/T1059/"
ref_hash = "6f58ed116b53b991522d6586c80a7061951dbf251e6943d3cfbd97f6c0126c0e"
yara_version = "YL2.0"
rule_version = "1.0"
events:
// Process launch whose parent command line is a "net user" call for the
// hard-coded account wgautilacc, or a "net localgroup" call against the
// Remote Desktop Users group. Both are unanchored, case-insensitive matches;
// the second alternative on its own will also see legitimate administration.
$e1.metadata.event_type = "PROCESS_LAUNCH"
(
re.regex($e1.principal.process.command_line, `net.* user wgautilacc`) nocase
or
re.regex($e1.principal.process.command_line, `net.* localgroup "remote desktop users"`) nocase
)
condition:
$e1
}malware_servhelper_nsis_dropper
ServHelper NSIS dropper which layers PowerShell to execute its payload
rule malware_servhelper_nsis_dropper
{
meta:
author = "Google Cloud Security"
description = "ServHelper NSIS dropper which layers PowerShell to execute its payload"
reference = "https://attack.mitre.org/techniques/T1059/"
ref_hash = "7f0191d0d08abd814b435aed3d3ab0d9499942ceba2e91fb9f3b9e5a4ab849a5"
yara_version = "YL2.0"
rule_version = "1.0"
events:
// Process launch whose parent command line is cmd.exe running a 15-second
// timeout chained (&) into "powershell -ep bypass -f" — the exact staging
// sequence observed in the referenced sample. The fixed "-t 15" makes the
// pattern specific; a different delay would not match.
$e1.metadata.event_type = "PROCESS_LAUNCH"
and
re.regex($e1.principal.process.command_line, `cmd\.exe.* /c timeout -t 15\& powershell -ep bypass -f`) nocase
condition:
$e1
}malware_zeppelin_registry
Zeppelin registry key writing
rule malware_zeppelin_registry
{
meta:
author = "Google Cloud Security"
description = "Zeppelin registry key writing"
reference = "https://attack.mitre.org/techniques/T1112/"
related_sample = "423ac94365660904322647356081aa1ea584cb20385ec3163193e71fd3e4f1ad"
yara_version = "YL2.0"
rule_version = "1.0"
events:
// Registry key creation anywhere under a \software\zeppelin\ path.
// NOTE(review): only REGISTRY_CREATION is covered; a value written under an
// already-existing key arrives as REGISTRY_MODIFICATION and would be missed —
// confirm whether that is intended (the logon-script rule below takes both).
$e1.metadata.event_type = "REGISTRY_CREATION"
and
re.regex($e1.target.registry.registry_key, `\\software\\zeppelin\\`) nocase
condition:
$e1
}mitre_attack_T1021_002_windows_admin_share
Net use commands for SMB/Windows admin shares
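rule mitre_attack_T1021_002_windows_admin_share
{
meta:
author = "Google Cloud Security"
description = "Net use commands for SMB/Windows admin shares"
reference = "https://attack.mitre.org/techniques/T1021/002/"
yara_version = "YL2.0"
rule_version = "1.0"
events:
// "net use ... \\host\<share>$" where the share is a drive-letter admin share
// (C$, D$, ...), ADMIN$ or IPC$.
// Fix: the original pattern ended in ` (C|ADMIN|IPC)$`. The unescaped `$` is
// an end-of-input anchor, not a literal dollar sign, and the share name was
// preceded by a space rather than the "\" that terminates a UNC path, so the
// pattern could only match a command line ending in the bare word C, ADMIN or
// IPC and never the real share names. The dollar sign is now escaped, the
// share is required to follow a backslash, and any drive letter is accepted
// (backward-compatible superset of the C$ case).
re.regex($e1.principal.process.command_line, `net use.*\\([A-Z]|ADMIN|IPC)\$`) nocase
condition:
$e1
}mitre_attack_T1037_001_windows_logon_script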
Registry modification related to installation of a custom logon script
rule mitre_attack_T1037_001_windows_logon_script
{
meta:
author = "Google Cloud Security"
description = "Registry modification related to installation of a custom logon script"
reference = "https://attack.mitre.org/techniques/T1037/001/"
yara_version = "YL2.0"
rule_version = "1.0"
events:
// Creation or modification of the per-user UserInitMprLogonScript value,
// addressed either by the HKCU alias or the full HKEY_CURRENT_USER hive name.
// Both event types are taken because the value may be written under an
// existing Environment key.
re.regex($e1.target.registry.registry_key, `(HKCU|HKEY_CURRENT_USER)\\Environment\\UserInitMprLogonScript`) nocase
and
(
$e1.metadata.event_type = "REGISTRY_CREATION"
or
$e1.metadata.event_type = "REGISTRY_MODIFICATION"
)
condition:
$e1
}