
Hunt pack: Play

990 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Vendor-native detections mapped to the ATT&CK techniques attributed to Play, packaged as a ready-to-deploy hunt pack for Splunk, Elastic, Sentinel and Chronicle (YARA-L). The rules are selected by ATT&CK technique, not by Play-specific indicators: most of those listed below (for example the SAP change-document and AWS GuardDuty rules) are generic technique detections and will need tuning and false-positive review for your environment.

Detections

50 shown of 990
Chronicle (YARA-L) Original YARA-L Critical T1090.003 ↗
google_safebrowsing_file_contacts_tor_exit_node
A malicious file contacting a known Tor Exit Node.
rule google_safebrowsing_file_contacts_tor_exit_node {

  meta:
    author = "Google Cloud Security"
    description = "A malicious file contacting a known Tor Exit Node."
    rule_id = "mr_f6733319-50b3-477e-bad6-96bb4c14c632"
    rule_name = "Google Safebrowsing File Contacts Tor Exit Node"
    tactic = "TA0011"
    technique = "T1090.003"
    type = "alert"
    data_source = "microsoft defender atp, crowdstrike, microsoft sysmon"
    severity = "Critical"
    priority = "High"

  events:
    // Endpoint network-connection telemetry. The initiating process must carry a
    // SHA-256, because that hash is the key for the entity-graph join below.
    // NOTE(review): a source whose connection events do not populate
    // principal.process.file.sha256 can never satisfy this rule - confirm each
    // listed data_source does before relying on it.
    $conn.metadata.event_type = "NETWORK_CONNECTION"
    $conn.principal.process.file.sha256 != ""
    $conn.principal.process.file.sha256 = $sha256
    $conn.principal.hostname = $hostname
    $conn.target.ip = $dst_ip

    // Join 1: the process image is a FILE entity in the GLOBAL_CONTEXT graph that
    // Google Safe Browsing categorises as SOFTWARE_MALICIOUS (hashes provided by the GCTI feed).
    $sb.graph.metadata.entity_type = "FILE"
    $sb.graph.metadata.source_type = "GLOBAL_CONTEXT"
    $sb.graph.metadata.product_name = "Google Safe Browsing"
    $sb.graph.metadata.threat.category = "SOFTWARE_MALICIOUS"
    $sb.graph.entity.file.sha256 = $sha256

    // Join 2: the destination IP is listed in the GCTI "Tor Exit Nodes" feed.
    $tor.graph.metadata.entity_type = "IP_ADDRESS"
    $tor.graph.metadata.source_type = "GLOBAL_CONTEXT"
    $tor.graph.metadata.vendor_name = "Google Cloud Threat Intelligence"
    $tor.graph.metadata.product_name = "GCTI Feed"
    $tor.graph.metadata.threat.threat_feed_name = "Tor Exit Nodes"
    $tor.graph.entity.artifact.ip = $dst_ip

  match:
    // One detection per host per hour, however many flows matched.
    $hostname over 1h

  outcome:
    $risk_score = 95
    $event_count = count_distinct($conn.metadata.id)
    // Context surfaced on the alert graph: endpoints, users and both processes.
    $principal_ip = array_distinct($conn.principal.ip)
    $target_ip = array_distinct($conn.target.ip)
    $principal_user_userid = array_distinct($conn.principal.user.userid)
    $target_user_userid = array_distinct($conn.target.user.userid)
    $principal_process_pid = array_distinct($conn.principal.process.pid)
    $principal_process_command_line = array_distinct($conn.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($conn.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($conn.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($conn.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($conn.principal.process.parent_process.product_specific_process_id)
    //$target_process_pid = array_distinct($conn.target.process.pid)
    $target_process_command_line = array_distinct($conn.target.process.command_line)
    $target_process_file_sha256 = array_distinct($conn.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($conn.target.process.file.full_path)
    $target_process_product_specific_process_id = array_distinct($conn.target.process.product_specific_process_id)
    $target_process_parent_process_product_specific_process_id = array_distinct($conn.target.process.parent_process.product_specific_process_id)

  condition:
    // The flow, the malicious-file verdict and the Tor listing must all be present.
    $conn and $sb and $tor
}
Chronicle (YARA-L) Original YARA-L Critical T1003.001 ↗
hacktool_dumpert_process_dumper_default_file
Detects creation of the default dump file written by the Outflank Dumpert tool, a process dumper that dumps lsass process memory.
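rule hacktool_dumpert_process_dumper_default_file {

  meta:
    author = "Florian Roth (Nextron Systems)"
    description = "Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_event/file_event_win_hktl_dumpert.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "HackTool - Dumpert Process Dumper Default File"
    sigma_uuid = "93d94efc-d7ad-4161-ad7d-1638c4f908d8"
    sigma_status = "test"
    rule_id = "mr_13ac04a7-8853-42c9-a243-9da5dc05cb66"
    tactic = "TA0006"
    technique = "T1003.001"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "Critical"
    priority = "Critical"
    false_positives = "Very unlikely"

  events:
    $file.metadata.event_type = "FILE_CREATION"
    // Dumpert's default output file name is dumpert.dmp. The dot is escaped so the
    // pattern matches that literal name; the earlier unescaped form matched
    // "dumpert<any character>dmp". The match is still a suffix match, so the file
    // can sit in any directory. Use `\\dumpert\.dmp$` instead if you also want to
    // require the path separator in front of the name.
    re.regex($file.target.file.full_path, `dumpert\.dmp$`) nocase

    $file.principal.hostname = $hostname

  match:
    // One detection per host per 5 minutes.
    $hostname over 5m

  outcome:
    // Template scoring: 0 for a designated test user/host, otherwise 15. The Sigma
    // severity is Critical, so raise this before using it for risk-based alerting.
    $risk_score = max(if($file.principal.user.userid = "user" and $file.principal.hostname = "hostname", 0, 15))
    $principal_hostname = array_distinct($file.principal.hostname)
    $principal_process_pid = array_distinct($file.principal.process.pid)
    $principal_process_command_line = array_distinct($file.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($file.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($file.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($file.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($file.principal.process.parent_process.product_specific_process_id)
    $principal_user_userid = array_distinct($file.principal.user.userid)
    // The dump file itself: hash and full path, for collection and scoping.
    $target_file_sha256 = array_distinct($file.target.file.sha256)
    $target_file_full_path = array_distinct($file.target.file.full_path)

  condition:
    $file
}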
Chronicle (YARA-L) Original YARA-L Critical T1003.001 ↗
hacktool_dumpert_process_dumper_exec
Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
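rule hacktool_dumpert_process_dumper_exec {
  meta:
    author = "Florian Roth (Nextron Systems)"
    description = "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml"
    rule_name = "HackTool - Dumpert Process Dumper Execution"
    sigma_uuid = "2704ab9e-afe2-4854-a3b1-0c0706d03578"
    sigma_status = "test"
    rule_id = "mr_39c682b6-b50e-4d22-95de-c9d579c8fc44"
    tactic = "TA0006"
    technique = "T1003.001"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "Critical"
    priority = "Critical"
    false_positives = "Very unlikely"

  events:
    $process.metadata.event_type = "PROCESS_LAUNCH"
    // Two independent tells, either is enough: the launched image's import hash
    // (checked in both UDM locations a parser may populate), or "dumpert.dll"
    // anywhere on the command line. The import hash only identifies builds whose
    // import table matches the stock one; expect custom rebuilds to miss it.
    (
        $process.target.process.file.file_metadata.pe.import_hash = "09D278F9DE118EF09163C6140255C690" nocase or
        $process.target.process.file.pe_file.imphash = "09D278F9DE118EF09163C6140255C690" nocase or
        strings.contains(strings.to_lower($process.target.process.command_line), "dumpert.dll")
    )
    $process.principal.hostname = $hostname

  match:
    // One detection per host per 5 minutes.
    $hostname over 5m

  outcome:
    // Template scoring: 0 for a designated test user/host, otherwise 15. The Sigma
    // severity is Critical, so raise this before using it for risk-based alerting.
    $risk_score = max(if($process.principal.user.userid = "user" and $process.principal.hostname = "hostname", 0, 15))
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    // Outcome names spelled "product_specific" (the original had "specfic") so they
    // line up with every other rule in this pack and with dashboards keyed on them.
    $principal_process_product_specific_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specific_process_id = array_distinct($process.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($process.principal.user.userid)
    // Which log source produced the hit, e.g. to tell Sysmon from other process telemetry.
    $log_type = array_distinct(strings.concat($process.metadata.log_type,"/",$process.metadata.product_event_type))

  condition:
    $process
}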
Chronicle (YARA-L) Original YARA-L Critical T1003.001 ↗
potential_cred_dumping_via_lsass_silentprocessexit_technique
Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
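rule potential_cred_dumping_via_lsass_silentprocessexit_technique {

  meta:
    author = "Florian Roth (Nextron Systems)"
    description = "Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "Potential Credential Dumping Via LSASS SilentProcessExit Technique"
    sigma_uuid = "55e29995-75e7-451a-bef0-6225e2f13597"
    sigma_status = "test"
    rule_id = "mr_bc2279f0-9b27-485d-b392-ff6f13ae68df"
    tactic = "TA0006"
    technique = "T1003.001"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "Critical"
    priority = "Critical"
    false_positives = "Unlikely"

  events:
    // The upstream Sigma rule is a generic registry_event rule, so creating the
    // SilentProcessExit\lsass.exe key counts as much as setting a value under it.
    // The original translation only accepted REGISTRY_MODIFICATION and therefore
    // missed the key-creation event when value writes were not logged.
    (
        $registry.metadata.event_type = "REGISTRY_CREATION" or
        $registry.metadata.event_type = "REGISTRY_MODIFICATION"
    )
    //$registry.metadata.product_event_type = "13"
    // Match the key path case-insensitively anywhere in the key, so HKLM prefixes
    // and Wow6432Node variants are covered.
    strings.contains(strings.to_lower($registry.target.registry.registry_key), "microsoft\\windows nt\\currentversion\\silentprocessexit\\lsass.exe")

    $registry.principal.hostname = $hostname

  match:
    // One detection per host per 5 minutes.
    $hostname over 5m

  outcome:
    // Template scoring: 0 for a designated test user/host, otherwise 15. The Sigma
    // severity is Critical, so raise this before using it for risk-based alerting.
    $risk_score = max(if($registry.principal.user.userid = "user" and $registry.principal.hostname = "hostname", 0, 15))
    $principal_hostname = array_distinct($registry.principal.hostname)
    $principal_process_pid = array_distinct($registry.principal.process.pid)
    $principal_process_file_full_path = array_distinct($registry.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($registry.principal.process.product_specific_process_id)
    $principal_user_userid = array_distinct($registry.principal.user.userid)
    // The key and the value written: the value data is where the monitor program
    // path is expected to appear.
    $target_registry_key = array_distinct($registry.target.registry.registry_key)
    $target_registry_value = array_distinct($registry.target.registry.registry_value_data)

  condition:
    $registry
}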
Chronicle (YARA-L) Original YARA-L Critical T1003 ↗
rw_mimikatz_T1003
Detects a process launch whose command line contains the string "mimikatz" (case-insensitive).
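rule rw_mimikatz_T1003 {

  meta:
    author = "Google Cloud Security"
    description = "Detects the process mimikatz being issued from the command line."
    rule_id = "mr_fa96ead4-7f1f-4dbb-bacb-a526f985c12f"
    rule_name = "MITRE ATT&CK T1003 RW Mimikatz"
    tactic = "TA0006"
    technique = "T1003"
    type = "alert"
    platform = "Windows"
    data_source = "microsoft sysmon, microsoft windows events"
    severity = "Critical"
    priority = "High"

  events:
    $process.metadata.event_type = "PROCESS_LAUNCH"
    // Literal, case-insensitive substring match only. Renamed binaries and loaders
    // whose command line never mentions the name are not caught, while legitimate
    // security tooling that references mimikatz on its command line will be; add an
    // exclusion for known scanners if that is noisy.
    $process.target.process.command_line = /mimikatz/ nocase
    $process.principal.hostname = $hostname

  match:
    // Group per host. The original grouped on metadata.event_type, which is the
    // constant "PROCESS_LAUNCH" here, so every hit across the whole estate within a
    // 5-minute window collapsed into a single detection.
    $hostname over 5m

  outcome:
    $risk_score = 95
    $event_count = count_distinct($process.metadata.id)
    // Context surfaced on the alert graph: host, user, launching and launched process.
    $principal_hostname = array_distinct($process.principal.hostname)
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specific_process_id = array_distinct($process.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($process.principal.user.userid)

  condition:
    $process
}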
Chronicle (YARA-L) Original YARA-L Critical T1098 ↗
sap_change_documents_sensitive_profile_assignment
Detects the assignment of highly privileged SAP profiles via Change Documents.
rule sap_change_documents_sensitive_profile_assignment {

    meta:
        author = "Google Cloud Security"
        description = "Detects the assignment of highly privileged SAP profiles via Change Documents."
        severity = "Critical"
        tactic = "TA0004"
        technique = "T1098"

    events:
        // SAP change-document records whose object is an IDENTITY and whose table
        // key is exactly one of the two highly privileged profiles. The regex is
        // anchored at both ends, so partial or composite keys do not qualify.
        $cd.metadata.log_type = "SAP_CHANGE_DOCUMENT"
        $cd.target.resource.name = "IDENTITY"
        $cd.target.resource.attribute.labels["TABKEY"] = /^SAP_ALL$|^SAP_NEW$/
        // Group on the administrator who made the change.
        $cd.principal.user.userid = $principal_user


    match:
        $principal_user over 30m

    outcome:
        // Surfaced for triage: the changed object, the transaction used, the table
        // touched and the profile that was granted.
        $sensitive_profile_assigned = array_distinct($cd.target.resource.attribute.labels["TABKEY"])
        $target_user = array_distinct($cd.target.resource.product_object_id)
        $tcode = array_distinct($cd.target.application)
        $tabname = array_distinct($cd.target.resource.attribute.labels["TABNAME"])

    condition:
        $cd

}
Chronicle (YARA-L) Original YARA-L Critical T1098 ↗
sap_change_documents_sensitive_profile_assignment_data_table
Detects the assignment of highly privileged SAP profiles via Change Documents.
rule sap_change_documents_sensitive_profile_assignment_data_table {

    meta:
        author = "Google Cloud Security"
        description = "Detects the assignment of highly privileged SAP profiles via Change Documents."
        severity = "Critical"
        tactic = "TA0004"
        technique = "T1098"

    events:
        // Data-table variant of sap_change_documents_sensitive_profile_assignment:
        // the set of sensitive profiles comes from the "profile" column of the
        // sap_sensitive_profiles table instead of a hard-coded regex.
        $cd.metadata.log_type = "SAP_CHANGE_DOCUMENT"
        $cd.target.resource.name = "IDENTITY"
        $cd.target.resource.attribute.labels["TABKEY"] in %sap_sensitive_profiles.profile
        // Group on the administrator who made the change.
        $cd.principal.user.userid = $principal_user


    match:
        $principal_user over 30m

    outcome:
        // Surfaced for triage: the changed object, the transaction used, the table
        // touched and the profile that was granted.
        $sensitive_profile_assigned = array_distinct($cd.target.resource.attribute.labels["TABKEY"])
        $target_user = array_distinct($cd.target.resource.product_object_id)
        $tcode = array_distinct($cd.target.application)
        $tabname = array_distinct($cd.target.resource.attribute.labels["TABNAME"])

    condition:
        $cd

}
Chronicle (YARA-L) Original YARA-L Critical T1098 ↗
sap_change_documents_sensitive_role_assignment
Detects the assignment of highly privileged SAP roles via Change Documents.
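rule sap_change_documents_sensitive_role_assignment {

    meta:
        author = "Google Cloud Security"
        description = "Detects the assignment of highly privileged SAP roles via Change Documents."
        severity = "Critical"
        tactic = "TA0004"
        technique = "T1098"

    events:
        $e.metadata.log_type = "SAP_CHANGE_DOCUMENT"
        // Restrict to the role-to-user assignment table. Without this the rule also
        // fired on any change document about a listed role, e.g. edits to the role's
        // own authorization values, which sap_critical_authorization_value_changed
        // covers separately.
        $e.target.resource.attribute.labels["TABNAME"] = "AGR_USERS"
        // For AGR_USERS change documents product_object_id carries the role name
        // (the *_critical_role_assigned_to_new_user rules rely on the same mapping);
        // the sensitive-roles set comes from the "role" column of a data table.
        $e.target.resource.product_object_id in %sap_sensitive_roles.role

        $principal_user = $e.principal.user.userid


    match:
        $principal_user over 30m

    outcome:
        // NOTE(review): for AGR_USERS records product_object_id is the role, not the
        // user - the user name sits inside TABKEY (see how
        // sap_critical_role_assigned_to_new_user parses it). $target_user is kept
        // for compatibility with existing consumers; $assigned_role is the accurate
        // name for the same value.
        $target_user = array_distinct($e.target.resource.product_object_id)
        $assigned_role = array_distinct($e.target.resource.product_object_id)
        $tcode = array_distinct($e.target.application)
        $tabname = array_distinct($e.target.resource.attribute.labels["TABNAME"])
        $sensitive_role_assigned = array_distinct($e.target.resource.attribute.labels["TABKEY"])

    condition:
        $e

}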
Chronicle (YARA-L) Original YARA-L Critical T1098 ↗
sap_critial_role_assigned_to_new_user
Detects the assignment of high-privilege roles by correlating Change Documents (PFCG) with Security Audit logs (AUD) for IP attribution.
rule sap_critial_role_assigned_to_new_user {

  // NOTE(review): this rule's events, match, outcome and condition sections are
  // identical to sap_critical_role_assigned_to_new_user further down this page;
  // only the misspelled name ("critial") and the extra `name` meta differ.
  // Deploying both yields two detections per event. Keep the correctly spelled
  // rule and retire this one.
  meta:
    author = "Google Cloud Security"
    name = "SAP - Critical Authorization Assignment"
    description = "Detects the assignment of high-privilege roles by correlating Change Documents (PFCG) with Security Audit logs (AUD) for IP attribution."
    severity = "Critical"
    tactic = "TA0004"
    technique = "T1098"

  events:
    // Leg 1: a row inserted (CHNGIND "I") into AGR_USERS, i.e. a role assigned to a user.
    $change.metadata.log_type = "SAP_CHANGE_DOCUMENT"
    $change.target.resource.attribute.labels["TABNAME"] = "AGR_USERS"
    $change.target.resource.attribute.labels["CHNGIND"] = "I"

    $role = $change.target.resource.product_object_id

    // Leg 2: a Security Audit Log record with message AU7, which the outcome below
    // treats as the account-creation record; it supplies the source IP.
    $audit.metadata.log_type = "SAP_SECURITY_AUDIT"
    $audit.additional.fields["msg_1"] = "AU7"

    //join
    // The regex assumes a fixed key layout: 33 leading characters, then the user
    // name, then 16 digits. The user name is the captured group and must equal the
    // AU7 record's param1_1.
    $target_user = re.capture($change.target.resource.attribute.labels["TABKEY"], "^.{33}\\s*(\\S+)\\s*\\d{16}$")
    $target_user = $audit.additional.fields["param1_1"]

    $role in %sap_sensitive_roles.role

  match:
    // Both legs must fall inside the same hour; a role granted to an account
    // created earlier than that will not correlate.
    $target_user over 1h

  outcome:
    $user_that_created_account = array_distinct($audit.principal.user.userid)
    $user_that_assigned_role = array_distinct($change.principal.user.userid)
    $source_ip = array_distinct($audit.principal.ip)
    $assigned_role = array_distinct($role)
    $system_id = array_distinct($audit.target.application)
    $risk_score = 95

  condition:
    $change and $audit
}
Chronicle (YARA-L) Original YARA-L Critical T1098 ↗
sap_critical_authorization_value_changed
Detects the modification of sensitive authorization objects (CD1251) within a role. This identifies potential 'backdoor' privilege escalation where a standard role is granted administrative powers (e.g., Debugging or System Table access) via PFCG.
rule sap_critical_authorization_value_changed {

  meta:
    author = "Google Cloud Security"
    description = "Detects the modification of sensitive authorization objects (CD1251) within a role. This identifies potential 'backdoor' privilege escalation where a standard role is granted administrative powers (e.g., Debugging or System Table access) via PFCG."
    severity = "Critical"
    tactic = "TA0004"
    technique = "T1098"

  events:
    // Change documents written by the PFCG transaction against the CD1251 table,
    // i.e. a role's authorization values being inserted or updated. Changes made
    // through any other transaction are deliberately out of scope here.
    $cd.metadata.log_type = "SAP_CHANGE_DOCUMENT"
    $cd.target.application = "PFCG"
    $cd.target.resource.attribute.labels["TABNAME"] = "CD1251"
    $cd.target.resource.attribute.labels["CHNGIND"] = /J|U/

    // The role being edited and the administrator editing it are the grouping keys.
    $cd.target.resource.product_object_id = $role
    $cd.principal.user.userid = $admin

    // Authorization object name: the ten characters following the 33-character
    // prefix of the table key.
    $authobj = re.capture($cd.target.resource.attribute.labels["TABKEY"], "^.{33}(.{10})")

  match:
    $admin, $role over 1h

  outcome:
    $risk_score = 75
    // Who changed which role, which authorization object was touched and the value
    // it now holds.
    $admin_user = array_distinct($admin)
    $modified_role = array_distinct($role)
    $impacted_object = array_distinct($authobj)
    $new_value = array_distinct($cd.additional.fields["VALUE_NEW"])
    $system_id = array_distinct($cd.target.application)

  condition:
    $cd
}
Chronicle (YARA-L) Original YARA-L Critical T1098 ↗
sap_critical_role_assigned_to_new_user
Detects the assignment of high-privilege roles by correlating Change Documents (PFCG) with Security Audit logs (AUD) for IP attribution.
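rule sap_critical_role_assigned_to_new_user {

  meta:
    author = "Google Cloud Security"
    description = "Detects the assignment of high-privilege roles by correlating Change Documents (PFCG) with Security Audit logs (AUD) for IP attribution."
    severity = "Critical"
    tactic = "TA0004"
    technique = "T1098"

  events:
    // Leg 1: a row inserted (CHNGIND "I") into AGR_USERS, i.e. a role assigned to
    // a user, where the role is on the sensitive-roles data table.
    $change.metadata.log_type = "SAP_CHANGE_DOCUMENT"
    $change.target.resource.attribute.labels["TABNAME"] = "AGR_USERS"
    $change.target.resource.attribute.labels["CHNGIND"] = "I"

    $role = $change.target.resource.product_object_id
    $role in %sap_sensitive_roles.role

    // Leg 2: a Security Audit Log record with message AU7, which the outcome below
    // treats as the account-creation record; it supplies the source IP.
    $audit.metadata.log_type = "SAP_SECURITY_AUDIT"
    $audit.additional.fields["msg_1"] = "AU7"
    // Explicit non-empty join key. If the AGR_USERS key does not fit the regex the
    // capture is empty, and an AU7 record with an empty param1_1 would otherwise be
    // eligible to pair with it. YARA-L drops zero-value match keys by default, but
    // this keeps the intent visible and holds if allow_zero_values is ever enabled.
    $audit.additional.fields["param1_1"] != ""

    //join
    // The regex assumes a fixed key layout: 33 leading characters, then the user
    // name, then 16 digits. The captured user name must equal the AU7 record's param1_1.
    $target_user = re.capture($change.target.resource.attribute.labels["TABKEY"], "^.{33}\\s*(\\S+)\\s*\\d{16}$")
    $target_user = $audit.additional.fields["param1_1"]

  match:
    // Both legs must fall inside the same hour; a role granted to an account
    // created earlier than that will not correlate.
    $target_user over 1h

  outcome:
    $user_that_created_account = array_distinct($audit.principal.user.userid)
    $user_that_assigned_role = array_distinct($change.principal.user.userid)
    $source_ip = array_distinct($audit.principal.ip)
    $assigned_role = array_distinct($role)
    // NOTE(review): the other SAP rules on this page expose target.application as
    // the transaction code ($tcode); here it is labelled system_id - confirm which
    // it is for the audit-log parser.
    $system_id = array_distinct($audit.target.application)
    $risk_score = 95

  condition:
    $change and $audit
}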
Chronicle (YARA-L) Original YARA-L Critical T1090.003 ↗
vt_relationships_file_contacts_tor_ip
Alert on known Hash contacting Tor IP with VT Relationships.
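rule vt_relationships_file_contacts_tor_ip {

  meta:
    author = "Google Cloud Security"
    description = "Alert on known Hash contacting Tor IP with VT Relationships."
    rule_id = "mr_a6f8b114-8fdb-4f39-8820-8961dcbb1079"
    rule_name = "VT Relationships File Contacts Tor IP"
    tactic = "TA0011"
    technique = "T1090.003"
    type = "alert"
    tags = "vt, tor"
    data_source = "microsoft defender atp"
    severity = "Critical"
    priority = "High"

  events:
    // Endpoint network-connection telemetry. The initiating process must carry a
    // SHA-256: it is the key for the VirusTotal join, and an empty hash must not be
    // allowed to match (same guard as google_safebrowsing_file_contacts_tor_exit_node).
    $network.metadata.event_type = "NETWORK_CONNECTION"
    $network.principal.process.file.sha256 != ""
    $network.principal.process.file.sha256 = $file_hash
    $network.target.ip = $ip
    $network.principal.hostname = $hostname

    // Uses VirusTotal integration via entity graph, this section maps to principal process file hash
    $vt.graph.metadata.entity_type = "FILE"
    $vt.graph.metadata.source_type = "GLOBAL_CONTEXT"
    $vt.graph.metadata.vendor_name = "VirusTotal"
    $vt.graph.metadata.product_name = "VirusTotal Relationships"
    $vt.graph.entity.file.sha256 = $file_hash

    // Uses VirusTotal integration via entity graph, this section maps the hash to the ip address it contacts.
    // The observed destination must be one VirusTotal has already seen this file contact.
    $vt.graph.relations.entity_type = "IP_ADDRESS"
    $vt.graph.relations.relationship = "CONTACTS"
    $vt.graph.relations.entity.ip = $ip

    // Tor IP listing provided by GCTI Feed
    $gcti.graph.entity.artifact.ip = $ip
    $gcti.graph.metadata.entity_type = "IP_ADDRESS"
    $gcti.graph.metadata.source_type = "GLOBAL_CONTEXT"
    $gcti.graph.metadata.threat.threat_feed_name = "Tor Exit Nodes"
    $gcti.graph.metadata.vendor_name = "Google Cloud Threat Intelligence"
    $gcti.graph.metadata.product_name = "GCTI Feed"

  match:
    // One detection per host per 5 minutes.
    $hostname over 5m

  outcome:
    // Score: 70 when the Tor listing is HIGH_CONFIDENCE, plus 20 when the destination
    // geolocates to a listed country. The condition does not require high confidence,
    // so a detection can carry a score as low as 0 - keep that in mind when routing
    // on risk_score. NOTE(review): the country strings must match the GeoIP
    // enrichment's naming exactly; confirm e.g. "Russia" is what the enrichment emits.
    $risk_score = max(
        if($gcti.graph.metadata.threat.confidence = "HIGH_CONFIDENCE", 70) +
        // Unauthorized target geographies
        if($network.target.ip_geo_artifact.location.country_or_region = "Cuba", 20) +
        if($network.target.ip_geo_artifact.location.country_or_region = "Iran", 20) +
        if($network.target.ip_geo_artifact.location.country_or_region = "North Korea", 20) +
        if($network.target.ip_geo_artifact.location.country_or_region = "Russia", 20) +
        if($network.target.ip_geo_artifact.location.country_or_region = "Syria", 20)
    )
    $event_count = count_distinct($network.metadata.id)
    $count_file_hash = count_distinct($file_hash)
    $count_tor_ips = count_distinct($ip)
    $tor_geoip_country = array_distinct($network.target.ip_geo_artifact.location.country_or_region)
    $tor_geoip_state = array_distinct($network.target.ip_geo_artifact.location.state)
    // added to populate alert graph with additional context
    $principal_ip = array_distinct($network.principal.ip)
    $target_ip = array_distinct($network.target.ip)
    $principal_process_pid = array_distinct($network.principal.process.pid)
    $principal_process_command_line = array_distinct($network.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($network.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($network.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($network.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($network.principal.process.parent_process.product_specific_process_id)
    //$target_process_pid = array_distinct($network.target.process.pid)
    //$target_process_command_line = array_distinct($network.target.process.command_line)
    //$target_process_file_sha256 = array_distinct($network.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($network.target.process.file.full_path)
    //$target_process_product_specific_process_id = array_distinct($network.target.process.product_specific_process_id)
    //$target_process_parent_process_product_specific_process_id = array_distinct($network.target.process.parent_process.product_specific_process_id)
    $principal_user_userid = array_distinct($network.principal.user.userid)
    //$target_user_userid = array_distinct($network.target.user.userid)
    $target_url = array_distinct($network.target.url)

  condition:
    // The flow, the VirusTotal file-contacts-IP relationship and the Tor listing must all be present.
    $network and $vt and $gcti
}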
Chronicle (YARA-L) Original YARA-L High T1078 ↗
aws_api_call_outside_of_organization
Detects API Calls from AWS accounts that are not part of the organization.
rule aws_api_call_outside_of_organization {

  meta:
    author = "Google Cloud Security"
    description = "Detects API Calls from AWS accounts that are not part of the organization."
    rule_id = "mr_205120b7-6654-410a-ab6d-e40484e2fafb"
    rule_name = "AWS API Call Outside Of Organization"
    mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    mitre_attack_technique = "Valid Accounts: Cloud Accounts"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1078/004/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "AWS CloudTrail"
    platform = "AWS"
    severity = "High"
    priority = "High"

  events:
    // CloudTrail records only.
    $ct.metadata.vendor_name = "AMAZON"
    $ct.metadata.product_name = "AWS CloudTrail"
    // The account that received the call is the grouping key.
    $ct.additional.fields["recipientAccountId"] = $accountId
    // Requires a Reference List named aws_accounts with a list of approved and known AWS Account IDs.
    // Neither the calling identity's nor the target identity's account may be on
    // that list. NOTE(review): a record with no group_identifiers at all may also
    // satisfy "not in list" - confirm how such records (service or unauthenticated
    // calls) are treated before relying on this in production.
    not $ct.principal.user.group_identifiers in %aws_accounts
    not $ct.target.user.group_identifiers in %aws_accounts

  match:
    // One detection per recipient account per hour.
    $accountId over 1h

  outcome:
    $risk_score = max(75)
    $mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    $mitre_attack_technique = "Valid Accounts: Cloud Accounts"
    $mitre_attack_technique_id = "T1078.004"
    $event_count = count_distinct($ct.metadata.id)
    // Who called, from where, with what client, against which resources.
    $principal_user_display_name = array_distinct($ct.principal.user.user_display_name)
    $principal_ip = array_distinct($ct.principal.ip)
    $principal_ip_country = array_distinct($ct.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($ct.principal.ip_geo_artifact.location.state)
    $network_http_user_agent = array_distinct($ct.network.http.user_agent)
    $aws_region = array_distinct($ct.principal.location.name)
    $recipient_aws_account_id = array_distinct($ct.additional.fields["recipientAccountId"])
    $product_event_type = array_distinct($ct.metadata.product_event_type)
    $target_resource_name = array_distinct($ct.target.resource.name)
    $target_resource_product_object_id = array_distinct($ct.target.resource.product_object_id)

  condition:
    $ct
}
Chronicle (YARA-L) Original YARA-L High T1071 ↗
aws_guardduty_black_hole_traffic_detected
Amazon GuardDuty detects an Amazon EC2 instance or a container attempting to communicate with a black hole IP address.
rule aws_guardduty_black_hole_traffic_detected {

  meta:
    author = "Google Cloud Security"
    description = "Amazon GuardDuty detects an Amazon EC2 instance or a container attempting to communicate with a black hole IP address."
    rule_id = "mr_8ac55f38-9c11-4f51-89cd-c40e9b6238b3"
    rule_name = "AWS GuardDuty Black Hole Traffic Detected"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "Application Layer Protocol"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1071/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "AWS GuardDuty"
    platform = "AWS"
    severity = "High"
    priority = "High"

  events:
    // Single-event rule (no match section): every qualifying GuardDuty finding
    // becomes its own detection.
    $gd.metadata.vendor_name = "AMAZON"
    $gd.metadata.product_name = "AWS GuardDuty"
    // Unanchored, so any finding type that contains the token qualifies, whichever
    // resource family (EC2, container) it is reported for.
    $gd.metadata.product_event_type = /BlackholeTraffic/
    //Filter out sample findings
    $gd.security_result.about.labels["Sample"] != "true"

  outcome:
    $risk_score = max(35)
    $mitre_attack_tactic = "Command and Control"
    $mitre_attack_technique = "Application Layer Protocol"
    $mitre_attack_technique_id = "T1071"
    $event_count = count_distinct($gd.metadata.id)
    // Affected resource and region, as reported by GuardDuty.
    $aws_region = $gd.target.location.name
    $target_resource_name = $gd.target.resource.name
    $target_resource_product_object_id = $gd.target.resource.product_object_id
    $principal_user_display_name = $gd.principal.user.user_display_name
    $principal_ip = array_distinct($gd.principal.ip)
    $principal_ip_country = array_distinct($gd.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($gd.principal.ip_geo_artifact.location.state)
    // GuardDuty's own summary, description and severity, passed through for triage.
    $metadata_product_event_type = array_distinct($gd.metadata.product_event_type)
    $security_result_summary = array_distinct($gd.security_result.summary)
    $security_result_description = array_distinct($gd.security_result.description)
    $security_result_severity = array_distinct($gd.security_result.severity)
    $security_result_severity_details = array_distinct($gd.security_result.severity_details)

  condition:
    $gd
}
Chronicle (YARA-L) Original YARA-L High T1071 ↗
aws_guardduty_command_and_control_activity_detected
Amazon GuardDuty detects Command and control activity in Amazon EC2, AWS Lambda or Amazon EKS Runtimes.
Show query
rule aws_guardduty_command_and_control_activity_detected {

  meta:
    author = "Google Cloud Security"
    description = "Amazon GuardDuty detects Command and control activity in Amazon EC2, AWS Lambda or Amazon EKS Runtimes."
    rule_id = "mr_dc0c33c7-35e3-44e2-b149-99212f3e54c6"
    rule_name = "AWS GuardDuty Command And Control Activity Detected"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "Application Layer Protocol"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1071/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "AWS GuardDuty"
    platform = "AWS"
    severity = "High"
    priority = "High"

  events:
    // Single-event rule (no match section): every qualifying GuardDuty finding
    // becomes its own detection.
    $gd.metadata.vendor_name = "AMAZON"
    $gd.metadata.product_name = "AWS GuardDuty"
    // Unanchored, so any finding type that contains the token qualifies, whichever
    // runtime (EC2, Lambda, EKS) it is reported for.
    $gd.metadata.product_event_type = /C&CActivity/
    //Filter out sample findings
    $gd.security_result.about.labels["Sample"] != "true"

  outcome:
    $risk_score = max(35)
    $mitre_attack_tactic = "Command and Control"
    $mitre_attack_technique = "Application Layer Protocol"
    $mitre_attack_technique_id = "T1071"
    $event_count = count_distinct($gd.metadata.id)
    // Affected resource and region, as reported by GuardDuty.
    $aws_region = $gd.target.location.name
    $target_resource_name = $gd.target.resource.name
    $target_resource_product_object_id = $gd.target.resource.product_object_id
    $principal_user_display_name = $gd.principal.user.user_display_name
    $principal_ip = array_distinct($gd.principal.ip)
    $principal_ip_country = array_distinct($gd.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($gd.principal.ip_geo_artifact.location.state)
    // GuardDuty's own summary, description and severity, passed through for triage.
    $metadata_product_event_type = array_distinct($gd.metadata.product_event_type)
    $security_result_summary = array_distinct($gd.security_result.summary)
    $security_result_description = array_distinct($gd.security_result.description)
    $security_result_severity = array_distinct($gd.security_result.severity)
    $security_result_severity_details = array_distinct($gd.security_result.severity_details)

  condition:
    $gd
}
Chronicle (YARA-L) Original YARA-L High T1204 ↗
aws_guardduty_malicious_or_suspicious_file_executed
Amazon GuardDuty detects a malicious or suspicious file on an Amazon EC2 instance or a container workload.
rule aws_guardduty_malicious_or_suspicious_file_executed {

  meta:
    author = "Google Cloud Security"
    description = "Amazon GuardDuty detects a malicious or suspicious file on an Amazon EC2 instance or a container workload."
    rule_id = "mr_a5d8f51c-d0de-4169-99e2-d3eaa02b266c"
    rule_name = "AWS GuardDuty Malicious Or Suspicious File Executed"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "User Execution: Malicious File"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1204/002/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "AWS GuardDuty"
    platform = "AWS"
    severity = "High"
    priority = "High"

  events:
    // Single-event rule (no match section): each qualifying GuardDuty finding
    // becomes its own detection.
    // Findings carrying the "Sample" label are dropped first.
    $guardduty.security_result.about.labels["Sample"] != "true"
    // Finding family: malware-scan finding types for files
    // (re.regex is the long form of `= /MaliciousFile|SuspiciousFile/`).
    re.regex($guardduty.metadata.product_event_type, `MaliciousFile|SuspiciousFile`)
    $guardduty.metadata.product_name = "AWS GuardDuty"
    $guardduty.metadata.vendor_name = "AMAZON"

  outcome:
    // Fixed baseline risk for this finding family.
    $risk_score = max(35)
    $event_count = count_distinct($guardduty.metadata.id)
    $metadata_product_event_type = array_distinct($guardduty.metadata.product_event_type)
    // GuardDuty's own severity and narrative are carried onto the detection.
    $security_result_summary = array_distinct($guardduty.security_result.summary)
    $security_result_description = array_distinct($guardduty.security_result.description)
    $security_result_severity = array_distinct($guardduty.security_result.severity)
    $security_result_severity_details = array_distinct($guardduty.security_result.severity_details)
    // Where: region and affected resource.
    $aws_region = $guardduty.target.location.name
    $target_resource_name = $guardduty.target.resource.name
    $target_resource_product_object_id = $guardduty.target.resource.product_object_id
    // Who: source address, its geolocation and the user, when present.
    $principal_ip = array_distinct($guardduty.principal.ip)
    $principal_ip_country = array_distinct($guardduty.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($guardduty.principal.ip_geo_artifact.location.state)
    $principal_user_display_name = $guardduty.principal.user.user_display_name
    // ATT&CK mapping exposed on the detection.
    $mitre_attack_tactic = "Execution"
    $mitre_attack_technique = "User Execution: Malicious File"
    $mitre_attack_technique_id = "T1204.002"

  condition:
    $guardduty
}
Chronicle (YARA-L) Original YARA-L High T1090 ↗
aws_guardduty_tor_network_activity_detected
Amazon GuardDuty detects Tor Network activity in an AWS account.
rule aws_guardduty_tor_network_activity_detected {

  meta:
    author = "Google Cloud Security"
    description = "Amazon GuardDuty detects Tor Network activity in an AWS account."
    rule_id = "mr_abbc8f85-d4a3-4579-b444-19e6944f49d1"
    rule_name = "AWS GuardDuty Tor Network Activity Detected"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "Proxy: Multi-hop Proxy"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1090/003/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "AWS GuardDuty"
    platform = "AWS"
    severity = "High"
    priority = "High"

  events:
    // Single-event rule (no match section): each qualifying GuardDuty finding
    // becomes its own detection.
    // Findings carrying the "Sample" label are dropped first.
    $guardduty.security_result.about.labels["Sample"] != "true"
    // Finding family: the three Tor-related finding types
    // (re.regex is the long form of `= /TorIPCaller|TorRelay|TorClient/`).
    re.regex($guardduty.metadata.product_event_type, `TorIPCaller|TorRelay|TorClient`)
    $guardduty.metadata.product_name = "AWS GuardDuty"
    $guardduty.metadata.vendor_name = "AMAZON"

  outcome:
    // Fixed baseline risk for this finding family.
    $risk_score = max(35)
    $event_count = count_distinct($guardduty.metadata.id)
    $metadata_product_event_type = array_distinct($guardduty.metadata.product_event_type)
    // GuardDuty's own severity and narrative are carried onto the detection.
    $security_result_summary = array_distinct($guardduty.security_result.summary)
    $security_result_description = array_distinct($guardduty.security_result.description)
    $security_result_severity = array_distinct($guardduty.security_result.severity)
    $security_result_severity_details = array_distinct($guardduty.security_result.severity_details)
    // Where: region and affected resource.
    $aws_region = $guardduty.target.location.name
    $target_resource_name = $guardduty.target.resource.name
    $target_resource_product_object_id = $guardduty.target.resource.product_object_id
    // Who: source address, its geolocation and the user, when present.
    $principal_ip = array_distinct($guardduty.principal.ip)
    $principal_ip_country = array_distinct($guardduty.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($guardduty.principal.ip_geo_artifact.location.state)
    $principal_user_display_name = $guardduty.principal.user.user_display_name
    // ATT&CK mapping exposed on the detection.
    $mitre_attack_tactic = "Command and Control"
    $mitre_attack_technique = "Proxy: Multi-hop Proxy"
    $mitre_attack_technique_id = "T1090.003"

  condition:
    $guardduty
}
Chronicle (YARA-L) Original YARA-L High T1098 ↗
aws_iam_activity_by_s3_browser_utility
Detect AWS IAM activities associated with the S3 Browser utility.
rule aws_iam_activity_by_s3_browser_utility {

  meta:
    author = "Google Cloud Security"
    description = "Detect AWS IAM activities associated with the S3 Browser utility."
    rule_id = "mr_003e618f-e099-4c72-a170-03d2e03836f9"
    rule_name = "AWS IAM Activity By S3 Browser Utility"
    reference = "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "Account Manipulation"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1098/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "AWS CloudTrail"
    platform = "AWS"
    severity = "High"
    priority = "High"

  events:
    // The tool identifies itself through the HTTP user agent
    // (re.regex is the long form of `= /S3 Browser/`).
    re.regex($cloudtrail.network.http.user_agent, `S3 Browser`)
    // CloudTrail records for the IAM service only, and only calls that succeeded.
    $cloudtrail.metadata.vendor_name = "AMAZON"
    $cloudtrail.metadata.product_name = "AWS CloudTrail"
    $cloudtrail.target.application = "iam.amazonaws.com"
    $cloudtrail.security_result.action = "ALLOW"
    // Persistence-style IAM actions: new user, console password, access key, inline policy.
    (
      $cloudtrail.metadata.product_event_type = "CreateUser" or
      $cloudtrail.metadata.product_event_type = "CreateLoginProfile" or
      $cloudtrail.metadata.product_event_type = "CreateAccessKey" or
      $cloudtrail.metadata.product_event_type = "PutUserPolicy"
    )
    // Source address is the grouping key.
    $cloudtrail.principal.ip = $ip

  match:
    // One detection per source address per hour.
    $ip over 1h

  outcome:
    $risk_score = max(75)
    $event_count = count_distinct($cloudtrail.metadata.id)
    // What was touched: account, region and IAM resource.
    $recipient_aws_account_id = array_distinct($cloudtrail.additional.fields["recipientAccountId"])
    $aws_region = array_distinct($cloudtrail.principal.location.name)
    $target_resource_name = array_distinct($cloudtrail.target.resource.name)
    $target_resource_product_object_id = array_distinct($cloudtrail.target.resource.product_object_id)
    $target_user_display_name = array_distinct($cloudtrail.target.user.user_display_name)
    // Who did it: user agent, address and geolocation.
    $network_http_user_agent = array_distinct($cloudtrail.network.http.user_agent)
    $principal_ip = array_distinct($cloudtrail.principal.ip)
    $principal_ip_country = array_distinct($cloudtrail.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($cloudtrail.principal.ip_geo_artifact.location.state)
    // ATT&CK mapping exposed on the detection.
    $mitre_attack_tactic = "Persistence"
    $mitre_attack_technique = "Account Manipulation"
    $mitre_attack_technique_id = "T1098"

  condition:
    $cloudtrail
}
Chronicle (YARA-L) Original YARA-L High T1098 ↗
aws_iam_activity_from_ec2_instance
Detect AWS IAM activities made by AWS EC2 instances to retain access or escalate privileges.
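rule aws_iam_activity_from_ec2_instance {

  meta:
    author = "Google Cloud Security"
    description = "Detect AWS IAM activities made by AWS EC2 instances to retain access or escalate privileges."
    rule_id = "mr_60c7bb2f-2f02-4ac5-bbe0-ba8be871f3fb"
    rule_name = "AWS IAM Activity From EC2 Instance"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "Account Manipulation"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1098/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "AWS CloudTrail"
    platform = "AWS"
    severity = "High"
    priority = "High"

  events:
    // CloudTrail records for the IAM service only.
    $cloudtrail.metadata.vendor_name = "AMAZON"
    $cloudtrail.metadata.product_name = "AWS CloudTrail"
    $cloudtrail.target.application = "iam.amazonaws.com"
    // IAM actions that create principals or widen their permissions.
    (
    $cloudtrail.metadata.product_event_type = "CreateUser" or
    $cloudtrail.metadata.product_event_type = "AttachUserPolicy" or
    $cloudtrail.metadata.product_event_type = "CreateLoginProfile" or
    $cloudtrail.metadata.product_event_type = "UpdateLoginProfile" or
    $cloudtrail.metadata.product_event_type = "CreateAccessKey" or
    $cloudtrail.metadata.product_event_type = "CreateGroup" or
    $cloudtrail.metadata.product_event_type = "AttachGroupPolicy" or
    $cloudtrail.metadata.product_event_type = "CreateRole" or
    $cloudtrail.metadata.product_event_type = "AttachRolePolicy"
    )
    // Only calls that succeeded; source address is the grouping key.
    $cloudtrail.security_result.action = "ALLOW"
    $cloudtrail.principal.ip = $ip
    // The caller is an STS assumed-role session whose session name is an EC2
    // instance id (i- followed by 8 or 17 hex characters), which is how instance
    // profile credentials appear in CloudTrail. The regex is anchored on the
    // full ".../<role>/i-<id>" tail; the previous /\/i-.*$/ also matched any
    // "/i-" substring elsewhere in the value. The session name is chosen by the
    // caller, so the instance id is a lead, not proof, of which instance acted.
    $cloudtrail.principal.resource.type = "AssumedRole"
    $cloudtrail.principal.user.userid = /:assumed-role\/[^\/]+\/i-[0-9a-f]{8,17}$/
    // Capture the last path segment (the instance id) for the outcome section.
    re.capture($cloudtrail.principal.user.userid, ":assumed-role/.*/(.*)$") = $instanceId

  match:
    // One detection per source address per hour.
    $ip over 1h

  outcome:
    $risk_score = max(35)
    $mitre_attack_tactic = "Persistence"
    $mitre_attack_technique = "Account Manipulation"
    $mitre_attack_technique_id = "T1098"
    $event_count = count_distinct($cloudtrail.metadata.id)
    // Who did it: user agent, address, geolocation and display name.
    $network_http_user_agent = array_distinct($cloudtrail.network.http.user_agent)
    $principal_ip = array_distinct($cloudtrail.principal.ip)
    $principal_ip_country = array_distinct($cloudtrail.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($cloudtrail.principal.ip_geo_artifact.location.state)
    $principal_user_display_name = array_distinct($cloudtrail.principal.user.user_display_name)
    // What was touched: account, region and IAM resource.
    $recipient_aws_account_id = array_distinct($cloudtrail.additional.fields["recipientAccountId"])
    $aws_region = array_distinct($cloudtrail.principal.location.name)
    $target_resource_name = array_distinct($cloudtrail.target.resource.name)
    $target_resource_product_object_id = array_distinct($cloudtrail.target.resource.product_object_id)
    // Instance id(s) extracted from the assumed-role session name.
    $ec2_instance_id = array_distinct($instanceId)

  condition:
    $cloudtrail
}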
Chronicle (YARA-L) Original YARA-L High T1078 ↗
aws_iam_administrator_access_policy_attached
Detects when AWS IAM AdministratorAccess policy is attached to a user, group or role which can be used for privilege escalation.
rule aws_iam_administrator_access_policy_attached {

  meta:
    author = "Google Cloud Security"
    description = "Detects when AWS IAM AdministratorAccess policy is attached to a user, group or role which can be used for privilege escalation."
    rule_id = "mr_52c6643b-f6ce-4299-9fb6-05554901800c"
    rule_name = "AWS IAM Administrator Access Policy Attached"
    mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    mitre_attack_technique = "Valid Accounts: Cloud Accounts"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1078/004/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "AWS CloudTrail"
    platform = "AWS"
    severity = "High"
    priority = "High"

  events:
    // Single-event rule (no match section): every successful attachment of the
    // AWS-managed AdministratorAccess policy is its own detection.
    $cloudtrail.target.resource.name = "arn:aws:iam::aws:policy/AdministratorAccess"
    $cloudtrail.security_result.action = "ALLOW"
    // Any of the three principal kinds a managed policy can be attached to.
    (
        $cloudtrail.metadata.product_event_type = "AttachUserPolicy" or
        $cloudtrail.metadata.product_event_type = "AttachGroupPolicy" or
        $cloudtrail.metadata.product_event_type = "AttachRolePolicy"
    )
    // CloudTrail only.
    $cloudtrail.metadata.product_name = "AWS CloudTrail"
    $cloudtrail.metadata.vendor_name = "AMAZON"

  outcome:
    $risk_score = max(75)
    $event_count = count_distinct($cloudtrail.metadata.id)
    // What was touched: account, region and the policy ARN.
    $recipient_aws_account_id = $cloudtrail.additional.fields["recipientAccountId"]
    $aws_region = $cloudtrail.principal.location.name
    $target_resource_name = $cloudtrail.target.resource.name
    $target_resource_product_object_id = $cloudtrail.target.resource.product_object_id
    // Who did it: user agent, address, geolocation and display name.
    $network_http_user_agent = $cloudtrail.network.http.user_agent
    $principal_user_display_name = $cloudtrail.principal.user.user_display_name
    $principal_ip = array_distinct($cloudtrail.principal.ip)
    $principal_ip_country = array_distinct($cloudtrail.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($cloudtrail.principal.ip_geo_artifact.location.state)
    // ATT&CK mapping exposed on the detection.
    $mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    $mitre_attack_technique = "Valid Accounts: Cloud Accounts"
    $mitre_attack_technique_id = "T1078.004"

  condition:
    $cloudtrail
}
Chronicle (YARA-L) Original YARA-L High T1204 ↗
aws_successful_api_from_tor_exit_node
Detects successful API executions from a Tor exit node.
rule aws_successful_api_from_tor_exit_node {

  meta:
    author = "Google Cloud Security"
    description = "Detects successful API executions from a Tor exit node."
    rule_id = "mr_17232c2a-188e-4d6e-85b6-836cdc779655"
    rule_name = "AWS Successful API From Tor Exit Node"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "User Execution"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1204/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "AWS CloudTrail"
    platform = "AWS"
    severity = "High"
    priority = "High"

  events:
    // Tor exit node list from the GCTI Feed; joined to the API call on $ip.
    // The entity is pinned by product_name, feed name and source_type only;
    // no vendor_name constraint is applied.
    $gcti_feed.graph.metadata.product_name = "GCTI Feed"
    $gcti_feed.graph.metadata.threat.threat_feed_name = "Tor Exit Nodes"
    $gcti_feed.graph.metadata.source_type = "GLOBAL_CONTEXT"
    $gcti_feed.graph.metadata.entity_type = "IP_ADDRESS"
    $gcti_feed.graph.entity.artifact.ip = $ip

    // Any successful CloudTrail API call whose source address is on that list.
    $api.principal.ip = $ip
    $api.security_result.action = "ALLOW"
    $api.metadata.product_name = "AWS CloudTrail"
    $api.metadata.vendor_name = "AMAZON"

  match:
    // One detection per source address per five minutes.
    $ip over 5m

  outcome:
    // Baseline 35, plus 40 when the source geolocates to one of the listed
    // countries (at most one country clause can be true for a given event).
    $risk_score = max(
        //Baseline
        35 +
        // Unauthorized geographies
        if($api.principal.ip_geo_artifact.location.country_or_region = "Cuba", 40) +
        if($api.principal.ip_geo_artifact.location.country_or_region = "Iran", 40) +
        if($api.principal.ip_geo_artifact.location.country_or_region = "North Korea" , 40) +
        if($api.principal.ip_geo_artifact.location.country_or_region = "Russia", 40) +
        if($api.principal.ip_geo_artifact.location.country_or_region = "Syria", 40)
    )
    $event_count = count_distinct($api.metadata.id)
    // Who: addresses, geolocation, users (list and distinct count) and auth details.
    $principal_ip = array_distinct($api.principal.ip)
    $principal_ip_country = array_distinct($api.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($api.principal.ip_geo_artifact.location.state)
    $principal_user_display_name = array_distinct($api.principal.user.user_display_name)
    $dc_principal_user_display_name = count_distinct($api.principal.user.user_display_name)
    $network_http_user_agent = array_distinct($api.network.http.user_agent)
    // Despite the name this carries the raw auth_details values, not a boolean.
    $is_mfa_used = array_distinct($api.extensions.auth.auth_details)
    // What was touched.
    $target_resource_name = array_distinct($api.target.resource.name)
    $target_resource_product_object_id = array_distinct($api.target.resource.product_object_id)
    // ATT&CK mapping exposed on the detection.
    $mitre_attack_tactic = "Execution"
    $mitre_attack_technique = "User Execution"
    $mitre_attack_technique_id = "T1204"

  condition:
    $api and $gcti_feed
}
Chronicle (YARA-L) Original YARA-L High T1059.001 ↗
base64_encoded_powershell_command_detected
Detects usage of the "FromBase64String" function in the command line, which is used to decode a base64-encoded string
rule base64_encoded_powershell_command_detected {

  meta:
    author = "Florian Roth (Nextron Systems)"
    description = "Detects usage of the \"FromBase64String\" function in the commandline which is used to decode a base64 encoded string"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "Base64 Encoded PowerShell Command Detected"
    sigma_uuid = "e32d4572-9826-4738-b651-95fa63747e8a"
    sigma_status = "test"
    rule_id = "mr_a3603334-35e3-4050-b94e-f79aeccb899a"
    tactic = "TA0002"
    technique = "T1059.001"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "High"
    priority = "High"
    false_positives = "Administrative script libraries"

  events:
    // Process creation whose command line contains the .NET static call
    // "::FromBase64String(" (compared case-insensitively by lowering the
    // command line first). Note this matches the substring anywhere, not only
    // in powershell.exe launches.
    $process.metadata.event_type = "PROCESS_LAUNCH"
    strings.contains(strings.to_lower($process.target.process.command_line), "::frombase64string(")
    // Host is the grouping key.
    $process.principal.hostname = $hostname

  match:
    // One detection per host per five minutes.
    $hostname over 5m

  outcome:
    // Risk 15 by default; the "user"/"hostname" literals are a placeholder
    // showing how to zero the score for a known test account/host.
    $risk_score = max(if($process.principal.user.userid = "user" and $process.principal.hostname = "hostname", 0, 15))
    $principal_user_userid = array_distinct($process.principal.user.userid)
    $log_type = array_distinct(strings.concat($process.metadata.log_type,"/",$process.metadata.product_event_type))
    // Launched (target) process.
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specfic_process_id = array_distinct($process.target.process.product_specific_process_id)
    // Launching (principal) process and its parent.
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    $principal_process_product_specfic_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specfic_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)

  condition:
    $process
}
Chronicle (YARA-L) Original YARA-L High T1112 ↗
blackbyte_ransomware_registry
BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption
rule blackbyte_ransomware_registry {

  meta:
    author = "frack113"
    description = "BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "Blackbyte Ransomware Registry"
    rule_id = "mr_83d31958-2537-4ac7-bee2-1d6e193c892f"
    sigma_uuid = "83314318-052a-4c90-a1ad-660ece38d276"
    sigma_status = "test"
    tactic = "TA0005"
    technique = "T1112"
    type = "Detection"
    data_source = "Windows Registry"
    platform = "Windows"
    severity = "High"
    priority = "High"
    false_positives = "Unknown"

  events:
    $reg.metadata.event_type = "REGISTRY_MODIFICATION"
    // The written value must be exactly 1, as rendered in the "DWORD (0x...)"
    // string form of the source log. Predicates in this section are ANDed, so
    // splitting the original "(keys) and value" expression is equivalent.
    $reg.target.registry.registry_value_data = "DWORD (0x00000001)" nocase
    // One of the three policy/filesystem keys the Sigma rule attributes to
    // BlackByte. Key paths are in HKLM\... short form; confirm this matches
    // how the registry source renders hive names.
    (
        $reg.target.registry.registry_key = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy" nocase or
        $reg.target.registry.registry_key = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections" nocase or
        $reg.target.registry.registry_key = "HKLM\\SYSTEM\\CurrentControlSet\\Control\\FileSystem\\LongPathsEnabled" nocase
    )
    // Host is the grouping key.
    $reg.principal.hostname = $hostname

  match:
    // One detection per host per five minutes.
    $hostname over 5m

  outcome:
    // Risk 15 by default; the "user"/"hostname" literals are a placeholder
    // showing how to zero the score for a known test account/host.
    $risk_score = max(if($reg.principal.user.userid = "user" and $reg.principal.hostname = "hostname", 0, 15))
    $log_type = array_distinct(strings.concat($reg.metadata.log_type,"/",$reg.metadata.product_event_type))
    // Registry key and value that were written.
    $target_registry_key = array_distinct($reg.target.registry.registry_key)
    $target_registry_value_data = array_distinct($reg.target.registry.registry_value_data)
    // Host, writing process and user.
    $principal_hostname = array_distinct($reg.principal.hostname)
    $principal_user_userid = array_distinct($reg.principal.user.userid)
    $principal_process_pid = array_distinct($reg.principal.process.pid)
    $principal_process_file_full_path = array_distinct($reg.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($reg.principal.process.product_specific_process_id)

  condition:
    $reg
}
Chronicle (YARA-L) Original YARA-L High T1003.001 ↗
create_dump_process_dump
Detects use of the createdump.exe LOLBIN utility to dump process memory
rule create_dump_process_dump {

  meta:
    author = "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"
    description = "Detects uses of the createdump.exe LOLOBIN utility to dump process memory"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_createdump_lolbin_execution.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "CreateDump Process Dump"
    sigma_uuid = "515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48"
    sigma_status = "test"
    rule_id = "mr_20772389-ecc9-4598-9241-843172e1dd43"
    tactic = "TA0006"
    technique = "T1003.001"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "High"
    priority = "High"
    false_positives = "Command lines that use the same flags"

  events:
    $process.metadata.event_type = "PROCESS_LAUNCH"
    // Either the launched image is createdump.exe, or the src.process path
    // carries that bare file name (the mapping of the Sigma OriginalFileName
    // clause, presumably; confirm against the parser).
    (
      re.regex($process.target.process.file.full_path, `\\createdump\.exe$`) nocase or
      $process.src.process.file.full_path = "createdump.exe" nocase
    )
    // Plus one of the dump-related switches or a .dmp output path on the
    // lowered command line. The surrounding spaces make these whole-token
    // checks, so a trailing "-f" with no following space would not match.
    (
      strings.contains(strings.to_lower($process.target.process.command_line), ".dmp ") or
      strings.contains(strings.to_lower($process.target.process.command_line), " --name ") or
      strings.contains(strings.to_lower($process.target.process.command_line), " --full ") or
      strings.contains(strings.to_lower($process.target.process.command_line), " -f ") or
      strings.contains(strings.to_lower($process.target.process.command_line), " -u ")
    )
    // Host is the grouping key.
    $process.principal.hostname = $hostname

  match:
    // One detection per host per five minutes.
    $hostname over 5m

  outcome:
    // Risk 15 by default; the "user"/"hostname" literals are a placeholder
    // showing how to zero the score for a known test account/host.
    $risk_score = max(if($process.principal.user.userid = "user" and $process.principal.hostname = "hostname", 0, 15))
    $principal_user_userid = array_distinct($process.principal.user.userid)
    $log_type = array_distinct(strings.concat($process.metadata.log_type,"/",$process.metadata.product_event_type))
    // Launched (target) process.
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specfic_process_id = array_distinct($process.target.process.product_specific_process_id)
    // Launching (principal) process and its parent.
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    $principal_process_product_specfic_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specfic_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)

  condition:
    $process
}
Chronicle (YARA-L) Original YARA-L High T1003.001 ↗
cred_dump_tools_dropped_files
Creation of files with well-known filenames (parts of credential dump software or files produced by them)
rule cred_dump_tools_dropped_files {

  meta:
    author = "Teymur Kheirkhabarov, oscd.community"
    description = "Files with well-known filenames (parts of credential dump software or files produced by them) creation"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "Cred Dump Tools Dropped Files"
    sigma_uuid = "8fbf3271-1ef6-4e94-8210-03c2317947f6"
    sigma_status = "test"
    rule_id = "mr_1ba84a4c-c6cf-49ee-902d-5e9e6efcaac0"
    tactic = "TA0006"
    technique = "T1003.001"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "High"
    priority = "High"
    false_positives = "Legitimate Administrator using tool for password recovery"

  events:
    // Host is the grouping key.
    $file.principal.hostname = $hostname
    // File creation where the path either contains one of the name fragments
    // (first regex, unanchored at the end) or ends in one of the exact tool /
    // output file names (second regex, anchored). Both are case-insensitive.
    $file.metadata.event_type = "FILE_CREATION"
    (
        re.regex($file.target.file.full_path, `\\(cachedump\.exe|cachedump64\.exe|DumpExt\.dll|DumpSvc\.exe|Dumpy\.exe|fgexec\.exe|lsremora\.dll|lsremora64\.dll|NTDS\.out|procdump64\.exe|pstgdump\.exe|pwdump\.exe|SAM\.out|SECURITY\.out|servpw\.exe|servpw64\.exe|SYSTEM\.out|test\.pwd|wceaux\.dll)$`) nocase or
        re.regex($file.target.file.full_path, `\\(fgdump-log|kirbi|pwdump|pwhashes|wce_ccache|wce_krbtkt)`) nocase
    )

  match:
    // One detection per host per five minutes.
    $hostname over 5m

  outcome:
    // Risk 15 by default; the "user"/"hostname" literals are a placeholder
    // showing how to zero the score for a known test account/host.
    $risk_score = max(if($file.principal.user.userid = "user" and $file.principal.hostname = "hostname", 0, 15))
    // The created file.
    $target_file_full_path = array_distinct($file.target.file.full_path)
    $target_file_sha256 = array_distinct($file.target.file.sha256)
    // Host, user and the writing process plus its parent.
    $principal_hostname = array_distinct($file.principal.hostname)
    $principal_user_userid = array_distinct($file.principal.user.userid)
    $principal_process_pid = array_distinct($file.principal.process.pid)
    $principal_process_command_line = array_distinct($file.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($file.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($file.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($file.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($file.principal.process.parent_process.product_specific_process_id)

  condition:
    $file
}
Chronicle (YARA-L) Original YARA-L High T1003.001 ↗
credential_dumping_attempt_via_werfault
Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up
rule credential_dumping_attempt_via_werfault {

  meta:
    author = "Florian Roth (Nextron Systems)"
    description = "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_access/proc_access_win_lsass_werfault.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "Credential Dumping Attempt Via WerFault"
    sigma_uuid = "e5b33f7d-eb93-48b6-9851-09e1e610b6d7"
    sigma_status = "test"
    rule_id = "mr_b3448ab7-b1a2-41f7-9cd4-151c3cb2e2d6"
    tactic = "TA0006"
    technique = "T1003.001"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "High"
    priority = "High"
    false_positives = "Actual failures in lsass.exe that trigger a crash dump (unlikely), unknown cases in which WerFault accesses lsass.exe"

  events:
    // Host is the grouping key.
    $process.principal.hostname = $hostname
    // A process-access event in which werfault.exe opens lsass.exe with the
    // access mask "0x1FFFFF" (stored in target.resource.name by this mapping).
    // Note the rule does not itself check the CallTrace modules named in the
    // description; only image names and the access mask are tested.
    $process.metadata.event_type = "PROCESS_OPEN"
    $process.target.resource.name = "0x1FFFFF" nocase
    re.regex($process.principal.process.file.full_path, `\\werfault\.exe$`) nocase
    re.regex($process.target.process.file.full_path, `\\lsass\.exe$`) nocase

  match:
    // One detection per host per five minutes.
    $hostname over 5m

  outcome:
    // Risk 15 by default; the "hostname" literal is a placeholder showing how
    // to zero the score for a known test host.
    $risk_score = max(if($process.principal.hostname = "hostname", 0, 15))
    $log_type = array_distinct(strings.concat($process.metadata.log_type,"/",$process.metadata.product_event_type))
    // Accessed (target) process.
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specfic_process_id = array_distinct($process.target.process.product_specific_process_id)
    // Accessing (principal) process and its parent.
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    $principal_process_product_specfic_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specfic_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)

  condition:
    $process
}
Chronicle (YARA-L) Original YARA-L High T1098.003 ↗
entra_id_recently_created_user_assigned_entra_id_roles
Detect users who are newly created and then immediately assigned administrator level roles
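rule entra_id_recently_created_user_assigned_entra_id_roles {

  meta:
    author = "Google Cloud Security"
    description = "Detect users who are newly created and then immediately assigned administrator level roles"
    rule_id = "mr_ab6067cd-b8a0-49f7-9efb-8a9b3b096a49"
    rule_name = "Entra ID Recently Created User Assigned an Entra ID Role"
    tactic = "TA0003"
    technique = "T1098.003"
    assumption = "The list msgraph_watchlist_roles_guid is popualted with admin role guids, ie 62e90394-69f5-4237-9190-012177145e10"
    reference = "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference"
    type = "alert"
    platform = "azure"
    data_source = "azure ad"
    severity = "High"
    priority = "High"

  events:
    // Event 1: a successful "Add user" directory-audit event. The acting
    // principal and the new account's id become the join keys used below.
    (
        $create.metadata.event_type = "USER_CREATION" and
        $create.metadata.product_event_type = "Add user" and
        $create.metadata.product_name = "Azure AD Directory Audit" and
        $create.metadata.vendor_name = "Microsoft" and
        $create.security_result.action = "ALLOW" and
        $create.principal.user.userid = $principal_userid and
        $create.target.user.userid = $target_userid
    )
    // The role assignment must be strictly later than the creation; both
    // events must also fall inside the 30m match window.
    $create.metadata.event_timestamp.seconds < $role.metadata.event_timestamp.seconds
    // Event 2: a successful "Add member to role" event for the same new
    // account, performed by the same principal that created it.
    (
        $role.metadata.event_type = "USER_CHANGE_PERMISSIONS" and
        $role.metadata.product_event_type = "Add member to role" and
        $role.metadata.product_name = "Azure AD Directory Audit" and
        $role.metadata.vendor_name = "Microsoft" and
        $role.security_result.action = "ALLOW" and
        // To alert only on specific (admin) roles, populate the reference list
        // named in meta.assumption with role template GUIDs and uncomment the
        // next line. The label key here is the same one the outcome section
        // reads for $assigned_role_guid; a mismatched key would match nothing.
        //$role.target.resource.attribute.labels["Role.TemplateId"] in %msgraph_watchlist_roles_guid and
        $role.principal.user.userid = $principal_userid and
        // Strip any "@domain" suffix from the role event's target so it can be
        // compared with the target id carried by the creation event.
        re.replace($role.target.user.userid, `@.*$`, "") = $target_userid
    )
    // NOTE(review): both events are joined on $principal_userid, so a user
    // created by one admin and given a role by a different admin within the
    // window will not fire this rule.

  match:
    $principal_userid, $target_userid over 30m

  outcome:
    $risk_score = 85
    // Location fields come from the creation event's principal (not IP geo enrichment).
    $principal_county_region = array_distinct(strings.concat($create.principal.location.city," ",$create.principal.location.state," ",$create.principal.location.country_or_region))
    // Role display name and template GUID from the assignment event.
    $assigned_role = array_distinct($role.target.user.title)
    $assigned_role_guid = array_distinct($role.target.resource.attribute.labels["Role.TemplateId"])

  condition:
    $create and $role
}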
Chronicle (YARA-L) Original YARA-L High T1105 ↗
file_download_using_notepad_plus_plus_gup_utility
Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files
rule file_download_using_notepad_plus_plus_gup_utility {

  meta:
    author = "Nasreddine Bencherchali (Nextron Systems)"
    description = "Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_gup_download.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "File Download Using Notepad++ GUP Utility"
    sigma_uuid = "44143844-0631-49ab-97a0-96387d6b2d7c"
    sigma_status = "test"
    rule_id = "mr_0e2db84a-0176-460c-b0b6-572e17842acd"
    tactic = "TA0011"
    technique = "T1105"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "High"
    priority = "High"
    false_positives = "Other parent processes other than notepad++ using GUP that are not currently identified"

  events:
    // One process-launch event per detection; $host is the grouping key.
    $launch.metadata.event_type = "PROCESS_LAUNCH"
    $launch.principal.hostname = $host
    // The launched image is GUP.exe: either an exact name in src.process or a
    // path ending in \GUP.exe (case-insensitive).
    (
        $launch.src.process.file.full_path = "gup.exe" nocase or
        re.regex($launch.target.process.file.full_path, `\\GUP\.exe$`) nocase
    )
    // Download-and-extract usage: an unzip target switch plus an http(s) URL.
    strings.contains(strings.to_lower($launch.target.process.command_line), " -unzipto ")
    strings.contains(strings.to_lower($launch.target.process.command_line), "http")
    // Exclude the legitimate parent, Notepad++ itself. NOTE(review): this is a
    // path-suffix check only, so any parent binary named notepad++.exe is
    // excluded regardless of where it lives or who signed it.
    not re.regex($launch.principal.process.file.full_path, `\\notepad\+\+\.exe$`) nocase

  match:
    $host over 5m

  condition:
    $launch

  outcome:
    // Example of zeroing the score for a known test user/host; replace the
    // placeholder values with real exclusions or drop the if().
    $risk_score = max(if($launch.principal.user.userid = "user" and $launch.principal.hostname = "hostname", 0, 15))
    $principal_user_userid = array_distinct($launch.principal.user.userid)
    $log_type = array_distinct(strings.concat($launch.metadata.log_type,"/",$launch.metadata.product_event_type))
    // Launched process (GUP.exe).
    $target_process_pid = array_distinct($launch.target.process.pid)
    $target_process_command_line = array_distinct($launch.target.process.command_line)
    $target_process_file_sha256 = array_distinct($launch.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($launch.target.process.file.full_path)
    $target_process_product_specfic_process_id = array_distinct($launch.target.process.product_specific_process_id)
    // Parent process (whatever spawned GUP.exe).
    $principal_process_pid = array_distinct($launch.principal.process.pid)
    $principal_process_command_line = array_distinct($launch.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($launch.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($launch.principal.process.file.full_path)
    $principal_process_product_specfic_process_id = array_distinct($launch.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specfic_process_id = array_distinct($launch.principal.process.parent_process.product_specific_process_id)
}
Chronicle (YARA-L) Original YARA-L High T1105 ↗
file_download_via_windows_defender_mpcmdrun_exe
Detects the use of Windows Defender MpCmdRun.EXE to download files
rule file_download_via_windows_defender_mpcmdrun_exe {

  meta:
    author = "Matthew Matchen"
    description = "Detects the use of Windows Defender MpCmdRun.EXE to download files"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "File Download Via Windows Defender MpCmpRun.EXE"
    sigma_uuid = "46123129-1024-423e-9fae-43af4a0fa9a5"
    sigma_status = "test"
    rule_id = "mr_22c73791-b666-436e-b584-f14afb3cf6d5"
    tactic = "TA0011"
    technique = "T1105"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "High"
    priority = "High"
    false_positives = "Unknown"

  events:
    // One process-launch event per detection, grouped by host.
    $launch.metadata.event_type = "PROCESS_LAUNCH"
    $launch.principal.hostname = $host
    // Identify MpCmdRun.exe by any of: software description, path suffix,
    // a mention anywhere in the command line, or exact name in src.process.
    (
      $launch.target.asset.software.description = "Microsoft Malware Protection Command Line Utility" nocase or
      re.regex($launch.target.process.file.full_path, `\\mpcmdrun\.exe$`) nocase or
      strings.contains(strings.to_lower($launch.target.process.command_line), "mpcmdrun.exe") or
      $launch.src.process.file.full_path = "mpcmdrun.exe" nocase
    )
    // The download switch and a URL argument must both be present. Both are
    // plain substring checks on the lower-cased command line ("url" will also
    // match inside longer tokens).
    strings.contains(strings.to_lower($launch.target.process.command_line), "downloadfile")
    strings.contains(strings.to_lower($launch.target.process.command_line), "url")

  match:
    $host over 1m

  condition:
    $launch

  outcome:
    // Example of zeroing the score for a known test user/host; replace the
    // placeholder values with real exclusions or drop the if().
    $risk_score = max(if($launch.principal.user.userid = "user" and $launch.principal.hostname = "hostname", 0, 15))
    $principal_user_userid = array_distinct($launch.principal.user.userid)
    $log_type = array_distinct(strings.concat($launch.metadata.log_type,"/",$launch.metadata.product_event_type))
    // Launched process (MpCmdRun.exe).
    $target_process_pid = array_distinct($launch.target.process.pid)
    $target_process_command_line = array_distinct($launch.target.process.command_line)
    $target_process_file_sha256 = array_distinct($launch.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($launch.target.process.file.full_path)
    $target_process_product_specfic_process_id = array_distinct($launch.target.process.product_specific_process_id)
    // Parent process.
    $principal_process_pid = array_distinct($launch.principal.process.pid)
    $principal_process_command_line = array_distinct($launch.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($launch.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($launch.principal.process.file.full_path)
    $principal_process_product_specfic_process_id = array_distinct($launch.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specfic_process_id = array_distinct($launch.principal.process.parent_process.product_specific_process_id)
}
Chronicle (YARA-L) Original YARA-L High T1105 ↗
finger_exe_execution
Detects execution of the finger.exe utility. Finger.EXE, or "TCPIP Finger Command", is an old utility that is still present on modern Windows installations. It displays information about users on a specified remote computer (typically a UNIX system) that is running the finger service or daemon. Because the utility is obsolete and machines running a finger service are rare, any execution of finger.exe can be considered suspicious and worth investigating (it is mapped to T1105 because the same binary can be abused to pull content from a remote host).
rule finger_exe_execution {

  meta:
    author = "Florian Roth (Nextron Systems), omkar72, oscd.community"
    description = "Detects execution of the finger.exe utility. Finger.EXE or \"TCPIP Finger Command\" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon. Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of finger.exe can be considered suspicious and worth investigating."
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_finger_execution.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "Finger.EXE Execution"
    sigma_uuid = "af491bca-e752-4b44-9c86-df5680533dbc"
    sigma_status = "test"
    rule_id = "mr_9174795b-96f3-4fce-b5a3-f8e5901990b1"
    tactic = "TA0011"
    technique = "T1105"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "High"
    priority = "High"
    false_positives = "Admin activity (unclear what they do nowadays with finger.exe)"

  events:
    // Any launch of finger.exe, by path suffix or exact name in src.process.
    // No command-line filter is applied: every execution is reported.
    $launch.metadata.event_type = "PROCESS_LAUNCH"
    $launch.principal.hostname = $host
    (
        re.regex($launch.target.process.file.full_path, `\\finger\.exe$`) nocase or
        $launch.src.process.file.full_path = "finger.exe" nocase
    )

  match:
    $host over 5m

  condition:
    $launch

  outcome:
    // Example of zeroing the score for a known test user/host; replace the
    // placeholder values with real exclusions or drop the if().
    $risk_score = max(if($launch.principal.user.userid = "user" and $launch.principal.hostname = "hostname", 0, 15))
    $principal_user_userid = array_distinct($launch.principal.user.userid)
    $log_type = array_distinct(strings.concat($launch.metadata.log_type,"/",$launch.metadata.product_event_type))
    // Launched process (finger.exe).
    $target_process_pid = array_distinct($launch.target.process.pid)
    $target_process_command_line = array_distinct($launch.target.process.command_line)
    $target_process_file_sha256 = array_distinct($launch.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($launch.target.process.file.full_path)
    $target_process_product_specfic_process_id = array_distinct($launch.target.process.product_specific_process_id)
    // Parent process.
    $principal_process_pid = array_distinct($launch.principal.process.pid)
    $principal_process_command_line = array_distinct($launch.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($launch.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($launch.principal.process.file.full_path)
    $principal_process_product_specfic_process_id = array_distinct($launch.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specfic_process_id = array_distinct($launch.principal.process.parent_process.product_specific_process_id)
}
Chronicle (YARA-L) Original YARA-L High T1098 ↗
gcp_iam_organization_policy_updated_or_deleted
Detect when GCP IAM Organization Policy is updated or deleted.
rule gcp_iam_organization_policy_updated_or_deleted {

  meta:
    author = "Google Cloud Security"
    description = "Detect when GCP IAM Organization Policy is updated or deleted."
    rule_id = "mr_327c1753-1cd5-424a-8a9f-1648278e2831"
    rule_name = "GCP IAM Organization Policy Updated Or Deleted"
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    mitre_attack_technique = "Account Manipulation"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1098/"
    mitre_attack_version = "v14.1"
    type = "Alert"
    data_source = "GCP Cloud Audit"
    platform = "GCP"
    severity = "High"
    priority = "High"

  events:
    // Single-event rule (no match section): each successful org-policy update
    // or delete recorded in Cloud Audit logs produces its own detection.
    $audit.metadata.log_type = "GCP_CLOUDAUDIT"
    $audit.target.application = "orgpolicy.googleapis.com"
    $audit.security_result.action = "ALLOW"
    (
        (
            $audit.metadata.event_type = "RESOURCE_DELETION" and
            $audit.metadata.product_event_type = "google.cloud.orgpolicy.v2.OrgPolicy.DeletePolicy"
        ) or
        (
            $audit.metadata.event_type = "RESOURCE_WRITTEN" and
            $audit.metadata.product_event_type = "google.cloud.orgpolicy.v2.OrgPolicy.UpdatePolicy"
        )
    )
    // NOTE(review): only the v2 UpdatePolicy/DeletePolicy methods are matched.
    // A policy created fresh at a lower resource level (CreatePolicy) or
    // changed through the legacy Resource Manager v1 org-policy methods is not
    // covered here; confirm whether those paths matter in your environment.
    // Expect benign hits from IaC pipelines that manage constraints.

  condition:
    $audit

  outcome:
    $risk_score = max(75)
    $mitre_attack_tactic = "Persistence, Privilege Escalation"
    $mitre_attack_technique = "Account Manipulation"
    $mitre_attack_technique_id = "T1098"
    // Who made the change, from where, and against which policy resource.
    $event_name = $audit.metadata.product_event_type
    $target_resource_name = $audit.target.resource.name
    $principal_user_id = $audit.principal.user.userid
    $principal_user_display_name = $audit.principal.user.user_display_name
    $principal_ip = array_distinct($audit.principal.ip)
    $principal_ip_country = array_distinct($audit.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($audit.principal.ip_geo_artifact.location.state)
    $network_http_user_agent = array_distinct($audit.network.http.user_agent)
    $event_count = count_distinct($audit.metadata.id)
}
Chronicle (YARA-L) Original YARA-L High T1204 ↗
gcp_successful_api_from_tor_exit_node
Detects successful API executions from a Tor exit node.
rule gcp_successful_api_from_tor_exit_node {

  meta:
    author = "Google Cloud Security"
    description = "Detects successful API executions from a Tor exit node."
    rule_id = "mr_5912e2be-4366-4f34-a770-0ac8358f2cb9"
    rule_name = "GCP Successful API Call From Tor Exit Node"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "User Execution"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1204/"
    mitre_attack_version = "v14.1"
    type = "Alert"
    data_source = "GCP Cloud Audit"
    platform = "GCP"
    severity = "High"
    priority = "High"

  events:
    // Any allowed Cloud Audit API call whose caller IP appears in the Tor
    // exit-node feed. Inbound direction, so exit nodes are the right list.
    $api.metadata.log_type = "GCP_CLOUDAUDIT"
    $api.security_result.action = "ALLOW"
    $api.principal.ip = $src_ip

    // Join on the caller IP against the GCTI Tor exit-node entity graph.
    $tor_feed.graph.metadata.product_name = "GCTI Feed"
    $tor_feed.graph.metadata.source_type = "GLOBAL_CONTEXT"
    $tor_feed.graph.metadata.entity_type = "IP_ADDRESS"
    $tor_feed.graph.metadata.threat.threat_feed_name = "Tor Exit Nodes"
    $tor_feed.graph.entity.artifact.ip = $src_ip

  match:
    // Grouped per source IP, not per user: several callers behind one exit
    // node land in the same detection (see $dc_principal_user_display_name).
    $src_ip over 5m

  condition:
    $api and $tor_feed

  outcome:
    // Baseline 35, plus 40 for each listed geography the caller IP resolves to.
    $risk_score = max(
        35 +
        if($api.principal.ip_geo_artifact.location.country_or_region = "Cuba", 40) +
        if($api.principal.ip_geo_artifact.location.country_or_region = "Iran", 40) +
        if($api.principal.ip_geo_artifact.location.country_or_region = "North Korea" , 40) +
        if($api.principal.ip_geo_artifact.location.country_or_region = "Russia", 40) +
        if($api.principal.ip_geo_artifact.location.country_or_region = "Syria", 40)
    )
    $mitre_attack_tactic = "Execution"
    $mitre_attack_technique = "User Execution"
    $mitre_attack_technique_id = "T1204"
    // Callers, their geolocation and the resources touched within the window.
    $principal_user_display_name = array_distinct($api.principal.user.user_display_name)
    $dc_principal_user_display_name = count_distinct($api.principal.user.user_display_name)
    $principal_ip = array_distinct($api.principal.ip)
    $principal_ip_country = array_distinct($api.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($api.principal.ip_geo_artifact.location.state)
    $network_http_user_agent = array_distinct($api.network.http.user_agent)
    $target_resource_name = array_distinct($api.target.resource.name)
    $event_count = count_distinct($api.metadata.id)
}
Chronicle (YARA-L) Original YARA-L High T1078 ↗
gcp_workload_identity_pool_disabled_or_deleted
Detect when GCP Workload identity pools are disabled or deleted. Disabling or deleting a pool will prevent any connected identities from accessing all GCP resources.
rule gcp_workload_identity_pool_disabled_or_deleted {

  meta:
    author = "Google Cloud Security"
    description = "Detect when GCP Workload identity pools are disabled or deleted. Disabling or deleting a pool will prevent any connected identities from accessing all GCP resources."
    rule_id = "mr_265fbe68-80c6-48b0-a211-dca6bcef0fd2"
    rule_name = "GCP Workload Identity Pool Disabled Or Deleted"
    mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    mitre_attack_technique = "Valid Accounts: Cloud Accounts"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1078/004/"
    mitre_attack_version = "v14.1"
    type = "Alert"
    data_source = "GCP Cloud Audit"
    platform = "GCP"
    severity = "High"
    priority = "High"

  events:
    // Single-event rule (no match section) over successful IAM audit events.
    $audit.metadata.log_type = "GCP_CLOUDAUDIT"
    $audit.security_result.action = "ALLOW"
    $audit.target.application = "iam.googleapis.com"
    // Either the pool is deleted outright, or an update request carries
    // disabled=true (read from the request label the parser exposes).
    (
        (
            $audit.metadata.product_event_type = "google.iam.v1.WorkloadIdentityPools.UpdateWorkloadIdentityPool" and
            $audit.target.resource.attribute.labels["req_identityPool_disabled"] = "true"
        ) or
        $audit.metadata.product_event_type = "google.iam.v1.WorkloadIdentityPools.DeleteWorkloadIdentityPool"
    )
    // NOTE(review): the effect described in meta is loss of access for
    // federated workloads (an availability impact); the ATT&CK mapping below
    // is carried over unchanged from the rule metadata.

  condition:
    $audit

  outcome:
    $risk_score = max(75)
    $mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    $mitre_attack_technique = "Valid Accounts: Cloud Accounts"
    $mitre_attack_technique_id = "T1078.004"
    // Who made the change, from where, and which pool was affected.
    $event_name = $audit.metadata.product_event_type
    $target_resource_name = $audit.target.resource.name
    $principal_user_id = $audit.principal.user.userid
    $principal_user_display_name = $audit.principal.user.user_display_name
    $principal_ip = array_distinct($audit.principal.ip)
    $principal_ip_country = array_distinct($audit.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($audit.principal.ip_geo_artifact.location.state)
    $network_http_user_agent = array_distinct($audit.network.http.user_agent)
    $event_count = count_distinct($audit.metadata.id)
}
Chronicle (YARA-L) Original YARA-L High T1090.003 ↗
gcti_benign_binaries_contacts_tor_exit_node
Alert on Benign Binary contacting a TOR IP
rule gcti_benign_binaries_contacts_tor_exit_node {

  meta:
    author = "Google Cloud Security"
    description = "Alert on Benign Binary contacting a TOR IP"
    rule_id = "mr_8bb13cf7-d66b-41f2-9bbc-0a1884a77f70"
    rule_name = "GCTI Benign Binaries Contacts Tor Exit Node"
    tactic = "TA0011"
    technique = "T1090.003"
    type = "alert"
    tags = "tor, benign binaries"
    data_source = "crowdstrike"
    severity = "High"
    priority = "High"

  events:
    // Outbound connection from a process whose image hash is in the GCTI
    // "Benign Binaries" feed, to a destination IP in the Tor exit-node feed.
    // NOTE(review): there is no security_result.action = "ALLOW" filter here
    // (unlike gcti_tor_exit_nodes), so connections the sensor blocked fire too.
    $conn.metadata.event_type = "NETWORK_CONNECTION"
    $conn.principal.process.file.sha256 = $sha256
    $conn.target.ip = $dst_ip

    // Join 1: process image hash against the Benign Binaries entity graph.
    $benign.graph.metadata.vendor_name = "Google Cloud Threat Intelligence"
    $benign.graph.metadata.product_name = "GCTI Feed"
    $benign.graph.metadata.source_type = "GLOBAL_CONTEXT"
    $benign.graph.metadata.entity_type = "FILE"
    $benign.graph.metadata.threat.threat_feed_name = "Benign Binaries"
    $benign.graph.entity.file.sha256 = $sha256

    // Join 2: destination IP against the Tor exit-node entity graph.
    // NOTE(review): Tor clients connect to guard relays, so matching outbound
    // destinations against *exit* nodes only catches exits that also serve as
    // relays; treat outbound coverage as partial.
    $tor_feed.graph.metadata.vendor_name = "Google Cloud Threat Intelligence"
    $tor_feed.graph.metadata.product_name = "GCTI Feed"
    $tor_feed.graph.metadata.source_type = "GLOBAL_CONTEXT"
    $tor_feed.graph.metadata.entity_type = "IP_ADDRESS"
    $tor_feed.graph.metadata.threat.threat_feed_name = "Tor Exit Nodes"
    $tor_feed.graph.entity.artifact.ip = $dst_ip

  match:
    // Grouped by destination Tor IP; all hosts reaching it within 5m share one detection.
    $dst_ip over 5m

  condition:
    $conn and $benign and $tor_feed

  outcome:
    // Score: 70 when the feed marks the IP HIGH_CONFIDENCE, plus 20 per listed
    // destination geography. NOTE(review): with a lower-confidence entry and an
    // unlisted country the score is 0 despite severity High; confirm intended.
    $risk_score = max(
        if($tor_feed.graph.metadata.threat.confidence = "HIGH_CONFIDENCE", 70) +
        if($conn.target.ip_geo_artifact.location.country_or_region = "Cuba", 20) +
        if($conn.target.ip_geo_artifact.location.country_or_region = "Iran", 20) +
        if($conn.target.ip_geo_artifact.location.country_or_region = "North Korea", 20) +
        if($conn.target.ip_geo_artifact.location.country_or_region = "Russia", 20) +
        if($conn.target.ip_geo_artifact.location.country_or_region = "Syria", 20)
    )
    $event_count = count_distinct($conn.metadata.id)
    $tor_ip_country = array_distinct($conn.target.ip_geo_artifact.location.country_or_region)
    // Context for the alert graph. target.ip is omitted because it is already
    // the match variable; add it back if the match key changes.
    //$target_ip = array_distinct($conn.target.ip)
    $principal_ip = array_distinct($conn.principal.ip)
    $principal_user_userid = array_distinct($conn.principal.user.userid)
    $target_user_userid = array_distinct($conn.target.user.userid)
    // Connecting process.
    $principal_process_pid = array_distinct($conn.principal.process.pid)
    $principal_process_command_line = array_distinct($conn.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($conn.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($conn.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($conn.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($conn.principal.process.parent_process.product_specific_process_id)
    // Target-side process fields, where the source populates them.
    $target_process_pid = array_distinct($conn.target.process.pid)
    $target_process_command_line = array_distinct($conn.target.process.command_line)
    $target_process_file_sha256 = array_distinct($conn.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($conn.target.process.file.full_path)
    $target_process_product_specific_process_id = array_distinct($conn.target.process.product_specific_process_id)
    //$target_process_parent_process_product_specific_process_id = array_distinct($conn.target.process.parent_process.product_specific_process_id)
}
Chronicle (YARA-L) Original YARA-L High T1090.003 ↗
gcti_tor_exit_nodes
Alert traffic destined for known Tor exit nodes
rule gcti_tor_exit_nodes {

  meta:
    author = "Google Cloud Security"
    description = "Alert traffic destined for known Tor exit nodes"
    rule_id = "mr_1d31f0e4-8cd9-4fc2-ae87-e91a435fe34f"
    rule_name = "GCTI Tor Exit Nodes"
    tactic = "TA0011"
    technique = "T1090.003"
    type = "alert"
    tags = "tor"
    data_source = "crowdstrike, microsoft sysmon, microsoft defender atp"
    severity = "High"
    priority = "High"

  events:
    // Allowed outbound connections whose destination is a known Tor exit node.
    // NOTE(review): Tor clients connect to guard relays, so matching
    // destinations against *exit* nodes only catches exits that also act as
    // relays; treat outbound coverage as partial.
    $conn.metadata.event_type = "NETWORK_CONNECTION"
    $conn.security_result.action = "ALLOW"
    $conn.target.ip = $dst_ip

    // Join on destination IP against the GCTI Tor exit-node entity graph.
    $tor_feed.graph.metadata.product_name = "GCTI Feed"
    $tor_feed.graph.metadata.source_type = "GLOBAL_CONTEXT"
    $tor_feed.graph.metadata.entity_type = "IP_ADDRESS"
    $tor_feed.graph.metadata.threat.threat_feed_name = "Tor Exit Nodes"
    $tor_feed.graph.entity.artifact.ip = $dst_ip

  match:
    // Grouped by destination IP: every host reaching the same exit node within
    // an hour shares one detection, so check $principal_ip for the full set.
    $dst_ip over 1h

  condition:
    $conn and $tor_feed

  outcome:
    $risk_score = 85
    $event_count = count_distinct($conn.metadata.id)
    $tor_geoip_country = array_distinct($conn.target.ip_geo_artifact.location.country_or_region)
    $tor_geoip_state = array_distinct($conn.target.ip_geo_artifact.location.state)
    // Context for the alert graph. target.ip is omitted because it is already
    // the match variable; add it back if the match key changes.
    //$target_ip = array_distinct($conn.target.ip)
    $principal_ip = array_distinct($conn.principal.ip)
    $principal_user_userid = array_distinct($conn.principal.user.userid)
    $target_user_userid = array_distinct($conn.target.user.userid)
    // Connecting process (populated by the EDR sources listed in meta).
    $principal_process_pid = array_distinct($conn.principal.process.pid)
    $principal_process_command_line = array_distinct($conn.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($conn.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($conn.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($conn.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($conn.principal.process.parent_process.product_specific_process_id)
    // Target-side process fields, where the source populates them.
    $target_process_pid = array_distinct($conn.target.process.pid)
    $target_process_command_line = array_distinct($conn.target.process.command_line)
    $target_process_file_sha256 = array_distinct($conn.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($conn.target.process.file.full_path)
    //$target_process_product_specific_process_id = array_distinct($conn.target.process.product_specific_process_id)
    //$target_process_parent_process_product_specific_process_id = array_distinct($conn.target.process.parent_process.product_specific_process_id)
}
Chronicle (YARA-L) Original YARA-L High T1098 ↗
github_personal_access_token_created_from_tor_ip_address
Detects when a GitHub Personal Access Token is created from a known Tor exit node IP address. An adversary may create a Personal Access Token before carrying out follow up actions such as cloning GitHub repositories to steal data.
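rule github_personal_access_token_created_from_tor_ip_address {

  meta:
    author = "Google Cloud Security"
    description = "Detects when a GitHub Personal Access Token is created from a known Tor exit node IP address. An adversary may create a Personal Access Token before carrying out follow up actions such as cloning GitHub repositories to steal data."
    rule_id = "mr_39b42a3c-6b7a-4fa7-a6ca-df084ca92da4"
    rule_name = "GitHub Personal Access Token Created from Tor IP Address"
    assumption = "Your GitHub enterprise audit log settings are configured to log the source IP address for events. Reference: https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization"
    type = "alert"
    severity = "High"
    priority = "High"
    platform = "GitHub"
    data_source = "github"
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    mitre_attack_technique = "Account Manipulation: Additional Cloud Credentials"
    mitre_attack_url = "https://attack.mitre.org/versions/v14/techniques/T1098/001/"
    mitre_attack_version = "v14"
    reference = "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise"
    tags = "tor"

  events:
    // GitHub audit event for a personal-access-token request, joined on the
    // actor's source IP (requires the audit-log IP setting in meta.assumption).
    $github.metadata.vendor_name = "GITHUB" nocase
    $github.metadata.product_name = "GITHUB"
    // NOTE(review): this is the "request created" audit event; confirm it
    // covers the token-creation scenarios you care about and whether other
    // personal_access_token.* events (e.g. creation without an approval
    // workflow) should be added.
    $github.metadata.product_event_type = "personal_access_token.request_created"
    $github.principal.ip = $ip

    // Source IP must be a known Tor exit node (GCTI entity graph). Inbound
    // direction, so the exit-node list is the right one to use.
    $gcti_feed.graph.entity.artifact.ip = $ip
    $gcti_feed.graph.metadata.entity_type = "IP_ADDRESS"
    $gcti_feed.graph.metadata.threat.threat_feed_name = "Tor Exit Nodes"
    $gcti_feed.graph.metadata.product_name = "GCTI Feed"
    $gcti_feed.graph.metadata.source_type = "GLOBAL_CONTEXT"

  match:
    // Grouped per source IP; several users behind one exit node share a detection.
    $ip over 30m

  outcome:
    $risk_score = max(85)
    $mitre_attack_tactic = "Persistence, Privilege Escalation"
    $mitre_attack_technique = "Account Manipulation: Additional Cloud Credentials"
    $mitre_attack_technique_id = "T1098.001"
    $event_count = count_distinct($github.metadata.id)
    $principal_ip = array_distinct($github.principal.ip)
    $principal_user_userid = array_distinct($github.principal.user.userid)
    // All three geolocation fields are read from the same IP geo-enrichment
    // artifact. (Previously city came from principal.location, which the
    // enrichment does not populate; confirm against your parser output.)
    $principal_ip_country = array_distinct($github.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($github.principal.ip_geo_artifact.location.state)
    $principal_ip_city = array_distinct($github.principal.ip_geo_artifact.location.city)
    $security_result_summary = array_distinct($github.security_result.summary)

  condition:
    $github and $gcti_feed
}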
Chronicle (YARA-L) Original YARA-L High T1098 ↗
github_repository_deploy_key_created_or_modified
Detects when an SSH deploy key is added or modified in a GitHub repository. A compromised or unauthorized deploy key could allow malicious actors to push unauthorized changes into production environments, potentially bypassing code reviews and testing procedures. This could lead to the introduction of backdoors, malware, or the exfiltration of sensitive data.
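rule github_repository_deploy_key_created_or_modified {

  meta:
    author = "Google Cloud Security"
    description = "Detects when an SSH deploy key is added or modified in a GitHub repository. A compromised or unauthorized deploy key could allow malicious actors to push unauthorized changes into production environments, potentially bypassing code reviews and testing procedures. This could lead to the introduction of backdoors, malware, or the exfiltration of sensitive data."
    rule_id = "mr_e10b0f8b-6a90-48af-aecb-95ef2ca10de8"
    rule_name = "GitHub Repository Deploy Key Created Or Modified"
    assumption = "Your GitHub enterprise audit log settings are configured to log the source IP address for events. Reference: https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization"
    type = "alert"
    severity = "High"
    priority = "High"
    platform = "GitHub"
    data_source = "github"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "Account Manipulation: Additional Cloud Credentials"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1098/001/"
    mitre_attack_version = "v14"
    reference = "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise"

  events:
    // GitHub audit events for a public (SSH) key being created or updated,
    // grouped by the acting user and the target repository.
    $github.metadata.vendor_name = "GITHUB" nocase
    $github.metadata.product_name = "GITHUB"
    (
        $github.metadata.product_event_type = "public_key.create" or
        $github.metadata.product_event_type = "public_key.update"
    )
    // NOTE(review): no filter distinguishes repository deploy keys from other
    // public_key.* events; if the same event names are also emitted for user
    // SSH keys in your tenant, $github_repo_name may be empty for those.
    $github.principal.user.userid = $user_id
    $github.target.resource.name = $github_repo_name

  match:
    $user_id, $github_repo_name over 30m

  outcome:
    $risk_score = max(65)
    $mitre_attack_tactic = "Persistence"
    $mitre_attack_technique = "Account Manipulation: Additional Cloud Credentials"
    $mitre_attack_technique_id = "T1098.001"
    $event_count = count_distinct($github.metadata.id)
    // Source IP is only enrichment here; it is populated when the audit-log
    // IP setting in meta.assumption is enabled.
    $principal_ip = array_distinct($github.principal.ip)
    $principal_user_userid = array_distinct($github.principal.user.userid)
    // All three geolocation fields are read from the same IP geo-enrichment
    // artifact. (Previously city came from principal.location, which the
    // enrichment does not populate; confirm against your parser output.)
    $principal_ip_country = array_distinct($github.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($github.principal.ip_geo_artifact.location.state)
    $principal_ip_city = array_distinct($github.principal.ip_geo_artifact.location.city)
    $security_result_summary = array_distinct($github.security_result.summary)

  condition:
    $github
}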
Chronicle (YARA-L) Original YARA-L High T1098 ↗
google_workspace_admin_role_assignment
Identifies when an administrator role is assigned to a user account in Google Workspace. Security teams can monitor for the malicious or accidental assignment of administrator privileges to prevent unauthorized access to data.
rule google_workspace_admin_role_assignment {

  meta:
    author = "Google Cloud Security"
    description = "Identifies when an administrator role is assigned to a user account in Google Workspace. Security teams can monitor for the malicious or accidental assignment of administrator privileges to prevent unauthorized access to data."
    rule_id = "mr_0c547820-1095-42a1-94d8-a00d5ef2df76"
    rule_name = "Google Workspace Admin Role Assignment"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "Account Manipulation: Additional Cloud Roles"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1098/003/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "Workspace Activity"
    severity = "High"
    priority = "High"

  events:
    // Workspace admin-console audit event: an admin role was assigned to a user
    // under delegated-admin settings. There is no match section, so every
    // qualifying event produces its own detection.
    $ws.metadata.vendor_name = "Google Workspace"
    $ws.metadata.product_name = "admin"
    $ws.metadata.event_type = "USER_RESOURCE_UPDATE_PERMISSIONS"
    $ws.metadata.product_event_type = "ASSIGN_ROLE"
    $ws.security_result.category_details = "DELEGATED_ADMIN_SETTINGS"

  outcome:
    // Base score 35, plus 50 when the assigned role is "_SEED_ADMIN_ROLE"
    // (the built-in super admin role), i.e. 85 for a super-admin grant.
    $risk_score = max(35 +
        if($ws.target.resource.attribute.roles.name = "_SEED_ADMIN_ROLE", 50)
    )
    $mitre_attack_tactic = "Persistence"
    $mitre_attack_technique = "Account Manipulation: Additional Cloud Roles"
    $mitre_attack_technique_id = "T1098.003"
    $event_count = count_distinct($ws.metadata.id)
    $principal_ip = array_distinct($ws.principal.ip)
    $principal_country = array_distinct($ws.principal.ip_geo_artifact.location.country_or_region)
    $principal_state = array_distinct($ws.principal.ip_geo_artifact.location.state)
    // principal = the admin who granted the role; target = the account that received it.
    $principal_user_emails = array_distinct($ws.principal.user.email_addresses)
    $target_user_emails = array_distinct($ws.target.user.email_addresses)
    // Single-event rule, so the userid is emitted directly rather than via array_distinct().
    $principal_user_id = $ws.principal.user.userid
    $role_name = array_distinct($ws.target.resource.attribute.roles.name)

  condition:
    $ws
}
Chronicle (YARA-L) Original YARA-L High T1098 ↗
google_workspace_custom_admin_role_created
Identifies when a custom administrator role is created in Google Workspace. Security teams can monitor for malicious or accidental configuration of administrator privileges to prevent unauthorized access to data.
rule google_workspace_custom_admin_role_created {

  meta:
    author = "Google Cloud Security"
    description = "Identifies when a custom administrator role is created in Google Workspace. Security teams can monitor for malicious or accidental configuration of administrator privileges to prevent unauthorized access to data."
    rule_id = "mr_a15f64fc-3eaf-49f0-9f74-c533a63cb531"
    rule_name = "Google Workspace Custom Admin Role Created"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "Account Manipulation: Additional Cloud Roles"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1098/003/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "Workspace Activity"
    severity = "High"
    priority = "High"

  events:
    // Workspace admin-console audit event: a new (custom) admin role was created
    // under delegated-admin settings. No match section — one detection per event.
    $ws.metadata.vendor_name = "Google Workspace"
    $ws.metadata.product_name = "admin"
    $ws.metadata.event_type = "USER_RESOURCE_CREATION"
    $ws.metadata.product_event_type = "CREATE_ROLE"
    $ws.security_result.category_details = "DELEGATED_ADMIN_SETTINGS"

  outcome:
    // Fixed score; the privileges granted by the new role are not inspected here,
    // so review $role_name / $role_id against the admin console when triaging.
    $risk_score = max(85)
    $mitre_attack_tactic = "Persistence"
    $mitre_attack_technique = "Account Manipulation: Additional Cloud Roles"
    $mitre_attack_technique_id = "T1098.003"
    $event_count = count_distinct($ws.metadata.id)
    $principal_ip = array_distinct($ws.principal.ip)
    $principal_country = array_distinct($ws.principal.ip_geo_artifact.location.country_or_region)
    $principal_state = array_distinct($ws.principal.ip_geo_artifact.location.state)
    $principal_user_emails = array_distinct($ws.principal.user.email_addresses)
    $target_user_emails = array_distinct($ws.target.user.email_addresses)
    // Single-event rule, so these two are emitted directly rather than via array_distinct().
    $principal_user_id = $ws.principal.user.userid
    // Role identifier carried as a resource attribute label by this parser.
    $role_id = $ws.target.resource.attribute.labels["role_id"]
    $role_name = array_distinct($ws.target.resource.attribute.roles.name)

  condition:
    $ws
}
Chronicle (YARA-L) Original YARA-L High T1074 ↗
google_workspace_ownership_transferred_on_google_drive
Identifies when a Google Workspace user transfers the ownership of a file.
rule google_workspace_ownership_transferred_on_google_drive {

  meta:
    author = "Google Cloud Security"
    description = "Identifies when a Google Workspace user transfers the ownership of a file."
    rule_id = "mr_05cddcc9-abf6-4c4c-9518-e2218a1f5c84"
    rule_name = "Google Workspace Ownership Transferred On Google Drive"
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "Data Staged: Remote Data Staging"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1074/002/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "Workspace Activity"
    severity = "High"
    priority = "High"

  events:
    // Admin-console audit event for a data transfer request in the USER_SETTINGS category.
    // NOTE(review): CREATE_DATA_TRANSFER_REQUEST appears to be the admin "transfer
    // data" action (bulk hand-over of a user's Drive content) rather than a per-file
    // "make owner" share change — confirm it matches the scenario the description implies.
    $ws.metadata.vendor_name = "Google Workspace"
    $ws.metadata.product_name = "admin"
    $ws.metadata.product_event_type = "CREATE_DATA_TRANSFER_REQUEST"
    $ws.security_result.category_details = "USER_SETTINGS"

  outcome:
    $risk_score = max(70)
    $mitre_attack_tactic = "Collection"
    $mitre_attack_technique = "Data Staged: Remote Data Staging"
    $mitre_attack_technique_id = "T1074.002"
    $event_count = count_distinct($ws.metadata.id)
    $principal_ip = array_distinct($ws.principal.ip)
    $principal_country = array_distinct($ws.principal.ip_geo_artifact.location.country_or_region)
    $principal_state = array_distinct($ws.principal.ip_geo_artifact.location.state)
    // principal = the admin who requested the transfer.
    $principal_user_emails = array_distinct($ws.principal.user.email_addresses)
    // NOTE(review): target vs. src user — presumably the receiving and the former
    // owner respectively; verify against a parsed event before relying on it in triage.
    $target_user_emails = array_distinct($ws.target.user.email_addresses)
    $principal_user_id = $ws.principal.user.userid
    // The application whose data is being transferred (no array_distinct: single-event rule).
    $target_application = $ws.target.application
    $src_user_emails = array_distinct($ws.src.user.email_addresses)

  condition:
    $ws
}
Chronicle (YARA-L) Original YARA-L High T1078 ↗
google_workspace_saml_idp_configuration_change
Identifies SAML provider configuration changes in Google Workspace. Security teams can monitor for changes to SAML provider configuration that may weaken the organization's security posture.
rule google_workspace_saml_idp_configuration_change {

  meta:
    author = "Google Cloud Security"
    description = "Identifies SAML provider configuration changes in Google Workspace. Security teams can monitor for changes to SAML provider configuration that may weaken the organization's security posture."
    rule_id = "mr_1a321683-9c52-4928-a654-e0677df97c09"
    rule_name = "Google Workspace SAML IDP Configuration Change"
    mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    mitre_attack_technique = "Valid Accounts"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1078/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "Workspace Activity"
    severity = "High"
    priority = "High"

  events:
    // Admin-console changes to SAML service-provider (SSO app) configuration,
    // grouped per acting user over one hour.
    $ws.metadata.vendor_name = "Google Workspace"
    $ws.metadata.product_name = "admin"
    $ws.security_result.category_details = "SAML2_SERVICE_PROVIDER_CONFIG_SETTINGS"
    // Unanchored regex: every SAML2_SERVICE_PROVIDER_CONFIG* event type qualifies;
    // the concrete types seen are surfaced as $product_event_type in the outcome.
    $ws.metadata.product_event_type = /SAML2_SERVICE_PROVIDER_CONFIG/
    $ws.principal.user.userid = $userid

  match:
    $userid over 1h

  outcome:
    $risk_score = max(75)
    $mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    $mitre_attack_technique = "Valid Accounts"
    $mitre_attack_technique_id = "T1078"
    $event_count = count_distinct($ws.metadata.id)
    $principal_ip = array_distinct($ws.principal.ip)
    $principal_country = array_distinct($ws.principal.ip_geo_artifact.location.country_or_region)
    $principal_state = array_distinct($ws.principal.ip_geo_artifact.location.state)
    $principal_user_emails = array_distinct($ws.principal.user.email_addresses)
    $principal_user_id = array_distinct($ws.principal.user.userid)
    // Which SAML app(s) were touched: entity ID and display name from the about labels.
    $saml_entity_id = array_distinct($ws.about.labels["saml2_service_provider_entity_id"])
    $saml_name = array_distinct($ws.about.labels["saml2_service_provider_name"])
    $product_event_type = array_distinct($ws.metadata.product_event_type)

  condition:
    $ws
}
Chronicle (YARA-L) Original YARA-L High T1098 ↗
google_workspace_user_ou_changed
Identifies when a Google Workspace user account is moved between Organizational Units.
rule google_workspace_user_ou_changed {

  meta:
    author = "Google Cloud Security"
    description = "Identifies when a Google Workspace user account is moved between Organizational Units."
    rule_id = "mr_e265b499-9a83-4e7d-acf8-ae7674e1c743"
    rule_name = "Google Workspace User Ou Changed"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "Account Manipulation: Additional Cloud Roles"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1098/003/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "Workspace Activity"
    severity = "High"
    priority = "High"

  events:
    // Admin-console audit event: a user account was moved to a different OU.
    // Relevant because OU membership drives inherited policy (apps, security
    // settings), so a move can quietly relax controls on the account.
    $ws.metadata.vendor_name = "Google Workspace"
    $ws.metadata.product_name = "admin"
    $ws.metadata.product_event_type = "MOVE_USER_TO_ORG_UNIT"
    $ws.security_result.category_details = "USER_SETTINGS"

  outcome:
    $risk_score = max(70)
    $mitre_attack_tactic = "Persistence"
    $mitre_attack_technique = "Account Manipulation: Additional Cloud Roles"
    $mitre_attack_technique_id = "T1098.003"
    $event_count = count_distinct($ws.metadata.id)
    $principal_ip = array_distinct($ws.principal.ip)
    $principal_country = array_distinct($ws.principal.ip_geo_artifact.location.country_or_region)
    $principal_state = array_distinct($ws.principal.ip_geo_artifact.location.state)
    // principal = the admin performing the move; target = the account that was moved.
    $principal_user_emails = array_distinct($ws.principal.user.email_addresses)
    $target_user_emails = array_distinct($ws.target.user.email_addresses)
    $principal_user_id = $ws.principal.user.userid
    // Previous OU comes from the about labels, the new OU from the target user's
    // attribute labels — presumably how this parser maps the audit fields; verify on a sample event.
    $old_org_unit_name = $ws.about.labels["org_unit_name"]
    $new_org_unit_name = $ws.target.user.attribute.labels["new_value"]

  condition:
    $ws
}
Chronicle (YARA-L) Original YARA-L High T1003.001 ↗
hacktool_generic_process_access
Detects process access requests from hacktool processes based on their default image name
rule hacktool_generic_process_access {

  meta:
    author = "Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel"
    description = "Detects process access requests from hacktool processes based on their default image name"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_access/proc_access_win_hktl_generic_access.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "HackTool - Generic Process Access"
    sigma_uuid = "d0d2f720-d14f-448d-8242-51ff396a334e"
    sigma_status = "test"
    rule_id = "mr_1e8861fd-060a-4162-8e00-fa2b2a27e1e2"
    tactic = "TA0006"
    technique = "T1003.001"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "High"
    priority = "High"
    false_positives = "Unlikely"

  events:
    // Process-access event (Sysmon ProcessAccess -> PROCESS_OPEN) where the
    // *accessing* (principal) process image matches a hacktool reference list.
    // The target process is not constrained, so any access by such an image fires.
    $process.metadata.event_type = "PROCESS_OPEN"
    (
        //reference lists for this rule are found in the reference_lists folder in community
        $process.principal.process.file.full_path IN regex %hacktool_regex nocase or
        $process.principal.process.file.full_path IN regex %hacktool_contains nocase
    )
    $process.principal.hostname = $hostname

  match:
    $hostname over 5m

  outcome:
    //example usage of specifying test hostname to adjust risk score
    // "hostname" is a placeholder: substitute a known test host to zero its score;
    // every other host scores 15.
    $risk_score = max(if($process.principal.hostname = "hostname", 0, 15))
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    // Outcome names keep the upstream "specfic" spelling; renaming them would change
    // the detection's output field names.
    $principal_process_product_specfic_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specfic_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specfic_process_id = array_distinct($process.target.process.product_specific_process_id)
    // "<log_type>/<product_event_type>" so the alert shows which source produced the hit.
    $log_type = array_distinct(strings.concat($process.metadata.log_type,"/",$process.metadata.product_event_type))

  condition:
    $process
}
Chronicle (YARA-L) Original YARA-L High T1003.001 ↗
hacktool_mimikatz_execution
Detects well-known Mimikatz command-line arguments.
rule hacktool_mimikatz_execution {

  meta:
    author = "Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton"
    description = "Detection well-known mimikatz command line arguments"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "HackTool - Mimikatz Execution"
    sigma_uuid = "a642964e-bead-4bed-8910-1bb4d63e3b4d"
    sigma_status = "test"
    rule_id = "mr_d173bc90-2dcf-418d-a40c-bb7792f6300a"
    tactic = "TA0006"
    technique = "T1003.001"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "High"
    priority = "High"
    false_positives = "Unlikely"

  events:
    // Case-folded substring search of the launched process's command line for
    // Mimikatz module prefixes ("sekurlsa::", "lsadump::", ...), module-qualified
    // commands ("::skeleton", "::memssp", ...) and the tool's name/aliases.
    // NOTE(review): the bare "mimikatz" keyword also matches benign command lines
    // that merely mention the name (security tooling, documentation paths), so some
    // noise is possible despite false_positives = "Unlikely" in meta.
    $process.metadata.event_type = "PROCESS_LAUNCH"
    (
        strings.contains(strings.to_lower($process.target.process.command_line), "dumpcreds") or
        strings.contains(strings.to_lower($process.target.process.command_line), "mimikatz") or
        strings.contains(strings.to_lower($process.target.process.command_line), "::aadcookie") or
        strings.contains(strings.to_lower($process.target.process.command_line), "::detours") or
        strings.contains(strings.to_lower($process.target.process.command_line), "::memssp") or
        strings.contains(strings.to_lower($process.target.process.command_line), "::mflt") or
        strings.contains(strings.to_lower($process.target.process.command_line), "::ncroutemon") or
        strings.contains(strings.to_lower($process.target.process.command_line), "::ngcsign") or
        strings.contains(strings.to_lower($process.target.process.command_line), "::printnightmare") or
        strings.contains(strings.to_lower($process.target.process.command_line), "::skeleton") or
        strings.contains(strings.to_lower($process.target.process.command_line), "::preshutdown") or
        strings.contains(strings.to_lower($process.target.process.command_line), "::mstsc") or
        strings.contains(strings.to_lower($process.target.process.command_line), "::multirdp") or
        strings.contains(strings.to_lower($process.target.process.command_line), "rpc::") or
        strings.contains(strings.to_lower($process.target.process.command_line), "token::") or
        strings.contains(strings.to_lower($process.target.process.command_line), "crypto::") or
        strings.contains(strings.to_lower($process.target.process.command_line), "dpapi::") or
        strings.contains(strings.to_lower($process.target.process.command_line), "sekurlsa::") or
        strings.contains(strings.to_lower($process.target.process.command_line), "kerberos::") or
        strings.contains(strings.to_lower($process.target.process.command_line), "lsadump::") or
        strings.contains(strings.to_lower($process.target.process.command_line), "privilege::") or
        strings.contains(strings.to_lower($process.target.process.command_line), "process::") or
        strings.contains(strings.to_lower($process.target.process.command_line), "vault::")
    )
    $process.principal.hostname = $hostname

  match:
    $hostname over 5m

  outcome:
    //example usage of specifying test user and hostname to adjust risk score
    // "user" / "hostname" are placeholders: substitute a known test identity to
    // zero its score; everything else scores 15.
    $risk_score = max(if($process.principal.user.userid = "user" and $process.principal.hostname = "hostname", 0, 15))
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    // Outcome names keep the upstream "specfic" spelling; renaming them would change
    // the detection's output field names.
    $principal_process_product_specfic_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specfic_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specfic_process_id = array_distinct($process.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($process.principal.user.userid)
    // "<log_type>/<product_event_type>" so the alert shows which source produced the hit.
    $log_type = array_distinct(strings.concat($process.metadata.log_type,"/",$process.metadata.product_event_type))

  condition:
    $process
}
Chronicle (YARA-L) Original YARA-L High T1068 ↗
hacktool_sharp_successor_execution
SharpSuccessor is a .NET-based post-exploitation tool designed to weaponize the BadSuccessor attack discovered by Yuval Gordon (@YuG0rd) from Akamai. It allows a low-privileged user with 'CreateChild' permissions over any Organizational Unit (OU) in an Active Directory domain to escalate privileges to Domain Administrator. This detection rule identifies execution patterns or behavioral indicators linked to SharpSuccessor activity, which may signal privilege escalation attempts in Active Directory environments.
rule hacktool_sharp_successor_execution {

  meta:
    author = "Georg Lauenstein - suresecure GmbH, Mohamed Abdelfattah - suresecure GmbH"
    description = "SharpSuccessor is a .NET-based post-exploitation tool designed to weaponize the BadSuccessor attack discovered by Yuval Gordon (@YuG0rd) from Akamai. It allows a low-privileged user with 'CreateChild' permissions over any Organizational Unit (OU) in an Active Directory domain to escalate privileges to Domain Administrator. This detection rule identifies execution patterns or behavioral indicators linked to SharpSuccessor activity, which may signal privilege escalation attempts in Active Directory environments."
    rule_id = "mr_be51aa7d-b4b8-4d8c-9998-0aa3194e98c3"
    rule_name = "Hacktool - SharpSuccessor Execution"
    tactic = "TA0004"
    technique = "T1068"
    references = "https://academy.bluraven.io/blog/detecting-badsuccessor, https://github.com/logangoins/SharpSuccessor"
    type = "alert"
    platform = "Windows, EDR"
    data_source = "Microsoft Sysmon, Windows Security Event Log, Microsoft Defender XDR"
    severity = "High"
    priority = "High"

  events:

    // Branch 1: a process launch that references SharpSuccessor by image path,
    // software description or command line. All comparisons are case-insensitive.
    (
      $sharp_successor_execution.metadata.event_type = "PROCESS_LAUNCH"
      and (
            // NOTE(review): this line is an exact (nocase) match against the bare file
            // name, whereas the two full_path lines below use a /\\SharpSuccessor\.exe/
            // regex; a fully qualified path in src.process.file.full_path would not
            // match here — confirm that is intended for the sources feeding this field.
            $sharp_successor_execution.src.process.file.full_path = "SharpSuccessor.exe" nocase or
            $sharp_successor_execution.target.asset.software.description = "SharpSuccessor" nocase or
            $sharp_successor_execution.target.process.file.full_path = /\\SharpSuccessor\.exe/ nocase or
            $sharp_successor_execution.principal.process.file.full_path = /\\SharpSuccessor\.exe/ nocase or
            $sharp_successor_execution.target.process.command_line = /SharpSuccessor/ nocase
          )
    )
    or
    // Branch 2: Windows Security event 4673 (privileged service called), mapped to
    // SERVICE_UNSPECIFIED by the parser, where the calling command line names the tool.
    ( // Microsoft-Windows-Security-Auditing -- EventCode: 4673
      $sharp_successor_execution.metadata.event_type = "SERVICE_UNSPECIFIED"
      and (
            $sharp_successor_execution.metadata.description = "A privileged service was called" and
            $sharp_successor_execution.target.process.command_line = /SharpSuccessor/ nocase
          )
    )

    // Capture the hostname where the event occurred
    $sharp_successor_execution.principal.hostname = $hostname

  match:
    $hostname over 10m

  outcome:
    // Constant score per host/10m window; both branches score the same.
    $risk_score = 65
    $event_count = count_distinct($sharp_successor_execution.metadata.id)
    $principal_process_pid = array_distinct($sharp_successor_execution.principal.process.pid)
    $principal_process_command_line = array_distinct($sharp_successor_execution.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($sharp_successor_execution.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($sharp_successor_execution.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($sharp_successor_execution.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($sharp_successor_execution.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($sharp_successor_execution.target.process.pid)
    $target_process_command_line = array_distinct($sharp_successor_execution.target.process.command_line)
    $target_process_file_sha256 = array_distinct($sharp_successor_execution.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($sharp_successor_execution.target.process.file.full_path)
    $target_process_product_specific_process_id = array_distinct($sharp_successor_execution.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($sharp_successor_execution.principal.user.userid)

  condition:
      $sharp_successor_execution
}
Chronicle (YARA-L) Original YARA-L High T1204.002 ↗
high_risk_user_download_executable_from_macro
Executable downloaded via Microsoft Excel by a user with a GCP entity relationship.
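rule high_risk_user_download_executable_from_macro {

  meta:
    author = "Google Cloud Security"
    description = "Executable downloaded by Microsoft Excel by user with GCP entity relationship"
    rule_id = "mr_352c77a7-67b6-4dfb-95e5-75fef8fa4a6c"
    rule_name = "High Risk User Download Executable From Macro"
    type = "alert"
    data_source = "zscaler nss, crowdstrike"
    tags = "user entity, resource entity"
    severity = "High"
    priority = "High"
    platform = "Windows"
    assumption = "This rule assumes that GCP DLP has been deployed and resources have been assigned to a user context"
    tactic = "TA0002"
    technique = "T1204.002"

  events:
    // proxy event with suspected executable download
    // The two download indicators are grouped explicitly so the `or` reads as
    // "(.exe URL OR large response) AND the user/host joins below", and cannot be
    // mistaken for swallowing the join conditions on the following lines.
    $proxy_event.metadata.event_type = "NETWORK_HTTP"
    // NOTE(review): the byte-count branch fires on any response over 102400 bytes
    // regardless of file type, so the rule is broader than "executable download";
    // confirm received_bytes is the client-side byte count for this proxy parser.
    (
        $proxy_event.target.url = /.*\.exe$/ or
        $proxy_event.network.received_bytes > 102400
    )
    // Join keys: the downloading user (test accounts excluded) and the remote host.
    $proxy_event.principal.user.userid = $user
    $proxy_event.principal.user.userid != /test/
    $proxy_event.target.hostname = $hostname

    // correlate with EDR event indicating Excel activity
    // Same user and same remote host, seen from an Excel process on the endpoint.
    $edr_event.target.user.userid  = $user
    $edr_event.target.process.file.full_path = /excel/ nocase
    ($edr_event.metadata.event_type = "NETWORK_HTTP" or $edr_event.metadata.event_type = "NETWORK_CONNECTION")
    $edr_event.target.hostname = $hostname

    // first hop into entity graph to find the permissions
    // User entity context -> the GCP resources the user is related to.
    $user_entity.graph.entity.user.userid = $user
    $user_entity.graph.metadata.entity_type = "USER"
    $user_entity.graph.metadata.source_type = "ENTITY_CONTEXT"
    $user_entity.graph.relations.entity.resource.name != ""
    $user_entity.graph.relations.entity.resource.name = $table_name

    // second hop for the table context
    // Resource entity from the GCP DLP context feed, keyed by the related resource name.
    $table_context.graph.entity.resource.product_object_id = $table_name
    $table_context.graph.metadata.entity_type = "RESOURCE"
    $table_context.graph.metadata.source_type = "ENTITY_CONTEXT"
    $table_context.graph.metadata.product_name = "GCP DLP CONTEXT"

  match:
    $user, $hostname over 5m

  outcome:
    // 80 when a table the user can reach is DLP-labelled as holding US SSNs;
    // with no else branch the if() presumably yields 0, so other tables score 0.
    $risk_score = max(if($table_context.graph.entity.resource.attribute.labels.value = "US_SOCIAL_SECURITY_NUMBER", 80))
    $entity_resource_name = array_distinct($table_context.graph.entity.resource.name)
    // added to populate alert graph with additional context
    $principal_hostname = array_distinct($proxy_event.principal.hostname)
    // Commented out target.hostname because it is already represented in graph as match variable. If match changes, can uncomment to add to results
    //$target_hostname = array_distinct($proxy_event.target.hostname)
    $principal_process_pid = array_distinct($edr_event.principal.process.pid)
    $principal_process_command_line = array_distinct($edr_event.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($edr_event.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($edr_event.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($edr_event.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($edr_event.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($edr_event.target.process.pid)
    $target_process_command_line = array_distinct($edr_event.target.process.command_line)
    $target_process_file_sha256 = array_distinct($edr_event.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($edr_event.target.process.file.full_path)
    $target_process_product_specific_process_id = array_distinct($edr_event.target.process.product_specific_process_id)
    $target_process_parent_process_product_specific_process_id = array_distinct($edr_event.target.process.parent_process.product_specific_process_id)
    // Commented out principal.user.userid because it is already represented in graph as match variable. If match changes, can uncomment to add to results
    //$principal_user_userid = array_distinct($edr_event.principal.user.userid)
    $target_user_userid = array_distinct($edr_event.target.user.userid)
    $target_url = array_distinct($proxy_event.target.url)

  condition:
    $proxy_event and $edr_event and $user_entity and $table_context
}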
Chronicle (YARA-L) Original YARA-L High T1003.001 ↗
lsass_dump_keyword_command_line
Detects the presence of the keywords lsass and .dmp in the command line, which could indicate an attempt to dump, or create a dump of, the lsass process.
rule lsass_dump_keyword_command_line {

  meta:
    author = "E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems)"
    description = "Detects the presence of the keywords lsass and .dmp in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "LSASS Dump Keyword In CommandLine"
    sigma_uuid = "ffa6861c-4461-4f59-8a41-578c39f3f23e"
    sigma_status = "test"
    rule_id = "mr_b7e51852-e836-4020-9ea4-7d9f9ace350f"
    tactic = "TA0006"
    technique = "T1003.001"
    type = "Detection"
    data_source = "Windows Event, Sysmon"
    platform = "Windows"
    severity = "High"
    priority = "High"
    false_positives = "Unlikely"

  events:
    // Case-folded substring search of the launched process's command line,
    // organised as four alternative groups (see below).
    $process.metadata.event_type = "PROCESS_LAUNCH"
    (
        // Group 1: well-known dump/archive file names on their own.
        (
            strings.contains(strings.to_lower($process.target.process.command_line), "lsass.dmp") or
            strings.contains(strings.to_lower($process.target.process.command_line), "lsass.zip") or
            strings.contains(strings.to_lower($process.target.process.command_line), "lsass.rar") or
            strings.contains(strings.to_lower($process.target.process.command_line), "andrew.dmp") or
            strings.contains(strings.to_lower($process.target.process.command_line), "coredump.dmp") or
            strings.contains(strings.to_lower($process.target.process.command_line), "notlsass.zip") or
            strings.contains(strings.to_lower($process.target.process.command_line), "lsass_2") or
            strings.contains(strings.to_lower($process.target.process.command_line), "lsassdump") or
            strings.contains(strings.to_lower($process.target.process.command_line), "lsassdmp")
        )
        or
        // Group 2: "lsass" and ".dmp" anywhere in the same command line.
        (
            strings.contains(strings.to_lower($process.target.process.command_line), "lsass") and
            strings.contains(strings.to_lower($process.target.process.command_line), ".dmp")
        )
        or
        // Group 3: SQL Server dumper with a minidump target.
        (
            strings.contains(strings.to_lower($process.target.process.command_line), "sqldmpr") and
            strings.contains(strings.to_lower($process.target.process.command_line), ".mdmp")
        )
        or
        // Group 4: nanodump with a .dmp output.
        (
            strings.contains(strings.to_lower($process.target.process.command_line), "nanodump") and
            strings.contains(strings.to_lower($process.target.process.command_line), ".dmp")
        )
    )
    $process.principal.hostname = $hostname

  match:
    $hostname over 5m

  outcome:
    //example usage of specifying test user and hostname to adjust risk score
    // "user" / "hostname" are placeholders: substitute a known test identity to
    // zero its score; everything else scores 15.
    $risk_score = max(if($process.principal.user.userid = "user" and $process.principal.hostname = "hostname", 0, 15))
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    // Outcome names keep the upstream "specfic" spelling; renaming them would change
    // the detection's output field names.
    $principal_process_product_specfic_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specfic_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specfic_process_id = array_distinct($process.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($process.principal.user.userid)
    // "<log_type>/<product_event_type>" so the alert shows which source produced the hit.
    $log_type = array_distinct(strings.concat($process.metadata.log_type,"/",$process.metadata.product_event_type))

  condition:
    $process
}
Chronicle (YARA-L) Original YARA-L High T1003.001 ↗
lsass_memory_access_by_tool_dump_keyword_name
Detects LSASS process access requests from a source process with the dump keyword in its image name
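rule lsass_memory_access_by_tool_dump_keyword_name {

  meta:
    author = "Florian Roth (Nextron Systems)"
    description = "Detects LSASS process access requests from a source process with the dump keyword in its image name"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_access/proc_access_win_lsass_dump_keyword_image.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "LSASS Memory Access by Tool With Dump Keyword In Name"
    sigma_uuid = "9bd012ee-0dff-44d7-84a0-aa698cfd87a3"
    sigma_status = "test"
    rule_id = "mr_98164cc1-0051-49c1-b915-421b3c119bfe"
    tactic = "TA0006"
    technique = "T1003.001"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "High"
    priority = "High"
    false_positives = "Rare programs that contain the word dump in their name and access lsass"

  events:
    // Process-access telemetry (Sysmon EID 10 once normalised to UDM).
    $process.metadata.event_type = "PROCESS_OPEN"
    // Target must be lsass.exe. The '.' is escaped so the pattern cannot
    // match an arbitrary character (e.g. "lsassXexe") - consistent with the
    // sibling comsvcs.dll rule in this pack.
    re.regex($process.target.process.file.full_path, `\\lsass\.exe$`) nocase
    // Source image path contains "dump" anywhere (procdump, dumpert, ...).
    // Case-folded to match the Sigma rule's case-insensitive contains.
    strings.contains(strings.to_lower($process.principal.process.file.full_path), "dump")
    // Access-mask suffixes carried over from the upstream Sigma rule's
    // GrantedAccess|endswith list. NOTE(review): this assumes Chronicle's
    // Sysmon parser maps GrantedAccess into target.resource.name - confirm
    // against the UDM field mapping for your log source.
    re.regex($process.target.resource.name, `(10|30|50|70|90|B0|D0|F0|18|38|58|78|98|B8|D8|F8|1A|3A|5A|7A|9A|BA|DA|FA|0x14C2|FF)$`) nocase

    $process.principal.hostname = $hostname

  match:
    // Aggregate per host in 5-minute buckets.
    $hostname over 5m

  outcome:
    // Example of zeroing the score for a known test host; replace "hostname"
    // with a real value or remove the if() before deploying.
    $risk_score = max(if($process.principal.hostname = "hostname", 0, 15))
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    $principal_process_product_specfic_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specfic_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specfic_process_id = array_distinct($process.target.process.product_specific_process_id)
    $log_type = array_distinct(strings.concat($process.metadata.log_type,"/",$process.metadata.product_event_type))

  condition:
    $process
}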
Chronicle (YARA-L) Original YARA-L High T1003.001 ↗
lsass_memory_dump_comsvcs_dll
Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass
rule lsass_memory_dump_comsvcs_dll {

  meta:
    author = "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)"
    description = "Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "Lsass Memory Dump via Comsvcs DLL"
    sigma_uuid = "a49fa4d5-11db-418c-8473-1e014a8dd462"
    sigma_status = "test"
    rule_id = "mr_4efe14fb-53fb-49ba-b137-f5d70cb6adb9"
    tactic = "TA0006"
    technique = "T1003.001"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "High"
    priority = "High"
    false_positives = "Unknown"

  events:
    // Process-access event: rundll32.exe is the opener, lsass.exe the target.
    $process.metadata.event_type = "PROCESS_OPEN"
    re.regex($process.principal.process.file.full_path, `\\rundll32\.exe$`) nocase
    re.regex($process.target.process.file.full_path, `\\lsass\.exe$`) nocase
    // comsvcs.dll must show up in the access call trace (case-insensitive
    // substring match). NOTE(review): assumes the Sysmon EID 10 CallTrace
    // field is surfaced under additional.fields["CallTrace"] - verify for
    // your parser version.
    re.regex($process.additional.fields["CallTrace"], `comsvcs\.dll`) nocase

    $process.principal.hostname = $hostname

  match:
    // One grouping per host per 5-minute window.
    $hostname over 5m

  outcome:
    // Example of zeroing the score for a known test host; replace or remove
    // the if() before deploying.
    $risk_score = max(if($process.principal.hostname = "hostname", 0, 15))
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    $principal_process_product_specfic_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specfic_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specfic_process_id = array_distinct($process.target.process.product_specific_process_id)
    $log_type = array_distinct(strings.concat($process.metadata.log_type,"/",$process.metadata.product_event_type))

  condition:
    $process
}
Chronicle (YARA-L) Original YARA-L High T1003.001 ↗
lsass_process_memory_dump_file_creation
Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials
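rule lsass_process_memory_dump_file_creation {

  meta:
    author = "Florian Roth (Nextron Systems)"
    description = "Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "LSASS Process Memory Dump Files"
    sigma_uuid = "a5a2d357-1ab8-4675-a967-ef9990a59391"
    sigma_status = "test"
    rule_id = "mr_8fd8cb2b-18dc-468d-acdf-899da9f6de43"
    tactic = "TA0006"
    technique = "T1003.001"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "High"
    priority = "High"
    false_positives = "Unknown"

  events:
    // File-creation telemetry (Sysmon EID 11 once normalised to UDM).
    $file.metadata.event_type = "FILE_CREATION"
    // This rule keys purely on output file names, so a tool that writes to a
    // custom path is not caught; pair it with the process-access rules.
    (
      // Exact default output names. The end-of-string anchor must be a bare
      // '$' - the previous `\$` matched a literal dollar sign, so this whole
      // alternation could never fire.
      re.regex($file.target.file.full_path, `\\(Andrew\.dmp|Coredump\.dmp|lsass\.dmp|lsass\.rar|lsass\.zip|NotLSASS\.zip|PPLBlade\.dmp|rustive\.dmp)$`) nocase or
      // Prefix-style names. Case-folded so these agree with the other clauses
      // and with the Sigma rule's case-insensitive contains; NTFS paths are
      // case-insensitive so "\LSASS_2" must match as well.
      strings.contains(strings.to_lower($file.target.file.full_path), "\\lsass_2") or
      strings.contains(strings.to_lower($file.target.file.full_path), "\\lsassdmp") or
      strings.contains(strings.to_lower($file.target.file.full_path), "\\lsassdump") or
      (
        // Any file whose name starts with "lsass" and ends in .dmp.
        strings.contains(strings.to_lower($file.target.file.full_path), "\\lsass") and
        re.regex($file.target.file.full_path, `\.dmp$`) nocase
      )
      or
      (
        // SQLDumper-style .mdmp output (path contains "sqldmpr").
        strings.contains(strings.to_lower($file.target.file.full_path), "sqldmpr") and
        re.regex($file.target.file.full_path, `\.mdmp$`) nocase
      )
      or
      (
        // nanodump / "proc_" prefixed .dmp files.
        (
          strings.contains(strings.to_lower($file.target.file.full_path), "\\nanodump") or
          strings.contains(strings.to_lower($file.target.file.full_path), "\\proc_")
        )
        and
        re.regex($file.target.file.full_path, `\.dmp$`) nocase
      )
    )
    $file.principal.hostname = $hostname

  match:
    // Aggregate per host in 5-minute buckets.
    $hostname over 5m

  outcome:
    // Example of zeroing the score for a known test user/host pair; replace
    // "user"/"hostname" with real values or remove the if() before deploying.
    $risk_score = max(if($file.principal.user.userid = "user" and $file.principal.hostname = "hostname", 0, 15))
    $principal_hostname = array_distinct($file.principal.hostname)
    $principal_process_pid = array_distinct($file.principal.process.pid)
    $principal_process_command_line = array_distinct($file.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($file.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($file.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($file.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($file.principal.process.parent_process.product_specific_process_id)
    $principal_user_userid = array_distinct($file.principal.user.userid)
    $target_file_sha256 = array_distinct($file.target.file.sha256)
    $target_file_full_path = array_distinct($file.target.file.full_path)

  condition:
    $file
}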