From 1072d3dc3477a9faaa86cc7c5866fd62cb9422ff Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Thu, 29 Dec 2022 15:51:15 +0100
Subject: [PATCH] Add sigma ref Detection (#272)

* Add sigma ref
* Add missing sigma ref
* Fix sigma link
* Remove by Defender
* Remove by Defender
---
 yml/OSBinaries/Eventvwr.yml | 2 +-
 yml/OSBinaries/Rdrleakdiag.yml | 3 ++-
 yml/OSBinaries/Runexehelper.yml | 1 +
 yml/OSBinaries/Setres.yml | 1 +
 yml/OSBinaries/Ssh.yml | 1 +
 yml/OSBinaries/Unregmp2.yml | 1 +
 yml/OSLibraries/Desk.yml | 6 +++---
 yml/OSScripts/pester.yml | 2 --
 yml/OtherMSBinaries/AccCheckConsole.yml | 1 +
 yml/OtherMSBinaries/Agentexecutor.yml | 2 ++
 yml/OtherMSBinaries/Createdump.yml | 2 ++
 yml/OtherMSBinaries/Mftrace.yml | 1 +
 yml/OtherMSBinaries/MsoHtmEd.yml | 1 +
 yml/OtherMSBinaries/Mspub.yml | 1 +
 yml/OtherMSBinaries/Remote.yml | 2 +-
 yml/OtherMSBinaries/Squirrel.yml | 2 ++
 yml/OtherMSBinaries/VSIISExeLauncher.yml | 1 +
 yml/OtherMSBinaries/Winword.yml | 1 +
 18 files changed, 23 insertions(+), 8 deletions(-)
diff --git a/yml/OSBinaries/Eventvwr.yml b/yml/OSBinaries/Eventvwr.yml
index 4cdace8..5442927 100644
--- a/yml/OSBinaries/Eventvwr.yml
+++ b/yml/OSBinaries/Eventvwr.yml
@@ -26,7 +26,7 @@ Code_Sample:
 Detection:
 - Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml
 - Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_uac_bypass_eventvwr.yml
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml
 - Elastic: https://github.com/elastic/detection-rules/blob/d31ea6253ea40789b1fc49ade79b7ec92154d12a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
 - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/eventvwr_uac_bypass.yml
 - IOC: eventvwr.exe launching child process other than mmc.exe
diff --git a/yml/OSBinaries/Rdrleakdiag.yml b/yml/OSBinaries/Rdrleakdiag.yml
index 77b13a0..1f40dfe 100644
--- a/yml/OSBinaries/Rdrleakdiag.yml
+++ b/yml/OSBinaries/Rdrleakdiag.yml
@@ -31,7 +31,8 @@ Full_Path:
 Code_Sample:
 - Code:
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml
 - Elastic: https://www.elastic.co/guide/en/security/current/potential-credential-access-via-windows-utilities.html
 - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml
 Resources:
diff --git a/yml/OSBinaries/Runexehelper.yml b/yml/OSBinaries/Runexehelper.yml
index ddcdb6c..4437afe 100644
--- a/yml/OSBinaries/Runexehelper.yml
+++ b/yml/OSBinaries/Runexehelper.yml
@@ -14,6 +14,7 @@ Commands:
 Full_Path:
 - Path: c:\windows\system32\runexehelper.exe
 Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml
 - IOC: c:\windows\system32\runexehelper.exe is run
 - IOC: Existence of runexewithargs_output.txt file
 Resources:
diff --git a/yml/OSBinaries/Setres.yml b/yml/OSBinaries/Setres.yml
index 1f51d47..734aba2 100644
--- a/yml/OSBinaries/Setres.yml
+++ b/yml/OSBinaries/Setres.yml
@@ -14,6 +14,7 @@ Commands:
 Full_Path:
 - Path: c:\windows\system32\setres.exe
 Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml
 - IOC: Unusual location for choice.exe file
 - IOC: Process created from choice.com binary
 - IOC: Existence of choice.cmd file
diff --git a/yml/OSBinaries/Ssh.yml b/yml/OSBinaries/Ssh.yml
index a026693..a84207c 100644
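Review bot: The Rdrleakdiag hunk adds two Sigma references at the same pinned commit (197615345…) whose paths differ only by `proc_dump` versus `process_dump`; that pattern usually means one name is the pre-rename path of the other, so one of the two links is likely to 404 at that snapshot. Confirm which of `proc_creation_win_proc_dump_rdrleakdiag.yml` and `proc_creation_win_process_dump_rdrleakdiag.yml` actually exists at 197615345b927682ab7ad7fa3c5f5bb2ed911eed and keep only that line, unless both files really exist there. A dead detection link is worse than none for someone triaging rdrleakdiag dumps of lsass, because it looks covered when it is not.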
--- a/yml/OSBinaries/Ssh.yml
+++ b/yml/OSBinaries/Ssh.yml
@@ -21,6 +21,7 @@ Commands:
 Full_Path:
 - Path: c:\windows\system32\OpenSSH\ssh.exe
 Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml
 - IOC: Event ID 4624 with process name C:\Windows\System32\OpenSSH\sshd.exe.
 - IOC: command line arguments specifying execution.
 Acknowledgement:
diff --git a/yml/OSBinaries/Unregmp2.yml b/yml/OSBinaries/Unregmp2.yml
index 200d450..d05fd20 100644
--- a/yml/OSBinaries/Unregmp2.yml
+++ b/yml/OSBinaries/Unregmp2.yml
@@ -15,6 +15,7 @@ Full_Path:
 - Path: C:\Windows\System32\unregmp2.exe
 - Path: C:\Windows\SysWOW64\unregmp2.exe
 Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml
 - IOC: Low-prevalence binaries, with filename 'wmpnscfg.exe', spawned as child-processes of `unregmp2.exe /HideWMP`
 Resources:
 - Link: https://twitter.com/notwhickey/status/1466588365336293385
diff --git a/yml/OSLibraries/Desk.yml b/yml/OSLibraries/Desk.yml
index a044575..8198d8f 100644
--- a/yml/OSLibraries/Desk.yml
+++ b/yml/OSLibraries/Desk.yml
@@ -22,9 +22,9 @@ Full_Path:
 - Path: C:\Windows\System32\desk.cpl
 - Path: C:\Windows\SysWOW64\desk.cpl
 Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_new_src_file.yml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/1d7ee1cd197d3b35508e2a5bf34d9d3b6ca4f504/rules/windows/file/file_event/file_event_win_new_src_file.yml
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/1f8e37351e7c5d89ce7808391edaef34bd8db6c0/rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/940f89d43dbac5b7108610a5bde47cda0d2a643b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
 Resources:
 - Link: https://vxug.fakedoma.in/zines/29a/29a7/Articles/29A-7.030.txt
 - Link: https://twitter.com/pabraeken/status/998627081360695297
diff --git a/yml/OSScripts/pester.yml b/yml/OSScripts/pester.yml
index de23bd1..a8a4465 100644
--- a/yml/OSScripts/pester.yml
+++ b/yml/OSScripts/pester.yml
@@ -32,8 +32,6 @@ Code_Sample:
 - Code:
 Detection:
 - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_pester.yml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_pester_parent.yml
- - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_pester_parent.yml
 Resources:
 - Link: https://twitter.com/Oddvarmoe/status/993383596244258816
 - Link: https://twitter.com/_st0pp3r_/status/1560072680887525378
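Review bot: The three Desk.yml references are each pinned to a different Sigma commit (1d7ee1cd…, 1f8e3735…, 940f89d4…), while the rest of this patch pins to 197615345… or 19396788…; a single entry spanning three snapshots is harder to verify and to bump later, and gives no reader a single known-good state of the rule set to check against. If all three rules exist at one of the snapshots already used in this patch, pin them there, e.g. replace the three hashes with `197615345b927682ab7ad7fa3c5f5bb2ed911eed`; if they were pinned separately because the rules were renamed at different times, a short note in the PR description saying so would save the next maintainer from re-deriving it. Note that the second link also silently changes the rule name from `proc_creation_win_rundll32_installscreensaver.yml` to `proc_creation_win_lolbin_rundll32_installscreensaver.yml`, which is worth calling out in the commit message as a rename fix rather than just a repin.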
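Review bot: The pester.yml hunk deduplicates the two identical `master` links by deleting both, so the entry loses its only reference to proc_creation_win_susp_pester_parent.yml rather than keeping one pinned copy the way every other hunk in this patch does. Unless that rule was actually removed upstream (the commit's "Remove by Defender" bullet does not say what was removed or why), keep one line such as `  - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_susp_pester_parent.yml`, after confirming the path resolves at that commit. The surviving reference still points at an older snapshot (08ca62cc…) under the pre-rename name `win_susp_pester.yml`; repinning it to the same snapshot as the rest of the patch would keep the entry internally consistent.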
diff --git a/yml/OtherMSBinaries/AccCheckConsole.yml b/yml/OtherMSBinaries/AccCheckConsole.yml
index 8c07903..777d9f7 100644
--- a/yml/OtherMSBinaries/AccCheckConsole.yml
+++ b/yml/OtherMSBinaries/AccCheckConsole.yml
@@ -26,6 +26,7 @@ Full_Path:
 Code_Sample:
 - Code: https://docs.microsoft.com/en-us/windows/win32/winauto/custom-verification-routines
 Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml
 - IOC: Sysmon Event ID 1 - Process Creation
 - Analysis: https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340
 Resources:
diff --git a/yml/OtherMSBinaries/Agentexecutor.yml b/yml/OtherMSBinaries/Agentexecutor.yml
index 1af9f88..d9c685a 100644
--- a/yml/OtherMSBinaries/Agentexecutor.yml
+++ b/yml/OtherMSBinaries/Agentexecutor.yml
@@ -23,6 +23,8 @@ Full_Path:
 Code_Sample:
 - Code:
 Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml
 Resources:
 - Link:
 Acknowledgement:
diff --git a/yml/OtherMSBinaries/Createdump.yml b/yml/OtherMSBinaries/Createdump.yml
index e680d50..c5eabca 100644
--- a/yml/OtherMSBinaries/Createdump.yml
+++ b/yml/OtherMSBinaries/Createdump.yml
@@ -14,6 +14,8 @@ Commands:
 Full_Path:
 - Path: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\*\createdump.exe
 Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_susp_renamed_createdump.yml
 - IOC: createdump.exe process with a command line containing the lsass.exe process id
 Resources:
 - Link: https://twitter.com/bopin2020/status/1366400799199272960
diff --git a/yml/OtherMSBinaries/Mftrace.yml b/yml/OtherMSBinaries/Mftrace.yml
index 93c0440..ecc1967 100644
--- a/yml/OtherMSBinaries/Mftrace.yml
+++ b/yml/OtherMSBinaries/Mftrace.yml
@@ -26,6 +26,7 @@ Full_Path:
 Code_Sample:
 - Code:
 Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml
 Resources:
 - Link: https://twitter.com/0rbz_/status/988911181422186496
 Acknowledgement:
diff --git a/yml/OtherMSBinaries/MsoHtmEd.yml b/yml/OtherMSBinaries/MsoHtmEd.yml
index d9c42af..fb2ac30 100644
--- a/yml/OtherMSBinaries/MsoHtmEd.yml
+++ b/yml/OtherMSBinaries/MsoHtmEd.yml
@@ -28,6 +28,7 @@ Full_Path:
 - Path: C:\Program Files\Microsoft Office\Office12\MSOHTMED.exe
 - Path: C:\Program Files\Microsoft Office\Office12\MSOHTMED.exe
 Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_msohtmed_download.yml
 - IOC: Suspicious Office application internet/network traffic
 Acknowledgement:
 - Person: Nir Chako (Pentera)
diff --git a/yml/OtherMSBinaries/Mspub.yml b/yml/OtherMSBinaries/Mspub.yml
index 8ebc14f..eba4027 100644
--- a/yml/OtherMSBinaries/Mspub.yml
+++ b/yml/OtherMSBinaries/Mspub.yml
@@ -25,6 +25,7 @@ Full_Path:
 - Path: C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.exe
 - Path: C:\Program Files\Microsoft Office\Office14\MSPUB.exe
 Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml
 - IOC: Suspicious Office application internet/network traffic
 Acknowledgement:
 - Person: 'Nir Chako (Pentera)'
diff --git a/yml/OtherMSBinaries/Remote.yml b/yml/OtherMSBinaries/Remote.yml
index cfb96e4..6ea1d45 100644
--- a/yml/OtherMSBinaries/Remote.yml
+++ b/yml/OtherMSBinaries/Remote.yml
@@ -32,7 +32,7 @@ Code_Sample:
 - Code:
 Detection:
 - IOC: remote.exe process spawns
- - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml
 Resources:
 - Link: https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/
 Acknowledgement:
diff --git a/yml/OtherMSBinaries/Squirrel.yml b/yml/OtherMSBinaries/Squirrel.yml
index 0520437..8dd0255 100644
--- a/yml/OtherMSBinaries/Squirrel.yml
+++ b/yml/OtherMSBinaries/Squirrel.yml
@@ -44,6 +44,8 @@ Full_Path:
 Code_Sample:
 - Code: https://github.com/jreegun/POC-s/tree/master/nuget-squirrel
 Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml
 Resources:
 - Link: https://www.youtube.com/watch?v=rOP3hnkj7ls
 - Link: https://twitter.com/reegun21/status/1144182772623269889
diff --git a/yml/OtherMSBinaries/VSIISExeLauncher.yml b/yml/OtherMSBinaries/VSIISExeLauncher.yml
index 1d5ee20..428d730 100644
--- a/yml/OtherMSBinaries/VSIISExeLauncher.yml
+++ b/yml/OtherMSBinaries/VSIISExeLauncher.yml
@@ -16,6 +16,7 @@ Full_Path:
 Code_Sample:
 - Code:
 Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml
 - IOC: VSIISExeLauncher.exe spawned an unknown process
 Resources:
 - Link: https://github.com/timwhitez
diff --git a/yml/OtherMSBinaries/Winword.yml b/yml/OtherMSBinaries/Winword.yml
index 11bc887..f70dd62 100644
--- a/yml/OtherMSBinaries/Winword.yml
+++ b/yml/OtherMSBinaries/Winword.yml
@@ -31,6 +31,7 @@ Full_Path:
 Code_Sample:
 - Code:
 Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_winword.yml
 - IOC: Suspicious Office application Internet/network traffic
 Resources:
 - Link: https://twitter.com/reegun21/status/1150032506504151040