diff --git a/yml/HonorableMentions/GfxDownloadWrapper.yml b/yml/HonorableMentions/GfxDownloadWrapper.yml index 9675000..982da38 100644 --- a/yml/HonorableMentions/GfxDownloadWrapper.yml +++ b/yml/HonorableMentions/GfxDownloadWrapper.yml @@ -169,7 +169,7 @@ Full_Path: - Path: c:\windows\system32\driverstore\filerepository\ki132869.inf_amd64_052eb72d070df60f\ - Path: c:\windows\system32\driverstore\filerepository\kit126731.inf_amd64_1905c9d5f38631d9\ Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml - IOC: Usually GfxDownloadWrapper downloads a JSON file from https://gameplayapi.intel.com. Resources: - Link: https://www.sothis.tech/author/jgalvez/ diff --git a/yml/OSBinaries/AppInstaller.yml b/yml/OSBinaries/AppInstaller.yml index bc33d0a..3106002 100644 --- a/yml/OSBinaries/AppInstaller.yml +++ b/yml/OSBinaries/AppInstaller.yml @@ -14,7 +14,7 @@ Commands: Full_Path: - Path: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/bdb00f403fd8ede0daa04449ad913200af9466ff/rules/windows/dns_query/win_dq_lobas_appinstaller.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml Resources: - Link: https://twitter.com/notwhickey/status/1333900137232523264 Acknowledgement: diff --git a/yml/OSBinaries/Aspnet_Compiler.yml b/yml/OSBinaries/Aspnet_Compiler.yml index f653b36..88e3099 100644 --- a/yml/OSBinaries/Aspnet_Compiler.yml +++ b/yml/OSBinaries/Aspnet_Compiler.yml @@ -18,7 +18,7 @@ Code_Sample: - Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder Detection: - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - - Sigma: https://github.com/SigmaHQ/sigma/blob/960a03eaf480926ed8db464477335a713e9e6630/rules/windows/process_creation/win_pc_lobas_aspnet_compiler.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_aspnet_compiler.yml Resources: - Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/ - Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8 diff --git a/yml/OSBinaries/At.yml b/yml/OSBinaries/At.yml index 87f446d..eb9743c 100644 --- a/yml/OSBinaries/At.yml +++ b/yml/OSBinaries/At.yml @@ -15,9 +15,9 @@ Full_Path: - Path: C:\WINDOWS\System32\At.exe - Path: C:\WINDOWS\SysWOW64\At.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_interactive_at.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/builtin/win_atsvc_task.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/builtin/security/win_security_atsvc_task.yml - IOC: C:\Windows\System32\Tasks\At1 (substitute 1 with subsequent number of at job) - IOC: C:\Windows\Tasks\At1.job - IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1. diff --git a/yml/OSBinaries/Atbroker.yml b/yml/OSBinaries/Atbroker.yml index 2f813bc..dff3368 100644 --- a/yml/OSBinaries/Atbroker.yml +++ b/yml/OSBinaries/Atbroker.yml @@ -15,8 +15,8 @@ Full_Path: - Path: C:\Windows\System32\Atbroker.exe - Path: C:\Windows\SysWOW64\Atbroker.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/eb406ba36fc607986970c09e53058af412093647/rules/windows/process_creation/win_susp_atbroker.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/7bca85e40618126643b9712b80bd663c21908e26/rules/windows/registry_event/sysmon_susp_atbroker_change.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml - IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration - IOC: Changes to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs - IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware diff --git a/yml/OSBinaries/Bash.yml b/yml/OSBinaries/Bash.yml index 1a3a7b9..d257f75 100644 --- a/yml/OSBinaries/Bash.yml +++ b/yml/OSBinaries/Bash.yml @@ -39,7 +39,7 @@ Code_Sample: - Code: Detection: - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - - Sigma: https://github.com/SigmaHQ/sigma/blob/960a03eaf480926ed8db464477335a713e9e6630/rules/windows/process_creation/win_pc_lobas_bash.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml - IOC: Child process from bash.exe Resources: - Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules diff --git a/yml/OSBinaries/Bitsadmin.yml b/yml/OSBinaries/Bitsadmin.yml index b1629e3..c41bcf3 100644 --- a/yml/OSBinaries/Bitsadmin.yml +++ b/yml/OSBinaries/Bitsadmin.yml @@ -38,9 +38,9 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/90ca1a8ad2e5c96d09a9ae4ff92483a2110d49ff/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/abcaf00aeef3769aa2a6f66f7fb6537b867c1691/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/e40b8592544721c689f8ae96477ea1218e4c7a05/rules/windows/process_creation/win_monitoring_for_persistence_via_bits.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml - Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/bitsadmin_download_file.yml - IOC: Child process from bitsadmin.exe - IOC: bitsadmin creates new files diff --git a/yml/OSBinaries/Certoc.yml b/yml/OSBinaries/Certoc.yml index fc183f6..b505388 100644 --- a/yml/OSBinaries/Certoc.yml +++ b/yml/OSBinaries/Certoc.yml @@ -24,7 +24,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/406f10b583469f7f7c245ff41002f75902693b7d/rules/windows/process_creation/process_creation_certoc_execution.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml - IOC: Process creation with given parameter - IOC: Unsigned DLL load via certoc.exe - IOC: Network connection via certoc.exe diff --git a/yml/OSBinaries/Certreq.yml b/yml/OSBinaries/Certreq.yml index 0396f6b..1200042 100644 --- a/yml/OSBinaries/Certreq.yml +++ b/yml/OSBinaries/Certreq.yml @@ -24,7 +24,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/eb8c9c046b86e7d412bdcc3235693fa1c00f70d6/rules/windows/process_creation/win_susp_certreq_download.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml - IOC: certreq creates new files - IOC: certreq makes POST requests Resources: diff --git a/yml/OSBinaries/Certutil.yml b/yml/OSBinaries/Certutil.yml index 6538aba..d38c052 100644 --- a/yml/OSBinaries/Certutil.yml +++ b/yml/OSBinaries/Certutil.yml @@ -52,9 +52,9 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_certutil_download.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_certutil_encode.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_certutil_decode.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certutil_download.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certutil_encode.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certutil_decode.yml - Elastic: https://github.com/elastic/detection-rules/blob/4a11ef9514938e7a7e32cf5f379e975cebf5aed3/rules/windows/defense_evasion_suspicious_certutil_commands.toml - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/command_and_control_certutil_network_connection.toml - Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml diff --git a/yml/OSBinaries/Cmd.yml b/yml/OSBinaries/Cmd.yml index ee469b2..44ec520 100644 --- a/yml/OSBinaries/Cmd.yml +++ b/yml/OSBinaries/Cmd.yml @@ -36,7 +36,7 @@ Full_Path: - Path: C:\Windows\System32\cmd.exe - Path: C:\Windows\SysWOW64\cmd.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/688df3405afd778d63a2ea36a084344a2052848c/rules/windows/process_creation/process_creation_alternate_data_streams.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_ads_file_creation.toml - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml - IOC: cmd.exe executing files from alternate data streams. diff --git a/yml/OSBinaries/Cmdkey.yml b/yml/OSBinaries/Cmdkey.yml index bceafb4..d8d84e1 100644 --- a/yml/OSBinaries/Cmdkey.yml +++ b/yml/OSBinaries/Cmdkey.yml @@ -15,7 +15,7 @@ Full_Path: - Path: C:\Windows\System32\cmdkey.exe - Path: C:\Windows\SysWOW64\cmdkey.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/c3c152d457773454f67895008a1abde823be0755/rules/windows/process_creation/win_cmdkey_recon.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml Resources: - Link: https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey diff --git a/yml/OSBinaries/Cmdl32.yml b/yml/OSBinaries/Cmdl32.yml index 1e4bf25..bf01894 100644 --- a/yml/OSBinaries/Cmdl32.yml +++ b/yml/OSBinaries/Cmdl32.yml @@ -15,7 +15,7 @@ Full_Path: - Path: C:\Windows\System32\cmdl32.exe - Path: C:\Windows\SysWOW64\cmdl32.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/3416db73016f25ce115f5597fe74320d2428db66/rules/windows/process_creation/win_pc_susp_cmdl32_lolbas.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_cmdl32.yml - IOC: Reports of downloading from suspicious URLs in %TMP%\config.log - IOC: Useragent Microsoft(R) Connection Manager Vpn File Update Resources: diff --git a/yml/OSBinaries/Cmstp.yml b/yml/OSBinaries/Cmstp.yml index d4688c8..d46d598 100644 --- a/yml/OSBinaries/Cmstp.yml +++ b/yml/OSBinaries/Cmstp.yml @@ -22,8 +22,8 @@ Full_Path: - Path: C:\Windows\System32\cmstp.exe - Path: C:\Windows\SysWOW64\cmstp.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/6d0d58dfe240f7ef46e7da928c0b65223a46c3b2/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_uac_cmstp.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_cmstp_execution_by_creation.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml - Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml diff --git a/yml/OSBinaries/ConfigSecurityPolicy.yml b/yml/OSBinaries/ConfigSecurityPolicy.yml index ae65d1d..55e0059 100644 --- a/yml/OSBinaries/ConfigSecurityPolicy.yml +++ b/yml/OSBinaries/ConfigSecurityPolicy.yml @@ -24,7 +24,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/5e57e476c29980800dcc88a7a001ddb75d21a58b/rules/windows/process_creation/win_pc_lolbas_configsecuritypolicy.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yml - IOC: ConfigSecurityPolicy storing data into alternate data streams. - IOC: Preventing/Detecting ConfigSecurityPolicy with non-RFC1918 addresses by Network IPS/IDS. - IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching ConfigSecurityPolicy.exe. diff --git a/yml/OSBinaries/Conhost.yml b/yml/OSBinaries/Conhost.yml index 5e095b2..2ee2b75 100644 --- a/yml/OSBinaries/Conhost.yml +++ b/yml/OSBinaries/Conhost.yml @@ -22,7 +22,7 @@ Full_Path: - Path: c:\windows\system32\conhost.exe Detection: - IOC: conhost.exe spawning unexpected processes - - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_susp_conhost.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml Resources: - Link: https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ - Link: https://twitter.com/Wietze/status/1511397781159751680 diff --git a/yml/OSBinaries/Control.yml b/yml/OSBinaries/Control.yml index 75c857f..acb3f9c 100644 --- a/yml/OSBinaries/Control.yml +++ b/yml/OSBinaries/Control.yml @@ -17,8 +17,8 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/e8b633f54fce88e82b1c3d5e7c7bfa7d3d0beee7/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_control_dll_load.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml - Elastic: https://github.com/elastic/detection-rules/blob/0875c1e4c4370ab9fbf453c8160bb5abc8ad95e7/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml diff --git a/yml/OSBinaries/Csc.yml b/yml/OSBinaries/Csc.yml index 733e7fb..945b584 100644 --- a/yml/OSBinaries/Csc.yml +++ b/yml/OSBinaries/Csc.yml @@ -24,8 +24,8 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc_folder.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_csc_susp_folder.yml - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml - IOC: Csc.exe should normally not run as System account unless it is used for development. diff --git a/yml/OSBinaries/Cscript.yml b/yml/OSBinaries/Cscript.yml index 91ba561..b73f756 100644 --- a/yml/OSBinaries/Cscript.yml +++ b/yml/OSBinaries/Cscript.yml @@ -17,7 +17,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_script_execution.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/command_and_control_remote_file_copy_scripts.toml diff --git a/yml/OSBinaries/DataSvcUtil.yml b/yml/OSBinaries/DataSvcUtil.yml index a1f7041..2321e38 100644 --- a/yml/OSBinaries/DataSvcUtil.yml +++ b/yml/OSBinaries/DataSvcUtil.yml @@ -16,7 +16,7 @@ Full_Path: Code_Sample: - Code: https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6 Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/dc030e0128a38510b0a866e1210f5ebd7c418c0b/rules/windows/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml - IOC: The DataSvcUtil.exe tool is installed in the .NET Framework directory. - IOC: Preventing/Detecting DataSvcUtil with non-RFC1918 addresses by Network IPS/IDS. - IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching DataSvcUtil. diff --git a/yml/OSBinaries/Desktopimgdownldr.yml b/yml/OSBinaries/Desktopimgdownldr.yml index ece24db..5e51a01 100644 --- a/yml/OSBinaries/Desktopimgdownldr.yml +++ b/yml/OSBinaries/Desktopimgdownldr.yml @@ -16,8 +16,8 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_desktopimgdownldr.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/file_event/win_susp_desktopimgdownldr_file.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml - IOC: desktopimgdownldr.exe that creates non-image file - IOC: Change of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP\LockScreenImageUrl diff --git a/yml/OSBinaries/Dfsvc.yml b/yml/OSBinaries/Dfsvc.yml index ce13584..2a1cb9d 100644 --- a/yml/OSBinaries/Dfsvc.yml +++ b/yml/OSBinaries/Dfsvc.yml @@ -19,7 +19,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml Resources: - Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf - Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe diff --git a/yml/OSBinaries/Diantz.yml b/yml/OSBinaries/Diantz.yml index 18d1979..a701ecc 100644 --- a/yml/OSBinaries/Diantz.yml +++ b/yml/OSBinaries/Diantz.yml @@ -24,8 +24,8 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/0593446f96c57a8b64e2b5b9fd15a20f1c56acab/rules/windows/process_creation/win_pc_lolbas_diantz_ads.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_diantz_remote_cab.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml - IOC: diantz storing data into alternate data streams. - IOC: diantz getting a file from a remote machine or the internet. Resources: diff --git a/yml/OSBinaries/Diskshadow.yml b/yml/OSBinaries/Diskshadow.yml index 382ecf7..7fb9a18 100644 --- a/yml/OSBinaries/Diskshadow.yml +++ b/yml/OSBinaries/Diskshadow.yml @@ -24,8 +24,8 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/b4d5b44ea86cda24f38a87d3b0c5f9d4455bf841/rules/windows/process_creation/win_susp_diskshadow.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/b3df5bf325461df9bcfeb051895b0c8dc3258234/rules/windows/process_creation/win_shadow_copies_deletion.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_diskshadow.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml - IOC: Child process from diskshadow.exe Resources: diff --git a/yml/OSBinaries/Dnscmd.yml b/yml/OSBinaries/Dnscmd.yml index e5eea9d..ce91519 100644 --- a/yml/OSBinaries/Dnscmd.yml +++ b/yml/OSBinaries/Dnscmd.yml @@ -17,7 +17,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml - IOC: Dnscmd.exe loading dll from UNC/arbitrary path Resources: - Link: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 diff --git a/yml/OSBinaries/Eventvwr.yml b/yml/OSBinaries/Eventvwr.yml index 94e7e7a..286d68f 100644 --- a/yml/OSBinaries/Eventvwr.yml +++ b/yml/OSBinaries/Eventvwr.yml @@ -24,8 +24,8 @@ Full_Path: Code_Sample: - Code: https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1 Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml - Elastic: https://github.com/elastic/detection-rules/blob/d31ea6253ea40789b1fc49ade79b7ec92154d12a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/eventvwr_uac_bypass.yml diff --git a/yml/OSBinaries/Expand.yml b/yml/OSBinaries/Expand.yml index e671c0a..1503986 100644 --- a/yml/OSBinaries/Expand.yml +++ b/yml/OSBinaries/Expand.yml @@ -31,7 +31,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/b25fbbea54014565fc4551f94c97c0d7550b1c04/rules/windows/process_creation/sysmon_expand_cabinet_files.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml Resources: - Link: https://twitter.com/infosecn1nja/status/986628482858807297 diff --git a/yml/OSBinaries/Explorer.yml b/yml/OSBinaries/Explorer.yml index d1e025c..829f2f8 100644 --- a/yml/OSBinaries/Explorer.yml +++ b/yml/OSBinaries/Explorer.yml @@ -22,8 +22,8 @@ Full_Path: - Path: C:\Windows\explorer.exe - Path: C:\Windows\SysWOW64\explorer.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_explorer_break_proctree.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_explorer.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_explorer_lolbin_execution.yml - Elastic: https://github.com/elastic/detection-rules/blob/f2bc0c685d83db7db395fc3dc4b9729759cd4329/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml - IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line is suspicious. Resources: diff --git a/yml/OSBinaries/Extexport.yml b/yml/OSBinaries/Extexport.yml index 91ae717..2d18eeb 100644 --- a/yml/OSBinaries/Extexport.yml +++ b/yml/OSBinaries/Extexport.yml @@ -17,7 +17,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extexport.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml - IOC: Extexport.exe loads dll and is execute from other folder the original path Resources: - Link: http://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/ diff --git a/yml/OSBinaries/Extrac32.yml b/yml/OSBinaries/Extrac32.yml index cb25dd8..bfcce17 100644 --- a/yml/OSBinaries/Extrac32.yml +++ b/yml/OSBinaries/Extrac32.yml @@ -39,8 +39,8 @@ Code_Sample: - Code: Detection: - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml - - Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32_ads.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml Resources: - Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f diff --git a/yml/OSBinaries/Findstr.yml b/yml/OSBinaries/Findstr.yml index 0cf942a..c401a68 100644 --- a/yml/OSBinaries/Findstr.yml +++ b/yml/OSBinaries/Findstr.yml @@ -38,7 +38,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_findstr.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml Resources: - Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f diff --git a/yml/OSBinaries/Finger.yml b/yml/OSBinaries/Finger.yml index 936098f..440b32a 100644 --- a/yml/OSBinaries/Finger.yml +++ b/yml/OSBinaries/Finger.yml @@ -15,7 +15,7 @@ Full_Path: - Path: c:\windows\system32\finger.exe - Path: c:\windows\syswow64\finger.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_finger_usage.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_finger_usage.yml - IOC: finger.exe should not be run on a normal workstation. - IOC: finger.exe connecting to external resources. Resources: diff --git a/yml/OSBinaries/FltMC.yml b/yml/OSBinaries/FltMC.yml index c00cf3e..d8557b4 100644 --- a/yml/OSBinaries/FltMC.yml +++ b/yml/OSBinaries/FltMC.yml @@ -14,7 +14,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\fltMC.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/c27084dd0c432335fa4369e5002a61dfe0ab9c65/rules/windows/process_creation/win_sysmon_driver_unload.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_via_filter_manager.toml - Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/unload_sysmon_filter_driver.yml - IOC: 4688 events with fltMC.exe diff --git a/yml/OSBinaries/Ftp.yml b/yml/OSBinaries/Ftp.yml index 9bd8a08..62b9a82 100644 --- a/yml/OSBinaries/Ftp.yml +++ b/yml/OSBinaries/Ftp.yml @@ -24,7 +24,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_ftp.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml - IOC: cmd /c as child process of ftp.exe Resources: - Link: https://twitter.com/0xAmit/status/1070063130636640256 diff --git a/yml/OSBinaries/Gpscript.yml b/yml/OSBinaries/Gpscript.yml index 6b4fc8b..fba5f6f 100644 --- a/yml/OSBinaries/Gpscript.yml +++ b/yml/OSBinaries/Gpscript.yml @@ -24,7 +24,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml - IOC: Scripts added in local group policy - IOC: Execution of Gpscript.exe after logon Resources: diff --git a/yml/OSBinaries/Hh.yml b/yml/OSBinaries/Hh.yml index f8275a1..f6db470 100644 --- a/yml/OSBinaries/Hh.yml +++ b/yml/OSBinaries/Hh.yml @@ -24,8 +24,8 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_hh_chm.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_html_help_spawn.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml - Elastic: https://github.com/elastic/detection-rules/blob/ef7548f04c4341e0d1a172810330d59453f46a21/rules/windows/execution_via_compiled_html_file.toml - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml - Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_html_help_spawn_child_process.yml diff --git a/yml/OSBinaries/Infdefaultinstall.yml b/yml/OSBinaries/Infdefaultinstall.yml index e4b9ab1..4c86688 100644 --- a/yml/OSBinaries/Infdefaultinstall.yml +++ b/yml/OSBinaries/Infdefaultinstall.yml @@ -17,7 +17,7 @@ Full_Path: Code_Sample: - Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/85d47aeabc25bbd023284849f4466c1e00b855ce/rules/windows/process_creation/process_creation_infdefaultinstall.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules Resources: - Link: https://twitter.com/KyleHanslovan/status/911997635455852544 diff --git a/yml/OSBinaries/Makecab.yml b/yml/OSBinaries/Makecab.yml index 7cf425b..de392e9 100644 --- a/yml/OSBinaries/Makecab.yml +++ b/yml/OSBinaries/Makecab.yml @@ -31,7 +31,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/688df3405afd778d63a2ea36a084344a2052848c/rules/windows/process_creation/process_creation_alternate_data_streams.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml - IOC: Makecab retrieving files from Internet - IOC: Makecab storing data into alternate data streams diff --git a/yml/OSBinaries/Mavinject.yml b/yml/OSBinaries/Mavinject.yml index be957b7..61d5411 100644 --- a/yml/OSBinaries/Mavinject.yml +++ b/yml/OSBinaries/Mavinject.yml @@ -24,7 +24,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml#L4 + - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml - IOC: mavinject.exe should not run unless APP-v is in use on the workstation Resources: - Link: https://twitter.com/gN3mes1s/status/941315826107510784 diff --git a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml index 0b0050e..c26c0c2 100644 --- a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml +++ b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml @@ -30,7 +30,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/85d47aeabc25bbd023284849f4466c1e00b855ce/rules/windows/process_creation/win_workflow_compiler.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml - Splunk: https://github.com/splunk/security_content/blob/961a81d4a5cb5c5febec4894d6d812497171a85c/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml - Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml diff --git a/yml/OSBinaries/Mmc.yml b/yml/OSBinaries/Mmc.yml index 08a0ded..7dfdb8d 100644 --- a/yml/OSBinaries/Mmc.yml +++ b/yml/OSBinaries/Mmc.yml @@ -24,8 +24,8 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_mmc_spawn_shell.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/b731c2059445eef53e37232a5f3634c3473aae0c/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_mmc_susp_child_process.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml Resources: - Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ - Link: https://offsec.almond.consulting/UAC-bypass-dotnet.html diff --git a/yml/OSBinaries/Msbuild.yml b/yml/OSBinaries/Msbuild.yml index 7460dcd..7aa009d 100644 --- a/yml/OSBinaries/Msbuild.yml +++ b/yml/OSBinaries/Msbuild.yml @@ -51,8 +51,8 @@ Code_Sample: - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml#L4 - - Sigma: https://github.com/SigmaHQ/sigma/blob/5a3af872d86903c13e508348f54e3b519eb01dce/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml - Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_msbuild_spawn.yml - Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_msbuild_rename.yml - Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml diff --git a/yml/OSBinaries/Msconfig.yml b/yml/OSBinaries/Msconfig.yml index c4ce1c1..56b2a4f 100644 --- a/yml/OSBinaries/Msconfig.yml +++ b/yml/OSBinaries/Msconfig.yml @@ -16,8 +16,8 @@ Full_Path: Code_Sample: - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/mscfgtlc.xml Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/b731c2059445eef53e37232a5f3634c3473aae0c/rules/windows/process_creation/win_uac_bypass_msconfig_gui.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/b731c2059445eef53e37232a5f3634c3473aae0c/rules/windows/file_event/sysmon_uac_bypass_msconfig_gui.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/file/file_event/file_event_win_uac_bypass_msconfig_gui.yml - IOC: mscfgtlc.xml changes in system32 folder Resources: - Link: https://twitter.com/pabraeken/status/991314564896690177 diff --git a/yml/OSBinaries/Msdt.yml b/yml/OSBinaries/Msdt.yml index 81b4799..2704db8 100644 --- a/yml/OSBinaries/Msdt.yml +++ b/yml/OSBinaries/Msdt.yml @@ -32,7 +32,7 @@ Code_Sample: - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/PCW8E57.xml Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_msdt.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml Resources: - Link: https://web.archive.org/web/20160322142537/https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/ diff --git a/yml/OSBinaries/Mshta.yml b/yml/OSBinaries/Mshta.yml index 26906af..dfb40b3 100644 --- a/yml/OSBinaries/Mshta.yml +++ b/yml/OSBinaries/Mshta.yml @@ -45,12 +45,12 @@ Full_Path: Code_Sample: - Code: https://gist.github.com/bohops/6ded40c4989c673f2e30b9a6c1985019 Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/05c58b4892942c34bfa01e9ada88ef2663858e1c/rules/windows/process_creation/win_susp_mshta_pattern.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_lethalhta.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_mshta_javascript.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_mshta_lethalhta_technique.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml - Elastic: https://github.com/elastic/detection-rules/blob/f8f643041a584621e66cf8e6d534ad3db92edc29/rules/windows/defense_evasion_mshta_beacon.toml - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/lateral_movement_dcom_hta.toml - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml diff --git a/yml/OSBinaries/Msiexec.yml b/yml/OSBinaries/Msiexec.yml index ff8f4e1..6e204f5 100644 --- a/yml/OSBinaries/Msiexec.yml +++ b/yml/OSBinaries/Msiexec.yml @@ -38,8 +38,8 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_msiexec_web_install.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_msiexec_cwd.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml - Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/uninstall_app_using_msiexec.yml - IOC: msiexec.exe retrieving files from Internet diff --git a/yml/OSBinaries/Netsh.yml b/yml/OSBinaries/Netsh.yml index aa2dd77..3caa274 100644 --- a/yml/OSBinaries/Netsh.yml +++ b/yml/OSBinaries/Netsh.yml @@ -17,7 +17,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/0a410010a2655bc6f2aae73b9fb3b2c00ed589f7/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml - Splunk: https://github.com/splunk/security_content/blob/2b87b26bdc2a84b65b1355ffbd5174bdbdb1879c/detections/endpoint/processes_launching_netsh.yml - Splunk: https://github.com/splunk/security_content/blob/08ed88bd88259c03c771c30170d2934ed0a8f878/detections/deprecated/processes_created_by_netsh.yml - IOC: Netsh initiating a network connection diff --git a/yml/OSBinaries/Pktmon.yml b/yml/OSBinaries/Pktmon.yml index 2ee954a..0ef714b 100644 --- a/yml/OSBinaries/Pktmon.yml +++ b/yml/OSBinaries/Pktmon.yml @@ -24,7 +24,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml - IOC: .etl files found on system Resources: - Link: https://binar-x79.com/windows-10-secret-sniffer/ diff --git a/yml/OSBinaries/Pnputil.yml b/yml/OSBinaries/Pnputil.yml index f93c065..1da2ab6 100644 --- a/yml/OSBinaries/Pnputil.yml +++ b/yml/OSBinaries/Pnputil.yml @@ -16,7 +16,7 @@ Full_Path: Code_Sample: - Code: https://github.com/LuxNoBulIshit/test.inf/blob/main/inf Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/a8a0d546f347febb0423aa920dbc10713cc1f92f/rules/windows/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml Acknowledgement: - Person: Hai Vaknin(Lux) Handle: '@LuxNoBulIshit' diff --git a/yml/OSBinaries/Print.yml b/yml/OSBinaries/Print.yml index 54834bb..9edacb8 100644 --- a/yml/OSBinaries/Print.yml +++ b/yml/OSBinaries/Print.yml @@ -31,7 +31,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_print.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml - IOC: Print.exe retrieving files from internet - IOC: Print.exe creating executable files on disk Resources: diff --git a/yml/OSBinaries/Psr.yml b/yml/OSBinaries/Psr.yml index 56b9bd6..1d6d78a 100644 --- a/yml/OSBinaries/Psr.yml +++ b/yml/OSBinaries/Psr.yml @@ -17,7 +17,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/c44b22b52fce406d45ddb6743a02b9ff8c62c7c6/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml - IOC: psr.exe spawned - IOC: suspicious activity when running with "/gui 0" flag Resources: diff --git a/yml/OSBinaries/Reg.yml b/yml/OSBinaries/Reg.yml index 0d903c5..fa6a9fc 100644 --- a/yml/OSBinaries/Reg.yml +++ b/yml/OSBinaries/Reg.yml @@ -24,9 +24,9 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/d9edc9f0e365257aa497cc7707e58f396088958e/rules/windows/process_creation/win_regedit_import_keys_ads.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/d9edc9f0e365257aa497cc7707e58f396088958e/rules/windows/process_creation/win_regedit_import_keys.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/9f27ab5426a0b061f1f2787e3dc947d6d75ad8c0/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml - Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml - Elastic: https://github.com/elastic/detection-rules/blob/f6421d8c534f295518a2c945f530e8afc4c8ad1b/rules/windows/credential_access_dump_registry_hives.toml - IOC: reg.exe writing to an ADS diff --git a/yml/OSBinaries/Regedit.yml b/yml/OSBinaries/Regedit.yml index 7dccfb1..fec34d0 100644 --- a/yml/OSBinaries/Regedit.yml +++ b/yml/OSBinaries/Regedit.yml @@ -23,7 +23,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/d9edc9f0e365257aa497cc7707e58f396088958e/rules/windows/process_creation/win_regedit_import_keys_ads.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml - IOC: regedit.exe reading and writing to alternate data stream - IOC: regedit.exe should normally not be executed by end-users Resources: diff --git a/yml/OSBinaries/Regini.yml b/yml/OSBinaries/Regini.yml index ff89820..c378df8 100644 --- a/yml/OSBinaries/Regini.yml +++ b/yml/OSBinaries/Regini.yml @@ -17,8 +17,8 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/d9edc9f0e365257aa497cc7707e58f396088958e/rules/windows/process_creation/win_regini_ads.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/d9edc9f0e365257aa497cc7707e58f396088958e/rules/windows/process_creation/win_regini.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_regini_ads.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_regini_execution.yml - IOC: regini.exe reading from ADS Resources: - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f diff --git a/yml/OSBinaries/Regsvr32.yml b/yml/OSBinaries/Regsvr32.yml index 70b2d6a..27067b8 100644 --- a/yml/OSBinaries/Regsvr32.yml +++ b/yml/OSBinaries/Regsvr32.yml @@ -40,9 +40,9 @@ Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/6d56e400d209daa77a7900d950a7c587dc0cd2e5/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/5951ad1d9a781a49d61df9af03c7b83ac67a0012/rules/windows/dns_query/dns_query_regsvr32_network_activity.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_regsvr32_application_control_bypass.yml - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml diff --git a/yml/OSBinaries/Replace.yml b/yml/OSBinaries/Replace.yml index d240636..af90c13 100644 --- a/yml/OSBinaries/Replace.yml +++ b/yml/OSBinaries/Replace.yml @@ -25,7 +25,7 @@ Code_Sample: - Code: Detection: - IOC: Replace.exe retrieving files from remote server - - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbas_replace.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml Resources: - Link: https://twitter.com/elceef/status/986334113941655553 - Link: https://twitter.com/elceef/status/986842299861782529 diff --git a/yml/OSBinaries/Rpcping.yml b/yml/OSBinaries/Rpcping.yml index 6f0d3b1..f20ddd2 100644 --- a/yml/OSBinaries/Rpcping.yml +++ b/yml/OSBinaries/Rpcping.yml @@ -24,7 +24,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rpcping.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml Resources: - Link: https://github.com/vysec/RedTips - Link: https://twitter.com/vysecurity/status/974806438316072960 diff --git a/yml/OSBinaries/Rundll32.yml b/yml/OSBinaries/Rundll32.yml index 9d1ef8b..d108266 100644 --- a/yml/OSBinaries/Rundll32.yml +++ b/yml/OSBinaries/Rundll32.yml @@ -66,8 +66,8 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/network_connection/sysmon_rundll32_net_connections.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml - IOC: Outbount Internet/network connections made from rundll32 - IOC: Suspicious use of cmdline flags such as -sta diff --git a/yml/OSBinaries/Runonce.yml b/yml/OSBinaries/Runonce.yml index 53d242d..b3191dc 100644 --- a/yml/OSBinaries/Runonce.yml +++ b/yml/OSBinaries/Runonce.yml @@ -17,8 +17,8 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/6d2acb166070541925636d1d1273e46020e38387/rules/windows/registry_event/sysmon_runonce_persistence.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_runonce_execution.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_runonce_execution.yml - Elastic: https://github.com/elastic/detection-rules/blob/2926e98c5d998706ef7e248a63fb0367c841f685/rules/windows/persistence_run_key_and_startup_broad.toml - IOC: Registy key add - HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\YOURKEY Resources: diff --git a/yml/OSBinaries/Runscripthelper.yml b/yml/OSBinaries/Runscripthelper.yml index ff6cc63..d54807b 100644 --- a/yml/OSBinaries/Runscripthelper.yml +++ b/yml/OSBinaries/Runscripthelper.yml @@ -17,7 +17,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_runscripthelper.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_runscripthelper.yml - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - IOC: Event 4014 - Powershell logging - IOC: Event 400 diff --git a/yml/OSBinaries/Sc.yml b/yml/OSBinaries/Sc.yml index 39f40e1..f8fa24a 100644 --- a/yml/OSBinaries/Sc.yml +++ b/yml/OSBinaries/Sc.yml @@ -25,8 +25,8 @@ Code_Sample: - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_susp_service_path_modification.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml - Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/sc_exe_manipulating_windows_services.yml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/lateral_movement_cmd_service.toml - IOC: Unexpected service creation diff --git a/yml/OSBinaries/Schtasks.yml b/yml/OSBinaries/Schtasks.yml index b6f023b..f439dc8 100644 --- a/yml/OSBinaries/Schtasks.yml +++ b/yml/OSBinaries/Schtasks.yml @@ -24,7 +24,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/59000b993d6280d9bf063eefdcdf30ea0e83aa5e/rules/windows/process_creation/win_susp_schtask_creation.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml - Elastic: https://github.com/elastic/detection-rules/blob/ef7548f04c4341e0d1a172810330d59453f46a21/rules/windows/persistence_local_scheduled_task_creation.toml - Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml - IOC: Suspicious task creation events diff --git a/yml/OSBinaries/Scriptrunner.yml b/yml/OSBinaries/Scriptrunner.yml index e5037f9..be2a779 100644 --- a/yml/OSBinaries/Scriptrunner.yml +++ b/yml/OSBinaries/Scriptrunner.yml @@ -24,7 +24,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/765acac3742310764495ed5a2006bc0ced5b1a67/rules/windows/process_creation/win_susp_servu_process_pattern.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_servu_susp_child_process.yml - IOC: Scriptrunner.exe should not be in use unless App-v is deployed Resources: - Link: https://twitter.com/KyleHanslovan/status/914800377580503040 diff --git a/yml/OSBinaries/SettingSyncHost.yml b/yml/OSBinaries/SettingSyncHost.yml index b1a45be..aa20ad9 100644 --- a/yml/OSBinaries/SettingSyncHost.yml +++ b/yml/OSBinaries/SettingSyncHost.yml @@ -22,7 +22,7 @@ Full_Path: - Path: C:\Windows\System32\SettingSyncHost.exe - Path: C:\Windows\SysWOW64\SettingSyncHost.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_using_settingsynchost_as_lolbin.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml - IOC: SettingSyncHost.exe should not be run on a normal workstation Resources: - Link: https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin/ diff --git a/yml/OSBinaries/Ssh.yml b/yml/OSBinaries/Ssh.yml index c1e6138..4c17e63 100644 --- a/yml/OSBinaries/Ssh.yml +++ b/yml/OSBinaries/Ssh.yml @@ -21,7 +21,7 @@ Commands: Full_Path: - Path: c:\windows\system32\OpenSSH\ssh.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml - IOC: Event ID 4624 with process name C:\Windows\System32\OpenSSH\sshd.exe. - IOC: command line arguments specifying execution. Resources: diff --git a/yml/OSBinaries/Stordiag.yml b/yml/OSBinaries/Stordiag.yml index 754c491..9b47903 100644 --- a/yml/OSBinaries/Stordiag.yml +++ b/yml/OSBinaries/Stordiag.yml @@ -15,7 +15,7 @@ Full_Path: - Path: c:\windows\system32\stordiag.exe - Path: c:\windows\syswow64\stordiag.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/8b86a79ef0ca2f32c006c327350b76b47b604690/rules/windows/process_creation/process_creation_stordiag_execution.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml - IOC: systeminfo.exe, fltmc.exe or schtasks.exe being executed outside of their normal path of c:\windows\system32\ or c:\windows\syswow64\ Resources: - Link: https://twitter.com/eral4m/status/1451112385041911809 diff --git a/yml/OSBinaries/Ttdinject.yml b/yml/OSBinaries/Ttdinject.yml index c752614..31c79c1 100644 --- a/yml/OSBinaries/Ttdinject.yml +++ b/yml/OSBinaries/Ttdinject.yml @@ -24,7 +24,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/7ea6ed3db65e0bd812b051d9bb4fffd27c4c4d0a/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/7ea6ed3db65e0bd812b051d9bb4fffd27c4c4d0a/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml - IOC: Parent child relationship. Ttdinject.exe parent for executed command - IOC: Multiple queries made to the IFEO registry key of an untrusted executable (Ex. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe") from the ttdinject.exe process diff --git a/yml/OSBinaries/Tttracer.yml b/yml/OSBinaries/Tttracer.yml index 7f8b88c..d2125bd 100644 --- a/yml/OSBinaries/Tttracer.yml +++ b/yml/OSBinaries/Tttracer.yml @@ -24,8 +24,8 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/5951ad1d9a781a49d61df9af03c7b83ac67a0012/rules/windows/image_load/process_creation_tttracer_mod_load.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/5951ad1d9a781a49d61df9af03c7b83ac67a0012/rules/windows/image_load/sysmon_tttracer_mod_load.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/image_load/image_load_tttracer_mod_load.yml - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml - IOC: Parent child relationship. Tttracer parent for executed command Resources: diff --git a/yml/OSBinaries/Vbc.yml b/yml/OSBinaries/Vbc.yml index ccfd7ef..05b47cf 100644 --- a/yml/OSBinaries/Vbc.yml +++ b/yml/OSBinaries/Vbc.yml @@ -24,7 +24,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_visual_basic_compiler.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml Acknowledgement: - Person: Lior Adar diff --git a/yml/OSBinaries/Verclsid.yml b/yml/OSBinaries/Verclsid.yml index 77ed16e..cf8fa72 100644 --- a/yml/OSBinaries/Verclsid.yml +++ b/yml/OSBinaries/Verclsid.yml @@ -17,7 +17,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_verclsid_runs_com.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml - Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/verclsid_clsid_execution.yml Resources: - Link: https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5 diff --git a/yml/OSBinaries/Wab.yml b/yml/OSBinaries/Wab.yml index 27377e9..6bec321 100644 --- a/yml/OSBinaries/Wab.yml +++ b/yml/OSBinaries/Wab.yml @@ -17,7 +17,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/a80c29a7c2e2e500a1a532db2a2a8bd69bd4a63d/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml - IOC: WAB.exe should normally never be used Resources: - Link: https://twitter.com/Hexacorn/status/991447379864932352 diff --git a/yml/OSBinaries/Winget.yml b/yml/OSBinaries/Winget.yml index 4e9d4e5..cd2588d 100644 --- a/yml/OSBinaries/Winget.yml +++ b/yml/OSBinaries/Winget.yml @@ -19,7 +19,7 @@ Detection: - IOC: winget.exe spawned with local manifest file - IOC: Sysmon Event ID 1 - Process Creation - Analysis: https://saulpanders.github.io/2022/01/02/New-Year-New-LOLBAS.html - - Sigma: https://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml Resources: - Link: https://saulpanders.github.io/2022/01/02/New-Year-New-LOLBAS.html - Link: https://docs.microsoft.com/en-us/windows/package-manager/winget/#production-recommended diff --git a/yml/OSBinaries/Wlrmdr.yml b/yml/OSBinaries/Wlrmdr.yml index 42365ae..9ceccc7 100644 --- a/yml/OSBinaries/Wlrmdr.yml +++ b/yml/OSBinaries/Wlrmdr.yml @@ -16,7 +16,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml - IOC: wlrmdr.exe spawning any new processes Resources: - Link: https://twitter.com/0gtweet/status/1493963591745220608 diff --git a/yml/OSBinaries/Wmic.yml b/yml/OSBinaries/Wmic.yml index fad141b..b56b878 100644 --- a/yml/OSBinaries/Wmic.yml +++ b/yml/OSBinaries/Wmic.yml @@ -45,10 +45,10 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/8beb70e970b814d0ab60625206ea0d8a21a9bff8/rules/windows/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_xsl_script_processing.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_bypass_squiblytwo.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/c90e31275d2f98b21e55df8a46d0678cfca458d6/rules/windows/process_creation/win_susp_wmic_eventconsumer_create.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_suspicious_wmi_script.toml - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml diff --git a/yml/OSBinaries/WorkFolders.yml b/yml/OSBinaries/WorkFolders.yml index 270f95c..ef8045c 100644 --- a/yml/OSBinaries/WorkFolders.yml +++ b/yml/OSBinaries/WorkFolders.yml @@ -14,7 +14,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\WorkFolders.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/b4d5b44ea86cda24f38a87d3b0c5f9d4455bf841/rules/windows/process_creation/win_susp_workfolders.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml - IOC: WorkFolders.exe should not be run on a normal workstation Resources: - Link: https://www.ctus.io/2021/04/12/exploading/ diff --git a/yml/OSBinaries/Wscript.yml b/yml/OSBinaries/Wscript.yml index de91cdc..3371fef 100644 --- a/yml/OSBinaries/Wscript.yml +++ b/yml/OSBinaries/Wscript.yml @@ -24,9 +24,9 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_script_execution.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/command_and_control_remote_file_copy_scripts.toml - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml diff --git a/yml/OSBinaries/Wsreset.yml b/yml/OSBinaries/Wsreset.yml index 425d972..2382a71 100644 --- a/yml/OSBinaries/Wsreset.yml +++ b/yml/OSBinaries/Wsreset.yml @@ -16,9 +16,9 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/af599e487728ec95eab96d8a980718aa6a0699e4/rules/windows/process_creation/win_uac_bypass_wsreset.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/registry_event/sysmon_bypass_via_wsreset.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml# - Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/wsreset_uac_bypass.yml - IOC: wsreset.exe launching child process other than mmc.exe - IOC: Creation or modification of the registry value HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command diff --git a/yml/OSBinaries/Wuauclt.yml b/yml/OSBinaries/Wuauclt.yml index ada37a0..2c57aac 100644 --- a/yml/OSBinaries/Wuauclt.yml +++ b/yml/OSBinaries/Wuauclt.yml @@ -16,9 +16,9 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/network_connection/sysmon_wuauclt_network_connection.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/f16aca7a353bb01d9862ea1f2a10fa0d866e83c3/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/30bee7204cc1b98a47635ed8e52f44fdf776c602/rules/windows/process_creation/win_susp_wuauclt.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_wuauclt_execution.yml - IOC: wuauclt run with a parameter of a DLL path - IOC: Suspicious wuauclt Internet/network connections Resources: diff --git a/yml/OSBinaries/Xwizard.yml b/yml/OSBinaries/Xwizard.yml index 2968aa3..c7d36a7 100644 --- a/yml/OSBinaries/Xwizard.yml +++ b/yml/OSBinaries/Xwizard.yml @@ -31,8 +31,8 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_class_exec_xwizard.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/8909eefb90c799fb642f6d9d0d6ee6d855a6a654/rules/windows/process_creation/win_dll_sideload_xwizard.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/execution_com_object_xwizard.toml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml Resources: diff --git a/yml/OSBinaries/wt.yml b/yml/OSBinaries/wt.yml index ba4f939..7b54dac 100644 --- a/yml/OSBinaries/wt.yml +++ b/yml/OSBinaries/wt.yml @@ -14,7 +14,7 @@ Commands: Full_Path: - Path: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_\wt.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/add077b8f54474cbfa859cf45a1ca62be5462b0f/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml Resources: - Link: https://twitter.com/nas_bench/status/1552100271668469761 Acknowledgement: diff --git a/yml/OSLibraries/Advpack.yml b/yml/OSLibraries/Advpack.yml index 080b9b8..aca788a 100644 --- a/yml/OSLibraries/Advpack.yml +++ b/yml/OSLibraries/Advpack.yml @@ -46,7 +46,7 @@ Code_Sample: - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack.inf - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack_calc.sct Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml Resources: - Link: https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/ diff --git a/yml/OSLibraries/Desk.yml b/yml/OSLibraries/Desk.yml index 8198d8f..163badf 100644 --- a/yml/OSLibraries/Desk.yml +++ b/yml/OSLibraries/Desk.yml @@ -22,8 +22,8 @@ Full_Path: - Path: C:\Windows\System32\desk.cpl - Path: C:\Windows\SysWOW64\desk.cpl Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/1d7ee1cd197d3b35508e2a5bf34d9d3b6ca4f504/rules/windows/file/file_event/file_event_win_new_src_file.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/1f8e37351e7c5d89ce7808391edaef34bd8db6c0/rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/file/file_event/file_event_win_new_src_file.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/940f89d43dbac5b7108610a5bde47cda0d2a643b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml Resources: - Link: https://vxug.fakedoma.in/zines/29a/29a7/Articles/29A-7.030.txt diff --git a/yml/OSLibraries/Dfshim.yml b/yml/OSLibraries/Dfshim.yml index a281e25..36fd9d9 100644 --- a/yml/OSLibraries/Dfshim.yml +++ b/yml/OSLibraries/Dfshim.yml @@ -19,7 +19,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml Resources: - Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf - Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe diff --git a/yml/OSLibraries/Ieadvpack.yml b/yml/OSLibraries/Ieadvpack.yml index 8c43331..5fae88d 100644 --- a/yml/OSLibraries/Ieadvpack.yml +++ b/yml/OSLibraries/Ieadvpack.yml @@ -46,7 +46,7 @@ Code_Sample: - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack.inf - Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack_calc.sct Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml Resources: - Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ diff --git a/yml/OSLibraries/Ieframe.yml b/yml/OSLibraries/Ieframe.yml index c87fc51..5bcb8b4 100644 --- a/yml/OSLibraries/Ieframe.yml +++ b/yml/OSLibraries/Ieframe.yml @@ -17,7 +17,7 @@ Full_Path: Code_Sample: - Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml Resources: - Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/ - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ diff --git a/yml/OSLibraries/Mshtml.yml b/yml/OSLibraries/Mshtml.yml index 3b9100a..576dd09 100644 --- a/yml/OSLibraries/Mshtml.yml +++ b/yml/OSLibraries/Mshtml.yml @@ -17,7 +17,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml Resources: - Link: https://twitter.com/pabraeken/status/998567549670477824 - Link: https://windows10dll.nirsoft.net/mshtml_dll.html diff --git a/yml/OSLibraries/Pcwutl.yml b/yml/OSLibraries/Pcwutl.yml index a47dc59..61fd919 100644 --- a/yml/OSLibraries/Pcwutl.yml +++ b/yml/OSLibraries/Pcwutl.yml @@ -18,7 +18,7 @@ Code_Sample: - Code: Detection: - Analysis: https://redcanary.com/threat-detection-report/techniques/rundll32/ - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml Resources: - Link: https://twitter.com/harr0ey/status/989617817849876488 - Link: https://windows10dll.nirsoft.net/pcwutl_dll.html diff --git a/yml/OSLibraries/Setupapi.yml b/yml/OSLibraries/Setupapi.yml index a67a5fe..ea6653c 100644 --- a/yml/OSLibraries/Setupapi.yml +++ b/yml/OSLibraries/Setupapi.yml @@ -27,8 +27,8 @@ Code_Sample: - Code: https://gist.githubusercontent.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba/raw/6cb52b88bcc929f5555cd302d9ed848b7e407052/Backdoor-Minimalist.sct - Code: https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml Resources: - Link: https://github.com/huntresslabs/evading-autoruns diff --git a/yml/OSLibraries/Shdocvw.yml b/yml/OSLibraries/Shdocvw.yml index 16455a5..e7ab9a0 100644 --- a/yml/OSLibraries/Shdocvw.yml +++ b/yml/OSLibraries/Shdocvw.yml @@ -17,7 +17,7 @@ Full_Path: Code_Sample: - Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml Resources: - Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/ - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ diff --git a/yml/OSLibraries/Shell32.yml b/yml/OSLibraries/Shell32.yml index a2da3f8..5cb3f90 100644 --- a/yml/OSLibraries/Shell32.yml +++ b/yml/OSLibraries/Shell32.yml @@ -31,7 +31,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml - Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/rundll32_control_rundll_hunt.yml Resources: - Link: https://twitter.com/Hexacorn/status/885258886428725250 diff --git a/yml/OSLibraries/Syssetup.yml b/yml/OSLibraries/Syssetup.yml index b98e3a5..3911593 100644 --- a/yml/OSLibraries/Syssetup.yml +++ b/yml/OSLibraries/Syssetup.yml @@ -26,7 +26,7 @@ Code_Sample: - Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct - Code: https://gist.github.com/homjxi0e/87b29da0d4f504cb675bb1140a931415 Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml Resources: - Link: https://twitter.com/pabraeken/status/994392481927258113 diff --git a/yml/OSLibraries/Url.yml b/yml/OSLibraries/Url.yml index b9db059..8e7a070 100644 --- a/yml/OSLibraries/Url.yml +++ b/yml/OSLibraries/Url.yml @@ -52,7 +52,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml Resources: - Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ - Link: https://twitter.com/DissectMalware/status/995348436353470465 diff --git a/yml/OSLibraries/Zipfldr.yml b/yml/OSLibraries/Zipfldr.yml index 7940eec..65cadf0 100644 --- a/yml/OSLibraries/Zipfldr.yml +++ b/yml/OSLibraries/Zipfldr.yml @@ -24,7 +24,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml Resources: - Link: https://twitter.com/moriarty_meng/status/977848311603380224 - Link: https://twitter.com/bohops/status/997896811904929792 diff --git a/yml/OSLibraries/comsvcs.yml b/yml/OSLibraries/comsvcs.yml index c2bd112..7b60af7 100644 --- a/yml/OSLibraries/comsvcs.yml +++ b/yml/OSLibraries/comsvcs.yml @@ -16,9 +16,8 @@ Full_Path: Code_Sample: - Code: https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/ Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/1ff5e226ad8bed34916c16ccc77ba281ca3203ae/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/b81839e3ce507df925d6e583e569e1ac3a3894ab/rules/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/dump_lsass_via_comsvcs_dll.yml Resources: diff --git a/yml/OSScripts/CL_mutexverifiers.yml b/yml/OSScripts/CL_mutexverifiers.yml index dbfb9f9..37099e5 100644 --- a/yml/OSScripts/CL_mutexverifiers.yml +++ b/yml/OSScripts/CL_mutexverifiers.yml @@ -20,7 +20,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/ff6c54ded6b52f379cec11fe17c1ccb956faa660/rules/windows/process_creation/proc_creation_win_lolbas_cl_mutexverifiers.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_cl_mutexverifiers.yml Resources: - Link: https://twitter.com/pabraeken/status/995111125447577600 Acknowledgement: diff --git a/yml/OSScripts/Cl_invocation.yml b/yml/OSScripts/Cl_invocation.yml index b2b0239..dd113f9 100644 --- a/yml/OSScripts/Cl_invocation.yml +++ b/yml/OSScripts/Cl_invocation.yml @@ -19,7 +19,7 @@ Code_Sample: - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml#L4 + - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml Resources: - Link: Acknowledgement: diff --git a/yml/OSScripts/Manage-bde.yml b/yml/OSScripts/Manage-bde.yml index 6ff1a85..cf3c4b7 100644 --- a/yml/OSScripts/Manage-bde.yml +++ b/yml/OSScripts/Manage-bde.yml @@ -23,7 +23,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/3107ede1c4d253c89a26f3a0be79122a3a562f29/rules/windows/process_creation/win_manage_bde_lolbas.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml - IOC: Manage-bde.wsf should not be invoked by a standard user under normal situations Resources: - Link: https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712 diff --git a/yml/OSScripts/Syncappvpublishingserver.yml b/yml/OSScripts/Syncappvpublishingserver.yml index aefd43d..d25e08d 100644 --- a/yml/OSScripts/Syncappvpublishingserver.yml +++ b/yml/OSScripts/Syncappvpublishingserver.yml @@ -16,7 +16,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/973e0666acffb8fd7ea8356449eb916381ab0cc6/rules/windows/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml Resources: - Link: https://twitter.com/monoxgas/status/895045566090010624 - Link: https://twitter.com/subTee/status/855738126882316288 diff --git a/yml/OSScripts/Winrm.yml b/yml/OSScripts/Winrm.yml index 4281138..ecfee7e 100644 --- a/yml/OSScripts/Winrm.yml +++ b/yml/OSScripts/Winrm.yml @@ -32,9 +32,9 @@ Code_Sample: - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr.reg - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr_calc.sct Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/10b70edff055cfb12b16d934c77f9ccf4b97a529/rules/windows/process_creation/win_susp_winrm_awl_bypass.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/7bca85e40618126643b9712b80bd663c21908e26/rules/windows/process_creation/win_susp_winrm_execution.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/3107ede1c4d253c89a26f3a0be79122a3a562f29/rules/windows/file_event/file_event_winrm_awl_bypass.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_winrm_awl_bypass.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules Resources: - Link: https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology diff --git a/yml/OSScripts/pester.yml b/yml/OSScripts/pester.yml index a8a4465..bb4fd22 100644 --- a/yml/OSScripts/pester.yml +++ b/yml/OSScripts/pester.yml @@ -31,7 +31,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_pester.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml Resources: - Link: https://twitter.com/Oddvarmoe/status/993383596244258816 - Link: https://twitter.com/_st0pp3r_/status/1560072680887525378 diff --git a/yml/OtherMSBinaries/Appvlp.yml b/yml/OtherMSBinaries/Appvlp.yml index ad91b5f..e1c9550 100644 --- a/yml/OtherMSBinaries/Appvlp.yml +++ b/yml/OtherMSBinaries/Appvlp.yml @@ -31,7 +31,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/8b170ff5628376c87632635a5fde4e48bba70275/rules/windows/builtin/win_asr_bypass_via_appvlp_re.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml Resources: - Link: https://github.com/MoooKitty/Code-Execution - Link: https://twitter.com/moo_hax/status/892388990686347264 diff --git a/yml/OtherMSBinaries/Bginfo.yml b/yml/OtherMSBinaries/Bginfo.yml index 0d94ccf..1512ea6 100644 --- a/yml/OtherMSBinaries/Bginfo.yml +++ b/yml/OtherMSBinaries/Bginfo.yml @@ -51,7 +51,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_bginfo.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_bginfo.yml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules diff --git a/yml/OtherMSBinaries/Cdb.yml b/yml/OtherMSBinaries/Cdb.yml index c6b1e11..290e847 100644 --- a/yml/OtherMSBinaries/Cdb.yml +++ b/yml/OtherMSBinaries/Cdb.yml @@ -33,7 +33,7 @@ Full_Path: Code_Sample: - Code: https://gist.github.com/nasbench/d9c15864f1e21bdd8b7cf55997b45f4b Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_cdb.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_cdb.yml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules diff --git a/yml/OtherMSBinaries/Createdump.yml b/yml/OtherMSBinaries/Createdump.yml index e89ae89..60b678b 100644 --- a/yml/OtherMSBinaries/Createdump.yml +++ b/yml/OtherMSBinaries/Createdump.yml @@ -18,7 +18,7 @@ Full_Path: - Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_susp_renamed_createdump.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml - IOC: createdump.exe process with a command line containing the lsass.exe process id Resources: - Link: https://twitter.com/bopin2020/status/1366400799199272960 diff --git a/yml/OtherMSBinaries/Csi.yml b/yml/OtherMSBinaries/Csi.yml index abd9565..991c1bd 100644 --- a/yml/OtherMSBinaries/Csi.yml +++ b/yml/OtherMSBinaries/Csi.yml @@ -17,8 +17,8 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/7bca85e40618126643b9712b80bd663c21908e26/rules/windows/process_creation/win_susp_csi.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_use_of_csharp_console.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_csi_execution.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_csi_use_of_csharp_console.yml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules diff --git a/yml/OtherMSBinaries/Devtoolslauncher.yml b/yml/OtherMSBinaries/Devtoolslauncher.yml index 00b82ac..25612a3 100644 --- a/yml/OtherMSBinaries/Devtoolslauncher.yml +++ b/yml/OtherMSBinaries/Devtoolslauncher.yml @@ -23,7 +23,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_devtoolslauncher.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml - IOC: DeveloperToolsSvc.exe spawned an unknown process Resources: - Link: https://twitter.com/_felamos/status/1179811992841797632 diff --git a/yml/OtherMSBinaries/Dnx.yml b/yml/OtherMSBinaries/Dnx.yml index 7957ca2..c887a20 100644 --- a/yml/OtherMSBinaries/Dnx.yml +++ b/yml/OtherMSBinaries/Dnx.yml @@ -16,7 +16,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_dnx.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_dnx.yml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules diff --git a/yml/OtherMSBinaries/Dotnet.yml b/yml/OtherMSBinaries/Dotnet.yml index 1ad14b0..39b59be 100644 --- a/yml/OtherMSBinaries/Dotnet.yml +++ b/yml/OtherMSBinaries/Dotnet.yml @@ -35,7 +35,7 @@ Commands: Full_Path: - Path: 'C:\Program Files\dotnet\dotnet.exe' Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/0bf262539301693a18646056ea789b9b56b9c7f6/rules/windows/process_creation/process_creation_dotnet.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_dotnet.yml - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - IOC: dotnet.exe spawned an unknown process Resources: diff --git a/yml/OtherMSBinaries/Dump64.yml b/yml/OtherMSBinaries/Dump64.yml index e4d1c6d..065c30b 100644 --- a/yml/OtherMSBinaries/Dump64.yml +++ b/yml/OtherMSBinaries/Dump64.yml @@ -14,7 +14,7 @@ Commands: Full_Path: - Path: C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\dump64.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/138b06628380468fb8a41fc27770e1630cb64326/rules/windows/process_creation/process_creation_win_lolbas_dump64.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_dump64.yml - IOC: As a Windows SDK binary, execution on a system may be suspicious Resources: - Link: https://twitter.com/mrd0x/status/1460597833917251595 diff --git a/yml/OtherMSBinaries/Dxcap.yml b/yml/OtherMSBinaries/Dxcap.yml index 7f1ea9e..72b0145 100644 --- a/yml/OtherMSBinaries/Dxcap.yml +++ b/yml/OtherMSBinaries/Dxcap.yml @@ -15,7 +15,7 @@ Full_Path: - Path: C:\Windows\System32\dxcap.exe - Path: C:\Windows\SysWOW64\dxcap.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_dxcap.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml Resources: - Link: https://twitter.com/harr0ey/status/992008180904419328 Acknowledgement: diff --git a/yml/OtherMSBinaries/Excel.yml b/yml/OtherMSBinaries/Excel.yml index 0dc1354..025d0ee 100644 --- a/yml/OtherMSBinaries/Excel.yml +++ b/yml/OtherMSBinaries/Excel.yml @@ -30,7 +30,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_msoffice.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_office.yml - IOC: Suspicious Office application Internet/network traffic Resources: - Link: https://twitter.com/reegun21/status/1150032506504151040 diff --git a/yml/OtherMSBinaries/Msdeploy.yml b/yml/OtherMSBinaries/Msdeploy.yml index eefd3ab..2055d91 100644 --- a/yml/OtherMSBinaries/Msdeploy.yml +++ b/yml/OtherMSBinaries/Msdeploy.yml @@ -23,7 +23,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/f16aca7a353bb01d9862ea1f2a10fa0d866e83c3/rules/windows/process_creation/process_creation_msdeploy.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml Resources: - Link: https://twitter.com/pabraeken/status/995837734379032576 - Link: https://twitter.com/pabraeken/status/999090532839313408 diff --git a/yml/OtherMSBinaries/Mspub.yml b/yml/OtherMSBinaries/Mspub.yml index eba4027..b810233 100644 --- a/yml/OtherMSBinaries/Mspub.yml +++ b/yml/OtherMSBinaries/Mspub.yml @@ -25,7 +25,7 @@ Full_Path: - Path: C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.exe - Path: C:\Program Files\Microsoft Office\Office14\MSPUB.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml - IOC: Suspicious Office application internet/network traffic Acknowledgement: - Person: 'Nir Chako (Pentera)' diff --git a/yml/OtherMSBinaries/Msxsl.yml b/yml/OtherMSBinaries/Msxsl.yml index 51fe624..7020e0a 100644 --- a/yml/OtherMSBinaries/Msxsl.yml +++ b/yml/OtherMSBinaries/Msxsl.yml @@ -49,7 +49,7 @@ Commands: Full_Path: - Path: no default Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_xsl_script_processing.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_msxsl_beacon.toml - Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_msxsl_network.toml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml diff --git a/yml/OtherMSBinaries/Ntdsutil.yml b/yml/OtherMSBinaries/Ntdsutil.yml index d9db99f..f95f045 100644 --- a/yml/OtherMSBinaries/Ntdsutil.yml +++ b/yml/OtherMSBinaries/Ntdsutil.yml @@ -16,7 +16,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_ntdsutil.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml - Splunk: https://github.com/splunk/security_content/blob/2b87b26bdc2a84b65b1355ffbd5174bdbdb1879c/detections/endpoint/ntdsutil_export_ntds.yml - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml - IOC: ntdsutil.exe with command line including "ifm" diff --git a/yml/OtherMSBinaries/Powerpnt.yml b/yml/OtherMSBinaries/Powerpnt.yml index 91b7dc7..2b7313d 100644 --- a/yml/OtherMSBinaries/Powerpnt.yml +++ b/yml/OtherMSBinaries/Powerpnt.yml @@ -28,7 +28,7 @@ Full_Path: - Path: C:\Program Files\Microsoft Office\Office12\Powerpnt.exe - Path: C:\Program Files\Microsoft Office\Office12\Powerpnt.exe Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_susp_msoffice.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_office.yml - IOC: Suspicious Office application Internet/network traffic Resources: - Link: https://twitter.com/reegun21/status/1150032506504151040 diff --git a/yml/OtherMSBinaries/Procdump.yml b/yml/OtherMSBinaries/Procdump.yml index 00c8326..85890cb 100644 --- a/yml/OtherMSBinaries/Procdump.yml +++ b/yml/OtherMSBinaries/Procdump.yml @@ -24,7 +24,7 @@ Full_Path: - Path: no default Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_procdump.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/dump_lsass_via_procdump.yml - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml - IOC: Process creation with given '-md' parameter diff --git a/yml/OtherMSBinaries/Rcsi.yml b/yml/OtherMSBinaries/Rcsi.yml index 0ef6457..22d880c 100644 --- a/yml/OtherMSBinaries/Rcsi.yml +++ b/yml/OtherMSBinaries/Rcsi.yml @@ -23,10 +23,10 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/7bca85e40618126643b9712b80bd663c21908e26/rules/windows/process_creation/win_susp_csi.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_csi_execution.yml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml - - BlockRule: https://github.com/SigmaHQ/sigma/blob/7bca85e40618126643b9712b80bd663c21908e26/rules/windows/process_creation/win_susp_csi.yml + - BlockRule: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_csi_execution.yml Resources: - Link: https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/ Acknowledgement: diff --git a/yml/OtherMSBinaries/Sqldumper.yml b/yml/OtherMSBinaries/Sqldumper.yml index accc4b1..2417441 100644 --- a/yml/OtherMSBinaries/Sqldumper.yml +++ b/yml/OtherMSBinaries/Sqldumper.yml @@ -24,7 +24,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_sqldumper_activity.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml - Elastic: https://github.com/elastic/detection-rules/blob/f6421d8c534f295518a2c945f530e8afc4c8ad1b/rules/windows/credential_access_lsass_memdump_file_created.toml - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml Resources: diff --git a/yml/OtherMSBinaries/Sqlps.yml b/yml/OtherMSBinaries/Sqlps.yml index 64f3c43..906ca52 100644 --- a/yml/OtherMSBinaries/Sqlps.yml +++ b/yml/OtherMSBinaries/Sqlps.yml @@ -20,8 +20,8 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/80d2aee9449050652ca02fe8892e7bc23de3b70c/rules/windows/image_load/sysmon_in_memory_powershell.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/execution_suspicious_powershell_imgload.toml - Splunk: https://github.com/splunk/security_content/blob/aa9f7e0d13a61626c69367290ed1b7b71d1281fd/docs/_posts/2021-10-05-suspicious_copy_on_system32.md Resources: diff --git a/yml/OtherMSBinaries/Sqltoolsps.yml b/yml/OtherMSBinaries/Sqltoolsps.yml index 58c2f90..c17ee4a 100644 --- a/yml/OtherMSBinaries/Sqltoolsps.yml +++ b/yml/OtherMSBinaries/Sqltoolsps.yml @@ -16,7 +16,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml - Splunk: https://github.com/splunk/security_content/blob/aa9f7e0d13a61626c69367290ed1b7b71d1281fd/docs/_posts/2021-10-05-suspicious_copy_on_system32.md Resources: - Link: https://twitter.com/pabraeken/status/993298228840992768 diff --git a/yml/OtherMSBinaries/Squirrel.yml b/yml/OtherMSBinaries/Squirrel.yml index a701fa2..ab498b9 100644 --- a/yml/OtherMSBinaries/Squirrel.yml +++ b/yml/OtherMSBinaries/Squirrel.yml @@ -44,7 +44,7 @@ Full_Path: Code_Sample: - Code: https://github.com/jreegun/POC-s/tree/master/nuget-squirrel Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml Resources: - Link: https://www.youtube.com/watch?v=rOP3hnkj7ls - Link: https://twitter.com/reegun21/status/1144182772623269889 diff --git a/yml/OtherMSBinaries/Te.yml b/yml/OtherMSBinaries/Te.yml index ec3001d..1f2f155 100644 --- a/yml/OtherMSBinaries/Te.yml +++ b/yml/OtherMSBinaries/Te.yml @@ -16,7 +16,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_use_of_te_bin.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml Resources: - Link: https://twitter.com/gn3mes1s/status/927680266390384640?lang=bg Acknowledgement: diff --git a/yml/OtherMSBinaries/Tracker.yml b/yml/OtherMSBinaries/Tracker.yml index 2cfb356..90029d4 100644 --- a/yml/OtherMSBinaries/Tracker.yml +++ b/yml/OtherMSBinaries/Tracker.yml @@ -23,7 +23,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_tracker_execution.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml Resources: - Link: https://twitter.com/subTee/status/793151392185589760 - Link: https://attack.mitre.org/wiki/Execution diff --git a/yml/OtherMSBinaries/Vsjitdebugger.yml b/yml/OtherMSBinaries/Vsjitdebugger.yml index 29cbb5e..9c983a5 100644 --- a/yml/OtherMSBinaries/Vsjitdebugger.yml +++ b/yml/OtherMSBinaries/Vsjitdebugger.yml @@ -16,7 +16,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/8beb70e970b814d0ab60625206ea0d8a21a9bff8/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml Resources: - Link: https://twitter.com/pabraeken/status/990758590020452353 Acknowledgement: diff --git a/yml/OtherMSBinaries/Winword.yml b/yml/OtherMSBinaries/Winword.yml index f70dd62..c1697df 100644 --- a/yml/OtherMSBinaries/Winword.yml +++ b/yml/OtherMSBinaries/Winword.yml @@ -31,7 +31,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_winword.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml - IOC: Suspicious Office application Internet/network traffic Resources: - Link: https://twitter.com/reegun21/status/1150032506504151040 diff --git a/yml/OtherMSBinaries/Wsl.yml b/yml/OtherMSBinaries/Wsl.yml index 796ad4b..e1a5bda 100644 --- a/yml/OtherMSBinaries/Wsl.yml +++ b/yml/OtherMSBinaries/Wsl.yml @@ -44,7 +44,7 @@ Full_Path: Code_Sample: - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/2a4e6d8ebeb07d294e6d16a083361bd7e53df7b3/rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - IOC: Child process from wsl.exe Resources: