From 762de3b97c3e58dac6646ef0490b7c325676aed0 Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Sun, 29 Dec 2024 07:12:39 +0000 Subject: [PATCH] Sigma Rule Update (2024-12-29 07:12:33) (#802) Co-authored-by: YamatoSecurity --- ...on_win_susp_rdp_from_domain_controller.yml | 33 +++++++ ...on_win_userdomain_variable_enumeration.yml | 31 ++++++ .../security/win_security_admin_logon.yml | 40 ++++++++ .../win_security_exploit_cve_2020_1472.yml | 35 +++++++ .../win_security_potential_pass_the_hash.yml | 38 ++++++++ ...ity_remote_registry_management_via_reg.yml | 36 +++++++ .../win_security_susp_interactive_logons.yml | 39 ++++++++ .../posh_pc_renamed_powershell.yml | 4 +- ...posh_pc_tamper_windows_defender_set_mp.yml | 87 +++++++++++++++++ ...sh_pc_wsman_com_provider_no_powershell.yml | 4 +- ...posh_ps_tamper_windows_defender_set_mp.yml | 94 +++++++++++++++++++ ...win_powershell_amsi_init_failed_bypass.yml | 38 ++++++++ .../sysmon_wmi_event_subscription.yml | 34 +++++++ .../file_delete_win_delete_own_image.yml | 2 +- ...s_query_win_wscript_cscript_resolution.yml | 50 ++++++++++ ...on_win_susp_rdp_from_domain_controller.yml | 34 +++++++ ...on_win_userdomain_variable_enumeration.yml | 32 +++++++ ...win_powershell_amsi_init_failed_bypass.yml | 39 ++++++++ .../sysmon_wmi_event_subscription.yml | 38 ++++++++ 19 files changed, 703 insertions(+), 5 deletions(-) create mode 100644 sigma/builtin/placeholder/network_connection/net_connection_win_susp_rdp_from_domain_controller.yml create mode 100644 sigma/builtin/placeholder/process_creation/proc_creation_win_userdomain_variable_enumeration.yml create mode 100644 sigma/builtin/placeholder/security/win_security_admin_logon.yml create mode 100644 sigma/builtin/placeholder/security/win_security_exploit_cve_2020_1472.yml create mode 100644 sigma/builtin/placeholder/security/win_security_potential_pass_the_hash.yml create mode 100644 sigma/builtin/placeholder/security/win_security_remote_registry_management_via_reg.yml create mode 100644 
sigma/builtin/placeholder/security/win_security_susp_interactive_logons.yml create mode 100644 sigma/builtin/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml create mode 100644 sigma/builtin/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml create mode 100644 sigma/builtin/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml create mode 100644 sigma/builtin/wmi_event/sysmon_wmi_event_subscription.yml create mode 100644 sigma/sysmon/placeholder/dns_query/dns_query_win_wscript_cscript_resolution.yml create mode 100644 sigma/sysmon/placeholder/network_connection/net_connection_win_susp_rdp_from_domain_controller.yml create mode 100644 sigma/sysmon/placeholder/process_creation/proc_creation_win_userdomain_variable_enumeration.yml create mode 100644 sigma/sysmon/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml create mode 100644 sigma/sysmon/wmi_event/sysmon_wmi_event_subscription.yml diff --git a/sigma/builtin/placeholder/network_connection/net_connection_win_susp_rdp_from_domain_controller.yml b/sigma/builtin/placeholder/network_connection/net_connection_win_susp_rdp_from_domain_controller.yml new file mode 100644 index 000000000..b250903ae --- /dev/null +++ b/sigma/builtin/placeholder/network_connection/net_connection_win_susp_rdp_from_domain_controller.yml 
@@ -0,0 +1,33 @@
+title: New RDP Connection Initiated From Domain Controller
+id: 8b0f1458-5a23-5950-ebc7-f8d7a562dc06
+related:
+ - id: fda34293-718e-4b36-b018-38caab0d1209
+ type: derived
+status: experimental
+description: Detects an RDP connection originating from a domain controller.
+references:
+ - Internal Research
+author: Josh Nickels
+date: 2024-05-10
+tags:
+ - attack.lateral-movement
+ - attack.t1021
+logsource:
+ product: windows
+ category: network_connection
+detection:
+ network_connection:
+ EventID: 5156
+ Channel: Security
+ selection_connection:
+ Direction: 'True'
+ DestPort: 3389
+ selection_hosts:
+ Computer|expand: '%domain_controller_hostnames%'
+ filter_optional_defender_identity:
+ Application|endswith: \Microsoft.Tri.Sensor.exe
+ condition: network_connection and (all of selection_* and not 1 of filter_*)
+falsepositives:
+ - Legitimate administration activity
+level: high
+ruletype: Sigma
diff --git a/sigma/builtin/placeholder/process_creation/proc_creation_win_userdomain_variable_enumeration.yml b/sigma/builtin/placeholder/process_creation/proc_creation_win_userdomain_variable_enumeration.yml
new file mode 100644
index 000000000..c931ac714
--- /dev/null
+++ b/sigma/builtin/placeholder/process_creation/proc_creation_win_userdomain_variable_enumeration.yml
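Review bot: `Direction: 'True'` in selection_connection cannot match a Security 5156 event, whose Direction value is the resource string `%%14592` (inbound) or `%%14593` (outbound), so as written this built-in rule appears to be inert. The Sysmon counterpart added later in this patch uses `Initiated: 'True'`, which suggests the boolean was carried over from the Sigma source instead of being mapped to the 5156 schema. Unless Hayabusa normalizes Direction to a boolean, the line should read `Direction: '%%14593'` to select outbound connections. The `%domain_controller_hostnames%` placeholder also has to be populated before deployment, because the whole condition hinges on selection_hosts.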
@@ -0,0 +1,31 @@
+title: Userdomain Variable Enumeration
+id: a0611cee-4fe8-b36f-b9a7-8c31f5d9977b
+related:
+ - id: 43311e65-84d8-42a5-b3d4-c94d9b67038f
+ type: derived
+status: test
+description: Detects suspicious enumeration of the domain the user is associated with.
+references:
+ - https://www.arxiv-vanity.com/papers/2008.04676/
+ - https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/
+author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
+date: 2023-02-09
+modified: 2024-08-01
+tags:
+ - attack.discovery
+ - attack.t1016
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains: 'echo '
+ CommandLine|contains|expand: '%userdomain%'
+ condition: process_creation and selection
+falsepositives:
+ - Certain scripts or applications may leverage this.
+level: low
+ruletype: Sigma
diff --git a/sigma/builtin/placeholder/security/win_security_admin_logon.yml b/sigma/builtin/placeholder/security/win_security_admin_logon.yml
new file mode 100644
index 000000000..01d8e505e
--- /dev/null
+++ b/sigma/builtin/placeholder/security/win_security_admin_logon.yml
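Review bot: `CommandLine|contains|expand: '%userdomain%'` turns the literal token `%userdomain%`, i.e. the environment variable the attacker echoes, into a configuration placeholder, so with nothing configured the rule no longer looks for `echo %userdomain%` at all. Nothing in the description or references points to a site-specific list here; this looks like the converter mistaking the `%...%` syntax of the command text for a Sigma placeholder. Restoring `CommandLine|contains: '%userdomain%'` (and moving the file out of the placeholder/ tree) would reinstate the detection. The Sysmon copy of this rule later in the patch has the same problem.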
@@ -0,0 +1,40 @@ +title: User with Privileges Logon +id: b3d10465-f171-0ef7-d28e-8ef2f9409cf1 +related: + - id: 94309181-d345-4cbf-b5fe-061769bdf9cb + type: derived +status: test +description: Detects logon with "Special groups" and "Special Privileges" can be thought of as Administrator groups or privileges. +references: + - https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md + - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672 + - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964 +author: frack113 +date: 2022-10-14 +modified: 2023-12-14 +tags: + - attack.defense-evasion + - attack.lateral-movement + - attack.credential-access + - attack.t1558 + - attack.t1649 + - attack.t1550 +logsource: + service: security + product: windows +detection: + security: + Channel: Security + selection: + EventID: + - 4672 + - 4964 + filter_main_local_system: + SubjectUserSid: S-1-5-18 + filter_main_valid_account: + SubjectUserName|expand: '%Admins_Workstations%' # Set valid internal naming pattern or a list a valid account + condition: security and (selection and not 1 of filter_main_*) +falsepositives: + - Unknown +level: low +ruletype: Sigma diff --git a/sigma/builtin/placeholder/security/win_security_exploit_cve_2020_1472.yml b/sigma/builtin/placeholder/security/win_security_exploit_cve_2020_1472.yml new file mode 100644 index 000000000..5b0ab7de7 --- /dev/null +++ b/sigma/builtin/placeholder/security/win_security_exploit_cve_2020_1472.yml 
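Review bot: Both exclusions key on the Subject fields, but for Event 4964 the account that received the special groups is carried in TargetUserName/TargetUserSid while the Subject is normally the requesting SYSTEM context, so `SubjectUserSid: S-1-5-18` is likely to suppress most 4964 events and `SubjectUserName|expand: '%Admins_Workstations%'` filters a field that does not name the logged-on account for that ID. If that reading of the 4964 schema holds, the 4964 branch should filter on `TargetUserSid`/`TargetUserName`, or the two IDs should be split into separate rules. The placeholder name `%Admins_Workstations%` also reads as a host list although it is compared against usernames, which invites misconfiguration; the inline comment should state explicitly that it expects account names.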
@@ -0,0 +1,35 @@ +title: Potential Zerologon (CVE-2020-1472) Exploitation +id: 7d4b25c3-0cef-1638-1d47-bb18acda0e6c +related: + - id: dd7876d8-0f09-11eb-adc1-0242ac120002 + type: derived +status: test +description: Detects potential Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472) +references: + - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472 + - https://www.logpoint.com/en/blog/detecting-zerologon-vulnerability-in-logpoint/ +author: Aleksandr Akhremchik, @aleqs4ndr, ocsd.community +date: 2020-10-15 +modified: 2023-12-15 +tags: + - attack.privilege-escalation + - attack.t1068 + - cve.2020-1472 +logsource: + product: windows + service: security +detection: + security: + Channel: Security + selection: + EventID: 4742 + SubjectUserName: ANONYMOUS LOGON + TargetUserName|expand: '%DC-MACHINE-NAME%' # DC machine account name that ends with '$' + filter_main: + PasswordLastSet: '-' + condition: security and (selection and not filter_main) +falsepositives: + - Automatic DC computer account password change + - Legitimate DC computer account password change +level: high +ruletype: Sigma diff --git a/sigma/builtin/placeholder/security/win_security_potential_pass_the_hash.yml b/sigma/builtin/placeholder/security/win_security_potential_pass_the_hash.yml new file mode 100644 index 000000000..ce0f42779 --- /dev/null +++ b/sigma/builtin/placeholder/security/win_security_potential_pass_the_hash.yml 
@@ -0,0 +1,38 @@ +title: Potential Pass the Hash Activity +id: 35890fd4-9ed3-b244-0eff-91fe61e52f8b +related: + - id: f8d98d6c-7a07-4d74-b064-dd4a3c244528 + type: derived +status: test +description: Detects the attack technique pass the hash which is used to move laterally inside the network +references: + - https://github.com/nsacyber/Event-Forwarding-Guidance/tree/6e92d622fa33da911f79e7633da4263d632f9624/Events +author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method) +date: 2017-03-08 +modified: 2023-12-15 +tags: + - attack.lateral-movement + - attack.t1550.002 + - car.2016-04-004 +logsource: + product: windows + service: security + definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625 +detection: + security: + Channel: Security + selection: + EventID: + - 4624 + - 4625 + LogonType: 3 + LogonProcessName: NtLmSsp + WorkstationName|expand: '%Workstations%' + ComputerName|expand: '%Workstations%' + filter: + TargetUserName: ANONYMOUS LOGON + condition: security and (selection and not filter) +falsepositives: + - Administrator activity +level: medium +ruletype: Sigma diff --git a/sigma/builtin/placeholder/security/win_security_remote_registry_management_via_reg.yml b/sigma/builtin/placeholder/security/win_security_remote_registry_management_via_reg.yml new file mode 100644 index 000000000..90df2c10e --- /dev/null +++ b/sigma/builtin/placeholder/security/win_security_remote_registry_management_via_reg.yml 
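Review bot: `ComputerName|expand: '%Workstations%'` in selection refers to a field that 4624/4625 do not carry in EventData; the host name is the System-section `Computer` field, which the RDP-from-DC rule in this same patch addresses as `Computer|expand`. Unless Hayabusa aliases ComputerName to Computer, that line should be `Computer|expand: '%Workstations%'`, otherwise selection can never be satisfied and the rule is silently inert. The same `ComputerName` usage recurs in the interactive-logon rule further down.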
@@ -0,0 +1,36 @@ +title: Remote Registry Management Using Reg Utility +id: e9f405d3-e7ea-9adf-2f31-9ab2a7a90f5a +related: + - id: 68fcba0d-73a5-475e-a915-e8b4c576827e + type: derived +status: test +description: Remote registry management using REG utility from non-admin workstation +references: + - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment +author: Teymur Kheirkhabarov, oscd.community +date: 2019-10-22 +modified: 2023-12-15 +tags: + - attack.credential-access + - attack.defense-evasion + - attack.discovery + - attack.s0075 + - attack.t1012 + - attack.t1112 + - attack.t1552.002 +logsource: + product: windows + service: security +detection: + security: + Channel: Security + selection: + EventID: 5145 + RelativeTargetName|contains: \winreg + filter_main: + IpAddress|expand: '%Admins_Workstations%' + condition: security and (selection and not filter_main) +falsepositives: + - Legitimate usage of remote registry management by administrator +level: medium +ruletype: Sigma diff --git a/sigma/builtin/placeholder/security/win_security_susp_interactive_logons.yml b/sigma/builtin/placeholder/security/win_security_susp_interactive_logons.yml new file mode 100644 index 000000000..c129c6ef6 --- /dev/null +++ b/sigma/builtin/placeholder/security/win_security_susp_interactive_logons.yml 
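Review bot: filter_main reuses the `%Admins_Workstations%` placeholder as an `IpAddress` value, whereas win_security_admin_logon.yml in this same patch expands the identically named placeholder against `SubjectUserName`; a single configured list cannot be both admin source IPs and admin account names, so one of the two rules will be mis-filtered. Giving this rule a distinct name, e.g. `IpAddress|expand: '%Admins_Workstations_IPs%'` with a comment stating it expects IP addresses, avoids that collision. Event 5145 is only produced when the 'Audit Detailed File Share' subcategory is enabled, which is worth recording in a `definition:` under logsource.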
@@ -0,0 +1,39 @@ +title: Interactive Logon to Server Systems +id: 7298c707-7564-3229-7c76-ec514847d8c2 +related: + - id: 3ff152b2-1388-4984-9cd9-a323323fdadf + type: derived +status: test +description: Detects interactive console logons to Server Systems +references: + - Internal Research +author: Florian Roth (Nextron Systems) +date: 2017-03-17 +modified: 2023-12-15 +tags: + - attack.lateral-movement + - attack.t1078 +logsource: + product: windows + service: security +detection: + security: + Channel: Security + selection: + EventID: + - 528 + - 529 + - 4624 + - 4625 + LogonType: 2 + ComputerName|expand: + - '%ServerSystems%' + - '%DomainControllers%' + filter_main_advapi: + LogonProcessName: Advapi + ComputerName|expand: '%Workstations%' + condition: security and (selection and not 1 of filter_main_*) +falsepositives: + - Administrative activity via KVM or ILO board +level: medium +ruletype: Sigma diff --git a/sigma/builtin/powershell/powershell_classic/posh_pc_renamed_powershell.yml b/sigma/builtin/powershell/powershell_classic/posh_pc_renamed_powershell.yml index 87327366b..96bf37d7c 100644 --- a/sigma/builtin/powershell/powershell_classic/posh_pc_renamed_powershell.yml +++ b/sigma/builtin/powershell/powershell_classic/posh_pc_renamed_powershell.yml @@ -10,7 +10,7 @@ references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse author: Harish Segar, frack113 date: 2020-06-29 -modified: 2024-10-08 +modified: 2024-12-27 tags: - attack.execution - attack.t1059.001 
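Review bot: `ComputerName|expand` in both selection and filter_main_advapi names a field that is not part of the 4624/4625/528/529 event data; the host is the System-section `Computer` field, which other rules in this patch query as `Computer|expand`. Unless Hayabusa maps ComputerName to Computer, selection cannot match and the rule is inert, so both lines should read `Computer|expand:`. Separately, because selection already restricts hosts to `%ServerSystems%`/`%DomainControllers%`, the Advapi filter only takes effect for hosts that also appear in `%Workstations%`; a comment saying so would stop operators expecting it to suppress all Advapi logons.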
@@ -36,7 +36,7 @@ detection: filter_main_host_application_null: # Note: Since we're using the raw data field to match. There is no easy way to filter out cases where the "HostApplication" field is null (i.e doesn't exist). We're practically forced to use a regex. # If you're already mapping and extracting the field, then obviously use that directly. - Data|re: HostId=[a-zA-Z0-9-]{36} EngineVersion= + Data|re: HostId=[a-zA-Z0-9-]{36}\s+EngineVersion= condition: ps_classic_start and (selection and not 1 of filter_main_*) falsepositives: - Unknown diff --git a/sigma/builtin/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml b/sigma/builtin/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml new file mode 100644 index 000000000..cafa26bef --- /dev/null +++ b/sigma/builtin/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml 
@@ -0,0 +1,87 @@ +title: Tamper Windows Defender - PSClassic +id: 3ec981cc-6521-d6a9-9630-d1df7d2090b9 +related: + - id: 14c71865-6cd3-44ae-adaa-1db923fae5f2 + type: similar + - id: ec19ebab-72dc-40e1-9728-4c0b805d722c + type: derived +status: test +description: Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md +author: frack113, Nasreddine Bencherchali (Nextron Systems) +date: 2021-06-07 +modified: 2024-01-02 +tags: + - attack.defense-evasion + - attack.t1562.001 +logsource: + product: windows + category: ps_classic_provider_start +detection: + ps_classic_provider_start: + EventID: 600 + Channel: Windows PowerShell + selection_set_mppreference: + Data|contains: Set-MpPreference + selection_options_bool_allow: + Data|contains: + - -dbaf $true + - -dbaf 1 + - -dbm $true + - -dbm 1 + - -dips $true + - -dips 1 + - -DisableArchiveScanning $true + - -DisableArchiveScanning 1 + - -DisableBehaviorMonitoring $true + - -DisableBehaviorMonitoring 1 + - -DisableBlockAtFirstSeen $true + - -DisableBlockAtFirstSeen 1 + - -DisableCatchupFullScan $true + - -DisableCatchupFullScan 1 + - -DisableCatchupQuickScan $true + - -DisableCatchupQuickScan 1 + - -DisableIntrusionPreventionSystem $true + - -DisableIntrusionPreventionSystem 1 + - -DisableIOAVProtection $true + - -DisableIOAVProtection 1 + - -DisableRealtimeMonitoring $true + - -DisableRealtimeMonitoring 1 + - -DisableRemovableDriveScanning $true + - -DisableRemovableDriveScanning 1 + - -DisableScanningMappedNetworkDrivesForFullScan $true + - -DisableScanningMappedNetworkDrivesForFullScan 1 + - -DisableScanningNetworkFiles $true + - -DisableScanningNetworkFiles 1 + - -DisableScriptScanning $true + - -DisableScriptScanning 1 + - -MAPSReporting $false + - -MAPSReporting 0 + - -drdsc $true + - -drdsc 1 + - -drtm $true + - -drtm 1 
+ - -dscrptsc $true + - -dscrptsc 1 + - -dsmndf $true + - -dsmndf 1 + - -dsnf $true + - -dsnf 1 + - -dss $true + - -dss 1 + selection_options_actions_func: + Data|contains: + - HighThreatDefaultAction Allow + - htdefac Allow + - LowThreatDefaultAction Allow + - ltdefac Allow + - ModerateThreatDefaultAction Allow + - mtdefac Allow + - SevereThreatDefaultAction Allow + - stdefac Allow + condition: ps_classic_provider_start and (selection_set_mppreference and 1 of selection_options_*) +falsepositives: + - Legitimate PowerShell scripts that disable Windows Defender for troubleshooting purposes. Must be investigated. +level: high +ruletype: Sigma diff --git a/sigma/builtin/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml b/sigma/builtin/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml index fa461cd1d..f7de40adc 100644 --- a/sigma/builtin/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml +++ b/sigma/builtin/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml @@ -11,7 +11,7 @@ references: - https://github.com/bohops/WSMan-WinRM author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020-06-24 -modified: 2024-10-08 +modified: 2024-12-27 tags: - attack.execution - attack.t1059.001 @@ -36,7 +36,7 @@ detection: filter_main_host_application_null: # Note: Since we're using the raw data field to match. There is no easy way to filter out cases where the "HostApplication" field is null (i.e doesn't exist). We're practically forced to use a regex. # If you're already mapping and extracting the field, then obviously use that directly. - Data|re: HostId=[a-zA-Z0-9-]{36} EngineVersion= + Data|re: HostId=[a-zA-Z0-9-]{36}\s+EngineVersion= condition: powershell_classic and (selection and not 1 of filter_main_*) falsepositives: - Unknown 
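Review bot: The patterns in selection_options_bool_allow only cover the space-separated argument form (`-DisableRealtimeMonitoring $true`), so the equally valid colon syntax `-DisableRealtimeMonitoring:$true` and any unambiguous prefix that PowerShell binds, such as `-DisableRealtime 1`, pass unmatched. Adding `- -DisableRealtimeMonitoring:$true` and `- -DisableBehaviorMonitoring:$true` would close the most obvious evasion for the two switches that matter most. A `definition:` noting that Event 600 records only the classic provider's command text, not script block content, would make the coverage gap relative to the 4104 variant added later in this patch explicit.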
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml b/sigma/builtin/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml new file mode 100644 index 000000000..f348eacd3 --- /dev/null +++ b/sigma/builtin/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml 
@@ -0,0 +1,94 @@ +title: Tamper Windows Defender - ScriptBlockLogging +id: 6074ad34-a80f-fdd9-5c49-e1a2fc4572c4 +related: + - id: ec19ebab-72dc-40e1-9728-4c0b805d722c + type: derived + - id: 14c71865-6cd3-44ae-adaa-1db923fae5f2 + type: derived +status: test +description: Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md + - https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://bidouillesecurity.com/disable-windows-defender-in-powershell/ +author: frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) +date: 2022-01-16 +modified: 2024-01-02 +tags: + - attack.defense-evasion + - attack.t1562.001 +logsource: + product: windows + category: ps_script + definition: 'Requirements: Script Block Logging must be enabled' +detection: + ps_script: + EventID: 4104 + Channel: + - Microsoft-Windows-PowerShell/Operational + - PowerShellCore/Operational + selection_options_disabling_preference: + ScriptBlockText|contains: Set-MpPreference + selection_options_disabling_function: + ScriptBlockText|contains: + - -dbaf $true + - -dbaf 1 + - -dbm $true + - -dbm 1 + - -dips $true + - -dips 1 + - -DisableArchiveScanning $true + - -DisableArchiveScanning 1 + - -DisableBehaviorMonitoring $true + - -DisableBehaviorMonitoring 1 + - -DisableBlockAtFirstSeen $true + - -DisableBlockAtFirstSeen 1 + - -DisableCatchupFullScan $true + - -DisableCatchupFullScan 1 + - -DisableCatchupQuickScan $true + - -DisableCatchupQuickScan 1 + - -DisableIntrusionPreventionSystem $true + - -DisableIntrusionPreventionSystem 1 + - -DisableIOAVProtection $true + - -DisableIOAVProtection 1 + - -DisableRealtimeMonitoring $true + - -DisableRealtimeMonitoring 1 + - 
-DisableRemovableDriveScanning $true + - -DisableRemovableDriveScanning 1 + - -DisableScanningMappedNetworkDrivesForFullScan $true + - -DisableScanningMappedNetworkDrivesForFullScan 1 + - -DisableScanningNetworkFiles $true + - -DisableScanningNetworkFiles 1 + - -DisableScriptScanning $true + - -DisableScriptScanning 1 + - -MAPSReporting $false + - -MAPSReporting 0 + - -drdsc $true + - -drdsc 1 + - -drtm $true + - -drtm 1 + - -dscrptsc $true + - -dscrptsc 1 + - -dsmndf $true + - -dsmndf 1 + - -dsnf $true + - -dsnf 1 + - -dss $true + - -dss 1 + selection_other_default_actions_allow: + ScriptBlockText|contains: Set-MpPreference + selection_other_default_actions_func: + ScriptBlockText|contains: + - HighThreatDefaultAction Allow + - htdefac Allow + - LowThreatDefaultAction Allow + - ltdefac Allow + - ModerateThreatDefaultAction Allow + - mtdefac Allow + - SevereThreatDefaultAction Allow + - stdefac Allow + condition: ps_script and (all of selection_options_disabling_* or all of selection_other_default_actions_*) +falsepositives: + - Legitimate PowerShell scripts that disable Windows Defender for troubleshooting purposes. Must be investigated. +level: high +ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml new file mode 100644 index 000000000..8116373e6 --- /dev/null +++ b/sigma/builtin/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml 
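Review bot: selection_other_default_actions_allow duplicates selection_options_disabling_preference exactly (`ScriptBlockText|contains: Set-MpPreference`), so the condition can be simplified to `selection_options_disabling_preference and (selection_options_disabling_function or selection_other_default_actions_func)` without changing behavior. As in the classic-provider variant, the value patterns only match space-separated arguments, so `-DisableRealtimeMonitoring:$true` is not detected; adding the colon forms for the realtime and behavior-monitoring switches is a cheap improvement. Note also that 4104 logs long scripts in chunks, so the cmdlet and its argument may land in different events; that is inherent to the log source and belongs in the `definition:`.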
@@ -0,0 +1,38 @@
+title: Potential AMSI Bypass Via .NET Reflection
+id: 584c503a-bcee-ab44-f773-dea130827275
+related:
+ - id: 4f927692-68b5-4267-871b-073c45f4f6fe
+ type: obsolete
+ - id: 30edb182-aa75-42c0-b0a9-e998bb29067c
+ type: derived
+status: test
+description: Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning
+references:
+ - https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/
+ - https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
+author: Markus Neis, @Kostastsale
+date: 2018-08-17
+modified: 2023-02-03
+tags:
+ - attack.defense-evasion
+ - attack.t1562.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ - CommandLine|contains|all:
+ - System.Management.Automation.AmsiUtils
+ - amsiInitFailed
+ - CommandLine|contains|all:
+ - '[Ref].Assembly.GetType'
+ - SetValue($null,$true)
+ - NonPublic,Static
+ condition: process_creation and selection
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/sigma/builtin/wmi_event/sysmon_wmi_event_subscription.yml b/sigma/builtin/wmi_event/sysmon_wmi_event_subscription.yml
new file mode 100644
index 000000000..67bc3788b
--- /dev/null
+++ b/sigma/builtin/wmi_event/sysmon_wmi_event_subscription.yml
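Review bot: The second selection alternative requires the exact token `SetValue($null,$true)`, so the common spelling with a space, `SetValue($null, $true)`, or `SetValue($null,1)` escapes the rule, and the first alternative is defeated by string concatenation of `amsiInitFailed`, which the referenced mdsec post demonstrates. Loosening the term to `- SetValue($null` keeps the `[Ref].Assembly.GetType` and `NonPublic,Static` anchors and stays narrow enough for `level: high`. Since 4688 only exposes the command line, this rule sees `-Command`/`-EncodedCommand` invocations and not script files; the 4104-based coverage is the stronger control and a `definition:` under logsource should say so.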
@@ -0,0 +1,34 @@ +title: WMI Event Subscription +id: 3318e98f-7614-2bef-f5b2-78af7cbba518 +related: + - id: 0f06a3a5-6a09-413f-8743-e6cf35561297 + type: derived +status: test +description: Detects creation of WMI event subscription persistence method +references: + - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-19-wmievent-wmieventfilter-activity-detected + - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-20-wmievent-wmieventconsumer-activity-detected + - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-21-wmievent-wmieventconsumertofilter-activity-detected +author: Tom Ueltschi (@c_APT_ure) +date: 2019-01-12 +modified: 2021-11-27 +tags: + - attack.persistence + - attack.t1546.003 +logsource: + product: windows + category: wmi_event +detection: + wmi_event: + EventID: 5861 + Channel: Microsoft-Windows-WMI-Activity/Operational + selection: + EventID: + - 19 + - 20 + - 21 + condition: wmi_event and selection +falsepositives: + - Exclude legitimate (vetted) use of WMI event subscription in your network +level: medium +ruletype: Sigma diff --git a/sigma/sysmon/file/file_delete/file_delete_win_delete_own_image.yml b/sigma/sysmon/file/file_delete/file_delete_win_delete_own_image.yml index a0e302859..1d7fbb793 100644 --- a/sigma/sysmon/file/file_delete/file_delete_win_delete_own_image.yml +++ b/sigma/sysmon/file/file_delete/file_delete_win_delete_own_image.yml @@ -23,7 +23,7 @@ detection: - 26 Channel: Microsoft-Windows-Sysmon/Operational selection: - TargetFilename|equalsfield: Image + TargetFilename|fieldref: Image condition: file_delete and selection falsepositives: - Some false positives are to be expected from uninstallers. diff --git a/sigma/sysmon/placeholder/dns_query/dns_query_win_wscript_cscript_resolution.yml b/sigma/sysmon/placeholder/dns_query/dns_query_win_wscript_cscript_resolution.yml new file mode 100644 index 000000000..2dccd48a7 --- /dev/null 
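Review bot: The condition `wmi_event and selection` can never be true here: `wmi_event` pins `EventID: 5861` while `selection` requires EventID 19, 20 or 21, which are Sysmon IDs that do not occur in the Microsoft-Windows-WMI-Activity/Operational channel, so this built-in rule is dead on arrival. The Sysmon copy later in this patch has consistent IDs in both places; for the built-in log the selection should be `EventID: 5861` (or the condition simply `wmi_event`). A persistence rule at `level: medium` that silently never fires is worse than no rule, because it shows as coverage.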
+++ b/sigma/sysmon/placeholder/dns_query/dns_query_win_wscript_cscript_resolution.yml @@ -0,0 +1,50 @@ +title: DNS Request From Windows Script Host +id: f3d3ae5d-e5d6-3ade-1c58-60cc013ff70e +related: + - id: 12310575-e8b1-475c-a976-57ed540b349c + type: derived +status: experimental +description: | + Detects unusual domain resolutions originating from CScript/WScript that can identify malicious javascript files executing in an environment, often as a result from a phishing or watering hole attack. +author: Josh Nickels, Marius Rothenbücher +references: + - Internal Research +date: 2024-09-06 +tags: + - attack.execution + - attack.t1059 + - sysmon +logsource: + product: windows + category: dns_query +detection: + dns_query: + EventID: 22 + Channel: Microsoft-Windows-Sysmon/Operational + selection: + Image|endswith: + - \wscript.exe + - \cscript.exe + QueryName|contains: . # Ensures that lookups are for external hosts + filter_main_internal_domains: # Populate this placeholder with known and expected internal domains + QueryName|expand: '%internal_domains%' + filter_optional_trusted_domains: # Mostly certificate distribution domains + - QueryName: + - crl.starfieldtech.com + - ocsp.usertrust.com + - officecdn.microsoft.com + - oneocsp.microsoft.com + - oscp.comodoca.com + - oscp.sectigo.com + - oscp.starfieldtech.com + - www.python.org + - QueryName|endswith: + - .digicert.com + - .entrust.net + - .globalsign.net + - .verisign.com + condition: dns_query and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) +falsepositives: + - Script files making expected domain requests +level: low +ruletype: Sigma diff --git a/sigma/sysmon/placeholder/network_connection/net_connection_win_susp_rdp_from_domain_controller.yml b/sigma/sysmon/placeholder/network_connection/net_connection_win_susp_rdp_from_domain_controller.yml new file mode 100644 index 000000000..65b4065c1 --- /dev/null 
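Review bot: `QueryName|contains: .` does not do what its comment claims; internal FQDNs such as `host.corp.example` contain dots, so the only thing it excludes is single-label names, and the real internal exclusion is the `%internal_domains%` placeholder — the comment should read `# Excludes single-label (unqualified) names only; internal FQDNs are handled by filter_main_internal_domains`. In filter_optional_trusted_domains, `oscp.comodoca.com`, `oscp.sectigo.com` and `oscp.starfieldtech.com` look like transposed spellings of `ocsp.` (the other OCSP responders in the same list are spelled `ocsp`); if so those three entries never match and certificate-revocation lookups from script hosts will surface as noise. Worth verifying the hostnames before shipping.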
+++ b/sigma/sysmon/placeholder/network_connection/net_connection_win_susp_rdp_from_domain_controller.yml @@ -0,0 +1,34 @@ +title: New RDP Connection Initiated From Domain Controller +id: 23ef76b6-d6b4-dcb6-d48f-a246567ebccf +related: + - id: fda34293-718e-4b36-b018-38caab0d1209 + type: derived +status: experimental +description: Detects an RDP connection originating from a domain controller. +references: + - Internal Research +author: Josh Nickels +date: 2024-05-10 +tags: + - attack.lateral-movement + - attack.t1021 + - sysmon +logsource: + product: windows + category: network_connection +detection: + network_connection: + EventID: 3 + Channel: Microsoft-Windows-Sysmon/Operational + selection_connection: + Initiated: 'True' + DestinationPort: 3389 + selection_hosts: + Computer|expand: '%domain_controller_hostnames%' + filter_optional_defender_identity: + Image|endswith: \Microsoft.Tri.Sensor.exe # Microsoft Defender for Identity service makes port 3389 connections to hosts + condition: network_connection and (all of selection_* and not 1 of filter_*) +falsepositives: + - Legitimate administration activity +level: high +ruletype: Sigma diff --git a/sigma/sysmon/placeholder/process_creation/proc_creation_win_userdomain_variable_enumeration.yml b/sigma/sysmon/placeholder/process_creation/proc_creation_win_userdomain_variable_enumeration.yml new file mode 100644 index 000000000..94bde8bcb --- /dev/null +++ b/sigma/sysmon/placeholder/process_creation/proc_creation_win_userdomain_variable_enumeration.yml 
@@ -0,0 +1,32 @@
+title: Userdomain Variable Enumeration
+id: 969363fe-fea1-1916-cb94-44b95abc731b
+related:
+ - id: 43311e65-84d8-42a5-b3d4-c94d9b67038f
+ type: derived
+status: test
+description: Detects suspicious enumeration of the domain the user is associated with.
+references:
+ - https://www.arxiv-vanity.com/papers/2008.04676/
+ - https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/
+author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
+date: 2023-02-09
+modified: 2024-08-01
+tags:
+ - attack.discovery
+ - attack.t1016
+ - sysmon
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 1
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection:
+ CommandLine|contains: 'echo '
+ CommandLine|contains|expand: '%userdomain%'
+ condition: process_creation and selection
+falsepositives:
+ - Certain scripts or applications may leverage this.
+level: low
+ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml
new file mode 100644
index 000000000..91e305700
--- /dev/null
+++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml
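Review bot: As in the built-in variant, `CommandLine|contains|expand: '%userdomain%'` makes the literal `%userdomain%` token a configuration placeholder, so with no placeholder configured the rule does not look for `echo %userdomain%` and the intended discovery detection is lost. The string is the attacker's command text, not a site-specific value, and should stay `CommandLine|contains: '%userdomain%'`; the file then belongs under sysmon/process_creation rather than the placeholder/ tree.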
@@ -0,0 +1,39 @@
+title: Potential AMSI Bypass Via .NET Reflection
+id: 6f89712c-3f9a-2513-25b3-72698ed0612f
+related:
+ - id: 4f927692-68b5-4267-871b-073c45f4f6fe
+ type: obsolete
+ - id: 30edb182-aa75-42c0-b0a9-e998bb29067c
+ type: derived
+status: test
+description: Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning
+references:
+ - https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/
+ - https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
+author: Markus Neis, @Kostastsale
+date: 2018-08-17
+modified: 2023-02-03
+tags:
+ - attack.defense-evasion
+ - attack.t1562.001
+ - sysmon
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 1
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection:
+ - CommandLine|contains|all:
+ - System.Management.Automation.AmsiUtils
+ - amsiInitFailed
+ - CommandLine|contains|all:
+ - '[Ref].Assembly.GetType'
+ - SetValue($null,$true)
+ - NonPublic,Static
+ condition: process_creation and selection
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/sigma/sysmon/wmi_event/sysmon_wmi_event_subscription.yml b/sigma/sysmon/wmi_event/sysmon_wmi_event_subscription.yml
new file mode 100644
index 000000000..3c9a63adf
--- /dev/null
+++ b/sigma/sysmon/wmi_event/sysmon_wmi_event_subscription.yml
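Review bot: The `SetValue($null,$true)` term is whitespace-sensitive, so `SetValue($null, $true)` or `SetValue($null,1)` slips past the second alternative, and the first alternative is trivially evaded by splitting the `amsiInitFailed` string, as the referenced mdsec write-up shows. Relaxing the term to `- SetValue($null` while keeping `[Ref].Assembly.GetType` and `NonPublic,Static` preserves precision at `level: high`. Because Sysmon Event 1 only records the command line, this rule covers `-Command`/`-EncodedCommand` invocations rather than script files; a `definition:` pointing to the 4104 script-block rule as the primary control would set expectations correctly.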
@@ -0,0 +1,38 @@ +title: WMI Event Subscription +id: 3799c466-edf8-bc53-6747-8908ab796483 +related: + - id: 0f06a3a5-6a09-413f-8743-e6cf35561297 + type: derived +status: test +description: Detects creation of WMI event subscription persistence method +references: + - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-19-wmievent-wmieventfilter-activity-detected + - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-20-wmievent-wmieventconsumer-activity-detected + - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-21-wmievent-wmieventconsumertofilter-activity-detected +author: Tom Ueltschi (@c_APT_ure) +date: 2019-01-12 +modified: 2021-11-27 +tags: + - attack.persistence + - attack.t1546.003 + - sysmon +logsource: + product: windows + category: wmi_event +detection: + wmi_event: + EventID: + - 19 + - 20 + - 21 + Channel: Microsoft-Windows-Sysmon/Operational + selection: + EventID: + - 19 + - 20 + - 21 + condition: wmi_event and selection +falsepositives: + - Exclude legitimate (vetted) use of WMI event subscription in your network +level: medium +ruletype: Sigma