diff --git a/Rules/sigma_tmp/powershell_CL_Invocation_LOLScript.ps1 b/Rules/sigma_tmp/powershell_CL_Invocation_LOLScript.ps1
new file mode 100644
index 00000000..7bad3b2e
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_CL_Invocation_LOLScript.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*CL_Invocation.ps1.*" -and $_.message -match "ScriptBlockText.*.*SyncInvoke.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_CL_Invocation_LOLScript_v2.ps1 b/Rules/sigma_tmp/powershell_CL_Invocation_LOLScript_v2.ps1
new file mode 100644
index 00000000..cc95fad9
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_CL_Invocation_LOLScript_v2.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*CL_Invocation.ps1.*" -or $_.message -match "ScriptBlockText.*.*SyncInvoke.*")) } | select Computer, ScriptBlockText | group Computer | foreach { [PSCustomObject]@{'Computer'=$_.name;'Count'=($_.group.ScriptBlockText | sort -u).count} } | sort count -desc | where { $_.count -gt 2 }
diff --git a/Rules/sigma_tmp/powershell_CL_Mutexverifiers_LOLScript.ps1 b/Rules/sigma_tmp/powershell_CL_Mutexverifiers_LOLScript.ps1
new file mode 100644
index 00000000..28862893
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_CL_Mutexverifiers_LOLScript.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*CL_Mutexverifiers.ps1.*" -and $_.message -match "ScriptBlockText.*.*runAfterCancelProcess.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_CL_Mutexverifiers_LOLScript_v2.ps1 b/Rules/sigma_tmp/powershell_CL_Mutexverifiers_LOLScript_v2.ps1
new file mode 100644
index 00000000..e250ae69
--- /dev/null
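Review bot: Both conditions test `$_.message -match "ScriptBlockText.*..."`, but the Message property of a 4104 EventLogRecord is the rendered text (it starts "Creating Scriptblock text (N of M):" followed by the code), and as far as I can tell the literal field name `ScriptBlockText` only exists in the EventData XML, not in Message — if that holds, this filter can never match; please verify against a real 4104 record before merging, since every 4104/4103 rule in this commit relies on the same prefix. Matching the data field directly, `$_.Properties[2].Value -match 'CL_Invocation\.ps1'`, or parsing `([xml]$_.ToXml()).Event.EventData.Data` avoids the dependence on message rendering. Independently, `-match` is a regex, so the `.` in `CL_Invocation.ps1` should be escaped (`CL_Invocation\.ps1`) and the leading `.*.*` is redundant.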
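Review bot: `select Computer, ScriptBlockText` projects two properties that the EventLogRecord objects from Get-WinEvent do not expose (the sibling rules in this commit select `MachineName` and `Message` for the same data), so both columns are `$null`, `group Computer` collapses every record into a single unnamed group, and the per-host count of distinct script blocks is meaningless. Project the fields explicitly first, e.g. `select @{n='Computer';e={$_.MachineName}}, @{n='ScriptBlockText';e={$_.Properties[2].Value}}`, so that `group Computer` and `sort -u` operate on real values. A short comment stating that the rule alerts when a host has executed more than two distinct matching script blocks would also help the next reader.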
+++ b/Rules/sigma_tmp/powershell_CL_Mutexverifiers_LOLScript_v2.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*CL_Mutexverifiers.ps1.*" -or $_.message -match "ScriptBlockText.*.*runAfterCancelProcess.*")) } | select Computer, ScriptBlockText | group Computer | foreach { [PSCustomObject]@{'Computer'=$_.name;'Count'=($_.group.ScriptBlockText | sort -u).count} } | sort count -desc | where { $_.count -gt 2 }
diff --git a/Rules/sigma_tmp/powershell_alternate_powershell_hosts.ps1 b/Rules/sigma_tmp/powershell_alternate_powershell_hosts.ps1
new file mode 100644
index 00000000..98559d4f
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_alternate_powershell_hosts.ps1
@@ -0,0 +1,2 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {(($_.ID -eq "4103" -and $_.message -match "ContextInfo.*.*") -and -not ($_.message -match "ContextInfo.*powershell.exe" -or $_.message -match "Message.*powershell.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Windows PowerShell | where {(($_.ID -eq "400" -and $_.message -match "ContextInfo.*.*") -and -not ($_.message -match "ContextInfo.*powershell.exe" -or $_.message -match "Message.*powershell.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_automated_collection.ps1 b/Rules/sigma_tmp/powershell_automated_collection.ps1
new file mode 100644
index 00000000..20df7298
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_automated_collection.ps1
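Review bot: As with the CL_Invocation v2 rule, `select Computer, ScriptBlockText` names properties that Get-WinEvent's EventLogRecord does not have, so the subsequent `group Computer` / `sort -u` count runs over nulls and the `-gt 2` threshold can never be evaluated per host. Use calculated properties, `select @{n='Computer';e={$_.MachineName}}, @{n='ScriptBlockText';e={$_.Properties[2].Value}}`, before grouping.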
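Review bot: On the second added line `Get-WinEvent -LogName Windows PowerShell` leaves the log name unquoted, so `PowerShell` is passed as a stray positional argument and Get-WinEvent fails with a parameter-binding error before the classic-log half of this rule runs; it needs `Get-WinEvent -LogName "Windows PowerShell"`. The positive clause `ContextInfo.*.*` only checks that the substring `ContextInfo` is present, which (if the rendered Message lacks the field name) may never be true — confirm against a sample 4103/400 record. The exclusion keys on the literal `powershell.exe`, so a renamed or copied host binary, or `pwsh.exe`, is reported as an "alternate host"; that is probably intended for the former but worth a comment for the latter.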
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*.doc.*" -or $_.message -match "ScriptBlockText.*.*.docx.*" -or $_.message -match "ScriptBlockText.*.*.xls.*" -or $_.message -match "ScriptBlockText.*.*.xlsx.*" -or $_.message -match "ScriptBlockText.*.*.ppt.*" -or $_.message -match "ScriptBlockText.*.*.pptx.*" -or $_.message -match "ScriptBlockText.*.*.rtf.*" -or $_.message -match "ScriptBlockText.*.*.pdf.*" -or $_.message -match "ScriptBlockText.*.*.txt.*") -and $_.message -match "ScriptBlockText.*.*Get-ChildItem.*" -and $_.message -match "ScriptBlockText.*.* -Recurse .*" -and $_.message -match "ScriptBlockText.*.* -Include .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_bad_opsec_artifacts.ps1 b/Rules/sigma_tmp/powershell_bad_opsec_artifacts.ps1
new file mode 100644
index 00000000..c40180c7
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_bad_opsec_artifacts.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {((($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*$DoIt.*" -or $_.message -match "ScriptBlockText.*.*harmj0y.*" -or $_.message -match "ScriptBlockText.*.*mattifestation.*" -or $_.message -match "ScriptBlockText.*.*_RastaMouse.*" -or $_.message -match "ScriptBlockText.*.*tifkin_.*" -or $_.message -match "ScriptBlockText.*.*0xdeadbeef.*")) -or ($_.ID -eq "4103" -and ($_.message -match "Payload.*.*$DoIt.*" -or $_.message -match "Payload.*.*harmj0y.*" -or $_.message -match "Payload.*.*mattifestation.*" -or $_.message -match "Payload.*.*_RastaMouse.*" -or $_.message -match "Payload.*.*tifkin_.*" -or $_.message -match "Payload.*.*0xdeadbeef.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
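Review bot: `$DoIt` sits inside a double-quoted PowerShell string, so it is interpolated as a variable; in a fresh session it is empty and the pattern collapses to `ScriptBlockText.*.*.*`, which matches every 4104 event (and the `Payload.*.*$DoIt.*` twin matches every 4103), turning this rule into a match-all. Use a single-quoted literal with the dollar escaped for the regex engine: `'ScriptBlockText.*\$DoIt.*'` and `'Payload.*\$DoIt.*'`. The remaining handles are plain substrings and fine as written.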
diff --git a/Rules/sigma_tmp/powershell_clear_powershell_history.ps1 b/Rules/sigma_tmp/powershell_clear_powershell_history.ps1
new file mode 100644
index 00000000..dfb002d2
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_clear_powershell_history.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {((($_.ID -eq "4104" -and ((($_.message -match "ScriptBlockText.*.*del.*" -or $_.message -match "ScriptBlockText.*.*Remove-Item.*" -or $_.message -match "ScriptBlockText.*.*rm.*") -and $_.message -match "ScriptBlockText.*.*(Get-PSReadlineOption).HistorySavePath.*") -or ($_.message -match "ScriptBlockText.*.*Set-PSReadlineOption.*" -and $_.message -match "ScriptBlockText.*.*–HistorySaveStyle.*" -and $_.message -match "ScriptBlockText.*.*SaveNothing.*"))) -or ($_.ID -eq "4103" -and ((($_.message -match "Payload.*.*del.*" -or $_.message -match "Payload.*.*Remove-Item.*" -or $_.message -match "Payload.*.*rm.*") -and $_.message -match "Payload.*.*(Get-PSReadlineOption).HistorySavePath.*") -or ($_.message -match "Payload.*.*Set-PSReadlineOption.*" -and $_.message -match "Payload.*.*–HistorySaveStyle.*" -and $_.message -match "Payload.*.*SaveNothing.*"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_cmdline_reversed_strings.ps1 b/Rules/sigma_tmp/powershell_cmdline_reversed_strings.ps1
new file mode 100644
index 00000000..34744e77
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_cmdline_reversed_strings.ps1
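Review bot: The dash in `–HistorySaveStyle` appears to be U+2013 (en dash) rather than an ASCII hyphen, in both the 4104 and the 4103 branch; a script block typed with the normal `-HistorySaveStyle` will not match it, which leaves the Set-PSReadlineOption/SaveNothing branch effectively dead — please check the bytes in the file. The other branch passes `(Get-PSReadlineOption).HistorySavePath` to `-match` as a regex, where the parentheses form a group and the dot is a wildcard; the literal is `\(Get-PSReadlineOption\)\.HistorySavePath`. `del.*` and `rm.*` are also bare substrings (they hit `model`, `format`, etc.), and although the `-and` on HistorySavePath contains the noise, `\b(rm|del|Remove-Item)\b` would express the intent.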
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\powershell.exe" -and ($_.message -match "CommandLine.*.*hctac.*" -or $_.message -match "CommandLine.*.*kearb.*" -or $_.message -match "CommandLine.*.*dnammoc.*" -or $_.message -match "CommandLine.*.*ekovn.*" -or $_.message -match "CommandLine.*.*eliFd.*" -or $_.message -match "CommandLine.*.*rahc.*" -or $_.message -match "CommandLine.*.*etirw.*" -or $_.message -match "CommandLine.*.*golon.*" -or $_.message -match "CommandLine.*.*tninon.*" -or $_.message -match "CommandLine.*.*eddih.*" -or $_.message -match "CommandLine.*.*tpircS.*" -or $_.message -match "CommandLine.*.*ssecorp.*" -or $_.message -match "CommandLine.*.*llehsrewop.*" -or $_.message -match "CommandLine.*.*esnopser.*" -or $_.message -match "CommandLine.*.*daolnwod.*" -or $_.message -match "CommandLine.*.*tneilCbeW.*" -or $_.message -match "CommandLine.*.*tneilc.*" -or $_.message -match "CommandLine.*.*ptth.*" -or $_.message -match "CommandLine.*.*elifotevas.*" -or $_.message -match "CommandLine.*.*46esab.*" -or $_.message -match "CommandLine.*.*htaPpmeTteG.*" -or $_.message -match "CommandLine.*.*tcejbO.*" -or $_.message -match "CommandLine.*.*maerts.*" -or $_.message -match "CommandLine.*.*hcaerof.*" -or $_.message -match "CommandLine.*.*ekovni.*" -or $_.message -match "CommandLine.*.*retupmoc.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_cmdline_specific_comb_methods.ps1 b/Rules/sigma_tmp/powershell_cmdline_specific_comb_methods.ps1
new file mode 100644
index 00000000..f2994a2f
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_cmdline_specific_comb_methods.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\powershell.exe" -and (((($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*ToInt.*" -or $_.message -match "CommandLine.*.*ToDecimal.*" -or $_.message -match "CommandLine.*.*ToByte.*" -or $_.message -match "CommandLine.*.*ToUint.*" -or $_.message -match "CommandLine.*.*ToSingle.*" -or $_.message -match "CommandLine.*.*ToSByte.*") -and ($_.message -match "CommandLine.*.*ToChar.*" -or $_.message -match "CommandLine.*.*ToString.*" -or $_.message -match "CommandLine.*.*String.*")) -or ($_.message -match "CommandLine.*.*char.*" -and $_.message -match "CommandLine.*.*join.*")) -or ($_.message -match "CommandLine.*.*split.*" -and $_.message -match "CommandLine.*.*join.*")) -or ($_.message -match "CommandLine.*.*ForEach.*" -and $_.message -match "CommandLine.*.*Xor.*") -or ($_.message -match "CommandLine.*.*cOnvErTTO-SECUreStRIng.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_code_injection.ps1 b/Rules/sigma_tmp/powershell_code_injection.ps1
new file mode 100644
index 00000000..57538ea2
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_code_injection.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "8" -and $_.message -match "SourceImage.*.*\\powershell.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_create_local_user.ps1 b/Rules/sigma_tmp/powershell_create_local_user.ps1
new file mode 100644
index 00000000..74dcae98
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_create_local_user.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*New-LocalUser.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
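Review bot: The inner `$_.ID -eq "1"` repeats the outer event-ID check and the branch `CommandLine.*.*String.*` already subsumes `ToString`, so two of the alternatives are dead weight that make the nesting harder to read; `$_.ID -eq "1" -and $_.message -match "Image.*\\powershell\.exe" -and ((...ToInt|ToDecimal|... ) -and (...ToChar|String...)) -or (char -and join) -or ...` reads more clearly. The mixed-case `cOnvErTTO-SECUreStRIng` literal buys nothing because `-match` is case-insensitive by default; `ConvertTo-SecureString` is equivalent and self-explanatory. Note `char`, `join` and `split` are substrings of many benign command lines, so this rule will be noisy; a comment saying it is meant as a low-confidence obfuscation hint would set expectations.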
diff --git a/Rules/sigma_tmp/powershell_data_compressed.ps1 b/Rules/sigma_tmp/powershell_data_compressed.ps1
new file mode 100644
index 00000000..96e2f9e5
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_data_compressed.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*-Recurse.*" -and $_.message -match "ScriptBlockText.*.*|.*" -and $_.message -match "ScriptBlockText.*.*Compress-Archive.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_decompress_commands.ps1 b/Rules/sigma_tmp/powershell_decompress_commands.ps1
new file mode 100644
index 00000000..008ab520
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_decompress_commands.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {((($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*Expand-Archive.*") -or ($_.ID -eq "4103" -and $_.message -match "Payload.*.*Expand-Archive.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_delete_volume_shadow_copies.ps1 b/Rules/sigma_tmp/powershell_delete_volume_shadow_copies.ps1
new file mode 100644
index 00000000..33f7d4e7
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_delete_volume_shadow_copies.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Windows PowerShell | where {($_.message -match "CommandLine.*.*Get-WmiObject.*" -and $_.message -match "CommandLine.*.* Win32_Shadowcopy.*" -and ($_.message -match "CommandLine.*.*Delete().*" -or $_.message -match "CommandLine.*.*Remove-WmiObject.*") -and $_.ID -eq "400") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_dnscat_execution.ps1 b/Rules/sigma_tmp/powershell_dnscat_execution.ps1
new file mode 100644
index 00000000..07d9f6cc
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_dnscat_execution.ps1
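Review bot: `$_.message -match "ScriptBlockText.*.*|.*"` is a regex alternation, not a literal pipe: the right-hand branch `.*` matches the empty string, so this condition is always true and the intended "piped into Compress-Archive" constraint is silently dropped, leaving the rule to fire on any block containing `-Recurse` and `Compress-Archive`. Escape the metacharacter: `$_.message -match "ScriptBlockText.*\|.*"`.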
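Review bot: `Get-WinEvent -LogName Windows PowerShell` is unquoted, so `PowerShell` becomes an unexpected positional argument and the cmdlet fails to bind before any filtering happens; it needs `-LogName "Windows PowerShell"`. The filter then keys on a `CommandLine` field in event 400, whereas the classic log's 400 record (as the powercat rule in this same commit reflects) carries `HostApplication=` rather than a CommandLine field — please confirm against a sample, because if so this rule matches nothing. `Delete().*` is a regex with an empty group and matches `Delete` followed by anything; the literal call is `Delete\(\)`.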
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*Start-Dnscat2.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_downgrade_attack.ps1 b/Rules/sigma_tmp/powershell_downgrade_attack.ps1
new file mode 100644
index 00000000..c49583c1
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_downgrade_attack.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Windows PowerShell | where {(($_.ID -eq "400" -and $_.message -match "EngineVersion.*2..*") -and -not ($_.message -match "HostVersion.*2..*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_exe_calling_ps.ps1 b/Rules/sigma_tmp/powershell_exe_calling_ps.ps1
new file mode 100644
index 00000000..689b1ae8
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_exe_calling_ps.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Windows PowerShell | where {($_.ID -eq "400" -and ($_.message -match "EngineVersion.*2..*" -or $_.message -match "EngineVersion.*4..*" -or $_.message -match "EngineVersion.*5..*") -and $_.message -match "HostVersion.*3..*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_get_clipboard.ps1 b/Rules/sigma_tmp/powershell_get_clipboard.ps1
new file mode 100644
index 00000000..8c8e09bd
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_get_clipboard.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {((($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*Get-Clipboard.*") -or ($_.ID -eq "4103" -and $_.message -match "Payload.*.*Get-Clipboard.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_icmp_exfiltration.ps1 b/Rules/sigma_tmp/powershell_icmp_exfiltration.ps1
new file mode 100644
index 00000000..ffeb8c83
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_icmp_exfiltration.ps1
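Review bot: `EngineVersion.*2..*` matches any `2` anywhere after `EngineVersion` on that line, not an engine major version of 2; if the rendered 400 Message carries the `EngineVersion=5.1.22621.x` form, every console start on such a build is flagged as a v2 downgrade unless `HostVersion` happens to contain a `2` too, and the `-not` exclusion has the same looseness. Anchor on the field value instead: `$_.message -match "EngineVersion=2\."` and `-not ($_.message -match "HostVersion=2\.")`. The `-LogName Windows PowerShell` argument is also unquoted and will fail to bind (`-LogName "Windows PowerShell"`); the exe_calling_ps rule on this same line has both problems, with `HostVersion.*3..*` matching any build number containing a 3.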
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*New-Object.*" -and $_.message -match "ScriptBlockText.*.*System.Net.NetworkInformation.Ping.*" -and $_.message -match "ScriptBlockText.*.*.Send(.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_keylogging.ps1 b/Rules/sigma_tmp/powershell_keylogging.ps1
new file mode 100644
index 00000000..b7e2a537
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_keylogging.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*Get-Keystrokes.*" -or ($_.message -match "ScriptBlockText.*.*Get-ProcAddress user32.dll GetAsyncKeyState.*" -and $_.message -match "ScriptBlockText.*.*Get-ProcAddress user32.dll GetForegroundWindow.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_malicious_commandlets.ps1 b/Rules/sigma_tmp/powershell_malicious_commandlets.ps1
new file mode 100644
index 00000000..ad4993f0
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_malicious_commandlets.ps1
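Review bot: `"ScriptBlockText.*.*.Send(.*"` is not a valid .NET regular expression — the `(` opens a group that is never closed — so `-match` throws an invalid-pattern exception on the first 4104 record it evaluates and the pipeline aborts rather than filtering. Escape the metacharacters: `$_.message -match "ScriptBlockText.*\.Send\(.*"`. The unescaped dots in `System.Net.NetworkInformation.Ping` are merely over-broad and harmless, but `System\.Net\.NetworkInformation\.Ping` is the literal.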
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {(($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*Invoke-DllInjection.*" -or $_.message -match "ScriptBlockText.*.*Invoke-Shellcode.*" -or $_.message -match "ScriptBlockText.*.*Invoke-WmiCommand.*" -or $_.message -match "ScriptBlockText.*.*Get-GPPPassword.*" -or $_.message -match "ScriptBlockText.*.*Get-Keystrokes.*" -or $_.message -match "ScriptBlockText.*.*Get-TimedScreenshot.*" -or $_.message -match "ScriptBlockText.*.*Get-VaultCredential.*" -or $_.message -match "ScriptBlockText.*.*Invoke-CredentialInjection.*" -or $_.message -match "ScriptBlockText.*.*Invoke-Mimikatz.*" -or $_.message -match "ScriptBlockText.*.*Invoke-NinjaCopy.*" -or $_.message -match "ScriptBlockText.*.*Invoke-TokenManipulation.*" -or $_.message -match "ScriptBlockText.*.*Out-Minidump.*" -or $_.message -match "ScriptBlockText.*.*VolumeShadowCopyTools.*" -or $_.message -match "ScriptBlockText.*.*Invoke-ReflectivePEInjection.*" -or $_.message -match "ScriptBlockText.*.*Invoke-UserHunter.*" -or $_.message -match "ScriptBlockText.*.*Find-GPOLocation.*" -or $_.message -match "ScriptBlockText.*.*Invoke-ACLScanner.*" -or $_.message -match "ScriptBlockText.*.*Invoke-DowngradeAccount.*" -or $_.message -match "ScriptBlockText.*.*Get-ServiceUnquoted.*" -or $_.message -match "ScriptBlockText.*.*Get-ServiceFilePermission.*" -or $_.message -match "ScriptBlockText.*.*Get-ServicePermission.*" -or $_.message -match "ScriptBlockText.*.*Invoke-ServiceAbuse.*" -or $_.message -match "ScriptBlockText.*.*Install-ServiceBinary.*" -or $_.message -match "ScriptBlockText.*.*Get-RegAutoLogon.*" -or $_.message -match "ScriptBlockText.*.*Get-VulnAutoRun.*" -or $_.message -match "ScriptBlockText.*.*Get-VulnSchTask.*" -or $_.message -match "ScriptBlockText.*.*Get-UnattendedInstallFile.*" -or $_.message -match "ScriptBlockText.*.*Get-ApplicationHost.*" -or $_.message -match "ScriptBlockText.*.*Get-RegAlwaysInstallElevated.*"
-or $_.message -match "ScriptBlockText.*.*Get-Unconstrained.*" -or $_.message -match "ScriptBlockText.*.*Add-RegBackdoor.*" -or $_.message -match "ScriptBlockText.*.*Add-ScrnSaveBackdoor.*" -or $_.message -match "ScriptBlockText.*.*Gupt-Backdoor.*" -or $_.message -match "ScriptBlockText.*.*Invoke-ADSBackdoor.*" -or $_.message -match "ScriptBlockText.*.*Enabled-DuplicateToken.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PsUaCme.*" -or $_.message -match "ScriptBlockText.*.*Remove-Update.*" -or $_.message -match "ScriptBlockText.*.*Check-VM.*" -or $_.message -match "ScriptBlockText.*.*Get-LSASecret.*" -or $_.message -match "ScriptBlockText.*.*Get-PassHashes.*" -or $_.message -match "ScriptBlockText.*.*Show-TargetScreen.*" -or $_.message -match "ScriptBlockText.*.*Port-Scan.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PoshRatHttp.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PowerShellTCP.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PowerShellWMI.*" -or $_.message -match "ScriptBlockText.*.*Add-Exfiltration.*" -or $_.message -match "ScriptBlockText.*.*Add-Persistence.*" -or $_.message -match "ScriptBlockText.*.*Do-Exfiltration.*" -or $_.message -match "ScriptBlockText.*.*Start-CaptureServer.*" -or $_.message -match "ScriptBlockText.*.*Get-ChromeDump.*" -or $_.message -match "ScriptBlockText.*.*Get-ClipboardContents.*" -or $_.message -match "ScriptBlockText.*.*Get-FoxDump.*" -or $_.message -match "ScriptBlockText.*.*Get-IndexedItem.*" -or $_.message -match "ScriptBlockText.*.*Get-Screenshot.*" -or $_.message -match "ScriptBlockText.*.*Invoke-Inveigh.*" -or $_.message -match "ScriptBlockText.*.*Invoke-NetRipper.*" -or $_.message -match "ScriptBlockText.*.*Invoke-EgressCheck.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PostExfil.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PSInject.*" -or $_.message -match "ScriptBlockText.*.*Invoke-RunAs.*" -or $_.message -match "ScriptBlockText.*.*MailRaider.*" -or $_.message -match 
"ScriptBlockText.*.*New-HoneyHash.*" -or $_.message -match "ScriptBlockText.*.*Set-MacAttribute.*" -or $_.message -match "ScriptBlockText.*.*Invoke-DCSync.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PowerDump.*" -or $_.message -match "ScriptBlockText.*.*Exploit-Jboss.*" -or $_.message -match "ScriptBlockText.*.*Invoke-ThunderStruck.*" -or $_.message -match "ScriptBlockText.*.*Invoke-VoiceTroll.*" -or $_.message -match "ScriptBlockText.*.*Set-Wallpaper.*" -or $_.message -match "ScriptBlockText.*.*Invoke-InveighRelay.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PsExec.*" -or $_.message -match "ScriptBlockText.*.*Invoke-SSHCommand.*" -or $_.message -match "ScriptBlockText.*.*Get-SecurityPackages.*" -or $_.message -match "ScriptBlockText.*.*Install-SSP.*" -or $_.message -match "ScriptBlockText.*.*Invoke-BackdoorLNK.*" -or $_.message -match "ScriptBlockText.*.*PowerBreach.*" -or $_.message -match "ScriptBlockText.*.*Get-SiteListPassword.*" -or $_.message -match "ScriptBlockText.*.*Get-System.*" -or $_.message -match "ScriptBlockText.*.*Invoke-BypassUAC.*" -or $_.message -match "ScriptBlockText.*.*Invoke-Tater.*" -or $_.message -match "ScriptBlockText.*.*Invoke-WScriptBypassUAC.*" -or $_.message -match "ScriptBlockText.*.*PowerUp.*" -or $_.message -match "ScriptBlockText.*.*PowerView.*" -or $_.message -match "ScriptBlockText.*.*Get-RickAstley.*" -or $_.message -match "ScriptBlockText.*.*Find-Fruit.*" -or $_.message -match "ScriptBlockText.*.*HTTP-Login.*" -or $_.message -match "ScriptBlockText.*.*Find-TrustedDocuments.*" -or $_.message -match "ScriptBlockText.*.*Invoke-Paranoia.*" -or $_.message -match "ScriptBlockText.*.*Invoke-WinEnum.*" -or $_.message -match "ScriptBlockText.*.*Invoke-ARPScan.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PortScan.*" -or $_.message -match "ScriptBlockText.*.*Invoke-ReverseDNSLookup.*" -or $_.message -match "ScriptBlockText.*.*Invoke-SMBScanner.*" -or $_.message -match "ScriptBlockText.*.*Invoke-Mimikittenz.*" -or 
$_.message -match "ScriptBlockText.*.*Invoke-AllChecks.*")) -and -not ($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*Get-SystemDriveInfo.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_malicious_keywords.ps1 b/Rules/sigma_tmp/powershell_malicious_keywords.ps1
new file mode 100644
index 00000000..eac77513
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_malicious_keywords.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {(($_.message -match ".*AdjustTokenPrivileges.*" -or $_.message -match ".*IMAGE_NT_OPTIONAL_HDR64_MAGIC.*" -or $_.message -match ".*Microsoft.Win32.UnsafeNativeMethods.*" -or $_.message -match ".*ReadProcessMemory.Invoke.*" -or $_.message -match ".*SE_PRIVILEGE_ENABLED.*" -or $_.message -match ".*LSA_UNICODE_STRING.*" -or $_.message -match ".*MiniDumpWriteDump.*" -or $_.message -match ".*PAGE_EXECUTE_READ.*" -or $_.message -match ".*SECURITY_DELEGATION.*" -or $_.message -match ".*TOKEN_ADJUST_PRIVILEGES.*" -or $_.message -match ".*TOKEN_ALL_ACCESS.*" -or $_.message -match ".*TOKEN_ASSIGN_PRIMARY.*" -or $_.message -match ".*TOKEN_DUPLICATE.*" -or $_.message -match ".*TOKEN_ELEVATION.*" -or $_.message -match ".*TOKEN_IMPERSONATE.*" -or $_.message -match ".*TOKEN_INFORMATION_CLASS.*" -or $_.message -match ".*TOKEN_PRIVILEGES.*" -or $_.message -match ".*TOKEN_QUERY.*" -or $_.message -match ".*Metasploit.*" -or $_.message -match ".*Mimikatz.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_nishang_malicious_commandlets.ps1 b/Rules/sigma_tmp/powershell_nishang_malicious_commandlets.ps1
new file mode 100644
index 00000000..eb85850d
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_nishang_malicious_commandlets.ps1
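Review bot: The trailing `-not (... Get-SystemDriveInfo ...)` discards the entire event whenever that string appears, even when the same script block also contains `Invoke-Mimikatz` or another listed name; the exclusion only exists because `Get-System.*` is a substring match, and a word-bounded pattern such as `"ScriptBlockText.*\bGet-System\b"` would make it unnecessary. The same substring caveat applies to short tokens like `PowerUp`, `PowerView`, `Check-VM` and `Port-Scan`, which will hit unrelated identifiers. The `$_.ID -eq "4104"` inside the exclusion is redundant given the outer clause and can be dropped. This added line is a single script spanning several physical lines of the paste; the note covers its whole text.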
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {(($_.message -match "Payload.*.*Add-ConstrainedDelegationBackdoor.*" -or $_.message -match "Payload.*.*Set-DCShadowPermissions.*" -or $_.message -match "Payload.*.*DNS_TXT_Pwnage.*" -or $_.message -match "Payload.*.*Execute-OnTime.*" -or $_.message -match "Payload.*.*HTTP-Backdoor.*" -or $_.message -match "Payload.*.*Set-RemotePSRemoting.*" -or $_.message -match "Payload.*.*Set-RemoteWMI.*" -or $_.message -match "Payload.*.*Invoke-AmsiBypass.*" -or $_.message -match "Payload.*.*Out-CHM.*" -or $_.message -match "Payload.*.*Out-HTA.*" -or $_.message -match "Payload.*.*Out-SCF.*" -or $_.message -match "Payload.*.*Out-SCT.*" -or $_.message -match "Payload.*.*Out-Shortcut.*" -or $_.message -match "Payload.*.*Out-WebQuery.*" -or $_.message -match "Payload.*.*Out-Word.*" -or $_.message -match "Payload.*.*Enable-Duplication.*" -or $_.message -match "Payload.*.*Remove-Update.*" -or $_.message -match "Payload.*.*Download-Execute-PS.*" -or $_.message -match "Payload.*.*Download_Execute.*" -or $_.message -match "Payload.*.*Execute-Command-MSSQL.*" -or $_.message -match "Payload.*.*Execute-DNSTXT-Code.*" -or $_.message -match "Payload.*.*Out-RundllCommand.*" -or $_.message -match "Payload.*.*Copy-VSS.*" -or $_.message -match "Payload.*.*FireBuster.*" -or $_.message -match "Payload.*.*FireListener.*" -or $_.message -match "Payload.*.*Get-Information.*" -or $_.message -match "Payload.*.*Get-PassHints.*" -or $_.message -match "Payload.*.*Get-WLAN-Keys.*" -or $_.message -match "Payload.*.*Get-Web-Credentials.*" -or $_.message -match "Payload.*.*Invoke-CredentialsPhish.*" -or $_.message -match "Payload.*.*Invoke-MimikatzWDigestDowngrade.*" -or $_.message -match "Payload.*.*Invoke-SSIDExfil.*" -or $_.message -match "Payload.*.*Invoke-SessionGopher.*" -or $_.message -match "Payload.*.*Keylogger.*" -or $_.message -match "Payload.*.*Invoke-Interceptor.*" -or $_.message -match
"Payload.*.*Create-MultipleSessions.*" -or $_.message -match "Payload.*.*Invoke-NetworkRelay.*" -or $_.message -match "Payload.*.*Run-EXEonRemote.*" -or $_.message -match "Payload.*.*Invoke-Prasadhak.*" -or $_.message -match "Payload.*.*Invoke-BruteForce.*" -or $_.message -match "Payload.*.*Password-List.*" -or $_.message -match "Payload.*.*Invoke-JSRatRegsvr.*" -or $_.message -match "Payload.*.*Invoke-JSRatRundll.*" -or $_.message -match "Payload.*.*Invoke-PoshRatHttps.*" -or $_.message -match "Payload.*.*Invoke-PowerShellIcmp.*" -or $_.message -match "Payload.*.*Invoke-PowerShellUdp.*" -or $_.message -match "Payload.*.*Invoke-PSGcat.*" -or $_.message -match "Payload.*.*Invoke-PsGcatAgent.*" -or $_.message -match "Payload.*.*Remove-PoshRat.*" -or $_.message -match "Payload.*.*Add-Persistance.*" -or $_.message -match "Payload.*.*ExetoText.*" -or $_.message -match "Payload.*.*Invoke-Decode.*" -or $_.message -match "Payload.*.*Invoke-Encode.*" -or $_.message -match "Payload.*.*Parse_Keys.*" -or $_.message -match "Payload.*.*Remove-Persistence.*" -or $_.message -match "Payload.*.*StringtoBase64.*" -or $_.message -match "Payload.*.*TexttoExe.*" -or $_.message -match "Payload.*.*Powerpreter.*" -or $_.message -match "Payload.*.*Nishang.*" -or $_.message -match "Payload.*.*DataToEncode.*" -or $_.message -match "Payload.*.*LoggedKeys.*" -or $_.message -match "Payload.*.*OUT-DNSTXT.*" -or $_.message -match "Payload.*.*ExfilOption.*" -or $_.message -match "Payload.*.*DumpCerts.*" -or $_.message -match "Payload.*.*DumpCreds.*" -or $_.message -match "Payload.*.*Shellcode32.*" -or $_.message -match "Payload.*.*Shellcode64.*" -or $_.message -match "Payload.*.*NotAllNameSpaces.*" -or $_.message -match "Payload.*.*exfill.*" -or $_.message -match "Payload.*.*FakeDC.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message 
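Review bot: Every alternative is prefixed with `Payload.*`, which is the 4103 data field, and there is no event-ID filter, so 4104 script-block records — where the other commandlet rules in this commit look for the same kind of names under `ScriptBlockText` — are never matched by this rule, and the `Payload` prefix itself depends on the rendered Message containing that field name (please verify on a sample 4103). Mirroring the decompress_commands rule, `($_.ID -eq "4103" -and $_.message -match "Payload.*X") -or ($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*X")` keeps both sources. Bare tokens such as `Keylogger`, `exfill`, `Nishang` and `Password-List` are substring matches over the whole message and will be noisy; a comment flagging this as a broad indicator list would help. The added line spans two physical lines of the paste; this note covers its full text.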
diff --git a/Rules/sigma_tmp/powershell_ntfs_ads_access.ps1 b/Rules/sigma_tmp/powershell_ntfs_ads_access.ps1
new file mode 100644
index 00000000..435f890e
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_ntfs_ads_access.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {(($_.message -match "set-content" -or $_.message -match "add-content") -and $_.message -match "-stream") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_powercat.ps1 b/Rules/sigma_tmp/powershell_powercat.ps1
new file mode 100644
index 00000000..b7dac08e
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_powercat.ps1
@@ -0,0 +1,2 @@
+Get-WinEvent -LogName Windows PowerShell | where {($_.ID -eq "400" -and ($_.message -match "HostApplication.*.*powercat .*" -or $_.message -match "HostApplication.*.*powercat.ps1.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4103" -and ($_.message -match "ContextInfo.*.*powercat .*" -or $_.message -match "ContextInfo.*.*powercat.ps1.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_powerview_malicious_commandlets.ps1 b/Rules/sigma_tmp/powershell_powerview_malicious_commandlets.ps1
new file mode 100644
index 00000000..467c22ae
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_powerview_malicious_commandlets.ps1
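Review bot: On the first added line `Get-WinEvent -LogName Windows PowerShell` is unquoted, so `PowerShell` is passed as a stray positional argument and the cmdlet errors out before any filtering; quote it: `Get-WinEvent -LogName "Windows PowerShell"`. The `powercat.ps1` pattern has an unescaped regex dot (`powercat\.ps1`), although `powercat .*` already catches most invocations, and `.` does not cross line breaks by default, so the `HostApplication.*` prefix is only ever tested against the HostApplication line — which is probably what you want, but worth a comment.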
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and ($_.message -match "Export-PowerViewCSV" -or $_.message -match "Get-IPAddress" -or $_.message -match "Resolve-IPAddress" -or $_.message -match "Convert-NameToSid" -or $_.message -match "ConvertTo-SID" -or $_.message -match "Convert-ADName" -or $_.message -match "ConvertFrom-UACValue" -or $_.message -match "Add-RemoteConnection" -or $_.message -match "Remove-RemoteConnection" -or $_.message -match "Invoke-UserImpersonation" -or $_.message -match "Invoke-RevertToSelf" -or $_.message -match "Request-SPNTicket" -or $_.message -match "Get-DomainSPNTicket" -or $_.message -match "Invoke-Kerberoast" -or $_.message -match "Get-PathAcl" -or $_.message -match "Get-DNSZone" -or $_.message -match "Get-DomainDNSZone" -or $_.message -match "Get-DNSRecord" -or $_.message -match "Get-DomainDNSRecord" -or $_.message -match "Get-NetDomain" -or $_.message -match "Get-Domain" -or $_.message -match "Get-NetDomainController" -or $_.message -match "Get-DomainController" -or $_.message -match "Get-NetForest" -or $_.message -match "Get-Forest" -or $_.message -match "Get-NetForestDomain" -or $_.message -match "Get-ForestDomain" -or $_.message -match "Get-NetForestCatalog" -or $_.message -match "Get-ForestGlobalCatalog" -or $_.message -match "Find-DomainObjectPropertyOutlier" -or $_.message -match "Get-NetUser" -or $_.message -match "Get-DomainUser" -or $_.message -match "New-DomainUser" -or $_.message -match "Set-DomainUserPassword" -or $_.message -match "Get-UserEvent" -or $_.message -match "Get-DomainUserEvent" -or $_.message -match "Get-NetComputer" -or $_.message -match "Get-DomainComputer" -or $_.message -match "Get-ADObject" -or $_.message -match "Get-DomainObject" -or $_.message -match "Set-ADObject" -or $_.message -match "Set-DomainObject" -or $_.message -match "Get-ObjectAcl" -or $_.message -match "Get-DomainObjectAcl" -or $_.message -match "Add-ObjectAcl" -or $_.message 
-match "Add-DomainObjectAcl" -or $_.message -match "Invoke-ACLScanner" -or $_.message -match "Find-InterestingDomainAcl" -or $_.message -match "Get-NetOU" -or $_.message -match "Get-DomainOU" -or $_.message -match "Get-NetSite" -or $_.message -match "Get-DomainSite" -or $_.message -match "Get-NetSubnet" -or $_.message -match "Get-DomainSubnet" -or $_.message -match "Get-DomainSID" -or $_.message -match "Get-NetGroup" -or $_.message -match "Get-DomainGroup" -or $_.message -match "New-DomainGroup" -or $_.message -match "Find-ManagedSecurityGroups" -or $_.message -match "Get-DomainManagedSecurityGroup" -or $_.message -match "Get-NetGroupMember" -or $_.message -match "Get-DomainGroupMember" -or $_.message -match "Add-DomainGroupMember" -or $_.message -match "Get-NetFileServer" -or $_.message -match "Get-DomainFileServer" -or $_.message -match "Get-DFSshare" -or $_.message -match "Get-DomainDFSShare" -or $_.message -match "Get-NetGPO" -or $_.message -match "Get-DomainGPO" -or $_.message -match "Get-NetGPOGroup" -or $_.message -match "Get-DomainGPOLocalGroup" -or $_.message -match "Find-GPOLocation" -or $_.message -match "Get-DomainGPOUserLocalGroupMapping" -or $_.message -match "Find-GPOComputerAdmin" -or $_.message -match "Get-DomainGPOComputerLocalGroupMapping" -or $_.message -match "Get-DomainPolicy" -or $_.message -match "Get-NetLocalGroup" -or $_.message -match "Get-NetLocalGroupMember" -or $_.message -match "Get-NetShare" -or $_.message -match "Get-NetLoggedon" -or $_.message -match "Get-NetSession" -or $_.message -match "Get-LoggedOnLocal" -or $_.message -match "Get-RegLoggedOn" -or $_.message -match "Get-NetRDPSession" -or $_.message -match "Invoke-CheckLocalAdminAccess" -or $_.message -match "Test-AdminAccess" -or $_.message -match "Get-SiteName" -or $_.message -match "Get-NetComputerSiteName" -or $_.message -match "Get-Proxy" -or $_.message -match "Get-WMIRegProxy" -or $_.message -match "Get-LastLoggedOn" -or $_.message -match "Get-WMIRegLastLoggedOn" -or 
$_.message -match "Get-CachedRDPConnection" -or $_.message -match "Get-WMIRegCachedRDPConnection" -or $_.message -match "Get-RegistryMountedDrive" -or $_.message -match "Get-WMIRegMountedDrive" -or $_.message -match "Get-NetProcess" -or $_.message -match "Get-WMIProcess" -or $_.message -match "Find-InterestingFile" -or $_.message -match "Invoke-UserHunter" -or $_.message -match "Find-DomainUserLocation" -or $_.message -match "Invoke-ProcessHunter" -or $_.message -match "Find-DomainProcess" -or $_.message -match "Invoke-EventHunter" -or $_.message -match "Find-DomainUserEvent" -or $_.message -match "Invoke-ShareFinder" -or $_.message -match "Find-DomainShare" -or $_.message -match "Invoke-FileFinder" -or $_.message -match "Find-InterestingDomainShareFile" -or $_.message -match "Find-LocalAdminAccess" -or $_.message -match "Invoke-EnumerateLocalAdmin" -or $_.message -match "Find-DomainLocalGroupMember" -or $_.message -match "Get-NetDomainTrust" -or $_.message -match "Get-DomainTrust" -or $_.message -match "Get-NetForestTrust" -or $_.message -match "Get-ForestTrust" -or $_.message -match "Find-ForeignUser" -or $_.message -match "Get-DomainForeignUser" -or $_.message -match "Find-ForeignGroup" -or $_.message -match "Get-DomainForeignGroupMember" -or $_.message -match "Invoke-MapDomainTrust" -or $_.message -match "Get-DomainTrustMapping")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_prompt_credentials.ps1 b/Rules/sigma_tmp/powershell_prompt_credentials.ps1
new file mode 100644
index 00000000..73a6f3e8
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_prompt_credentials.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*PromptForCredential.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
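Review bot: The Where-Object filter in powershell_powerview_malicious_commandlets.ps1 is a single line of well over a hundred `-or $_.message -match "..."` clauses, which is hard to review, easy to break with one missed quote, and evaluates every one of those regexes against each event until one hits. Keeping the function names in an array and joining them into one escaped alternation gives the same matches with a single regex evaluation per event and a diff-friendly, one-name-per-line list. The names on this page contain only letters and `-`, so `[regex]::Escape` is a safeguard for future entries rather than a behaviour change.

```powershell
$powerViewNames = @(
    'Export-PowerViewCSV', 'Get-IPAddress', 'Resolve-IPAddress',
    # … unchanged: the remaining PowerView function names from the hunk, one per line …
    'Invoke-MapDomainTrust', 'Get-DomainTrustMapping'
)
$powerViewRegex = ($powerViewNames | ForEach-Object { [regex]::Escape($_) }) -join '|'
Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational |
    Where-Object { $_.Id -eq 4104 -and $_.Message -match $powerViewRegex } |
    Select-Object TimeCreated,Id,RecordId,ProcessId,MachineName,Message
```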
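Review bot: The pattern `ScriptBlockText.*.*PromptForCredential.*` in the powershell_prompt_credentials hunk requires the literal field name `ScriptBlockText` to occur in `$_.message`, but as far as I recall the rendered Message of event 4104 reads `Creating Scriptblock text (1 of 1):` followed by the script body, with `ScriptBlockText` present only as a Data name in the event XML — in which case this filter never fires. Matching the value itself, `$_.message -match "PromptForCredential"` (or the ScriptBlockText entry of `$_.Properties`), removes the dependency on the label; please confirm against a live 4104 event, and note that `.*.*` is just `.*`. The same `ScriptBlockText.*` prefix is used by the shellcode_b64, suspicious_export_pfxcertificate, suspicious_getprocess_lsass, suspicious_mail_acces, suspicious_mounted_share_deletion, suspicious_recon, timestomp, winlogon_helper_dll, wmimplant and poweshell_detect_vm_env hunks.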
diff --git a/Rules/sigma_tmp/powershell_psattack.ps1 b/Rules/sigma_tmp/powershell_psattack.ps1
new file mode 100644
index 00000000..85411ff1
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_psattack.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4103" -and $_.message -match "PS ATTACK!!!") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_remote_powershell_session.ps1 b/Rules/sigma_tmp/powershell_remote_powershell_session.ps1
new file mode 100644
index 00000000..bb57f2b7
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_remote_powershell_session.ps1
@@ -0,0 +1,2 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4103" -and $_.message -match "HostName.*ServerRemoteHost" -and $_.message -match "HostApplication.*.*wsmprovhost.exe.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Windows PowerShell | where {($_.ID -eq "400" -and $_.message -match "HostName.*ServerRemoteHost" -and $_.message -match "HostApplication.*.*wsmprovhost.exe.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_renamed_powershell.ps1 b/Rules/sigma_tmp/powershell_renamed_powershell.ps1
new file mode 100644
index 00000000..2dd1f9a4
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_renamed_powershell.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Windows PowerShell | where {(($_.ID -eq "400" -and $_.message -match "HostName.*ConsoleHost") -and -not (($_.message -match "HostApplication.*powershell.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_shellcode_b64.ps1 b/Rules/sigma_tmp/powershell_shellcode_b64.ps1
new file mode 100644
index 00000000..84c58846
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_shellcode_b64.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*AAAAYInlM.*" -and ($_.message -match "ScriptBlockText.*.*OiCAAAAYInlM.*" -or $_.message -match "ScriptBlockText.*.*OiJAAAAYInlM.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_suspicious_download.ps1 b/Rules/sigma_tmp/powershell_suspicious_download.ps1
new file mode 100644
index 00000000..0160c4c3
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_suspicious_download.ps1
@@ -0,0 +1,2 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.message -match ".*System.Net.WebClient.*" -and ($_.message -match ".*.DownloadFile(.*" -or $_.message -match ".*.DownloadString(.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Windows PowerShell | where {($_.ID -eq "400" -and $_.message -match "HostApplication.*.*System.Net.WebClient.*" -and ($_.message -match "HostApplication.*.*.DownloadFile(.*" -or $_.message -match "HostApplication.*.*.DownloadString(.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_suspicious_export_pfxcertificate.ps1 b/Rules/sigma_tmp/powershell_suspicious_export_pfxcertificate.ps1
new file mode 100644
index 00000000..6e7d0b5e
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_suspicious_export_pfxcertificate.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*Export-PfxCertificate.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_suspicious_getprocess_lsass.ps1 b/Rules/sigma_tmp/powershell_suspicious_getprocess_lsass.ps1
new file mode 100644
index 00000000..a75e080f
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_suspicious_getprocess_lsass.ps1
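Review bot: In the powershell_suspicious_download hunk, `.DownloadFile(.*` and `.DownloadString(.*` contain an unescaped `(` that opens a regex group which is never closed, so `-match` throws a pattern-parse error on the first event instead of filtering; all four occurrences across the two added lines are affected. Escape the metacharacters, e.g. `"\.DownloadFile\("` and `"\.DownloadString\("`, and `System\.Net\.WebClient` while at it so the dots stop acting as wildcards. The second line's `-LogName Windows PowerShell` also needs quoting as `'Windows PowerShell'` for the log name to bind as one argument.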
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*Get-Process lsass.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_suspicious_invocation_generic.ps1 b/Rules/sigma_tmp/powershell_suspicious_invocation_generic.ps1
new file mode 100644
index 00000000..755efd8e
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_suspicious_invocation_generic.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {(($_.message -match " -enc " -or $_.message -match " -EncodedCommand ") -and ($_.message -match " -w hidden " -or $_.message -match " -window hidden " -or $_.message -match " -windowstyle hidden ") -and ($_.message -match " -noni " -or $_.message -match " -noninteractive ")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_suspicious_invocation_specific.ps1 b/Rules/sigma_tmp/powershell_suspicious_invocation_specific.ps1
new file mode 100644
index 00000000..819612c6
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_suspicious_invocation_specific.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {((($_.message -match ".*-nop.*" -and $_.message -match ".* -w .*" -and $_.message -match ".*hidden.*" -and $_.message -match ".* -c .*" -and $_.message -match ".*[Convert]::FromBase64String.*") -or ($_.message -match ".* -w .*" -and $_.message -match ".*hidden.*" -and $_.message -match ".*-noni.*" -and $_.message -match ".*-nop.*" -and $_.message -match ".* -c .*" -and $_.message -match ".*iex.*" -and $_.message -match ".*New-Object.*") -or ($_.message -match ".* -w .*" -and $_.message -match ".*hidden.*" -and $_.message -match ".*-ep.*" -and $_.message -match ".*bypass.*" -and $_.message -match ".*-Enc.*") -or ($_.message -match ".*powershell.*" -and $_.message -match ".*reg.*" -and $_.message -match ".*add.*" -and $_.message -match ".*HKCU\\software\\microsoft\\windows\\currentversion\\run.*") -or ($_.message -match ".*bypass.*" -and $_.message -match ".*-noprofile.*" -and $_.message -match ".*-windowstyle.*" -and $_.message -match ".*hidden.*" -and $_.message -match ".*new-object.*" -and $_.message -match ".*system.net.webclient.*" -and $_.message -match ".*.download.*") -or ($_.message -match ".*iex.*" -and $_.message -match ".*New-Object.*" -and $_.message -match ".*Net.WebClient.*" -and $_.message -match ".*.Download.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_suspicious_keywords.ps1 b/Rules/sigma_tmp/powershell_suspicious_keywords.ps1
new file mode 100644
index 00000000..dd59e856
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_suspicious_keywords.ps1
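Review bot: In `.*[Convert]::FromBase64String.*` the square brackets are a regex character class, so the pattern matches one character from the set `C o n v e r t` immediately followed by `::FromBase64String`; because `]` is not in that set, the real text `[Convert]::FromBase64String` never matches and the first alternative of this rule is dead. Escape the brackets: `"\[Convert\]::FromBase64String"`. The same unescaped `[...]::` construct appears in the powershell_suspicious_keywords hunk (`[System.Reflection.Assembly]::Load`, `[Reflection.Assembly]::Load`) and in all three `[IO.File]::Set*Time` patterns of the powershell_timestomp hunk.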
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {(($_.message -match ".*System.Reflection.Assembly.Load.*" -or $_.message -match ".*[System.Reflection.Assembly]::Load.*" -or $_.message -match ".*[Reflection.Assembly]::Load.*" -or $_.message -match ".*System.Reflection.AssemblyName.*" -or $_.message -match ".*Reflection.Emit.AssemblyBuilderAccess.*" -or $_.message -match ".*Runtime.InteropServices.DllImportAttribute.*" -or $_.message -match ".*SuspendThread.*" -or $_.message -match ".*rundll32.*" -or $_.message -match ".*FromBase64.*" -or $_.message -match ".*Invoke-WMIMethod.*" -or $_.message -match ".*http://127.0.0.1.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_suspicious_mail_acces.ps1 b/Rules/sigma_tmp/powershell_suspicious_mail_acces.ps1
new file mode 100644
index 00000000..34399bb4
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_suspicious_mail_acces.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*Get-Inbox.ps1.*" -or $_.message -match "ScriptBlockText.*.*Microsoft.Office.Interop.Outlook.*" -or $_.message -match "ScriptBlockText.*.*Microsoft.Office.Interop.Outlook.olDefaultFolders.*" -or $_.message -match "ScriptBlockText.*.*-comobject outlook.application.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_suspicious_mounted_share_deletion.ps1 b/Rules/sigma_tmp/powershell_suspicious_mounted_share_deletion.ps1
new file mode 100644
index 00000000..560da73c
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_suspicious_mounted_share_deletion.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*Remove-SmbShare.*" -or $_.message -match "ScriptBlockText.*.*Remove-FileShare.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_suspicious_profile_create.ps1 b/Rules/sigma_tmp/powershell_suspicious_profile_create.ps1
new file mode 100644
index 00000000..18c2dd27
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_suspicious_profile_create.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*\\profile.ps1.*" -and ($_.message -match "TargetFilename.*.*\\My Documents\\PowerShell\\.*" -or $_.message -match "TargetFilename.*.*C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_suspicious_recon.ps1 b/Rules/sigma_tmp/powershell_suspicious_recon.ps1
new file mode 100644
index 00000000..91505ccd
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_suspicious_recon.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*Get-Service .*" -or $_.message -match "ScriptBlockText.*.*Get-ChildItem .*" -or $_.message -match "ScriptBlockText.*.*Get-Process .*") -and $_.message -match "ScriptBlockText.*.*> $env:TEMP\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_tamper_with_windows_defender.ps1 b/Rules/sigma_tmp/powershell_tamper_with_windows_defender.ps1
new file mode 100644
index 00000000..9dd30910
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_tamper_with_windows_defender.ps1
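Review bot: `"ScriptBlockText.*.*> $env:TEMP\\.*"` in the powershell_suspicious_recon hunk is a double-quoted string, so `$env:TEMP` is expanded on the analyst's machine at query time (to a path such as `C:\Users\<analyst>\AppData\Local\Temp` — constructed example) rather than matching the literal `$env:TEMP` in the logged script, and the expanded backslash sequences (`\U`, `\A`, ...) then reach the regex engine as escapes that either mis-anchor or fail to parse. Use a single-quoted string with the `$` escaped for the regex: `'ScriptBlockText.*> \$env:TEMP\\'`. The `%TEMP%` pattern in the process_creation_susp_recon hunk is not affected, since PowerShell does not interpolate cmd-style variables.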
@@ -0,0 +1 @@
+Get-WinEvent | where {($_.ID -eq "600" -and $_.message -match "HostApplication.*.*Set-MpPreference.*" -and ($_.message -match "HostApplication.*.*-DisableRealtimeMonitoring 1.*" -or $_.message -match "HostApplication.*.*-DisableBehaviorMonitoring 1.*" -or $_.message -match "HostApplication.*.*-DisableScriptScanning 1.*" -or $_.message -match "HostApplication.*.*-DisableBlockAtFirstSeen 1.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_timestomp.ps1 b/Rules/sigma_tmp/powershell_timestomp.ps1
new file mode 100644
index 00000000..a0fe5b86
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_timestomp.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*.CreationTime =.*" -or $_.message -match "ScriptBlockText.*.*.LastWriteTime =.*" -or $_.message -match "ScriptBlockText.*.*.LastAccessTime =.*" -or $_.message -match "ScriptBlockText.*.*[IO.File]::SetCreationTime.*" -or $_.message -match "ScriptBlockText.*.*[IO.File]::SetLastAccessTime.*" -or $_.message -match "ScriptBlockText.*.*[IO.File]::SetLastWriteTime.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_winlogon_helper_dll.ps1 b/Rules/sigma_tmp/powershell_winlogon_helper_dll.ps1
new file mode 100644
index 00000000..040b1312
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_winlogon_helper_dll.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*CurrentVersion\\Winlogon.*" -and ($_.message -match "ScriptBlockText.*.*Set-ItemProperty.*" -or $_.message -match "ScriptBlockText.*.*New-Item.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_wmimplant.ps1 b/Rules/sigma_tmp/powershell_wmimplant.ps1
new file mode 100644
index 00000000..8442fe5f
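Review bot: The powershell_tamper_with_windows_defender hunk is the only rule in this set that calls `Get-WinEvent` without `-LogName`, so it does not target the log that event 600 is written to (the classic "Windows PowerShell" log, if I recall correctly) and, depending on the PowerShell version, either errors out or enumerates far more than intended. Add the log explicitly: `Get-WinEvent -LogName 'Windows PowerShell' | where {($_.ID -eq "600" ...`. Every sibling rule on this page names its log, so this also restores consistency.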
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_wmimplant.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {(($_.message -match "ScriptBlockText.*.*WMImplant.*" -or $_.message -match "ScriptBlockText.*.* change_user .*" -or $_.message -match "ScriptBlockText.*.* gen_cli .*" -or $_.message -match "ScriptBlockText.*.* command_exec .*" -or $_.message -match "ScriptBlockText.*.* disable_wdigest .*" -or $_.message -match "ScriptBlockText.*.* disable_winrm .*" -or $_.message -match "ScriptBlockText.*.* enable_wdigest .*" -or $_.message -match "ScriptBlockText.*.* enable_winrm .*" -or $_.message -match "ScriptBlockText.*.* registry_mod .*" -or $_.message -match "ScriptBlockText.*.* remote_posh .*" -or $_.message -match "ScriptBlockText.*.* sched_job .*" -or $_.message -match "ScriptBlockText.*.* service_mod .*" -or $_.message -match "ScriptBlockText.*.* process_kill .*" -or $_.message -match "ScriptBlockText.*.* active_users .*" -or $_.message -match "ScriptBlockText.*.* basic_info .*" -or $_.message -match "ScriptBlockText.*.* power_off .*" -or $_.message -match "ScriptBlockText.*.* vacant_system .*" -or $_.message -match "ScriptBlockText.*.* logon_events .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_wsman_com_provider_no_powershell.ps1 b/Rules/sigma_tmp/powershell_wsman_com_provider_no_powershell.ps1
new file mode 100644
index 00000000..cb44d5b1
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_wsman_com_provider_no_powershell.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.message -match ".*ProviderName=WSMan.*" -and -not ($_.message -match ".*HostApplication=.*powershell.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/powershell_xor_commandline.ps1 b/Rules/sigma_tmp/powershell_xor_commandline.ps1
new file mode 100644
index 00000000..989a6691
--- /dev/null
+++ b/Rules/sigma_tmp/powershell_xor_commandline.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Windows PowerShell | where {($_.ID -eq "400" -and $_.message -match "HostName.*ConsoleHost" -and ($_.message -match "CommandLine.*.*bxor.*" -or $_.message -match "CommandLine.*.*join.*" -or $_.message -match "CommandLine.*.*char.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/poweshell_detect_vm_env.ps1 b/Rules/sigma_tmp/poweshell_detect_vm_env.ps1
new file mode 100644
index 00000000..e062b515
--- /dev/null
+++ b/Rules/sigma_tmp/poweshell_detect_vm_env.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*Get-WmiObject.*" -and ($_.message -match "ScriptBlockText.*.*MSAcpi_ThermalZoneTemperature.*" -or $_.message -match "ScriptBlockText.*.*Win32_ComputerSystem.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/process_creation_SDelete.ps1 b/Rules/sigma_tmp/process_creation_SDelete.ps1
new file mode 100644
index 00000000..0fdf3e9e
--- /dev/null
+++ b/Rules/sigma_tmp/process_creation_SDelete.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and $_.message -match "OriginalFileName.*sdelete.exe" -and -not (($_.message -match "CommandLine.*.* -h.*" -or $_.message -match "CommandLine.*.* -c.*" -or $_.message -match "CommandLine.*.* -z.*" -or $_.message -match "CommandLine.*.* /?.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/process_creation_automated_collection.ps1 b/Rules/sigma_tmp/process_creation_automated_collection.ps1
new file mode 100644
index 00000000..1027a996
--- /dev/null
+++ b/Rules/sigma_tmp/process_creation_automated_collection.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*.doc.*" -or $_.message -match "CommandLine.*.*.docx.*" -or $_.message -match "CommandLine.*.*.xls.*" -or $_.message -match "CommandLine.*.*.xlsx.*" -or $_.message -match "CommandLine.*.*.ppt.*" -or $_.message -match "CommandLine.*.*.pptx.*" -or $_.message -match "CommandLine.*.*.rtf.*" -or $_.message -match "CommandLine.*.*.pdf.*" -or $_.message -match "CommandLine.*.*.txt.*") -and ($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*dir .*" -and $_.message -match "CommandLine.*.* /b .*" -and $_.message -match "CommandLine.*.* /s .*") -or ($_.message -match "OriginalFileName.*FINDSTR.EXE" -and $_.message -match "CommandLine.*.* /e .*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/process_creation_c3_load_by_rundll32.ps1 b/Rules/sigma_tmp/process_creation_c3_load_by_rundll32.ps1
new file mode 100644
index 00000000..2ce037c4
--- /dev/null
+++ b/Rules/sigma_tmp/process_creation_c3_load_by_rundll32.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*rundll32.exe.*" -and $_.message -match "CommandLine.*.*.dll.*" -and $_.message -match "CommandLine.*.*StartNodeRelay.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/process_creation_clip.ps1 b/Rules/sigma_tmp/process_creation_clip.ps1
new file mode 100644
index 00000000..94623367
--- /dev/null
+++ b/Rules/sigma_tmp/process_creation_clip.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "OriginalFileName.*clip.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
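Review bot: The extension patterns in the process_creation_automated_collection hunk — `CommandLine.*.*.doc.*`, `.*.xls.*`, `.*.txt.*` and so on — leave the `.` unescaped, so `.doc` means "any character followed by doc" and matches `Documents` or `docker` as readily as a `.doc` file, reducing the rule to "any `dir /b /s` or `findstr /e`". Escape the dot and bound the extension, e.g. `"CommandLine.*\.docx?\b"`, `"CommandLine.*\.xlsx?\b"`. The second `($_.ID -eq "1")` clause in the same filter is redundant and can be dropped. The process_creation_discover_private_keys hunk has the same issue (`.key` matches `hotkey`, `.cer` matches `officer`).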
diff --git a/Rules/sigma_tmp/process_creation_cobaltstrike_load_by_rundll32.ps1 b/Rules/sigma_tmp/process_creation_cobaltstrike_load_by_rundll32.ps1
new file mode 100644
index 00000000..b0ee592a
--- /dev/null
+++ b/Rules/sigma_tmp/process_creation_cobaltstrike_load_by_rundll32.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*rundll32.exe.*" -and $_.message -match "CommandLine.*.*.dll.*" -and $_.message -match "CommandLine.*.*StartW.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/process_creation_discover_private_keys.ps1 b/Rules/sigma_tmp/process_creation_discover_private_keys.ps1
new file mode 100644
index 00000000..f2845d81
--- /dev/null
+++ b/Rules/sigma_tmp/process_creation_discover_private_keys.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*dir .*" -or $_.message -match "CommandLine.*.*findstr .*") -and ($_.message -match "CommandLine.*.*.key.*" -or $_.message -match "CommandLine.*.*.pgp.*" -or $_.message -match "CommandLine.*.*.gpg.*" -or $_.message -match "CommandLine.*.*.ppk.*" -or $_.message -match "CommandLine.*.*.p12.*" -or $_.message -match "CommandLine.*.*.pem.*" -or $_.message -match "CommandLine.*.*.pfx.*" -or $_.message -match "CommandLine.*.*.cer.*" -or $_.message -match "CommandLine.*.*.p7b.*" -or $_.message -match "CommandLine.*.*.asc.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/process_creation_dotnet.ps1 b/Rules/sigma_tmp/process_creation_dotnet.ps1
new file mode 100644
index 00000000..5cbe2a99
--- /dev/null
+++ b/Rules/sigma_tmp/process_creation_dotnet.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*.dll" -or $_.message -match "CommandLine.*.*.csproj") -and ($_.message -match "Image.*.*\\dotnet.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/process_creation_infdefaultinstall.ps1 b/Rules/sigma_tmp/process_creation_infdefaultinstall.ps1
new file mode 100644
index 00000000..736e5df4
--- /dev/null
+++ b/Rules/sigma_tmp/process_creation_infdefaultinstall.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*InfDefaultInstall.exe .*" -and $_.message -match "CommandLine.*.*.inf.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/process_creation_msdeploy.ps1 b/Rules/sigma_tmp/process_creation_msdeploy.ps1
new file mode 100644
index 00000000..c1ef4cff
--- /dev/null
+++ b/Rules/sigma_tmp/process_creation_msdeploy.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*verb:sync.*" -and $_.message -match "CommandLine.*.*-source:RunCommand.*" -and $_.message -match "CommandLine.*.*-dest:runCommand.*" -and ($_.message -match "Image.*.*\\msdeploy.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/process_creation_protocolhandler_suspicious_file.ps1 b/Rules/sigma_tmp/process_creation_protocolhandler_suspicious_file.ps1
new file mode 100644
index 00000000..a803c66d
--- /dev/null
+++ b/Rules/sigma_tmp/process_creation_protocolhandler_suspicious_file.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\protocolhandler.exe" -and $_.message -match "CommandLine.*.*\"ms-word.*" -and $_.message -match "CommandLine.*.*.docx\".*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/process_creation_susp_7z.ps1 b/Rules/sigma_tmp/process_creation_susp_7z.ps1
new file mode 100644
index 00000000..3fc95a58
--- /dev/null
+++ b/Rules/sigma_tmp/process_creation_susp_7z.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*7z.exe.*" -or $_.message -match "CommandLine.*.*7za.exe.*") -and $_.message -match "CommandLine.*.* -p.*" -and ($_.message -match "CommandLine.*.* a .*" -or $_.message -match "CommandLine.*.* u .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/process_creation_susp_recon.ps1 b/Rules/sigma_tmp/process_creation_susp_recon.ps1
new file mode 100644
index 00000000..a0bb3e0f
--- /dev/null
+++ b/Rules/sigma_tmp/process_creation_susp_recon.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\tree.com" -or $_.message -match "Image.*.*\\WMIC.exe" -or $_.message -match "Image.*.*\\doskey.exe" -or $_.message -match "Image.*.*\\sc.exe") -and $_.message -match "ParentCommandLine.*.* > %TEMP%\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/process_creation_susp_winzip.ps1 b/Rules/sigma_tmp/process_creation_susp_winzip.ps1
new file mode 100644
index 00000000..c27709ad
--- /dev/null
+++ b/Rules/sigma_tmp/process_creation_susp_winzip.ps1
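Review bot: `"CommandLine.*.*\"ms-word.*"` in the process_creation_protocolhandler_suspicious_file hunk uses `\"` to embed a quote, but PowerShell's escape character is the backtick, so the `"` after the backslash terminates the string and the rest of the line becomes a parse error — the rule never runs. Write the embedded quote as a doubled quote instead, e.g. `"CommandLine.*""ms-word.*"` and `"CommandLine.*\.docx"".*"`. The same `\"` appears in the process_creation_susp_winzip hunk (`-s\"`) and in both SyncAppvPublishingServer hunks (`\"n; ` and `\"n;`).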
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*winzip.exe.*" -or $_.message -match "CommandLine.*.*winzip64.exe.*") -and ($_.message -match "CommandLine.*.*-s\".*") -and ($_.message -match "CommandLine.*.* -min .*" -or $_.message -match "CommandLine.*.* -a .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.ps1 b/Rules/sigma_tmp/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.ps1
new file mode 100644
index 00000000..dfa14fdb
--- /dev/null
+++ b/Rules/sigma_tmp/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\SyncAppvPublishingServer.exe" -and $_.message -match "CommandLine.*.*\"n; .*" -and $_.message -match "CommandLine.*.* Start-Process .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/process_creation_syncappvpublishingserver_vbs_execute_powershell.ps1 b/Rules/sigma_tmp/process_creation_syncappvpublishingserver_vbs_execute_powershell.ps1
new file mode 100644
index 00000000..7ab7164a
--- /dev/null
+++ b/Rules/sigma_tmp/process_creation_syncappvpublishingserver_vbs_execute_powershell.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*\\SyncAppvPublishingServer.vbs.*" -and $_.message -match "CommandLine.*.*\"n;.*" -and $_.message -match "CommandLine.*.*Start-Process .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/process_mailboxexport_share.ps1 b/Rules/sigma_tmp/process_mailboxexport_share.ps1
new file mode 100644
index 00000000..43b705e0
--- /dev/null
+++ b/Rules/sigma_tmp/process_mailboxexport_share.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*New-MailboxExport.*" -and $_.message -match "CommandLine.*.* -Mailbox .*" -and $_.message -match "CommandLine.*.* -FilePath \\127.0.0.1\\C$.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/process_susp_esentutl_params.ps1 b/Rules/sigma_tmp/process_susp_esentutl_params.ps1
new file mode 100644
index 00000000..d053c57e
--- /dev/null
+++ b/Rules/sigma_tmp/process_susp_esentutl_params.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*esentutl.*" -and $_.message -match "CommandLine.*.* /p.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/silenttrinity_stager_msbuild_activity.ps1 b/Rules/sigma_tmp/silenttrinity_stager_msbuild_activity.ps1
new file mode 100644
index 00000000..589da9f1
--- /dev/null
+++ b/Rules/sigma_tmp/silenttrinity_stager_msbuild_activity.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "3" -and $_.message -match "ParentImage.*.*\\msbuild.exe" -and ($_.message -match "80" -or $_.message -match "443") -and $_.message -match "Initiated.*true") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_abusing_azure_browser_sso.ps1 b/Rules/sigma_tmp/sysmon_abusing_azure_browser_sso.ps1
new file mode 100644
index 00000000..f507081f
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_abusing_azure_browser_sso.ps1
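Review bot: In the process_mailboxexport_share hunk, the `$` in `-FilePath \\127.0.0.1\\C$.*` is a regex end-of-line anchor, not the literal `$` of the administrative share, so the pattern requires `\127.0.0.1\C` at the end of a line and cannot match a command line that continues after `C$` (e.g. with a file name). Escape it for the regex, and the dots while at it: `"CommandLine.*-FilePath \\127\.0\.0\.1\\C\$"`. I believe the double-quoted string passes `\$` through to the regex unchanged, but it is worth a quick check in the shell.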
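Review bot: `($_.message -match "80" -or $_.message -match "443")` in the silenttrinity_stager_msbuild_activity hunk tests the entire Sysmon network-connection message for the substrings `80` and `443`, which also occur in process IDs, ephemeral source ports, GUIDs and timestamps, so nearly every outbound connection from msbuild.exe would match regardless of destination port. Anchor the check to the field, e.g. `$_.message -match "DestinationPort: (80|443)\b"`, following the `Initiated.*true` style already used in the same filter. Please confirm the `DestinationPort:` label against a rendered event 3 message before merging.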
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "7") -and $_.message -match "ImageLoaded.*.*MicrosoftAccountTokenProvider.dll" -and -not (($_.message -match "Image.*.*BackgroundTaskHost.exe" -or $_.message -match "Image.*.*devenv.exe" -or $_.message -match "Image.*.*iexplore.exe" -or $_.message -match "Image.*.*MicrosoftEdge.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_abusing_debug_privilege.ps1 b/Rules/sigma_tmp/sysmon_abusing_debug_privilege.ps1
new file mode 100644
index 00000000..14bee999
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_abusing_debug_privilege.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "ParentImage.*.*\\winlogon.exe" -or $_.message -match "ParentImage.*.*\\services.exe" -or $_.message -match "ParentImage.*.*\\lsass.exe" -or $_.message -match "ParentImage.*.*\\csrss.exe" -or $_.message -match "ParentImage.*.*\\smss.exe" -or $_.message -match "ParentImage.*.*\\wininit.exe" -or $_.message -match "ParentImage.*.*\\spoolsv.exe" -or $_.message -match "ParentImage.*.*\\searchindexer.exe") -and ($_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\cmd.exe") -and $_.message -match "User.*NT AUTHORITY\\SYSTEM") -and -not ($_.message -match "CommandLine.*.* route .*" -and $_.message -match "CommandLine.*.* ADD .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_accesschk_usage_after_priv_escalation.ps1 b/Rules/sigma_tmp/sysmon_accesschk_usage_after_priv_escalation.ps1
new file mode 100644
index 00000000..a34d198c
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_accesschk_usage_after_priv_escalation.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "IntegrityLevel.*Medium" -and ($_.ID -eq "1") -and ($_.message -match "Product.*.*AccessChk" -or $_.message -match "Description.*.*Reports effective permissions.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_accessing_winapi_in_powershell_credentials_dumping.ps1 b/Rules/sigma_tmp/sysmon_accessing_winapi_in_powershell_credentials_dumping.ps1
new file mode 100644
index 00000000..b3969cb8
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_accessing_winapi_in_powershell_credentials_dumping.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "8" -or $_.ID -eq "10") -and $_.message -match "SourceImage.*.*\\powershell.exe" -and $_.message -match "TargetImage.*.*\\lsass.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_ads_executable.ps1 b/Rules/sigma_tmp/sysmon_ads_executable.ps1
new file mode 100644
index 00000000..3725a6b5
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_ads_executable.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "15") -and -not (($_.message -match "Imphash.*00000000000000000000000000000000") -or (-not Imphash="*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_alternate_powershell_hosts_moduleload.ps1 b/Rules/sigma_tmp/sysmon_alternate_powershell_hosts_moduleload.ps1
new file mode 100644
index 00000000..f51004a4
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_alternate_powershell_hosts_moduleload.ps1
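Review bot: `($_.ID -eq "1")` is tested twice in the sysmon_accesschk_usage_after_priv_escalation filter — once at the front and again after the `IntegrityLevel.*Medium` check — and the second occurrence adds nothing; drop it so the expression reads `($_.ID -eq "1" -and $_.message -match "IntegrityLevel.*Medium" -and ($_.message -match "Product.*.*AccessChk" -or $_.message -match "Description.*.*Reports effective permissions.*"))`. The same duplicated event-ID test appears in the sysmon_cobaltstrike_service_installs hunk (`($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")` twice) and as per-group repeats inside sysmon_asep_reg_keys_modification. If these files come out of a converter, the redundancy suggests the rule's event-ID selection is being expanded into each sub-selection and is better fixed at the source.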
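Review bot: `(-not Imphash="*")` in the sysmon_ads_executable hunk is not a PowerShell expression — `Imphash` is a bare word, not a property access or string — so the script block fails to parse and the rule cannot run at all. The intent appears to be "Imphash absent" (a Sigma null-value test); in this message-regex style that is `-not ($_.message -match "Imphash.*")`, giving `-not (($_.message -match "Imphash.*00000000000000000000000000000000") -or (-not ($_.message -match "Imphash.*")))`, but confirm that Sysmon Event ID 15 messages in your configuration actually carry an Imphash value (it may only appear inside the `Hash` field) before relying on that exclusion. The sysmon_cactustorch hunk has the same defect with `-and -not StartModule="*"`; Sysmon renders an empty field as `-` in the message text, so something like `-and $_.message -match "StartModule: -"` is the closest equivalent — verify against a sample Event ID 8 record.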
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "7") -and ($_.message -match "Description.*System.Management.Automation" -and $_.message -match "ImageLoaded.*.*System.Management.Automation.*") -and -not ($_.message -match "Image.*.*\\powershell.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_alternate_powershell_hosts_pipe.ps1 b/Rules/sigma_tmp/sysmon_alternate_powershell_hosts_pipe.ps1
new file mode 100644
index 00000000..f266a4ed
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_alternate_powershell_hosts_pipe.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "17" -or $_.ID -eq "18")) -and $_.message -match "PipeName.*\\PSHost.*" -and -not (($_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\powershell_ise.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.ps1 b/Rules/sigma_tmp/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.ps1
new file mode 100644
index 00000000..285803ca
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\powershell.exe") -and $_.message -match "ParentImage.*.*\\Windows\\Installer\\.*" -and $_.message -match "ParentImage.*.*msi.*" -and ($_.message -match "ParentImage.*.*tmp")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_always_install_elevated_windows_installer.ps1 b/Rules/sigma_tmp/sysmon_always_install_elevated_windows_installer.ps1
new file mode 100644
index 00000000..4c44c06f
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_always_install_elevated_windows_installer.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "User.*NT AUTHORITY\\SYSTEM" -and (($_.message -match "Image.*.*\\Windows\\Installer\\.*" -and $_.message -match "Image.*.*msi.*" -and ($_.message -match "Image.*.*tmp")) -or (($_.message -match "Image.*.*\\msiexec.exe") -and $_.message -match "IntegrityLevel.*System"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_apt_leviathan.ps1 b/Rules/sigma_tmp/sysmon_apt_leviathan.ps1
new file mode 100644
index 00000000..67f1bcd4
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_apt_leviathan.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ntkd") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_apt_muddywater_dnstunnel.ps1 b/Rules/sigma_tmp/sysmon_apt_muddywater_dnstunnel.ps1
new file mode 100644
index 00000000..b0f87bd1
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_apt_muddywater_dnstunnel.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\powershell.exe") -and ($_.message -match "ParentImage.*.*\\excel.exe") -and ($_.message -match "CommandLine.*.*DataExchange.dll.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_apt_oceanlotus_registry.ps1 b/Rules/sigma_tmp/sysmon_apt_oceanlotus_registry.ps1
new file mode 100644
index 00000000..eb551f68
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_apt_oceanlotus_registry.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ((($_.message -match "HKCR\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model") -and ($_.message -match "TargetObject.*.*\\SOFTWARE\\App\\AppXbf13d4ea2945444d8b13e2121cb6b663\\Application" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\App\\AppXbf13d4ea2945444d8b13e2121cb6b663\\DefaultIcon" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\App\\AppX70162486c7554f7f80f481985d67586d\\Application" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\App\\AppX70162486c7554f7f80f481985d67586d\\DefaultIcon" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\App\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\Application" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\App\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\DefaultIcon")) -or (($_.message -match "TargetObject.*HKU\\.*") -and ($_.message -match "TargetObject.*.*_Classes\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\.*" -or $_.message -match "TargetObject.*.*_Classes\\AppX3bbba44c6cae4d9695755183472171e2\\.*" -or $_.message -match "TargetObject.*.*_Classes\\CLSID\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\.*" -or $_.message -match "TargetObject.*.*_Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_apt_pandemic.ps1 b/Rules/sigma_tmp/sysmon_apt_pandemic.ps1
new file mode 100644
index 00000000..75739c9c
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_apt_pandemic.ps1
@@ -0,0 +1,2 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*\\SYSTEM\\CurrentControlSet\\services\\null\\Instance.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*loaddll -a .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_apt_sourgrum.ps1 b/Rules/sigma_tmp/sysmon_apt_sourgrum.ps1
new file mode 100644
index 00000000..25eb423d
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_apt_sourgrum.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*windows\\system32\\Physmem.sys.*" -or ($_.message -match "Image.*.*Windows\\system32\\ime\\SHARED\\WimBootConfigurations.ini.*" -or $_.message -match "Image.*.*Windows\\system32\\ime\\IMEJP\\WimBootConfigurations.ini.*" -or $_.message -match "Image.*.*Windows\\system32\\ime\\IMETC\\WimBootConfigurations.ini.*")) -or ($_.ID -eq "1" -and ($_.message -match "Image.*.*windows\\system32\\filepath2.*" -or $_.message -match "Image.*.*windows\\system32\\ime.*") -and ($_.message -match "CommandLine.*.*reg add.*") -and ($_.message -match "CommandLine.*.*HKEY_LOCAL_MACHINE\\software\\classes\\clsid\\{7c857801-7381-11cf-884d-00aa004b2e24}\\inprocserver32.*" -or $_.message -match "CommandLine.*.*HKEY_LOCAL_MACHINE\\software\\classes\\clsid\\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\\inprocserver32.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_apt_turla_namedpipes.ps1 b/Rules/sigma_tmp/sysmon_apt_turla_namedpipes.ps1
new file mode 100644
index 00000000..b14d9998
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_apt_turla_namedpipes.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "17" -or $_.ID -eq "18") -and ($_.message -match "\\atctl" -or $_.message -match "\\userpipe" -or $_.message -match "\\iehelper" -or $_.message -match "\\sdlrpc" -or $_.message -match "\\comnap")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_asep_reg_keys_modification.ps1 b/Rules/sigma_tmp/sysmon_asep_reg_keys_modification.ps1
new file mode 100644
index 00000000..2b159ade
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_asep_reg_keys_modification.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ((((((((((((($_.message -match "TargetObject.*.*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows CE Services\\AutoStart.*" -or $_.message -match "TargetObject.*.*\\Software\\Wow6432Node\\Microsoft\\Command Processor\\Autorun.*" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components.*" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnDisconnect.*" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnConnect.*" -or $_.message -match "TargetObject.*.*\\SYSTEM\\Setup\\CmdLine.*" -or $_.message -match "TargetObject.*.*\\Software\\Microsoft\\Ctf\\LangBarAddin.*" -or $_.message -match "TargetObject.*.*\\Software\\Microsoft\\Command Processor\\Autorun.*" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components.*" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Classes\\Protocols\\Handler.*" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Classes\\Protocols\\Filter.*" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Classes\\Htmlfile\\Shell\\Open\\Command\\(Default).*" -or $_.message -match "TargetObject.*.*\\Environment\\UserInitMprLogonScript.*" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\Scrnsave.exe.*" -or $_.message -match "TargetObject.*.*\\Software\\Microsoft\\Internet Explorer\\UrlSearchHooks.*" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Internet Explorer\\Desktop\\Components.*" -or $_.message -match "TargetObject.*.*\\Software\\Classes\\Clsid\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\Inprocserver32.*" -or $_.message -match "TargetObject.*.*\\Control Panel\\Desktop\\Scrnsave.exe.*") -or ($_.message -match 
"TargetObject.*.*\\System\\CurrentControlSet\\Control\\Session Manager.*" -and ($_.message -match "TargetObject.*.*\\SetupExecute.*" -or $_.message -match "TargetObject.*.*\\S0InitialCommand.*" -or $_.message -match "TargetObject.*.*\\KnownDlls.*" -or $_.message -match "TargetObject.*.*\\Execute.*" -or $_.message -match "TargetObject.*.*\\BootExecute.*" -or $_.message -match "TargetObject.*.*\\AppCertDlls.*"))) -or ($_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion.*" -and ($_.message -match "TargetObject.*.*\\ShellServiceObjectDelayLoad.*" -or $_.message -match "TargetObject.*.*\\Run.*" -or $_.message -match "TargetObject.*.*\\Policies\\System\\Shell.*" -or $_.message -match "TargetObject.*.*\\Policies\\Explorer\\Run.*" -or $_.message -match "TargetObject.*.*\\Group Policy\\Scripts\\Startup.*" -or $_.message -match "TargetObject.*.*\\Group Policy\\Scripts\\Shutdown.*" -or $_.message -match "TargetObject.*.*\\Group Policy\\Scripts\\Logon.*" -or $_.message -match "TargetObject.*.*\\Group Policy\\Scripts\\Logoff.*" -or $_.message -match "TargetObject.*.*\\Explorer\\ShellServiceObjects.*" -or $_.message -match "TargetObject.*.*\\Explorer\\ShellIconOverlayIdentifiers.*" -or $_.message -match "TargetObject.*.*\\Explorer\\ShellExecuteHooks.*" -or $_.message -match "TargetObject.*.*\\Explorer\\SharedTaskScheduler.*" -or $_.message -match "TargetObject.*.*\\Explorer\\Browser Helper Objects.*" -or $_.message -match "TargetObject.*.*\\Authentication\\PLAP Providers.*" -or $_.message -match "TargetObject.*.*\\Authentication\\Credential Providers.*" -or $_.message -match "TargetObject.*.*\\Authentication\\Credential Provider Filters.*"))) -or ($_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion.*" -and ($_.message -match "TargetObject.*.*\\Winlogon\\VmApplet.*" -or $_.message -match "TargetObject.*.*\\Winlogon\\Userinit.*" -or $_.message -match "TargetObject.*.*\\Winlogon\\Taskman.*" -or $_.message -match 
"TargetObject.*.*\\Winlogon\\Shell.*" -or $_.message -match "TargetObject.*.*\\Winlogon\\GpExtensions.*" -or $_.message -match "TargetObject.*.*\\Winlogon\\AppSetup.*" -or $_.message -match "TargetObject.*.*\\Winlogon\\AlternateShells\\AvailableShells.*" -or $_.message -match "TargetObject.*.*\\Windows\\IconServiceLib.*" -or $_.message -match "TargetObject.*.*\\Windows\\Appinit_Dlls.*" -or $_.message -match "TargetObject.*.*\\Image File Execution Options.*" -or $_.message -match "TargetObject.*.*\\Font Drivers.*" -or $_.message -match "TargetObject.*.*\\Drivers32.*" -or $_.message -match "TargetObject.*.*\\Windows\\Run.*" -or $_.message -match "TargetObject.*.*\\Windows\\Load.*"))) -or ($_.message -match "TargetObject.*.*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion.*" -and ($_.message -match "TargetObject.*.*\\ShellServiceObjectDelayLoad.*" -or $_.message -match "TargetObject.*.*\\Run.*" -or $_.message -match "TargetObject.*.*\\Explorer\\ShellServiceObjects.*" -or $_.message -match "TargetObject.*.*\\Explorer\\ShellIconOverlayIdentifiers.*" -or $_.message -match "TargetObject.*.*\\Explorer\\ShellExecuteHooks.*" -or $_.message -match "TargetObject.*.*\\Explorer\\SharedTaskScheduler.*" -or $_.message -match "TargetObject.*.*\\Explorer\\Browser Helper Objects.*"))) -or ($_.message -match "TargetObject.*.*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion.*" -and ($_.message -match "TargetObject.*.*\\Windows\\Appinit_Dlls.*" -or $_.message -match "TargetObject.*.*\\Image File Execution Options.*" -or $_.message -match "TargetObject.*.*\\Drivers32.*"))) -or ((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "TargetObject.*.*\\Software\\Wow6432Node\\Microsoft\\Office.*" -or $_.message -match "TargetObject.*.*\\Software\\Microsoft\\Office.*") -and ($_.message -match "TargetObject.*.*\\Word\\Addins.*" -or $_.message -match "TargetObject.*.*\\PowerPoint\\Addins.*" -or $_.message -match 
"TargetObject.*.*\\Outlook\\Addins.*" -or $_.message -match "TargetObject.*.*\\Onenote\\Addins.*" -or $_.message -match "TargetObject.*.*\\Excel\\Addins.*" -or $_.message -match "TargetObject.*.*\\Access\\Addins.*" -or $_.message -match "TargetObject.*.*test\\Special\\Perf.*"))) -or ((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "TargetObject.*.*\\Software\\Wow6432Node\\Microsoft\\Internet Explorer.*" -or $_.message -match "TargetObject.*.*\\Software\\Microsoft\\Internet Explorer.*") -and ($_.message -match "TargetObject.*.*\\Toolbar.*" -or $_.message -match "TargetObject.*.*\\Extensions.*" -or $_.message -match "TargetObject.*.*\\Explorer Bars.*"))) -or ($_.message -match "TargetObject.*.*\\Software\\Wow6432Node\\Classes.*" -and ($_.message -match "TargetObject.*.*\\Folder\\ShellEx\\ExtShellFolderViews.*" -or $_.message -match "TargetObject.*.*\\Folder\\ShellEx\\DragDropHandlers.*" -or $_.message -match "TargetObject.*.*\\Folder\\ShellEx\\ColumnHandlers.*" -or $_.message -match "TargetObject.*.*\\Directory\\Shellex\\DragDropHandlers.*" -or $_.message -match "TargetObject.*.*\\Directory\\Shellex\\CopyHookHandlers.*" -or $_.message -match "TargetObject.*.*\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance.*" -or $_.message -match "TargetObject.*.*\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance.*" -or $_.message -match "TargetObject.*.*\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance.*" -or $_.message -match "TargetObject.*.*\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance.*" -or $_.message -match "TargetObject.*.*\\AllFileSystemObjects\\ShellEx\\DragDropHandlers.*" -or $_.message -match "TargetObject.*.*\\ShellEx\\PropertySheetHandlers.*" -or $_.message -match "TargetObject.*.*\\ShellEx\\ContextMenuHandlers.*"))) -or ($_.message -match "TargetObject.*.*\\Software\\Classes.*" -and ($_.message -match "TargetObject.*.*\\Folder\\ShellEx\\ExtShellFolderViews.*" -or $_.message -match 
"TargetObject.*.*\\Folder\\ShellEx\\DragDropHandlers.*" -or $_.message -match "TargetObject.*.*\\Folder\\Shellex\\ColumnHandlers.*" -or $_.message -match "TargetObject.*.*\\Filter.*" -or $_.message -match "TargetObject.*.*\\Exefile\\Shell\\Open\\Command\\(Default).*" -or $_.message -match "TargetObject.*.*\\Directory\\Shellex\\DragDropHandlers.*" -or $_.message -match "TargetObject.*.*\\Directory\\Shellex\\CopyHookHandlers.*" -or $_.message -match "TargetObject.*.*\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance.*" -or $_.message -match "TargetObject.*.*\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance.*" -or $_.message -match "TargetObject.*.*\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance.*" -or $_.message -match "TargetObject.*.*\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance.*" -or $_.message -match "TargetObject.*.*\\Classes\\AllFileSystemObjects\\ShellEx\\DragDropHandlers.*" -or $_.message -match "TargetObject.*.*\\.exe.*" -or $_.message -match "TargetObject.*.*\\.cmd.*" -or $_.message -match "TargetObject.*.*\\ShellEx\\PropertySheetHandlers.*" -or $_.message -match "TargetObject.*.*\\ShellEx\\ContextMenuHandlers.*"))) -or ($_.message -match "TargetObject.*.*\\Software\\Policies\\Microsoft\\Windows\\System\\Scripts.*" -and ($_.message -match "TargetObject.*.*\\Startup.*" -or $_.message -match "TargetObject.*.*\\Shutdown.*" -or $_.message -match "TargetObject.*.*\\Logon.*" -or $_.message -match "TargetObject.*.*\\Logoff.*"))) -or ($_.message -match "TargetObject.*.*\\System\\CurrentControlSet\\Services\\WinSock2\\Parameters.*" -and ($_.message -match "TargetObject.*.*\\Protocol_Catalog9\\Catalog_Entries.*" -or $_.message -match "TargetObject.*.*\\NameSpace_Catalog5\\Catalog_Entries.*"))) -or ($_.message -match "TargetObject.*.*\\SYSTEM\\CurrentControlSet\\Control.*" -and ($_.message -match "TargetObject.*.*\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram.*" -or $_.message -match "TargetObject.*.*\\Terminal 
Server\\Wds\\rdpwd\\StartupPrograms.*" -or $_.message -match "TargetObject.*.*\\SecurityProviders\\SecurityProviders.*" -or $_.message -match "TargetObject.*.*\\SafeBoot\\AlternateShell.*" -or $_.message -match "TargetObject.*.*\\Print\\Providers.*" -or $_.message -match "TargetObject.*.*\\Print\\Monitors.*" -or $_.message -match "TargetObject.*.*\\NetworkProvider\\Order.*" -or $_.message -match "TargetObject.*.*\\Lsa\\Notification Packages.*" -or $_.message -match "TargetObject.*.*\\Lsa\\Authentication Packages.*" -or $_.message -match "TargetObject.*.*\\BootVerificationProgram\\ImagePath.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_bypass_via_wsreset.ps1 b/Rules/sigma_tmp/sysmon_bypass_via_wsreset.ps1
new file mode 100644
index 00000000..78562baf
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_bypass_via_wsreset.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_cactustorch.ps1 b/Rules/sigma_tmp/sysmon_cactustorch.ps1
new file mode 100644
index 00000000..3aec7a28
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_cactustorch.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "8" -and ($_.message -match "SourceImage.*.*\\System32\\cscript.exe" -or $_.message -match "SourceImage.*.*\\System32\\wscript.exe" -or $_.message -match "SourceImage.*.*\\System32\\mshta.exe" -or $_.message -match "SourceImage.*.*\\winword.exe" -or $_.message -match "SourceImage.*.*\\excel.exe") -and $_.message -match "TargetImage.*.*\\SysWOW64\\.*" -and -not StartModule="*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
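Review bot: Several values in the sysmon_asep_reg_keys_modification pattern list contain regex metacharacters that were passed through unescaped, so they no longer match the literal registry path: `Command\\(Default).*` in the `Htmlfile\\Shell\\Open\\Command\\(Default)` and `Exefile\\Shell\\Open\\Command\\(Default)` entries is a capture group that matches `Command\Default`, not the `Command\(Default)` that Sysmon writes for a key's default value. Escape the parentheses, e.g. `"TargetObject.*.*\\SOFTWARE\\Classes\\Htmlfile\\Shell\\Open\\Command\\\(Default\).*"` (every backslash is literal in a PowerShell double-quoted string, so `\(` reaches the regex intact). Very generic entries such as `TargetObject.*.*\\Run.*` under CurrentVersion and `TargetObject.*.*\\.exe.*` under Classes also match far more than the values they came from (`\RunOnce`, `\RunMRU`, any key containing a backslash followed by any character and `exe`), so expect noise from them until they are anchored more tightly. The single `+` line of this hunk is split across several physical lines above.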
diff --git a/Rules/sigma_tmp/sysmon_cmstp_execution_by_access.ps1 b/Rules/sigma_tmp/sysmon_cmstp_execution_by_access.ps1
new file mode 100644
index 00000000..1f4d41d3
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_cmstp_execution_by_access.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "10" -and $_.message -match "CallTrace.*.*cmlua.dll.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_cmstp_execution_by_creation.ps1 b/Rules/sigma_tmp/sysmon_cmstp_execution_by_creation.ps1
new file mode 100644
index 00000000..6feb6de8
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_cmstp_execution_by_creation.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\cmstp.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_cmstp_execution_by_registry.ps1 b/Rules/sigma_tmp/sysmon_cmstp_execution_by_registry.ps1
new file mode 100644
index 00000000..a9242ad0
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_cmstp_execution_by_registry.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*\\cmmgr32.exe.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_cobaltstrike_process_injection.ps1 b/Rules/sigma_tmp/sysmon_cobaltstrike_process_injection.ps1
new file mode 100644
index 00000000..1dde9774
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_cobaltstrike_process_injection.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "8" -and ($_.message -match "TargetProcessAddress.*.*0B80" -or $_.message -match "TargetProcessAddress.*.*0C7C" -or $_.message -match "TargetProcessAddress.*.*0C88")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_cobaltstrike_service_installs.ps1 b/Rules/sigma_tmp/sysmon_cobaltstrike_service_installs.ps1
new file mode 100644
index 00000000..8588418f
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_cobaltstrike_service_installs.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "EventType.*SetValue" -and $_.message -match "TargetObject.*.*HKLM\\System\\CurrentControlSet\\Services.*" -and (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and (($_.message -match "Details.*.*ADMIN$.*" -and $_.message -match "Details.*.*.exe.*") -or ($_.message -match "Details.*.*%COMSPEC%.*" -and $_.message -match "Details.*.*start.*" -and $_.message -match "Details.*.*powershell.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_comhijack_sdclt.ps1 b/Rules/sigma_tmp/sysmon_comhijack_sdclt.ps1
new file mode 100644
index 00000000..c9639759
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_comhijack_sdclt.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_config_modification.ps1 b/Rules/sigma_tmp/sysmon_config_modification.ps1
new file mode 100644
index 00000000..824109b4
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_config_modification.ps1
@@ -0,0 +1,2 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "4" -or $_.ID -eq "16")) -and ($_.message -match "State.*Stopped" -or ($_.message -match "Sysmon config state changed.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "255" -and ($_.message -match "Description.*.*Failed to open service configuration with error.*" -or $_.message -match "Description.*.*Failed to connect to the driver to update configuration.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_createremotethread_loadlibrary.ps1 b/Rules/sigma_tmp/sysmon_createremotethread_loadlibrary.ps1
new file mode 100644
index 00000000..2479ff53
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_createremotethread_loadlibrary.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "8" -and $_.message -match "StartModule.*.*\\kernel32.dll" -and $_.message -match "StartFunction.*LoadLibraryA") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_creation_mavinject_dll.ps1 b/Rules/sigma_tmp/sysmon_creation_mavinject_dll.ps1
new file mode 100644
index 00000000..cd745a63
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_creation_mavinject_dll.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.* /INJECTRUNNING.*" -and $_.message -match "CommandLine.*.*.dll.*" -and $_.message -match "OriginalFileName.*.*mavinject.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_creation_system_file.ps1 b/Rules/sigma_tmp/sysmon_creation_system_file.ps1
new file mode 100644
index 00000000..0e3c7d68
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_creation_system_file.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "11") -and ($_.message -match "TargetFilename.*.*\\svchost.exe" -or $_.message -match "TargetFilename.*.*\\rundll32.exe" -or $_.message -match "TargetFilename.*.*\\services.exe" -or $_.message -match "TargetFilename.*.*\\powershell.exe" -or $_.message -match "TargetFilename.*.*\\regsvr32.exe" -or $_.message -match "TargetFilename.*.*\\spoolsv.exe" -or $_.message -match "TargetFilename.*.*\\lsass.exe" -or $_.message -match "TargetFilename.*.*\\smss.exe" -or $_.message -match "TargetFilename.*.*\\csrss.exe" -or $_.message -match "TargetFilename.*.*\\conhost.exe" -or $_.message -match "TargetFilename.*.*\\wininit.exe" -or $_.message -match "TargetFilename.*.*\\lsm.exe" -or $_.message -match "TargetFilename.*.*\\winlogon.exe" -or $_.message -match "TargetFilename.*.*\\explorer.exe" -or $_.message -match "TargetFilename.*.*\\taskhost.exe" -or $_.message -match "TargetFilename.*.*\\Taskmgr.exe" -or $_.message -match "TargetFilename.*.*\\taskmgr.exe" -or $_.message -match "TargetFilename.*.*\\sihost.exe" -or $_.message -match "TargetFilename.*.*\\RuntimeBroker.exe" -or $_.message -match "TargetFilename.*.*\\runtimebroker.exe" -or $_.message -match "TargetFilename.*.*\\smartscreen.exe" -or $_.message -match "TargetFilename.*.*\\dllhost.exe" -or $_.message -match "TargetFilename.*.*\\audiodg.exe" -or $_.message -match "TargetFilename.*.*\\wlanext.exe") -and -not (($_.message -match "TargetFilename.*C:\\Windows\\System32\\.*" -or $_.message -match "TargetFilename.*C:\\Windows\\system32\\.*" -or $_.message -match "TargetFilename.*C:\\Windows\\SysWow64\\.*" -or $_.message -match "TargetFilename.*C:\\Windows\\SysWOW64\\.*" -or $_.message -match "TargetFilename.*C:\\Windows\\winsxs\\.*" -or $_.message -match "TargetFilename.*C:\\Windows\\WinSxS\\.*" -or $_.message -match "TargetFilename.*\\SystemRoot\\System32\\.*") -and ($_.message -match "Image.*.*\\Windows\\System32\\dism.exe"))) } 
| select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_cred_dump_lsass_access.ps1 b/Rules/sigma_tmp/sysmon_cred_dump_lsass_access.ps1
new file mode 100644
index 00000000..e0a4d47f
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_cred_dump_lsass_access.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "10") -and ($_.message -match "TargetImage.*.*\\lsass.exe" -and ($_.message -match "GrantedAccess.*.*0x40.*" -or $_.message -match "GrantedAccess.*.*0x1000.*" -or $_.message -match "GrantedAccess.*.*0x1400.*" -or $_.message -match "GrantedAccess.*.*0x100000.*" -or $_.message -match "GrantedAccess.*.*0x1410.*" -or $_.message -match "GrantedAccess.*.*0x1010.*" -or $_.message -match "GrantedAccess.*.*0x1438.*" -or $_.message -match "GrantedAccess.*.*0x143a.*" -or $_.message -match "GrantedAccess.*.*0x1418.*" -or $_.message -match "GrantedAccess.*.*0x1f0fff.*" -or $_.message -match "GrantedAccess.*.*0x1f1fff.*" -or $_.message -match "GrantedAccess.*.*0x1f2fff.*" -or $_.message -match "GrantedAccess.*.*0x1f3fff.*")) -and -not (($_.message -match "ProcessName.*.*\\wmiprvse.exe" -or $_.message -match "ProcessName.*.*\\taskmgr.exe" -or $_.message -match "ProcessName.*.*\\procexp64.exe" -or $_.message -match "ProcessName.*.*\\procexp.exe" -or $_.message -match "ProcessName.*.*\\lsm.exe" -or $_.message -match "ProcessName.*.*\\MsMpEng.exe" -or $_.message -match "ProcessName.*.*\\csrss.exe" -or $_.message -match "ProcessName.*.*\\wininit.exe" -or $_.message -match "ProcessName.*.*\\vmtoolsd.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_cred_dump_tools_dropped_files.ps1 b/Rules/sigma_tmp/sysmon_cred_dump_tools_dropped_files.ps1
new file mode 100644
index 00000000..4431e9a6
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_cred_dump_tools_dropped_files.ps1
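Review bot: The exclusion in the sysmon_creation_system_file hunk, `-not ((TargetFilename in the System32/SysWOW64/WinSxS list) -and ($_.message -match "Image.*.*\\Windows\\System32\\dism.exe"))`, only suppresses an event when both the path and the dism.exe creator match, so a legitimate `svchost.exe` or `explorer.exe` written into `C:\Windows\System32` by Windows Update or any other installer still fires. If the path list and the dism.exe image are meant as two independent exclusions, the inner `-and` should be `-or`; please confirm the intended condition against the source rule. The single `+` line of this hunk is split across two physical lines (`))) }` / `| select …`).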
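Review bot: The exclusion list in the sysmon_cred_dump_lsass_access hunk tests `ProcessName.*.*\\wmiprvse.exe` and friends, but Sysmon Event ID 10 messages do not carry a `ProcessName` field — the accessing process is reported as `SourceImage` — so, as far as I can tell, none of these exclusions can ever match and the rule will alert on every listed `GrantedAccess` value, including benign wmiprvse/taskmgr/MsMpEng access. Rewrite each entry of the `-not (...)` group on the field that is present, e.g. `$_.message -match "SourceImage.*.*\\wmiprvse.exe"`. Separately, `GrantedAccess.*.*0x40.*` is a substring test that also hits longer values beginning with `0x40`; if that is not intended, anchor it with a trailing boundary such as `"GrantedAccess: 0x40\s"`.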
@@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and ($_.message -match "TargetFilename.*.*\\pwdump.*" -or $_.message -match "TargetFilename.*.*\\kirbi.*" -or $_.message -match "TargetFilename.*.*\\pwhashes.*" -or $_.message -match "TargetFilename.*.*\\wce_ccache.*" -or $_.message -match "TargetFilename.*.*\\wce_krbtkts.*" -or $_.message -match "TargetFilename.*.*\\fgdump-log.*") -and ($_.message -match "TargetFilename.*.*\\test.pwd" -or $_.message -match "TargetFilename.*.*\\lsremora64.dll" -or $_.message -match "TargetFilename.*.*\\lsremora.dll" -or $_.message -match "TargetFilename.*.*\\fgexec.exe" -or $_.message -match "TargetFilename.*.*\\wceaux.dll" -or $_.message -match "TargetFilename.*.*\\SAM.out" -or $_.message -match "TargetFilename.*.*\\SECURITY.out" -or $_.message -match "TargetFilename.*.*\\SYSTEM.out" -or $_.message -match "TargetFilename.*.*\\NTDS.out" -or $_.message -match "TargetFilename.*.*\\DumpExt.dll" -or $_.message -match "TargetFilename.*.*\\DumpSvc.exe" -or $_.message -match "TargetFilename.*.*\\cachedump64.exe" -or $_.message -match "TargetFilename.*.*\\cachedump.exe" -or $_.message -match "TargetFilename.*.*\\pstgdump.exe" -or $_.message -match "TargetFilename.*.*\\servpw.exe" -or $_.message -match "TargetFilename.*.*\\servpw64.exe" -or $_.message -match "TargetFilename.*.*\\pwdump.exe" -or $_.message -match "TargetFilename.*.*\\procdump64.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_cred_dump_tools_named_pipes.ps1 b/Rules/sigma_tmp/sysmon_cred_dump_tools_named_pipes.ps1 new file mode 100644 index 00000000..df10f737 --- /dev/null +++ b/Rules/sigma_tmp/sysmon_cred_dump_tools_named_pipes.ps1 
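Review bot: The two TargetFilename groups are joined with `-and`, so an event must match a name from the `\\pwdump` … `\\fgdump-log` list and one from the `\\test.pwd` … `\\procdump64.exe` list at the same time; only names that satisfy both, such as `\\pwdump.exe`, can ever fire, and a lone `\\wceaux.dll` or `\\SAM.out` write is dropped. If the source rule's condition is one of the two selections, which the list contents suggest, the join should be `-or` with the ID check kept outside it: `($_.ID -eq "11" -and ((...\\pwdump... -or ...\\fgdump-log...) -or (...\\test.pwd... -or ...\\procdump64.exe...)))`.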
@@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "17" -or $_.ID -eq "18") -and ($_.message -match "PipeName.*.*\\lsadump.*" -or $_.message -match "PipeName.*.*\\cachedump.*" -or $_.message -match "PipeName.*.*\\wceservicepipe.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_cve-2020-1048.ps1 b/Rules/sigma_tmp/sysmon_cve-2020-1048.ps1 new file mode 100644 index 00000000..81c1dfa6 --- /dev/null +++ b/Rules/sigma_tmp/sysmon_cve-2020-1048.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Ports.*" -and ($_.message -match "Details.*.*.dll.*" -or $_.message -match "Details.*.*.exe.*" -or $_.message -match "Details.*.*.bat.*" -or $_.message -match "Details.*.*.com.*" -or $_.message -match "Details.*.*C:.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_cve_2021_26857_msexchange.ps1 b/Rules/sigma_tmp/sysmon_cve_2021_26857_msexchange.ps1 new file mode 100644 index 00000000..3657127f --- /dev/null +++ b/Rules/sigma_tmp/sysmon_cve_2021_26857_msexchange.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and $_.message -match "ParentImage.*.*UMWorkerProcess.exe" -and -not (($_.message -match "Image.*.*wermgr.exe" -or $_.message -match "Image.*.*WerFault.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_cve_2021_26858_msexchange.ps1 b/Rules/sigma_tmp/sysmon_cve_2021_26858_msexchange.ps1 new file mode 100644 index 00000000..dda270cf --- /dev/null +++ b/Rules/sigma_tmp/sysmon_cve_2021_26858_msexchange.ps1 
@@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "11") -and $_.message -match "Image.*.*UMWorkerProcess.exe" -and -not (($_.message -match "TargetFilename.*.*CacheCleanup.bin" -or $_.message -match "TargetFilename.*.*.txt" -or $_.message -match "TargetFilename.*.*.LOG" -or $_.message -match "TargetFilename.*.*.cfg" -or $_.message -match "TargetFilename.*.*cleanup.bin"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_cve_2021_31979_cve_2021_33771_exploits.ps1 b/Rules/sigma_tmp/sysmon_cve_2021_31979_cve_2021_33771_exploits.ps1 new file mode 100644 index 00000000..ff7b0899 --- /dev/null +++ b/Rules/sigma_tmp/sysmon_cve_2021_31979_cve_2021_33771_exploits.ps1 
@@ -0,0 +1,2 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and ($_.message -match "TargetFilename.*.*C:\\Windows\\system32\\physmem.sys.*" -or $_.message -match "TargetFilename.*.*C:\\Windows\\System32\\IME\\IMEJP\\imjpueact.dll.*" -or $_.message -match "TargetFilename.*.*C:\\Windows\\system32\\ime\\IMETC\\IMTCPROT.DLL.*" -or $_.message -match "TargetFilename.*.*C:\\Windows\\system32\\ime\\SHARED\\imecpmeid.dll.*" -or $_.message -match "TargetFilename.*.*C:\\Windows\\system32\\config\\spp\\ServiceState\\Recovery\\pac.dat.*" -or $_.message -match "TargetFilename.*.*C:\\Windows\\system32\\config\\cy-GB\\Setup\\SKB\\InputMethod\\TupTask.dat.*" -or $_.message -match "TargetFilename.*.*C:\\Windows\\system32\\config\\config\\startwus.dat.*" -or $_.message -match "TargetFilename.*.*C:\\Windows\\system32\\ime\\SHARED\\WimBootConfigurations.ini.*" -or $_.message -match "TargetFilename.*.*C:\\Windows\\system32\\ime\\IMEJP\\WimBootConfigurations.ini.*" -or $_.message -match "TargetFilename.*.*C:\\Windows\\system32\\ime\\IMETC\\WimBootConfigurations.ini.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "TargetObject.*.*\\Software\\Classes\\CLSID\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\\InprocServer32.*" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Classes\\CLSID\\{7C857801-7381-11CF-884D-00AA004B2E24}\\InProcServer32.*") -and $_.message -match "IMJPUEXP.DLL") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_dcom_iertutil_dll_hijack.ps1 b/Rules/sigma_tmp/sysmon_dcom_iertutil_dll_hijack.ps1 new file mode 100644 index 00000000..4ceffe81 --- /dev/null +++ b/Rules/sigma_tmp/sysmon_dcom_iertutil_dll_hijack.ps1 
@@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "11" -and $_.message -match "Image.*System" -and $_.message -match "TargetFilename.*.*\\Internet Explorer\\iertutil.dll") -or ($_.ID -eq "7" -and $_.message -match "Image.*.*\\Internet Explorer\\iexplore.exe" -and $_.message -match "ImageLoaded.*.*\\Internet Explorer\\iertutil.dll"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_dhcp_calloutdll.ps1 b/Rules/sigma_tmp/sysmon_dhcp_calloutdll.ps1 new file mode 100644 index 00000000..814028ee --- /dev/null +++ b/Rules/sigma_tmp/sysmon_dhcp_calloutdll.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*\\Services\\DHCPServer\\Parameters\\CalloutDlls" -or $_.message -match "TargetObject.*.*\\Services\\DHCPServer\\Parameters\\CalloutEnabled")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_direct_syscall_ntopenprocess.ps1 b/Rules/sigma_tmp/sysmon_direct_syscall_ntopenprocess.ps1 new file mode 100644 index 00000000..12d2888f --- /dev/null +++ b/Rules/sigma_tmp/sysmon_direct_syscall_ntopenprocess.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "10" -and $_.message -match "CallTrace.*UNKNOWN.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_disable_microsoft_office_security_features.ps1 b/Rules/sigma_tmp/sysmon_disable_microsoft_office_security_features.ps1 new file mode 100644 index 00000000..975720cd --- /dev/null +++ b/Rules/sigma_tmp/sysmon_disable_microsoft_office_security_features.ps1 
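Review bot: In sysmon_dcom_iertutil_dll_hijack.ps1 the ID 11 branch uses `$_.message -match "Image.*System"`, which is satisfied by any message whose Image path contains the substring System — including every process under `C:\Windows\System32\` — rather than by the bare `System` process the rule appears to target. Any write of `\Internet Explorer\iertutil.dll` by such a process therefore satisfies the branch. Anchoring the value to the whole label line, e.g. `$_.message -match "(?m)^Image:\s*System\s*$"`, keeps the match to the process name alone; confirm the label spacing against a real event before relying on it.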
@@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "EventType.*SetValue" -and $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Office\\.*" -and ($_.message -match "TargetObject.*.*VBAWarnings" -or $_.message -match "TargetObject.*.*DisableInternetFilesInPV" -or $_.message -match "TargetObject.*.*DisableUnsafeLocationsInPV" -or $_.message -match "TargetObject.*.*DisableAttachementsInPV") -and $_.message -match "Details.*DWORD (0x00000001)") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_disable_security_events_logging_adding_reg_key_minint.ps1 b/Rules/sigma_tmp/sysmon_disable_security_events_logging_adding_reg_key_minint.ps1 new file mode 100644 index 00000000..72ae7080 --- /dev/null +++ b/Rules/sigma_tmp/sysmon_disable_security_events_logging_adding_reg_key_minint.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and (($_.message -match "TargetObject.*HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt" -and $_.message -match "EventType.*CreateKey") -or $_.message -match "NewName.*HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_disable_wdigest_credential_guard.ps1 b/Rules/sigma_tmp/sysmon_disable_wdigest_credential_guard.ps1 new file mode 100644 index 00000000..eb3b0c04 --- /dev/null +++ b/Rules/sigma_tmp/sysmon_disable_wdigest_credential_guard.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*\\IsCredGuardEnabled") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message 
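Review bot: The value check `$_.message -match "Details.*DWORD (0x00000001)"` in sysmon_disable_microsoft_office_security_features.ps1 cannot match the Sysmon message text, because the unescaped parentheses form a regex group and the pattern then requires `DWORD 0x00000001` with no `(`; Sysmon renders the value as `Details: DWORD (0x00000001)`, so the rule never fires. The same construct is in sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.ps1 (`DWORD (00000001)`), sysmon_disabled_pua_protection_on_microsoft_defender.ps1 (`DWORD (0x00000000)`), sysmon_disabled_tamper_protection_on_microsoft_defender.ps1 (`DWORD (0)`) and sysmon_etw_disabled.ps1 (`DWORD (0x00000000)`). Escape the literal, `$_.message -match "Details.*DWORD \(0x00000001\)"`, or use a wildcard comparison that needs no escaping, `$_.message -like "*Details: DWORD (0x00000001)*"`. Because these rules cover Defender and macro-protection tampering, a replayed sample event per rule would catch this class of silent translation failure.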
diff --git a/Rules/sigma_tmp/sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.ps1 b/Rules/sigma_tmp/sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.ps1 new file mode 100644 index 00000000..cf0f7d25 --- /dev/null +++ b/Rules/sigma_tmp/sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "EventType.*SetValue" -and $_.message -match "TargetObject.*.*HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\App and Browser protection\\DisallowExploitProtectionOverride.*" -and $_.message -match "Details.*DWORD (00000001)") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_disabled_pua_protection_on_microsoft_defender.ps1 b/Rules/sigma_tmp/sysmon_disabled_pua_protection_on_microsoft_defender.ps1 new file mode 100644 index 00000000..a70db54a --- /dev/null +++ b/Rules/sigma_tmp/sysmon_disabled_pua_protection_on_microsoft_defender.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "EventType.*SetValue" -and $_.message -match "TargetObject.*.*HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\PUAProtection.*" -and $_.message -match "Details.*DWORD (0x00000000)") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_disabled_tamper_protection_on_microsoft_defender.ps1 b/Rules/sigma_tmp/sysmon_disabled_tamper_protection_on_microsoft_defender.ps1 new file mode 100644 index 00000000..47f5f6fc --- /dev/null +++ b/Rules/sigma_tmp/sysmon_disabled_tamper_protection_on_microsoft_defender.ps1 
@@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "EventType.*SetValue" -and $_.message -match "TargetObject.*.*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection.*" -and $_.message -match "Details.*DWORD (0)") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_dllhost_net_connections.ps1 b/Rules/sigma_tmp/sysmon_dllhost_net_connections.ps1 new file mode 100644 index 00000000..e13dcdb0 --- /dev/null +++ b/Rules/sigma_tmp/sysmon_dllhost_net_connections.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "3") -and ($_.message -match "Image.*.*\\dllhost.exe" -and $_.message -match "Initiated.*true") -and -not (($_.message -match "DestinationIp.*10..*" -or $_.message -match "DestinationIp.*192.168..*" -or $_.message -match "DestinationIp.*172.16..*" -or $_.message -match "DestinationIp.*172.17..*" -or $_.message -match "DestinationIp.*172.18..*" -or $_.message -match "DestinationIp.*172.19..*" -or $_.message -match "DestinationIp.*172.20..*" -or $_.message -match "DestinationIp.*172.21..*" -or $_.message -match "DestinationIp.*172.22..*" -or $_.message -match "DestinationIp.*172.23..*" -or $_.message -match "DestinationIp.*172.24..*" -or $_.message -match "DestinationIp.*172.25..*" -or $_.message -match "DestinationIp.*172.26..*" -or $_.message -match "DestinationIp.*172.27..*" -or $_.message -match "DestinationIp.*172.28..*" -or $_.message -match "DestinationIp.*172.29..*" -or $_.message -match "DestinationIp.*172.30..*" -or $_.message -match "DestinationIp.*172.31..*" -or $_.message -match "DestinationIp.*127..*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message 
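Review bot: The private-range exclusion in sysmon_dllhost_net_connections.ps1 uses unescaped dots and no anchor, so `DestinationIp.*10..*` is satisfied by any address containing the digits 10 followed by any character — `110.x`, `x.10.y`, `210.x` — and `DestinationIp.*127..*` behaves the same, which silently suppresses outbound dllhost.exe connections to many public addresses. The same alternatives recur in sysmon_malware_backconnect_ports.ps1. Anchoring on the label and escaping the dots, e.g. `DestinationIp:\s*10\.`, `DestinationIp:\s*192\.168\.`, `DestinationIp:\s*172\.(1[6-9]|2[0-9]|3[01])\.` and `DestinationIp:\s*127\.`, limits the exclusion to the RFC 1918 and loopback prefixes and also collapses the sixteen `172.x` alternatives into one.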
diff --git a/Rules/sigma_tmp/sysmon_dns_hybridconnectionmgr_servicebus.ps1 b/Rules/sigma_tmp/sysmon_dns_hybridconnectionmgr_servicebus.ps1 new file mode 100644 index 00000000..6163b1d2 --- /dev/null +++ b/Rules/sigma_tmp/sysmon_dns_hybridconnectionmgr_servicebus.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "22" -and $_.message -match "QueryName.*.*servicebus.windows.net.*" -and $_.message -match "Image.*.*HybridConnectionManager.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_dns_serverlevelplugindll.ps1 b/Rules/sigma_tmp/sysmon_dns_serverlevelplugindll.ps1 new file mode 100644 index 00000000..24f03f9e --- /dev/null +++ b/Rules/sigma_tmp/sysmon_dns_serverlevelplugindll.ps1 @@ -0,0 +1,2 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*\\services\\DNS\\Parameters\\ServerLevelPluginDll") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\dnscmd.exe" -and $_.message -match "CommandLine.*.*/config.*" -and $_.message -match "CommandLine.*.*/serverlevelplugindll.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_enabling_cor_profiler_env_variables.ps1 b/Rules/sigma_tmp/sysmon_enabling_cor_profiler_env_variables.ps1 new file mode 100644 index 00000000..4152671f --- /dev/null +++ b/Rules/sigma_tmp/sysmon_enabling_cor_profiler_env_variables.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*\\COR_ENABLE_PROFILING" -or $_.message -match "TargetObject.*.*\\COR_PROFILER")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message 
diff --git a/Rules/sigma_tmp/sysmon_etw_disabled.ps1 b/Rules/sigma_tmp/sysmon_etw_disabled.ps1 new file mode 100644 index 00000000..12931464 --- /dev/null +++ b/Rules/sigma_tmp/sysmon_etw_disabled.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled" -and $_.message -match "Details.*DWORD (0x00000000)") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_expand_cabinet_files.ps1 b/Rules/sigma_tmp/sysmon_expand_cabinet_files.ps1 new file mode 100644 index 00000000..55839b51 --- /dev/null +++ b/Rules/sigma_tmp/sysmon_expand_cabinet_files.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\expand.exe") -and ($_.message -match "CommandLine.*.*.cab.*" -or $_.message -match "CommandLine.*.*/F:.*" -or $_.message -match "CommandLine.*.*C:\\ProgramData\\.*" -or $_.message -match "CommandLine.*.*C:\\Public\\.*" -or $_.message -match "CommandLine.*.*\\AppData\\Local\\Temp\\.*" -or $_.message -match "CommandLine.*.*\\AppData\\Roaming\\Temp\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_ghostpack_safetykatz.ps1 b/Rules/sigma_tmp/sysmon_ghostpack_safetykatz.ps1 new file mode 100644 index 00000000..056c928f --- /dev/null +++ b/Rules/sigma_tmp/sysmon_ghostpack_safetykatz.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*\\Temp\\debug.bin") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_hack_dumpert.ps1 b/Rules/sigma_tmp/sysmon_hack_dumpert.ps1 new file mode 100644 index 00000000..51d90e3d --- /dev/null +++ b/Rules/sigma_tmp/sysmon_hack_dumpert.ps1 
@@ -0,0 +1,2 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Imphash.*09D278F9DE118EF09163C6140255C690") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "TargetFilename.*C:\\Windows\\Temp\\dumpert.dmp") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_hack_wce.ps1 b/Rules/sigma_tmp/sysmon_hack_wce.ps1 new file mode 100644 index 00000000..abfc2a49 --- /dev/null +++ b/Rules/sigma_tmp/sysmon_hack_wce.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.ID -eq "1") -and (($_.message -match "a53a02b997935fd8eedcb5f7abab9b9f" -or $_.message -match "e96a73c7bf33a464c510ede582318bf2") -or ($_.message -match "CommandLine.*.*.exe -S" -and $_.message -match "ParentImage.*.*\\services.exe"))) -and -not ($_.message -match "Image.*.*\\clussvc.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_hack_wce_reg.ps1 b/Rules/sigma_tmp/sysmon_hack_wce_reg.ps1 new file mode 100644 index 00000000..76759bf9 --- /dev/null +++ b/Rules/sigma_tmp/sysmon_hack_wce_reg.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*Services\\WCESERVICE\\Start.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_high_integrity_sdclt.ps1 b/Rules/sigma_tmp/sysmon_high_integrity_sdclt.ps1 new file mode 100644 index 00000000..cf81da73 --- /dev/null +++ b/Rules/sigma_tmp/sysmon_high_integrity_sdclt.ps1 
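Review bot: In sysmon_hack_wce.ps1 the filter tests `$_.ID -eq "1"` twice, once in the outer group and again in the nested `(($_.ID -eq "1") -and ...)`, so the inner copy adds nothing and only deepens the nesting. sysmon_in_memory_assembly_execution.ps1 (`$_.ID -eq "10"`, three times) and sysmon_logon_scripts_userinitmprlogonscript_proc.ps1 (`$_.ID -eq "1"`, twice) repeat the pattern. Dropping the inner repeats, so the condition reads `($_.ID -eq "1" -and (($_.message -match "a53a02b997935fd8eedcb5f7abab9b9f" -or $_.message -match "e96a73c7bf33a464c510ede582318bf2") -or ($_.message -match "CommandLine.*.*.exe -S" -and $_.message -match "ParentImage.*.*\\services.exe")) -and -not ($_.message -match "Image.*.*\\clussvc.exe"))`, makes the boolean structure readable and easier to verify against the source rule.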
@@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*sdclt.exe" -and $_.message -match "IntegrityLevel.*High") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_hybridconnectionmgr_svc_installation.ps1 b/Rules/sigma_tmp/sysmon_hybridconnectionmgr_svc_installation.ps1 new file mode 100644 index 00000000..89b2d11d --- /dev/null +++ b/Rules/sigma_tmp/sysmon_hybridconnectionmgr_svc_installation.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "TargetObject.*.*\\Services\\HybridConnectionManager.*" -or $_.message -match "Details.*.*Microsoft.HybridConnectionManager.Listener.exe.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_in_memory_assembly_execution.ps1 b/Rules/sigma_tmp/sysmon_in_memory_assembly_execution.ps1 new file mode 100644 index 00000000..70e02e42 --- /dev/null +++ b/Rules/sigma_tmp/sysmon_in_memory_assembly_execution.ps1 
@@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "10") -and ((($_.ID -eq "10") -and (($_.message -match "CallTrace.*.*C:\\Windows\\SYSTEM32\\ntdll.dll\+.*" -and $_.message -match "CallTrace.*.*|C:\\Windows\\System32\\KERNELBASE.dll\+.*" -and $_.message -match "CallTrace.*.*|UNKNOWN(.*" -and $_.message -match "CallTrace.*.*).*") -or ($_.message -match "CallTrace.*.*UNKNOWN(.*" -and $_.message -match "CallTrace.*.*)|UNKNOWN(.*" -and $_.message -match "CallTrace.*.*)"))) -or (($_.ID -eq "10" -and $_.message -match "CallTrace.*.*UNKNOWN.*" -and ($_.message -match "0x1F0FFF" -or $_.message -match "0x1F1FFF" -or $_.message -match "0x143A" -or $_.message -match "0x1410" -or $_.message -match "0x1010" -or $_.message -match "0x1F2FFF" -or $_.message -match "0x1F3FFF" -or $_.message -match "0x1FFFFF")) -and -not (($_.message -match "SourceImage.*.*\\Windows\\System32\\sdiagnhost.exe"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_in_memory_powershell.ps1 b/Rules/sigma_tmp/sysmon_in_memory_powershell.ps1 new file mode 100644 index 00000000..816bf9a0 --- /dev/null +++ b/Rules/sigma_tmp/sysmon_in_memory_powershell.ps1 
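Review bot: Several patterns in sysmon_in_memory_assembly_execution.ps1 are not valid .NET regexes: `CallTrace.*.*UNKNOWN(.*` opens a group that is never closed, `CallTrace.*.*).*` closes one that was never opened, and `CallTrace.*.*)|UNKNOWN(.*` does both, so `-match` throws a parse error on the first ID 10 event it evaluates and the rule errors out instead of returning results. The `|` in `CallTrace.*.*|C:\\Windows\\System32\\KERNELBASE.dll\+.*` is also live regex alternation — the left branch `CallTrace.*.*` matches every ID 10 message, so the KERNELBASE requirement is never enforced — and sysmon_lazagne_cred_dump_lsass_access.ps1 carries the same `|` defect. Escape the literal pipe and parentheses (`\|`, `\(`, `\)`), e.g. `"CallTrace.*\|C:\\Windows\\System32\\KERNELBASE.dll\+"` and `"CallTrace.*UNKNOWN\("`, or build the patterns with `[regex]::Escape()` and drop the wildcard wrappers.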
@@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "7") -and ($_.message -match "ImageLoaded.*.*\\System.Management.Automation.Dll" -or $_.message -match "ImageLoaded.*.*\\System.Management.Automation.ni.Dll") -and -not (($_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\powershell_ise.exe" -or $_.message -match "Image.*.*\\WINDOWS\\System32\\sdiagnhost.exe" -or $_.message -match "Image.*.*\\mscorsvw.exe" -or $_.message -match "Image.*.*\\WINDOWS\\System32\\RemoteFXvGPUDisablement.exe" -or $_.message -match "Image.*.*\\sqlps.exe" -or $_.message -match "Image.*.*\\wsmprovhost.exe" -or $_.message -match "Image.*.*\\winrshost.exe" -or $_.message -match "Image.*.*\\syncappvpublishingserver.exe" -or $_.message -match "Image.*.*\\runscripthelper.exe" -or $_.message -match "Image.*.*\\ServerManager.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_invoke_phantom.ps1 b/Rules/sigma_tmp/sysmon_invoke_phantom.ps1 new file mode 100644 index 00000000..65e1be99 --- /dev/null +++ b/Rules/sigma_tmp/sysmon_invoke_phantom.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "10" -and $_.message -match "TargetImage.*.*\\windows\\system32\\svchost.exe" -and $_.message -match "GrantedAccess.*0x1f3fff" -and ($_.message -match "CallTrace.*.*unknown.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_lazagne_cred_dump_lsass_access.ps1 b/Rules/sigma_tmp/sysmon_lazagne_cred_dump_lsass_access.ps1 new file mode 100644 index 00000000..9cf9ad8c --- /dev/null +++ b/Rules/sigma_tmp/sysmon_lazagne_cred_dump_lsass_access.ps1 
@@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "10" -and $_.message -match "TargetImage.*.*\\lsass.exe" -and $_.message -match "CallTrace.*.*C:\\Windows\\SYSTEM32\\ntdll.dll\+.*" -and $_.message -match "CallTrace.*.*|C:\\Windows\\System32\\KERNELBASE.dll\+.*" -and $_.message -match "CallTrace.*.*_ctypes.pyd\+.*" -and $_.message -match "CallTrace.*.*python27.dll\+.*" -and $_.message -match "GrantedAccess.*0x1FFFFF") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_load_undocumented_autoelevated_com_interface.ps1 b/Rules/sigma_tmp/sysmon_load_undocumented_autoelevated_com_interface.ps1 new file mode 100644 index 00000000..9ed40eb6 --- /dev/null +++ b/Rules/sigma_tmp/sysmon_load_undocumented_autoelevated_com_interface.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "10" -and $_.message -match "CallTrace.*.*editionupgrademanagerobj.dll.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_logon_scripts_userinitmprlogonscript_proc.ps1 b/Rules/sigma_tmp/sysmon_logon_scripts_userinitmprlogonscript_proc.ps1 new file mode 100644 index 00000000..c81eb9af --- /dev/null +++ b/Rules/sigma_tmp/sysmon_logon_scripts_userinitmprlogonscript_proc.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.ID -eq "1") -and ($_.message -match "ParentImage.*.*\\userinit.exe" -and -not ($_.message -match "Image.*.*\\explorer.exe")) -and -not (($_.message -match "CommandLine.*.*netlogon.bat.*" -or $_.message -match "CommandLine.*.*UsrLogon.cmd.*"))) -or $_.message -match "CommandLine.*.*UserInitMprLogonScript.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message 
diff --git a/Rules/sigma_tmp/sysmon_logon_scripts_userinitmprlogonscript_reg.ps1 b/Rules/sigma_tmp/sysmon_logon_scripts_userinitmprlogonscript_reg.ps1 new file mode 100644 index 00000000..07ae9f58 --- /dev/null +++ b/Rules/sigma_tmp/sysmon_logon_scripts_userinitmprlogonscript_reg.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*UserInitMprLogonScript.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_lsass_dump_comsvcs_dll.ps1 b/Rules/sigma_tmp/sysmon_lsass_dump_comsvcs_dll.ps1 new file mode 100644 index 00000000..6851f625 --- /dev/null +++ b/Rules/sigma_tmp/sysmon_lsass_dump_comsvcs_dll.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "10" -and $_.message -match "TargetImage.*.*\\lsass.exe" -and $_.message -match "SourceImage.*C:\\Windows\\System32\\rundll32.exe" -and $_.message -match "CallTrace.*.*comsvcs.dll.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_lsass_memdump.ps1 b/Rules/sigma_tmp/sysmon_lsass_memdump.ps1 new file mode 100644 index 00000000..9000501d --- /dev/null +++ b/Rules/sigma_tmp/sysmon_lsass_memdump.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "10" -and $_.message -match "TargetImage.*.*\\lsass.exe" -and $_.message -match "GrantedAccess.*0x1fffff" -and ($_.message -match "CallTrace.*.*dbghelp.dll.*" -or $_.message -match "CallTrace.*.*dbgcore.dll.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_lsass_memory_dump_file_creation.ps1 b/Rules/sigma_tmp/sysmon_lsass_memory_dump_file_creation.ps1 new file mode 100644 index 00000000..7f62c3c2 --- /dev/null +++ b/Rules/sigma_tmp/sysmon_lsass_memory_dump_file_creation.ps1 
@@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*lsass.*" -and $_.message -match "TargetFilename.*.*dmp") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_mal_cobaltstrike.ps1 b/Rules/sigma_tmp/sysmon_mal_cobaltstrike.ps1 new file mode 100644 index 00000000..3fdbc5db --- /dev/null +++ b/Rules/sigma_tmp/sysmon_mal_cobaltstrike.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "17" -or $_.ID -eq "18")) -and (($_.message -match "PipeName.*.*\\MSSE-.*" -and $_.message -match "PipeName.*.*-server.*") -or $_.message -match "PipeName.*\\postex_.*" -or $_.message -match "PipeName.*\\postex_ssh_.*" -or $_.message -match "PipeName.*\\status_.*" -or $_.message -match "PipeName.*\\msagent_.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_mal_namedpipes.ps1 b/Rules/sigma_tmp/sysmon_mal_namedpipes.ps1 new file mode 100644 index 00000000..7c56f907 --- /dev/null +++ b/Rules/sigma_tmp/sysmon_mal_namedpipes.ps1 
@@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "17" -or $_.ID -eq "18") -and ($_.message -match "\\isapi_http" -or $_.message -match "\\isapi_dg" -or $_.message -match "\\isapi_dg2" -or $_.message -match "\\sdlrpc" -or $_.message -match "\\ahexec" -or $_.message -match "\\winsession" -or $_.message -match "\\lsassw" -or $_.message -match "\\46a676ab7f179e511e30dd2dc41bd388" -or $_.message -match "\\9f81f59bc58452127884ce513865ed20" -or $_.message -match "\\e710f28d59aa529d6792ca6ff0ca1b34" -or $_.message -match "\\rpchlp_3" -or $_.message -match "\\NamePipe_MoreWindows" -or $_.message -match "\\pcheap_reuse" -or $_.message -match "\\gruntsvc" -or $_.message -match "\\583da945-62af-10e8-4902-a8f205c72b2e" -or $_.message -match "\\bizkaz" -or $_.message -match "\\svcctl" -or $_.message -match "PipeName.*\\Posh.*" -or $_.message -match "\\jaccdpqnvbrrxlaf" -or $_.message -match "\\csexecsvc")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_malware_backconnect_ports.ps1 b/Rules/sigma_tmp/sysmon_malware_backconnect_ports.ps1 new file mode 100644 index 00000000..19e746c5 --- /dev/null +++ b/Rules/sigma_tmp/sysmon_malware_backconnect_ports.ps1 
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "3") -and ($_.message -match "Initiated.*true" -and ($_.message -match "4443" -or $_.message -match "2448" -or $_.message -match "8143" -or $_.message -match "1777" -or $_.message -match "1443" -or $_.message -match "243" -or $_.message -match "65535" -or $_.message -match "13506" -or $_.message -match "3360" -or $_.message -match "200" -or $_.message -match "198" -or $_.message -match "49180" -or $_.message -match "13507" -or $_.message -match "6625" -or $_.message -match "4444" -or $_.message -match "4438" -or $_.message -match "1904" -or $_.message -match "13505" -or $_.message -match "13504" -or $_.message -match "12102" -or $_.message -match "9631" -or $_.message -match "5445" -or $_.message -match "2443" -or $_.message -match "777" -or $_.message -match "13394" -or $_.message -match "13145" -or $_.message -match "12103" -or $_.message -match "5552" -or $_.message -match "3939" -or $_.message -match "3675" -or $_.message -match "666" -or $_.message -match "473" -or $_.message -match "5649" -or $_.message -match "4455" -or $_.message -match "4433" -or $_.message -match "1817" -or $_.message -match "100" -or $_.message -match "65520" -or $_.message -match "1960" -or $_.message -match "1515" -or $_.message -match "743" -or $_.message -match "700" -or $_.message -match "14154" -or $_.message -match "14103" -or $_.message -match "14102" -or $_.message -match "12322" -or $_.message -match "10101" -or $_.message -match "7210" -or $_.message -match "4040" -or $_.message -match "9943")) -and -not ((($_.ID -eq "3") -and ($_.message -match "Image.*.*\\Program Files.*" -or (($_.message -match "DestinationIp.*10..*" -or $_.message -match "DestinationIp.*192.168..*" -or $_.message -match "DestinationIp.*172.16..*" -or $_.message -match "DestinationIp.*172.17..*" -or $_.message -match "DestinationIp.*172.18..*" -or $_.message -match "DestinationIp.*172.19..*" -or $_.message -match 
"DestinationIp.*172.20..*" -or $_.message -match "DestinationIp.*172.21..*" -or $_.message -match "DestinationIp.*172.22..*" -or $_.message -match "DestinationIp.*172.23..*" -or $_.message -match "DestinationIp.*172.24..*" -or $_.message -match "DestinationIp.*172.25..*" -or $_.message -match "DestinationIp.*172.26..*" -or $_.message -match "DestinationIp.*172.27..*" -or $_.message -match "DestinationIp.*172.28..*" -or $_.message -match "DestinationIp.*172.29..*" -or $_.message -match "DestinationIp.*172.30..*" -or $_.message -match "DestinationIp.*172.31..*" -or $_.message -match "DestinationIp.*127..*") -and $_.message -match "DestinationIsIpv6.*false"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_malware_verclsid_shellcode.ps1 b/Rules/sigma_tmp/sysmon_malware_verclsid_shellcode.ps1 new file mode 100644 index 00000000..8db8b33e --- /dev/null +++ b/Rules/sigma_tmp/sysmon_malware_verclsid_shellcode.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "10") -and ($_.message -match "TargetImage.*.*\\verclsid.exe" -and $_.message -match "GrantedAccess.*0x1FFFFF") -and (($_.message -match "CallTrace.*.*|UNKNOWN(.*" -and $_.message -match "CallTrace.*.*VBE7.DLL.*") -or ($_.message -match "SourceImage.*.*\\Microsoft Office\\.*" -and $_.message -match "CallTrace.*.*|UNKNOWN.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_mimikatz_detection_lsass.ps1 b/Rules/sigma_tmp/sysmon_mimikatz_detection_lsass.ps1 new file mode 100644 index 00000000..04df5a76 --- /dev/null +++ b/Rules/sigma_tmp/sysmon_mimikatz_detection_lsass.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "10" -and $_.message -match "TargetImage.*.*\\lsass.exe" -and ($_.message -match "0x1410" -or $_.message -match "0x1010")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message 
diff --git a/Rules/sigma_tmp/sysmon_mimikatz_trough_winrm.ps1 b/Rules/sigma_tmp/sysmon_mimikatz_trough_winrm.ps1
new file mode 100644
index 00000000..f3a71020
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_mimikatz_trough_winrm.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "10" -and $_.message -match "TargetImage.*.*\\lsass.exe" -and $_.message -match "SourceImage.*C:\\Windows\\system32\\wsmprovhost.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_modify_screensaver_binary_path.ps1 b/Rules/sigma_tmp/sysmon_modify_screensaver_binary_path.ps1
new file mode 100644
index 00000000..c546c6c5
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_modify_screensaver_binary_path.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and $_.message -match "TargetObject.*.*\\Control Panel\\Desktop\\SCRNSAVE.EXE" -and -not (($_.message -match "Image.*.*\\rundll32.exe" -or $_.message -match "Image.*.*\\explorer.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_narrator_feedback_persistance.ps1 b/Rules/sigma_tmp/sysmon_narrator_feedback_persistance.ps1
new file mode 100644
index 00000000..ed24c0cd
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_narrator_feedback_persistance.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and (($_.message -match "EventType.*DeleteValue" -and $_.message -match "TargetObject.*.*\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\DelegateExecute") -or $_.message -match "TargetObject.*.*\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\(Default)")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
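Review bot: In the `sysmon_narrator_feedback_persistance.ps1` hunk the value name is written as `\\command\\(Default)`, but in a regex the parentheses form a capture group, so the pattern matches the text `\command\Default` and never the literal `\command\(Default)` that Sysmon appears to write into `TargetObject` for a key's default value; that `-or` branch can therefore never fire. Escape the parentheses: `$_.message -match "TargetObject.*\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\\(Default\)"`. The `Details.*DWORD (0x00000000)` term in the `sysmon_rdp_registry_modification.ps1` hunk further down has the same class of bug and needs `DWORD \(0x00000000\)`.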
diff --git a/Rules/sigma_tmp/sysmon_netcat_execution.ps1 b/Rules/sigma_tmp/sysmon_netcat_execution.ps1
new file mode 100644
index 00000000..c8980ad4
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_netcat_execution.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\ncat.exe") -or ($_.message -match "CommandLine.*.* -lvp .*" -or $_.message -match "CommandLine.*.* -l --proxy-type http .*" -or $_.message -match "CommandLine.*.* --exec cmd.exe .*" -or $_.message -match "CommandLine.*.* -vnl --exec .*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_new_application_appcompat.ps1 b/Rules/sigma_tmp/sysmon_new_application_appcompat.ps1
new file mode 100644
index 00000000..bddcb495
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_new_application_appcompat.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*\\AppCompatFlags\\Compatibility Assistant\\Store\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_new_dll_added_to_appcertdlls_registry_key.ps1 b/Rules/sigma_tmp/sysmon_new_dll_added_to_appcertdlls_registry_key.ps1
new file mode 100644
index 00000000..5a379f0a
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_new_dll_added_to_appcertdlls_registry_key.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "TargetObject.*HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls" -or $_.message -match "NewName.*HKLM\\SYSTEM\\CurentControlSet\\Control\\Session Manager\\AppCertDlls")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
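Review bot: The `NewName` branch of the AppCertDlls hunk spells the hive path `HKLM\\SYSTEM\\CurentControlSet\\...` (missing the second `r`), so a rename onto the AppCertDlls key will never satisfy that alternative and only the `TargetObject` branch is live. Change it to `$_.message -match "NewName.*HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls"`. It is worth checking whether the typo comes from the upstream rule the converter consumed, so it is corrected at the source rather than only in generated output.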
diff --git a/Rules/sigma_tmp/sysmon_new_dll_added_to_appinit_dlls_registry_key.ps1 b/Rules/sigma_tmp/sysmon_new_dll_added_to_appinit_dlls_registry_key.ps1
new file mode 100644
index 00000000..ddd3fc17
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_new_dll_added_to_appinit_dlls_registry_key.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and (($_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls") -or ($_.message -match "NewName.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls" -or $_.message -match "NewName.*.*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_non_priv_program_files_move.ps1 b/Rules/sigma_tmp/sysmon_non_priv_program_files_move.ps1
new file mode 100644
index 00000000..a55c33ed
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_non_priv_program_files_move.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "IntegrityLevel.*Medium" -and ($_.ID -eq "11") -and (($_.message -match "TargetFilename.*.*\\Program Files\\.*" -or $_.message -match "TargetFilename.*.*\\Program Files (x86)\\.*") -or ($_.message -match "TargetFilename.*\\Windows\\.*" -and -not ($_.message -match "TargetFilename.*.*temp.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_notepad_network_connection.ps1 b/Rules/sigma_tmp/sysmon_notepad_network_connection.ps1
new file mode 100644
index 00000000..acbaac1f
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_notepad_network_connection.ps1
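Review bot: The `sysmon_non_priv_program_files_move.ps1` hunk requires `$_.message -match "IntegrityLevel.*Medium"` on Event ID 11, but Sysmon FileCreate events do not, to my knowledge, carry an `IntegrityLevel` field (it is reported on Event ID 1), so unless the log is enriched upstream this clause is always false and the rule never fires; the `sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.ps1` hunk has the same dependency on Event ID 12/13/14 registry records. In the same clause `Program Files (x86)` is unescaped, so the parentheses form a group and the pattern matches `Program Files x86`, never the real path; use `\\Program Files \(x86\)\\.*`. The duplicated `($_.ID -eq "11")` test is harmless but shows the converter emitting the selection twice; if process integrity is genuinely needed the rule has to be correlated with the Event ID 1 record by `ProcessGuid`, otherwise the term should be dropped and the false-positive exposure documented.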
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "3") -and $_.message -match "Image.*.*\\notepad.exe" -and -not ($_.message -match "DestinationPort.*9100")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_office_persistence.ps1 b/Rules/sigma_tmp/sysmon_office_persistence.ps1
new file mode 100644
index 00000000..dde80e55
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_office_persistence.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "11") -and ($_.ID -eq "11") -and ((($_.message -match "TargetFilename.*.*\\Microsoft\\Word\\Startup\\.*" -and $_.message -match "TargetFilename.*.*.wll") -or ($_.message -match "TargetFilename.*.*\\Microsoft\\Excel\\Startup\\.*" -and $_.message -match "TargetFilename.*.*.xll")) -or ($_.message -match "TargetFilename.*.*\\Microsoft\\Addins\\.*" -and ($_.message -match "TargetFilename.*.*.xlam" -or $_.message -match "TargetFilename.*.*.xla")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_office_test_regadd.ps1 b/Rules/sigma_tmp/sysmon_office_test_regadd.ps1
new file mode 100644
index 00000000..2fe99568
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_office_test_regadd.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "HKEY_CURRENT_USER\\Software\\Microsoft\\Office test\\Special\\Perf" -or $_.message -match "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Office test\\Special\\Perf")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_office_vsto_persistence.ps1 b/Rules/sigma_tmp/sysmon_office_vsto_persistence.ps1
new file mode 100644
index 00000000..f8523c68
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_office_vsto_persistence.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "EventType.*SetValue" -and ($_.message -match "TargetObject.*.*\\Software\\Microsoft\\Office\\Outlook\\Addins\\.*" -or $_.message -match "TargetObject.*.*\\Software\\Microsoft\\Office\\Word\\Addins\\.*" -or $_.message -match "TargetObject.*.*\\Software\\Microsoft\\Office\\Excel\\Addins\\.*" -or $_.message -match "TargetObject.*.*\\Software\\Microsoft\\Office\\Powerpoint\\Addins\\.*" -or $_.message -match "TargetObject.*.*\\Software\\Microsoft\\VSTO\\Security\\Inclusion\\.*")) -and -not ($_.message -match "Image.*.*\\msiexec.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_outlook_newform.ps1 b/Rules/sigma_tmp/sysmon_outlook_newform.ps1
new file mode 100644
index 00000000..225336ec
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_outlook_newform.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "Image.*\\outlook.exe" -and $_.message -match "TargetFilename.*.*\\appdata\\local\\microsoft\\FORMS\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_password_dumper_lsass.ps1 b/Rules/sigma_tmp/sysmon_password_dumper_lsass.ps1
new file mode 100644
index 00000000..1a7b7135
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_password_dumper_lsass.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "8" -and $_.message -match "TargetImage.*.*\\lsass.exe" -and $_.message -match "StartModule.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_pcre_net_load.ps1 b/Rules/sigma_tmp/sysmon_pcre_net_load.ps1
new file mode 100644
index 00000000..497151b7
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_pcre_net_load.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and $_.message -match "ImageLoaded.*.*\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_pcre_net_temp_file.ps1 b/Rules/sigma_tmp/sysmon_pcre_net_temp_file.ps1
new file mode 100644
index 00000000..e52e8b44
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_pcre_net_temp_file.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_pingback_backdoor.ps1 b/Rules/sigma_tmp/sysmon_pingback_backdoor.ps1
new file mode 100644
index 00000000..f62db943
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_pingback_backdoor.ps1
@@ -0,0 +1,3 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "Image.*.*updata.exe" -and $_.message -match "TargetFilename.*C:\\Windows\\oci.dll") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and $_.message -match "Image.*.*msdtc.exe" -and $_.message -match "ImageLoaded.*C:\\Windows\\oci.dll") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*updata.exe" -and $_.message -match "CommandLine.*.*config.*" -and $_.message -match "CommandLine.*.*msdtc.*" -and $_.message -match "CommandLine.*.*start.*" -and $_.message -match "CommandLine.*.*auto.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_possible_dns_rebinding.ps1 b/Rules/sigma_tmp/sysmon_possible_dns_rebinding.ps1
new file mode 100644
index 00000000..cdc394cf
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_possible_dns_rebinding.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "22" -and $_.message -match "QueryName.*.*" -and $_.message -match "QueryStatus.*0" -and ($_.message -match "QueryResults.*(::ffff:)?10..*" -or $_.message -match "QueryResults.*(::ffff:)?192.168..*" -or $_.message -match "QueryResults.*(::ffff:)?172.16..*" -or $_.message -match "QueryResults.*(::ffff:)?172.17..*" -or $_.message -match "QueryResults.*(::ffff:)?172.18..*" -or $_.message -match "QueryResults.*(::ffff:)?172.19..*" -or $_.message -match "QueryResults.*(::ffff:)?172.20..*" -or $_.message -match "QueryResults.*(::ffff:)?172.21..*" -or $_.message -match "QueryResults.*(::ffff:)?172.22..*" -or $_.message -match "QueryResults.*(::ffff:)?172.23..*" -or $_.message -match "QueryResults.*(::ffff:)?172.24..*" -or $_.message -match "QueryResults.*(::ffff:)?172.25..*" -or $_.message -match "QueryResults.*(::ffff:)?172.26..*" -or $_.message -match "QueryResults.*(::ffff:)?172.27..*" -or $_.message -match "QueryResults.*(::ffff:)?172.28..*" -or $_.message -match "QueryResults.*(::ffff:)?172.29..*" -or $_.message -match "QueryResults.*(::ffff:)?172.30..*" -or $_.message -match "QueryResults.*(::ffff:)?172.31..*" -or $_.message -match "QueryResults.*(::ffff:)?127..*") -and ($_.ID -eq "22") -and ($_.message -match "QueryName.*.*" -and $_.message -match "QueryStatus.*0") -and -not (($_.message -match "QueryResults.*(::ffff:)?10..*" -or $_.message -match "QueryResults.*(::ffff:)?192.168..*" -or $_.message -match "QueryResults.*(::ffff:)?172.16..*" -or $_.message -match "QueryResults.*(::ffff:)?172.17..*" -or $_.message -match "QueryResults.*(::ffff:)?172.18..*" -or $_.message -match "QueryResults.*(::ffff:)?172.19..*" -or $_.message -match "QueryResults.*(::ffff:)?172.20..*" -or $_.message -match "QueryResults.*(::ffff:)?172.21..*" -or $_.message -match "QueryResults.*(::ffff:)?172.22..*" -or $_.message -match "QueryResults.*(::ffff:)?172.23..*" -or $_.message -match 
"QueryResults.*(::ffff:)?172.24..*" -or $_.message -match "QueryResults.*(::ffff:)?172.25..*" -or $_.message -match "QueryResults.*(::ffff:)?172.26..*" -or $_.message -match "QueryResults.*(::ffff:)?172.27..*" -or $_.message -match "QueryResults.*(::ffff:)?172.28..*" -or $_.message -match "QueryResults.*(::ffff:)?172.29..*" -or $_.message -match "QueryResults.*(::ffff:)?172.30..*" -or $_.message -match "QueryResults.*(::ffff:)?172.31..*" -or $_.message -match "QueryResults.*(::ffff:)?127..*"))) } | select ComputerName, QueryName | group ComputerName | foreach { [PSCustomObject]@{'ComputerName'=$_.name;'Count'=($_.group.QueryName | sort -u).count} } | sort count -desc | where { $_.count -gt 3 } diff --git a/Rules/sigma_tmp/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.ps1 b/Rules/sigma_tmp/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.ps1 new file mode 100644 index 00000000..642ae418 --- /dev/null +++ b/Rules/sigma_tmp/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "IntegrityLevel.*Medium" -and $_.message -match "TargetObject.*.*\\services\\.*" -and ($_.message -match "TargetObject.*.*\\ImagePath" -or $_.message -match "TargetObject.*.*\\FailureCommand" -or $_.message -match "TargetObject.*.*\\Parameters\\ServiceDll")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_powershell_as_service.ps1 b/Rules/sigma_tmp/sysmon_powershell_as_service.ps1 new file mode 100644 index 00000000..39c4daa4 --- /dev/null +++ b/Rules/sigma_tmp/sysmon_powershell_as_service.ps1 
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*\\Services\\.*" -and $_.message -match "TargetObject.*.*\\ImagePath" -and ($_.message -match "Details.*.*powershell.*" -or $_.message -match "Details.*.*pwsh.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_powershell_execution_moduleload.ps1 b/Rules/sigma_tmp/sysmon_powershell_execution_moduleload.ps1
new file mode 100644
index 00000000..e1ddbfcf
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_powershell_execution_moduleload.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and $_.message -match "Description.*System.Management.Automation" -and $_.message -match "ImageLoaded.*.*System.Management.Automation.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_powershell_execution_pipe.ps1 b/Rules/sigma_tmp/sysmon_powershell_execution_pipe.ps1
new file mode 100644
index 00000000..6e7dfe55
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_powershell_execution_pipe.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "17" -or $_.ID -eq "18") -and $_.message -match "PipeName.*\\PSHost.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_powershell_exploit_scripts.ps1 b/Rules/sigma_tmp/sysmon_powershell_exploit_scripts.ps1
new file mode 100644
index 00000000..266f8576
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_powershell_exploit_scripts.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and ($_.message -match "TargetFilename.*.*\\Invoke-DllInjection.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-WmiCommand.ps1" -or $_.message -match "TargetFilename.*.*\\Get-GPPPassword.ps1" -or $_.message -match "TargetFilename.*.*\\Get-Keystrokes.ps1" -or $_.message -match "TargetFilename.*.*\\Get-VaultCredential.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-CredentialInjection.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-Mimikatz.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-NinjaCopy.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-TokenManipulation.ps1" -or $_.message -match "TargetFilename.*.*\\Out-Minidump.ps1" -or $_.message -match "TargetFilename.*.*\\VolumeShadowCopyTools.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-ReflectivePEInjection.ps1" -or $_.message -match "TargetFilename.*.*\\Get-TimedScreenshot.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-UserHunter.ps1" -or $_.message -match "TargetFilename.*.*\\Find-GPOLocation.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-ACLScanner.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-DowngradeAccount.ps1" -or $_.message -match "TargetFilename.*.*\\Get-ServiceUnquoted.ps1" -or $_.message -match "TargetFilename.*.*\\Get-ServiceFilePermission.ps1" -or $_.message -match "TargetFilename.*.*\\Get-ServicePermission.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-ServiceAbuse.ps1" -or $_.message -match "TargetFilename.*.*\\Install-ServiceBinary.ps1" -or $_.message -match "TargetFilename.*.*\\Get-RegAutoLogon.ps1" -or $_.message -match "TargetFilename.*.*\\Get-VulnAutoRun.ps1" -or $_.message -match "TargetFilename.*.*\\Get-VulnSchTask.ps1" -or $_.message -match "TargetFilename.*.*\\Get-UnattendedInstallFile.ps1" -or $_.message -match "TargetFilename.*.*\\Get-WebConfig.ps1" -or $_.message -match "TargetFilename.*.*\\Get-ApplicationHost.ps1" 
-or $_.message -match "TargetFilename.*.*\\Get-RegAlwaysInstallElevated.ps1" -or $_.message -match "TargetFilename.*.*\\Get-Unconstrained.ps1" -or $_.message -match "TargetFilename.*.*\\Add-RegBackdoor.ps1" -or $_.message -match "TargetFilename.*.*\\Add-ScrnSaveBackdoor.ps1" -or $_.message -match "TargetFilename.*.*\\Gupt-Backdoor.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-ADSBackdoor.ps1" -or $_.message -match "TargetFilename.*.*\\Enabled-DuplicateToken.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-PsUaCme.ps1" -or $_.message -match "TargetFilename.*.*\\Remove-Update.ps1" -or $_.message -match "TargetFilename.*.*\\Check-VM.ps1" -or $_.message -match "TargetFilename.*.*\\Get-LSASecret.ps1" -or $_.message -match "TargetFilename.*.*\\Get-PassHashes.ps1" -or $_.message -match "TargetFilename.*.*\\Show-TargetScreen.ps1" -or $_.message -match "TargetFilename.*.*\\Port-Scan.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-PoshRatHttp.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-PowerShellTCP.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-PowerShellWMI.ps1" -or $_.message -match "TargetFilename.*.*\\Add-Exfiltration.ps1" -or $_.message -match "TargetFilename.*.*\\Add-Persistence.ps1" -or $_.message -match "TargetFilename.*.*\\Do-Exfiltration.ps1" -or $_.message -match "TargetFilename.*.*\\Start-CaptureServer.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-ShellCode.ps1" -or $_.message -match "TargetFilename.*.*\\Get-ChromeDump.ps1" -or $_.message -match "TargetFilename.*.*\\Get-ClipboardContents.ps1" -or $_.message -match "TargetFilename.*.*\\Get-FoxDump.ps1" -or $_.message -match "TargetFilename.*.*\\Get-IndexedItem.ps1" -or $_.message -match "TargetFilename.*.*\\Get-Screenshot.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-Inveigh.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-NetRipper.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-EgressCheck.ps1" -or $_.message -match 
"TargetFilename.*.*\\Invoke-PostExfil.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-PSInject.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-RunAs.ps1" -or $_.message -match "TargetFilename.*.*\\MailRaider.ps1" -or $_.message -match "TargetFilename.*.*\\New-HoneyHash.ps1" -or $_.message -match "TargetFilename.*.*\\Set-MacAttribute.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-DCSync.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-PowerDump.ps1" -or $_.message -match "TargetFilename.*.*\\Exploit-Jboss.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-ThunderStruck.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-VoiceTroll.ps1" -or $_.message -match "TargetFilename.*.*\\Set-Wallpaper.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-InveighRelay.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-PsExec.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-SSHCommand.ps1" -or $_.message -match "TargetFilename.*.*\\Get-SecurityPackages.ps1" -or $_.message -match "TargetFilename.*.*\\Install-SSP.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-BackdoorLNK.ps1" -or $_.message -match "TargetFilename.*.*\\PowerBreach.ps1" -or $_.message -match "TargetFilename.*.*\\Get-SiteListPassword.ps1" -or $_.message -match "TargetFilename.*.*\\Get-System.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-BypassUAC.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-Tater.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-WScriptBypassUAC.ps1" -or $_.message -match "TargetFilename.*.*\\PowerUp.ps1" -or $_.message -match "TargetFilename.*.*\\PowerView.ps1" -or $_.message -match "TargetFilename.*.*\\Get-RickAstley.ps1" -or $_.message -match "TargetFilename.*.*\\Find-Fruit.ps1" -or $_.message -match "TargetFilename.*.*\\HTTP-Login.ps1" -or $_.message -match "TargetFilename.*.*\\Find-TrustedDocuments.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-Paranoia.ps1" -or $_.message -match 
"TargetFilename.*.*\\Invoke-WinEnum.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-ARPScan.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-PortScan.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-ReverseDNSLookup.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-SMBScanner.ps1" -or $_.message -match "TargetFilename.*.*\\Invoke-Mimikittenz.ps1")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/sysmon_powershell_network_connection.ps1 b/Rules/sigma_tmp/sysmon_powershell_network_connection.ps1 new file mode 100644 index 00000000..a024d03e --- /dev/null +++ b/Rules/sigma_tmp/sysmon_powershell_network_connection.ps1 
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "3") -and ($_.message -match "Image.*.*\\powershell.exe" -and $_.message -match "Initiated.*true" -and $_.message -match "DestinationIsIpv6.*false") -and -not (($_.message -match "DestinationIp.*10..*" -or $_.message -match "DestinationIp.*192.168..*" -or $_.message -match "DestinationIp.*172.16..*" -or $_.message -match "DestinationIp.*172.17..*" -or $_.message -match "DestinationIp.*172.18..*" -or $_.message -match "DestinationIp.*172.19..*" -or $_.message -match "DestinationIp.*172.20..*" -or $_.message -match "DestinationIp.*172.21..*" -or $_.message -match "DestinationIp.*172.22..*" -or $_.message -match "DestinationIp.*172.23..*" -or $_.message -match "DestinationIp.*172.24..*" -or $_.message -match "DestinationIp.*172.25..*" -or $_.message -match "DestinationIp.*172.26..*" -or $_.message -match "DestinationIp.*172.27..*" -or $_.message -match "DestinationIp.*172.28..*" -or $_.message -match "DestinationIp.*172.29..*" -or $_.message -match "DestinationIp.*172.30..*" -or $_.message -match "DestinationIp.*172.31..*" -or $_.message -match "DestinationIp.*127.0.0.1.*") -and $_.message -match "DestinationIsIpv6.*false" -and $_.message -match "User.*NT AUTHORITY\\SYSTEM" -and $_.message -match "User.*.*AUT.*" -and $_.message -match "User.*.* NT.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_proxy_execution_wuauclt.ps1 b/Rules/sigma_tmp/sysmon_proxy_execution_wuauclt.ps1
new file mode 100644
index 00000000..5de42a07
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_proxy_execution_wuauclt.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*wuauclt.*" -or $_.message -match "OriginalFileName.*wuauclt.exe") -and ($_.message -match "CommandLine.*.*UpdateDeploymentProvider.*" -and $_.message -match "CommandLine.*.*.dll.*" -and $_.message -match "CommandLine.*.*RunHandlerComServer.*")) -and -not (($_.message -match "CommandLine.*.* /UpdateDeploymentProvider UpdateDeploymentProvider.dll .*" -or $_.message -match "CommandLine.*.* wuaueng.dll .*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_psexec_pipes_artifacts.ps1 b/Rules/sigma_tmp/sysmon_psexec_pipes_artifacts.ps1
new file mode 100644
index 00000000..ef656f2b
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_psexec_pipes_artifacts.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "17" -or $_.ID -eq "18") -and ($_.message -match "PipeName.*psexec.*" -or $_.message -match "PipeName.*paexec.*" -or $_.message -match "PipeName.*remcom.*" -or $_.message -match "PipeName.*csexec.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_pypykatz_cred_dump_lsass_access.ps1 b/Rules/sigma_tmp/sysmon_pypykatz_cred_dump_lsass_access.ps1
new file mode 100644
index 00000000..bce795c1
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_pypykatz_cred_dump_lsass_access.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "10" -and $_.message -match "TargetImage.*.*\\lsass.exe" -and $_.message -match "CallTrace.*.*C:\\Windows\\SYSTEM32\\ntdll.dll\+.*" -and $_.message -match "CallTrace.*.*C:\\Windows\\System32\\KERNELBASE.dll\+.*" -and $_.message -match "CallTrace.*.*libffi-7.dll.*" -and $_.message -match "CallTrace.*.*_ctypes.pyd\+.*" -and $_.message -match "CallTrace.*.*python3.*.dll\+.*" -and $_.message -match "GrantedAccess.*0x1FFFFF") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_quarkspw_filedump.ps1 b/Rules/sigma_tmp/sysmon_quarkspw_filedump.ps1
new file mode 100644
index 00000000..080da9b0
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_quarkspw_filedump.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*\\AppData\\Local\\Temp\\SAM-.*" -and $_.message -match "TargetFilename.*.*.dmp.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_raw_disk_access_using_illegitimate_tools.ps1 b/Rules/sigma_tmp/sysmon_raw_disk_access_using_illegitimate_tools.ps1
new file mode 100644
index 00000000..80a97d0a
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_raw_disk_access_using_illegitimate_tools.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "9") -and -not ($_.message -match "Device.*.*floppy.*") -and -not (($_.message -match "Image.*.*\\wmiprvse.exe" -or $_.message -match "Image.*.*\\sdiagnhost.exe" -or $_.message -match "Image.*.*\\searchindexer.exe" -or $_.message -match "Image.*.*\\csrss.exe" -or $_.message -match "Image.*.*\\defrag.exe" -or $_.message -match "Image.*.*\\smss.exe" -or $_.message -match "Image.*.*\\vssvc.exe" -or $_.message -match "Image.*.*\\compattelrunner.exe" -or $_.message -match "Image.*.*\\wininit.exe" -or $_.message -match "Image.*.*\\autochk.exe" -or $_.message -match "Image.*.*\\taskhost.exe" -or $_.message -match "Image.*.*\\dfsrs.exe" -or $_.message -match "Image.*.*\\vds.exe" -or $_.message -match "Image.*.*\\lsass.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_rclone_execution.ps1 b/Rules/sigma_tmp/sysmon_rclone_execution.ps1
new file mode 100644
index 00000000..354b5d2d
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_rclone_execution.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Description.*Rsync for cloud storage" -or ($_.message -match "CommandLine.*.*--config .*" -and $_.message -match "CommandLine.*.*--no-check-certificate .*" -and $_.message -match "CommandLine.*.* copy .*") -or (($_.message -match "Image.*.*\\rclone.exe") -and ($_.message -match "CommandLine.*.*mega.*" -or $_.message -match "CommandLine.*.*pcloud.*" -or $_.message -match "CommandLine.*.*ftp.*" -or $_.message -match "CommandLine.*.*--progress.*" -or $_.message -match "CommandLine.*.*--ignore-existing.*" -or $_.message -match "CommandLine.*.*--auto-confirm.*" -or $_.message -match "CommandLine.*.*--transfers.*" -or $_.message -match "CommandLine.*.*--multi-thread-streams.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_rdp_registry_modification.ps1 b/Rules/sigma_tmp/sysmon_rdp_registry_modification.ps1
new file mode 100644
index 00000000..b1a3535a
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_rdp_registry_modification.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication" -or $_.message -match "TargetObject.*.*\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections") -and $_.message -match "Details.*DWORD (0x00000000)") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_rdp_reverse_tunnel.ps1 b/Rules/sigma_tmp/sysmon_rdp_reverse_tunnel.ps1
new file mode 100644
index 00000000..d00b3c4e
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_rdp_reverse_tunnel.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "3") -and ($_.message -match "Image.*.*\\svchost.exe" -and $_.message -match "Initiated.*true" -and $_.message -match "SourcePort.*3389") -and (($_.message -match "DestinationIp.*127..*") -or ($_.message -match "::1"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_rdp_settings_hijack.ps1 b/Rules/sigma_tmp/sysmon_rdp_settings_hijack.ps1
new file mode 100644
index 00000000..6279cf49
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_rdp_settings_hijack.ps1
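Review bot: The `Details.*DWORD (0x00000000)` condition in the sysmon_rdp_registry_modification hunk cannot match the value it targets: the parentheses form a regex group, so the pattern requires the text `DWORD 0x00000000`, while the Sysmon Details string the rule is written against carries literal parentheses. Escape them, `$_.message -match "Details.*DWORD \(0x00000000\)"`, or the rule is dead. The `InProcServer32\\(Default).*` pattern in the sysmon_registry_persistence_search_order hunk has the same defect and needs `\(Default\)`; `Details.*(Empty)` in the sysmon_registry_susp_printer_driver hunk only survives because the preceding `.*` absorbs the opening parenthesis.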
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*\\services\\TermService\\Parameters\\ServiceDll.*" -or $_.message -match "TargetObject.*.*\\Control\\Terminal Server\\fSingleSessionPerUser.*" -or $_.message -match "TargetObject.*.*\\Control\\Terminal Server\\fDenyTSConnections.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_redmimicry_winnti_filedrop.ps1 b/Rules/sigma_tmp/sysmon_redmimicry_winnti_filedrop.ps1
new file mode 100644
index 00000000..8618b107
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_redmimicry_winnti_filedrop.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and ($_.message -match "TargetFilename.*.*gthread-3.6.dll.*" -or $_.message -match "TargetFilename.*.*sigcmm-2.4.dll.*" -or $_.message -match "TargetFilename.*.*\\Windows\\Temp\\tmp.bat.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_redmimicry_winnti_reg.ps1 b/Rules/sigma_tmp/sysmon_redmimicry_winnti_reg.ps1
new file mode 100644
index 00000000..4078ccbc
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_redmimicry_winnti_reg.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*HKLM\\SOFTWARE\\Microsoft\\HTMLHelp\\data.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_reg_office_security.ps1 b/Rules/sigma_tmp/sysmon_reg_office_security.ps1
new file mode 100644
index 00000000..bd51069b
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_reg_office_security.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*\\Security\\Trusted Documents\\TrustRecords" -or $_.message -match "TargetObject.*.*\\Security\\AccessVBOM" -or $_.message -match "TargetObject.*.*\\Security\\VBAWarnings")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_reg_silentprocessexit.ps1 b/Rules/sigma_tmp/sysmon_reg_silentprocessexit.ps1
new file mode 100644
index 00000000..e98c7d95
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_reg_silentprocessexit.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit.*" -and $_.message -match "Details.*.*MonitorProcess.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_reg_silentprocessexit_lsass.ps1 b/Rules/sigma_tmp/sysmon_reg_silentprocessexit_lsass.ps1
new file mode 100644
index 00000000..735d3490
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_reg_silentprocessexit_lsass.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\lsass.exe.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_reg_vbs_payload_stored.ps1 b/Rules/sigma_tmp/sysmon_reg_vbs_payload_stored.ps1
new file mode 100644
index 00000000..6b4fdf28
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_reg_vbs_payload_stored.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "TargetObject.*.*Software\\Microsoft\\Windows\\CurrentVersion.*" -and ($_.message -match "Details.*.*vbscript.*" -or $_.message -match "Details.*.*jscript.*" -or $_.message -match "Details.*.*mshtml.*" -or $_.message -match "Details.*.*mshtml,.*" -or $_.message -match "Details.*.*mshtml .*" -or $_.message -match "Details.*.*RunHTMLApplication.*" -or $_.message -match "Details.*.*Execute(.*" -or $_.message -match "Details.*.*CreateObject.*" -or $_.message -match "Details.*.*RegRead.*" -or $_.message -match "Details.*.*window.close.*")) -and -not ($_.message -match "TargetObject.*.*Software\\Microsoft\\Windows\\CurrentVersion\\Run.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_regedit_export_to_ads.ps1 b/Rules/sigma_tmp/sysmon_regedit_export_to_ads.ps1
new file mode 100644
index 00000000..1e92e11a
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_regedit_export_to_ads.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "15" -and $_.message -match "Image.*.*\\regedit.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_registry_add_local_hidden_user.ps1 b/Rules/sigma_tmp/sysmon_registry_add_local_hidden_user.ps1
new file mode 100644
index 00000000..c92334ef
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_registry_add_local_hidden_user.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\.*" -and $_.message -match "TargetObject.*.*$" -and $_.message -match "Image.*.*lsass.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
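Review bot: `$_.message -match "Details.*.*Execute(.*"` in the sysmon_reg_vbs_payload_stored hunk is not a valid .NET regex (unbalanced `(`), so the first event that reaches this alternative raises a regex parse error inside `where` instead of being filtered. Escape the parenthesis: `$_.message -match "Details.*Execute\("`. Because the `-or` chain short-circuits, the failure only appears when none of the earlier `Details` alternatives match, which makes it easy to miss in a quick test.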
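Review bot: In the sysmon_registry_add_local_hidden_user hunk the condition `$_.message -match "TargetObject.*.*$"` is always true, because `$` is the regex end-of-input anchor rather than a literal dollar sign, so the rule fires on every write under `SAM\Domains\Account\Users\Names\` by lsass.exe, i.e. ordinary local account creation, not only names ending in `$`. Keep the suffix check with `$_.message -match '(?m)^TargetObject: .*\$\r?$'` (single quotes so PowerShell does not interpolate), assuming the rendered Message keeps one `Field: value` pair per line.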
diff --git a/Rules/sigma_tmp/sysmon_registry_persistence_key_linking.ps1 b/Rules/sigma_tmp/sysmon_registry_persistence_key_linking.ps1
new file mode 100644
index 00000000..d68b2d72
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_registry_persistence_key_linking.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "EventType.*CreateKey" -and $_.message -match "TargetObject.*.*HKU\\.*" -and $_.message -match "TargetObject.*.*_Classes\\CLSID\\.*" -and $_.message -match "TargetObject.*.*\\TreatAs.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_registry_persistence_search_order.ps1 b/Rules/sigma_tmp/sysmon_registry_persistence_search_order.ps1
new file mode 100644
index 00000000..538cde53
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_registry_persistence_search_order.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "TargetObject.*.*HKU\\.*" -and $_.message -match "TargetObject.*.*_Classes\\CLSID\\.*" -and $_.message -match "TargetObject.*.*\\InProcServer32\\(Default).*") -and -not (((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ((($_.message -match "Details.*.*%%systemroot%%\\system32\\.*" -or $_.message -match "Details.*.*%%systemroot%%\\SysWow64\\.*") -or (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "Details.*.*\\AppData\\Local\\Microsoft\\OneDrive\\.*" -and ($_.message -match "Details.*.*\\FileCoAuthLib64.dll.*" -or $_.message -match "Details.*.*\\FileSyncShell64.dll.*" -or $_.message -match "Details.*.*\\FileSyncApi64.dll.*"))) -or ($_.message -match "Details.*.*\\AppData\\Local\\Microsoft\\TeamsMeetingAddin\\.*" -and $_.message -match "Details.*.*\\Microsoft.Teams.AddinLoader.dll.*") -or ($_.message -match "Details.*.*\\AppData\\Roaming\\Dropbox\\.*" -and $_.message -match "Details.*.*\\DropboxExt64..*.dll.*"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_registry_susp_printer_driver.ps1 b/Rules/sigma_tmp/sysmon_registry_susp_printer_driver.ps1
new file mode 100644
index 00000000..991609f8
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_registry_susp_printer_driver.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*\\Control\\Print\\Environments\\Windows x64\\Drivers.*" -and $_.message -match "TargetObject.*.*\\Manufacturer.*" -and $_.message -match "Details.*(Empty)") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_registry_trust_record_modification.ps1 b/Rules/sigma_tmp/sysmon_registry_trust_record_modification.ps1
new file mode 100644
index 00000000..34aa849c
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_registry_trust_record_modification.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*TrustRecords.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_regsvr32_network_activity.ps1 b/Rules/sigma_tmp/sysmon_regsvr32_network_activity.ps1
new file mode 100644
index 00000000..727c03c8
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_regsvr32_network_activity.ps1
@@ -0,0 +1,2 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "3" -and $_.message -match "Image.*.*\\regsvr32.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "22" -and $_.message -match "Image.*.*\\regsvr32.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_remote_powershell_session_network.ps1 b/Rules/sigma_tmp/sysmon_remote_powershell_session_network.ps1
new file mode 100644
index 00000000..975d45e1
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_remote_powershell_session_network.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "3") -and ($_.message -match "5985" -or $_.message -match "5986") -and -not ($_.message -match "User.*NT AUTHORITY\\NETWORK SERVICE")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_removal_amsi_registry_key.ps1 b/Rules/sigma_tmp/sysmon_removal_amsi_registry_key.ps1
new file mode 100644
index 00000000..476e36a7
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_removal_amsi_registry_key.ps1
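Review bot: In the sysmon_remote_powershell_session_network hunk, `$_.message -match "5985"` and `"5986"` test the entire event text, so any event whose ProcessId, RecordId, ProcessGuid, or an IP address happens to contain those digits also passes, and the check is no longer tied to the port at all. Bind it to the port field the Sigma source presumably used: `($_.message -match "DestinationPort: 598[56]")`.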
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "EventType.*DeleteKey" -and ($_.message -match "TargetObject.*.*{2781761E-28E0-4109-99FE-B9D127C57AFE}" -or $_.message -match "TargetObject.*.*{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_removal_com_hijacking_registry_key.ps1 b/Rules/sigma_tmp/sysmon_removal_com_hijacking_registry_key.ps1
new file mode 100644
index 00000000..f011297d
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_removal_com_hijacking_registry_key.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "EventType.*DeleteKey" -and $_.message -match "TargetObject.*.*\\shell\\open\\command") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_remove_windows_defender_definition_files.ps1 b/Rules/sigma_tmp/sysmon_remove_windows_defender_definition_files.ps1
new file mode 100644
index 00000000..199bee71
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_remove_windows_defender_definition_files.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "OriginalFileName.*MpCmdRun.exe" -and $_.message -match "CommandLine.*.* -RemoveDefinitions.*" -and $_.message -match "CommandLine.*.* -All.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_rundll32_net_connections.ps1 b/Rules/sigma_tmp/sysmon_rundll32_net_connections.ps1
new file mode 100644
index 00000000..2a18f0f9
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_rundll32_net_connections.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "3") -and ($_.message -match "Image.*.*\\rundll32.exe" -and $_.message -match "Initiated.*true") -and -not (($_.message -match "DestinationIp.*10..*" -or $_.message -match "DestinationIp.*192.168..*" -or $_.message -match "DestinationIp.*172.16..*" -or $_.message -match "DestinationIp.*172.17..*" -or $_.message -match "DestinationIp.*172.18..*" -or $_.message -match "DestinationIp.*172.19..*" -or $_.message -match "DestinationIp.*172.20..*" -or $_.message -match "DestinationIp.*172.21..*" -or $_.message -match "DestinationIp.*172.22..*" -or $_.message -match "DestinationIp.*172.23..*" -or $_.message -match "DestinationIp.*172.24..*" -or $_.message -match "DestinationIp.*172.25..*" -or $_.message -match "DestinationIp.*172.26..*" -or $_.message -match "DestinationIp.*172.27..*" -or $_.message -match "DestinationIp.*172.28..*" -or $_.message -match "DestinationIp.*172.29..*" -or $_.message -match "DestinationIp.*172.30..*" -or $_.message -match "DestinationIp.*172.31..*" -or $_.message -match "DestinationIp.*127..*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_runkey_winekey.ps1 b/Rules/sigma_tmp/sysmon_runkey_winekey.ps1
new file mode 100644
index 00000000..e5a82e2c
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_runkey_winekey.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Backup Mgr")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_runonce_persistence.ps1 b/Rules/sigma_tmp/sysmon_runonce_persistence.ps1
new file mode 100644
index 00000000..778d4f91
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_runonce_persistence.ps1
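Review bot: The private-address exclusions in the sysmon_rundll32_net_connections hunk are far broader than the RFC 1918 and loopback ranges they stand for: `DestinationIp.*10..*` is satisfied by any destination containing `10` (for example `203.0.113.10`), and `DestinationIp.*172.16..*` only needs `172`, any character, `16`, because the dots are unescaped and Sigma's `startswith` became a contains. Each such false exclusion hides exactly the outbound rundll32 connection the rule exists to surface. One anchored pattern replaces the nineteen alternatives, assuming the rendered field is `DestinationIp: <addr>`: `-not ($_.message -match "DestinationIp: (10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)")`.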
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components.*" -and $_.message -match "TargetObject.*.*\\StubPath") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_scrcons_imageload_wmi_scripteventconsumer.ps1 b/Rules/sigma_tmp/sysmon_scrcons_imageload_wmi_scripteventconsumer.ps1
new file mode 100644
index 00000000..babc75dc
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_scrcons_imageload_wmi_scripteventconsumer.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and $_.message -match "Image.*.*\\scrcons.exe" -and ($_.message -match "ImageLoaded.*.*\\vbscript.dll" -or $_.message -match "ImageLoaded.*.*\\wbemdisp.dll" -or $_.message -match "ImageLoaded.*.*\\wshom.ocx" -or $_.message -match "ImageLoaded.*.*\\scrrun.dll")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_sdclt_child_process.ps1 b/Rules/sigma_tmp/sysmon_sdclt_child_process.ps1
new file mode 100644
index 00000000..2aa8386a
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_sdclt_child_process.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\sdclt.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_spoolsv_dll_load.ps1 b/Rules/sigma_tmp/sysmon_spoolsv_dll_load.ps1
new file mode 100644
index 00000000..573ff710
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_spoolsv_dll_load.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and ($_.message -match "Image.*.*spoolsv.exe") -and ($_.message -match "ImageLoaded.*.*\\Windows\\System32\\spool\\drivers\\x64\\3\\.*") -and ($_.message -match "ImageLoaded.*.*.dll")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_ssp_added_lsa_config.ps1 b/Rules/sigma_tmp/sysmon_ssp_added_lsa_config.ps1
new file mode 100644
index 00000000..f9aaf5a8
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_ssp_added_lsa_config.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Security Packages" -or $_.message -match "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages") -and -not ($_.message -match "Image.*C:\\Windows\\system32\\msiexec.exe" -or $_.message -match "Image.*C:\\Windows\\syswow64\\MsiExec.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_startup_folder_file_write.ps1 b/Rules/sigma_tmp/sysmon_startup_folder_file_write.ps1
new file mode 100644
index 00000000..f0e299eb
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_startup_folder_file_write.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_stickykey_like_backdoor.ps1 b/Rules/sigma_tmp/sysmon_stickykey_like_backdoor.ps1
new file mode 100644
index 00000000..57d52003
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_stickykey_like_backdoor.ps1
@@ -0,0 +1,2 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\\Debugger" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe\\Debugger" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\\Debugger" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\\Debugger" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DisplaySwitch.exe\\Debugger")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\winlogon.exe" -and $_.message -match "Image.*.*\\cmd.exe" -and ($_.message -match "CommandLine.*.*sethc.exe.*" -or $_.message -match "CommandLine.*.*utilman.exe.*" -or $_.message -match "CommandLine.*.*osk.exe.*" -or $_.message -match "CommandLine.*.*Magnify.exe.*" -or $_.message -match "CommandLine.*.*Narrator.exe.*" -or $_.message -match "CommandLine.*.*DisplaySwitch.exe.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_susp_adsi_cache_usage.ps1 b/Rules/sigma_tmp/sysmon_susp_adsi_cache_usage.ps1
new file mode 100644
index 00000000..af451d33
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_susp_adsi_cache_usage.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "11") -and ($_.message -match "TargetFilename.*.*\\Local\\Microsoft\\Windows\\SchCache\\.*" -and $_.message -match "TargetFilename.*.*.sch") -and -not (($_.message -match "C:\\windows\\system32\\svchost.exe" -or $_.message -match "C:\\windows\\system32\\dllhost.exe" -or $_.message -match "C:\\windows\\system32\\mmc.exe" -or $_.message -match "C:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe" -or $_.message -match "C:\\Windows\\CCM\\CcmExec.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_susp_atbroker_change.ps1 b/Rules/sigma_tmp/sysmon_susp_atbroker_change.ps1
new file mode 100644
index 00000000..a2f2c4d0
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_susp_atbroker_change.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "TargetObject.*.*Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs.*" -or $_.message -match "TargetObject.*.*Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\Configuration.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_susp_clr_logs.ps1 b/Rules/sigma_tmp/sysmon_susp_clr_logs.ps1
new file mode 100644
index 00000000..7b5d8c50
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_susp_clr_logs.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*\\AppData\\Local\\Microsoft\\CLR.*" -and $_.message -match "TargetFilename.*.*\\UsageLogs\\.*" -and ($_.message -match "TargetFilename.*.*mshta.*" -or $_.message -match "TargetFilename.*.*cscript.*" -or $_.message -match "TargetFilename.*.*wscript.*" -or $_.message -match "TargetFilename.*.*regsvr32.*" -or $_.message -match "TargetFilename.*.*wmic.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_susp_cobaltstrike_pipe_patterns.ps1 b/Rules/sigma_tmp/sysmon_susp_cobaltstrike_pipe_patterns.ps1
new file mode 100644
index 00000000..beb3fc19
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_susp_cobaltstrike_pipe_patterns.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "17" -or $_.ID -eq "18") -and ($_.message -match "PipeName.*\\mojo.5688.8052.183894939787088877.*" -or $_.message -match "PipeName.*\\mojo.5688.8052.35780273329370473.*" -or $_.message -match "PipeName.*\\mypipe-f.*" -or $_.message -match "PipeName.*\\mypipe-h.*" -or $_.message -match "PipeName.*\\ntsvcs_.*" -or $_.message -match "PipeName.*\\scerpc_.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_susp_desktop_ini.ps1 b/Rules/sigma_tmp/sysmon_susp_desktop_ini.ps1
new file mode 100644
index 00000000..fad3b17c
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_susp_desktop_ini.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "11") -and $_.message -match "TargetFilename.*.*\\desktop.ini" -and -not (($_.message -match "C:\\Windows\\explorer.exe" -or $_.message -match "C:\\Windows\\System32\\msiexec.exe" -or $_.message -match "C:\\Windows\\System32\\mmc.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_susp_download_run_key.ps1 b/Rules/sigma_tmp/sysmon_susp_download_run_key.ps1
new file mode 100644
index 00000000..dbe44515
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_susp_download_run_key.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "Image.*.*\\Downloads\\.*" -or $_.message -match "Image.*.*\\Temporary Internet Files\\Content.Outlook\\.*" -or $_.message -match "Image.*.*\\Local Settings\\Temporary Internet Files\\.*") -and $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_susp_driver_load.ps1 b/Rules/sigma_tmp/sysmon_susp_driver_load.ps1
new file mode 100644
index 00000000..ad490e22
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_susp_driver_load.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "6" -and $_.message -match "ImageLoaded.*.*\\Temp\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_susp_fax_dll.ps1 b/Rules/sigma_tmp/sysmon_susp_fax_dll.ps1
new file mode 100644
index 00000000..09f0bbd4
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_susp_fax_dll.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "7") -and (($_.message -match "Image.*.*fxssvc.exe") -and ($_.message -match "ImageLoaded.*.*ualapi.dll")) -and -not (($_.message -match "ImageLoaded.*C:\\Windows\\WinSxS\\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_susp_image_load.ps1 b/Rules/sigma_tmp/sysmon_susp_image_load.ps1
new file mode 100644
index 00000000..7fcb2c1a
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_susp_image_load.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and ($_.message -match "Image.*.*\\notepad.exe") -and ($_.message -match "ImageLoaded.*.*\\samlib.dll" -or $_.message -match "ImageLoaded.*.*\\WinSCard.dll")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_susp_lsass_dll_load.ps1 b/Rules/sigma_tmp/sysmon_susp_lsass_dll_load.ps1
new file mode 100644
index 00000000..b3e2839c
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_susp_lsass_dll_load.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt.*" -or $_.message -match "TargetObject.*.*\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_susp_mic_cam_access.ps1 b/Rules/sigma_tmp/sysmon_susp_mic_cam_access.ps1
new file mode 100644
index 00000000..4375d282
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_susp_mic_cam_access.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*\\Software\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\.*" -and $_.message -match "TargetObject.*.*\\NonPackaged.*" -and ($_.message -match "TargetObject.*.*microphone.*" -or $_.message -match "TargetObject.*.*webcam.*") -and ($_.message -match "TargetObject.*.*#C:#Windows#Temp#.*" -or $_.message -match "TargetObject.*.*#C:#$Recycle.bin#.*" -or $_.message -match "TargetObject.*.*#C:#Temp#.*" -or $_.message -match "TargetObject.*.*#C:#Users#Public#.*" -or $_.message -match "TargetObject.*.*#C:#Users#Default#.*" -or $_.message -match "TargetObject.*.*#C:#Users#Desktop#.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_susp_office_dotnet_assembly_dll_load.ps1 b/Rules/sigma_tmp/sysmon_susp_office_dotnet_assembly_dll_load.ps1
new file mode 100644
index 00000000..8faf9a47
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_susp_office_dotnet_assembly_dll_load.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and ($_.message -match "Image.*.*\\winword.exe" -or $_.message -match "Image.*.*\\powerpnt.exe" -or $_.message -match "Image.*.*\\excel.exe" -or $_.message -match "Image.*.*\\outlook.exe") -and ($_.message -match "ImageLoaded.*C:\\Windows\\assembly\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_susp_office_dotnet_clr_dll_load.ps1 b/Rules/sigma_tmp/sysmon_susp_office_dotnet_clr_dll_load.ps1
new file mode 100644
index 00000000..5b6d8672
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_susp_office_dotnet_clr_dll_load.ps1
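Review bot: `"TargetObject.*.*#C:#$Recycle.bin#.*"` in the sysmon_susp_mic_cam_access hunk is a double-quoted PowerShell string, so `$Recycle` is expanded as a variable (normally empty) before `-match` sees it, and the regex that actually runs is `TargetObject.*#C:#.bin#.*`, which never matches the Recycle Bin path the alternative is meant to cover. Use single quotes or escape the dollar: `$_.message -match 'TargetObject.*#C:#\$Recycle\.bin#'`.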
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and ($_.message -match "Image.*.*\\winword.exe" -or $_.message -match "Image.*.*\\powerpnt.exe" -or $_.message -match "Image.*.*\\excel.exe" -or $_.message -match "Image.*.*\\outlook.exe") -and ($_.message -match "ImageLoaded.*.*\\clr.dll.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_susp_office_dotnet_gac_dll_load.ps1 b/Rules/sigma_tmp/sysmon_susp_office_dotnet_gac_dll_load.ps1
new file mode 100644
index 00000000..30325b5f
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_susp_office_dotnet_gac_dll_load.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and ($_.message -match "Image.*.*\\winword.exe" -or $_.message -match "Image.*.*\\powerpnt.exe" -or $_.message -match "Image.*.*\\excel.exe" -or $_.message -match "Image.*.*\\outlook.exe") -and ($_.message -match "ImageLoaded.*C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_susp_office_dsparse_dll_load.ps1 b/Rules/sigma_tmp/sysmon_susp_office_dsparse_dll_load.ps1
new file mode 100644
index 00000000..2626b6b5
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_susp_office_dsparse_dll_load.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and ($_.message -match "Image.*.*\\winword.exe" -or $_.message -match "Image.*.*\\powerpnt.exe" -or $_.message -match "Image.*.*\\excel.exe" -or $_.message -match "Image.*.*\\outlook.exe") -and ($_.message -match "ImageLoaded.*.*\\dsparse.dll.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_susp_office_kerberos_dll_load.ps1 b/Rules/sigma_tmp/sysmon_susp_office_kerberos_dll_load.ps1
new file mode 100644
index 00000000..7a3602f1
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_susp_office_kerberos_dll_load.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and ($_.message -match "Image.*.*\\winword.exe" -or $_.message -match "Image.*.*\\powerpnt.exe" -or $_.message -match "Image.*.*\\excel.exe" -or $_.message -match "Image.*.*\\outlook.exe") -and ($_.message -match "ImageLoaded.*.*\\kerberos.dll")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_susp_pfx_file_creation.ps1 b/Rules/sigma_tmp/sysmon_susp_pfx_file_creation.ps1
new file mode 100644
index 00000000..af316864
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_susp_pfx_file_creation.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*.pfx") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_susp_plink_remote_forward.ps1 b/Rules/sigma_tmp/sysmon_susp_plink_remote_forward.ps1
new file mode 100644
index 00000000..4df07cb1
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_susp_plink_remote_forward.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Description.*Command-line SSH, Telnet, and Rlogin client" -and $_.message -match "CommandLine.*.* -R .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_susp_powershell_rundll32.ps1 b/Rules/sigma_tmp/sysmon_susp_powershell_rundll32.ps1
new file mode 100644
index 00000000..c7bd61f6
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_susp_powershell_rundll32.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "8" -and $_.message -match "SourceImage.*.*\\powershell.exe" -and $_.message -match "TargetImage.*.*\\rundll32.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
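Review bot: In the pfx_file_creation rule `"TargetFilename.*.*.pfx"` leaves the dot unescaped, so the check is "any character followed by pfx" rather than the literal extension `.pfx`; the same unescaped-dot translation appears in every hunk of this commit, and it matters most for short suffixes. Escape it, `$_.message -match 'TargetFilename.*\.pfx'`. The sysmon_sysinternals_sdelete_file_deletion hunk (`.AAA`/`.ZZZ`) and especially the sysmon_webshell_creation_detect hunk share the defect: there `TargetFilename.*.*.ph.*` fires on any file under wwwroot whose name contains `ph` preceded by one character, e.g. `graph.png`, and the `.asp`, `.ashx`, `.jsp` and `.pl` terms need the same `\.` fix.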
diff --git a/Rules/sigma_tmp/sysmon_susp_procexplorer_driver_created_in_tmp_folder.ps1 b/Rules/sigma_tmp/sysmon_susp_procexplorer_driver_created_in_tmp_folder.ps1
new file mode 100644
index 00000000..edb4f1d7
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_susp_procexplorer_driver_created_in_tmp_folder.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "11") -and ($_.message -match "TargetFilename.*.*\\AppData\\Local\\Temp\\.*" -and $_.message -match "TargetFilename.*.*PROCEXP152.sys") -and -not (($_.message -match "Image.*.*\\procexp64.exe.*" -or $_.message -match "Image.*.*\\procexp.exe.*" -or $_.message -match "Image.*.*\\procmon64.exe.*" -or $_.message -match "Image.*.*\\procmon.exe.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_susp_prog_location_network_connection.ps1 b/Rules/sigma_tmp/sysmon_susp_prog_location_network_connection.ps1
new file mode 100644
index 00000000..eff8d622
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_susp_prog_location_network_connection.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "3") -and (($_.message -match "Image.*.*\\Users\\All Users\\.*" -or $_.message -match "Image.*.*\\Users\\Default\\.*" -or $_.message -match "Image.*.*\\Users\\Public\\.*" -or $_.message -match "Image.*.*\\Users\\Contacts\\.*" -or $_.message -match "Image.*.*\\Users\\Searches\\.*" -or $_.message -match "Image.*.*\\config\\systemprofile\\.*" -or $_.message -match "Image.*.*\\Windows\\Fonts\\.*" -or $_.message -match "Image.*.*\\Windows\\IME\\.*" -or $_.message -match "Image.*.*\\Windows\\addins\\.*") -or ($_.message -match "Image.*.*\\$Recycle.bin") -or ($_.message -match "Image.*C:\\Perflogs\\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_susp_python_image_load.ps1 b/Rules/sigma_tmp/sysmon_susp_python_image_load.ps1
new file mode 100644
index 00000000..c52c74e8
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_susp_python_image_load.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and $_.message -match "Description.*Python Core") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_susp_rdp.ps1 b/Rules/sigma_tmp/sysmon_susp_rdp.ps1
new file mode 100644
index 00000000..04d247bf
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_susp_rdp.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "3") -and ($_.message -match "DestinationPort.*3389" -and $_.message -match "Initiated.*true") -and -not (($_.message -match "Image.*.*\\mstsc.exe" -or $_.message -match "Image.*.*\\RTSApp.exe" -or $_.message -match "Image.*.*\\RTS2App.exe" -or $_.message -match "Image.*.*\\RDCMan.exe" -or $_.message -match "Image.*.*\\ws_TunnelService.exe" -or $_.message -match "Image.*.*\\RSSensor.exe" -or $_.message -match "Image.*.*\\RemoteDesktopManagerFree.exe" -or $_.message -match "Image.*.*\\RemoteDesktopManager.exe" -or $_.message -match "Image.*.*\\RemoteDesktopManager64.exe" -or $_.message -match "Image.*.*\\mRemoteNG.exe" -or $_.message -match "Image.*.*\\mRemote.exe" -or $_.message -match "Image.*.*\\Terminals.exe" -or $_.message -match "Image.*.*\\spiceworks-finder.exe" -or $_.message -match "Image.*.*\\FSDiscovery.exe" -or $_.message -match "Image.*.*\\FSAssessment.exe" -or $_.message -match "Image.*.*\\MobaRTE.exe" -or $_.message -match "Image.*.*\\chrome.exe" -or $_.message -match "Image.*.*\\thor.exe" -or $_.message -match "Image.*.*\\thor64.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
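Review bot: In the sysmon_susp_rdp rule `"DestinationPort.*3389"` is an unbounded substring match, so ports such as 13389 or 33890 satisfy it as well; `-match` is a regex test, not an equality test. Anchoring the value, `$_.message -match 'DestinationPort:\s*3389\b'`, restricts the rule to the intended port, assuming the rendered message carries the field as `DestinationPort: 3389` on its own line. The sysmon_suspicious_outbound_kerberos_connection hunk has the same issue with `DestinationPort.*88`, where the two-digit needle matches far more ports (8088, 1880, 8888, …).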
diff --git a/Rules/sigma_tmp/sysmon_susp_reg_persist_explorer_run.ps1 b/Rules/sigma_tmp/sysmon_susp_reg_persist_explorer_run.ps1
new file mode 100644
index 00000000..5c57db1e
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_susp_reg_persist_explorer_run.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and $_.message -match "TargetObject.*.*\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run" -and (($_.message -match "Details.*C:\\Windows\\Temp\\.*" -or $_.message -match "Details.*C:\\ProgramData\\.*" -or $_.message -match "Details.*C:\\$Recycle.bin\\.*" -or $_.message -match "Details.*C:\\Temp\\.*" -or $_.message -match "Details.*C:\\Users\\Public\\.*" -or $_.message -match "Details.*C:\\Users\\Default\\.*") -or ($_.message -match "Details.*.*\\AppData\\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_susp_run_key_img_folder.ps1 b/Rules/sigma_tmp/sysmon_susp_run_key_img_folder.ps1
new file mode 100644
index 00000000..4f755962
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_susp_run_key_img_folder.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*" -or $_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\.*") -and (($_.message -match "Details.*.*C:\\Windows\\Temp\\.*" -or $_.message -match "Details.*.*C:\\$Recycle.bin\\.*" -or $_.message -match "Details.*.*C:\\Temp\\.*" -or $_.message -match "Details.*.*C:\\Users\\Public\\.*" -or $_.message -match "Details.*.*C:\\Users\\Default\\.*" -or $_.message -match "Details.*.*C:\\Users\\Desktop\\.*") -or ($_.message -match "Details.*%Public%\\.*" -or $_.message -match "Details.*wscript.*" -or $_.message -match "Details.*cscript.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_susp_script_dotnet_clr_dll_load.ps1 b/Rules/sigma_tmp/sysmon_susp_script_dotnet_clr_dll_load.ps1
new file mode 100644
index 00000000..df566968
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_susp_script_dotnet_clr_dll_load.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and ($_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\cscript.exe" -or $_.message -match "Image.*.*\\mshta.exe") -and ($_.message -match "ImageLoaded.*.*\\clr.dll" -or $_.message -match "ImageLoaded.*.*\\mscoree.dll" -or $_.message -match "ImageLoaded.*.*\\mscorlib.dll")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_susp_service_installed.ps1 b/Rules/sigma_tmp/sysmon_susp_service_installed.ps1
new file mode 100644
index 00000000..da0fda1a
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_susp_service_installed.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and (($_.message -match "HKLM\\System\\CurrentControlSet\\Services\\NalDrv\\ImagePath" -or $_.message -match "HKLM\\System\\CurrentControlSet\\Services\\PROCEXP152\\ImagePath") -and -not (($_.message -match "Image.*.*\\procexp64.exe" -or $_.message -match "Image.*.*\\procexp.exe" -or $_.message -match "Image.*.*\\procmon64.exe" -or $_.message -match "Image.*.*\\procmon.exe"))) -and -not (($_.message -match "Details.*.*\\WINDOWS\\system32\\Drivers\\PROCEXP152.SYS.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_susp_service_modification.ps1 b/Rules/sigma_tmp/sysmon_susp_service_modification.ps1
new file mode 100644
index 00000000..29fe64da
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_susp_service_modification.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*Stop-Service .*" -or $_.message -match "CommandLine.*.*Remove-Service .*") -and ($_.message -match "CommandLine.*.* McAfeeDLPAgentService.*" -or $_.message -match "CommandLine.*.* Trend Micro Deep Security Manager.*" -or $_.message -match "CommandLine.*.* TMBMServer.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_susp_system_drawing_load.ps1 b/Rules/sigma_tmp/sysmon_susp_system_drawing_load.ps1
new file mode 100644
index 00000000..ce252bef
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_susp_system_drawing_load.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "7") -and $_.message -match "ImageLoaded.*.*\\System.Drawing.ni.dll" -and -not ($_.message -match "Image.*.*\\WmiPrvSE.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_susp_webdav_client_execution.ps1 b/Rules/sigma_tmp/sysmon_susp_webdav_client_execution.ps1
new file mode 100644
index 00000000..ea73c893
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_susp_webdav_client_execution.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\rundll32.exe" -and $_.message -match "CommandLine.*.*C:\\windows\\system32\\davclnt.dll,DavSetCookie.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_susp_winword_vbadll_load.ps1 b/Rules/sigma_tmp/sysmon_susp_winword_vbadll_load.ps1
new file mode 100644
index 00000000..e3393816
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_susp_winword_vbadll_load.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and ($_.message -match "Image.*.*\\winword.exe" -or $_.message -match "Image.*.*\\powerpnt.exe" -or $_.message -match "Image.*.*\\excel.exe" -or $_.message -match "Image.*.*\\outlook.exe") -and ($_.message -match "ImageLoaded.*.*\\VBE7.DLL" -or $_.message -match "ImageLoaded.*.*\\VBEUI.DLL" -or $_.message -match "ImageLoaded.*.*\\VBE7INTL.DLL")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_susp_winword_wmidll_load.ps1 b/Rules/sigma_tmp/sysmon_susp_winword_wmidll_load.ps1
new file mode 100644
index 00000000..fe1c0eea
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_susp_winword_wmidll_load.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and ($_.message -match "Image.*.*\\winword.exe" -or $_.message -match "Image.*.*\\powerpnt.exe" -or $_.message -match "Image.*.*\\excel.exe" -or $_.message -match "Image.*.*\\outlook.exe") -and ($_.message -match "ImageLoaded.*.*\\wmiutils.dll" -or $_.message -match "ImageLoaded.*.*\\wbemcomn.dll" -or $_.message -match "ImageLoaded.*.*\\wbemprox.dll" -or $_.message -match "ImageLoaded.*.*\\wbemdisp.dll" -or $_.message -match "ImageLoaded.*.*\\wbemsvc.dll")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_suspicious_dbghelp_dbgcore_load.ps1 b/Rules/sigma_tmp/sysmon_suspicious_dbghelp_dbgcore_load.ps1
new file mode 100644
index 00000000..c5b637b3
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_suspicious_dbghelp_dbgcore_load.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "7") -and ((($_.ID -eq "7") -and (($_.message -match "ImageLoaded.*.*\\dbghelp.dll" -or $_.message -match "ImageLoaded.*.*\\dbgcore.dll") -and ($_.message -match "Image.*.*\\msbuild.exe" -or $_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\svchost.exe" -or $_.message -match "Image.*.*\\rundll32.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\word.exe" -or $_.message -match "Image.*.*\\excel.exe" -or $_.message -match "Image.*.*\\powerpnt.exe" -or $_.message -match "Image.*.*\\outlook.exe" -or $_.message -match "Image.*.*\\monitoringhost.exe" -or $_.message -match "Image.*.*\\wmic.exe" -or $_.message -match "Image.*.*\\bash.exe" -or $_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\cscript.exe" -or $_.message -match "Image.*.*\\mshta.exe" -or $_.message -match "Image.*.*\\regsvr32.exe" -or $_.message -match "Image.*.*\\schtasks.exe" -or $_.message -match "Image.*.*\\dnx.exe" -or $_.message -match "Image.*.*\\regsvcs.exe" -or $_.message -match "Image.*.*\\sc.exe" -or $_.message -match "Image.*.*\\scriptrunner.exe")) -and -not ($_.message -match "Image.*.*Visual Studio.*")) -or (($_.ID -eq "7") -and (($_.message -match "ImageLoaded.*.*\\dbghelp.dll" -or $_.message -match "ImageLoaded.*.*\\dbgcore.dll") -and $_.message -match "Signed.*FALSE") -and -not ($_.message -match "Image.*.*Visual Studio.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_suspicious_keyboard_layout_load.ps1 b/Rules/sigma_tmp/sysmon_suspicious_keyboard_layout_load.ps1
new file mode 100644
index 00000000..6e79edc5
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_suspicious_keyboard_layout_load.ps1
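Review bot: The dbghelp/dbgcore filter repeats `($_.ID -eq "7")` three times, evaluates the `ImageLoaded.*.*\\dbghelp.dll` / `dbgcore.dll` pair in both branches of the `-or`, and applies the identical `-not ($_.message -match "Image.*.*Visual Studio.*")` exclusion to each branch, which hides the intent and re-scans the message for the same patterns per event. Hoisting the shared terms gives a single condition of the form `$_.ID -eq "7" -and $_.message -match 'ImageLoaded.*\\dbg(help|core)\.dll' -and -not ($_.message -match 'Image.*Visual Studio') -and (<image list> -or $_.message -match 'Signed.*FALSE')`, which has the same truth table. The unescaped dots in the image names are the same translation artefact as in the rest of this commit.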
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*\\Keyboard Layout\\Preload\\.*" -or $_.message -match "TargetObject.*.*\\Keyboard Layout\\Substitutes\\.*") -and ($_.message -match "Details.*.*00000429.*" -or $_.message -match "Details.*.*00050429.*" -or $_.message -match "Details.*.*0000042a.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_suspicious_outbound_kerberos_connection.ps1 b/Rules/sigma_tmp/sysmon_suspicious_outbound_kerberos_connection.ps1
new file mode 100644
index 00000000..84fd6e6a
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_suspicious_outbound_kerberos_connection.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "3") -and ($_.message -match "DestinationPort.*88" -and $_.message -match "Initiated.*true") -and -not (($_.message -match "Image.*.*\\lsass.exe" -or $_.message -match "Image.*.*\\opera.exe" -or $_.message -match "Image.*.*\\chrome.exe" -or $_.message -match "Image.*.*\\firefox.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_suspicious_remote_thread.ps1 b/Rules/sigma_tmp/sysmon_suspicious_remote_thread.ps1
new file mode 100644
index 00000000..bcfeba56
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_suspicious_remote_thread.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "8") -and ($_.message -match "SourceImage.*.*\\bash.exe" -or $_.message -match "SourceImage.*.*\\cvtres.exe" -or $_.message -match "SourceImage.*.*\\defrag.exe" -or $_.message -match "SourceImage.*.*\\dnx.exe" -or $_.message -match "SourceImage.*.*\\esentutl.exe" -or $_.message -match "SourceImage.*.*\\excel.exe" -or $_.message -match "SourceImage.*.*\\expand.exe" -or $_.message -match "SourceImage.*.*\\explorer.exe" -or $_.message -match "SourceImage.*.*\\find.exe" -or $_.message -match "SourceImage.*.*\\findstr.exe" -or $_.message -match "SourceImage.*.*\\forfiles.exe" -or $_.message -match "SourceImage.*.*\\git.exe" -or $_.message -match "SourceImage.*.*\\gpupdate.exe" -or $_.message -match "SourceImage.*.*\\hh.exe" -or $_.message -match "SourceImage.*.*\\iexplore.exe" -or $_.message -match "SourceImage.*.*\\installutil.exe" -or $_.message -match "SourceImage.*.*\\lync.exe" -or $_.message -match "SourceImage.*.*\\makecab.exe" -or $_.message -match "SourceImage.*.*\\mDNSResponder.exe" -or $_.message -match "SourceImage.*.*\\monitoringhost.exe" -or $_.message -match "SourceImage.*.*\\msbuild.exe" -or $_.message -match "SourceImage.*.*\\mshta.exe" -or $_.message -match "SourceImage.*.*\\msiexec.exe" -or $_.message -match "SourceImage.*.*\\mspaint.exe" -or $_.message -match "SourceImage.*.*\\outlook.exe" -or $_.message -match "SourceImage.*.*\\ping.exe" -or $_.message -match "SourceImage.*.*\\powerpnt.exe" -or $_.message -match "SourceImage.*.*\\powershell.exe" -or $_.message -match "SourceImage.*.*\\provtool.exe" -or $_.message -match "SourceImage.*.*\\python.exe" -or $_.message -match "SourceImage.*.*\\regsvr32.exe" -or $_.message -match "SourceImage.*.*\\robocopy.exe" -or $_.message -match "SourceImage.*.*\\runonce.exe" -or $_.message -match "SourceImage.*.*\\sapcimc.exe" -or $_.message -match "SourceImage.*.*\\schtasks.exe" -or $_.message -match 
"SourceImage.*.*\\smartscreen.exe" -or $_.message -match "SourceImage.*.*\\spoolsv.exe" -or $_.message -match "SourceImage.*.*\\tstheme.exe" -or $_.message -match "SourceImage.*.*\\userinit.exe" -or $_.message -match "SourceImage.*.*\\vssadmin.exe" -or $_.message -match "SourceImage.*.*\\vssvc.exe" -or $_.message -match "SourceImage.*.*\\w3wp.exe" -or $_.message -match "SourceImage.*.*\\winlogon.exe" -or $_.message -match "SourceImage.*.*\\winscp.exe" -or $_.message -match "SourceImage.*.*\\wmic.exe" -or $_.message -match "SourceImage.*.*\\word.exe" -or $_.message -match "SourceImage.*.*\\wscript.exe") -and -not ($_.message -match "SourceImage.*.*Visual Studio.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_svchost_cred_dump.ps1 b/Rules/sigma_tmp/sysmon_svchost_cred_dump.ps1
new file mode 100644
index 00000000..609b318a
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_svchost_cred_dump.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "10") -and ($_.message -match "TargetImage.*.*\\svchost.exe" -and $_.message -match "GrantedAccess.*0x143a") -and -not (($_.message -match "SourceImage.*.*\\services.exe" -or $_.message -match "SourceImage.*.*\\msiexec.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_svchost_dll_search_order_hijack.ps1 b/Rules/sigma_tmp/sysmon_svchost_dll_search_order_hijack.ps1
new file mode 100644
index 00000000..d0fbb71e
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_svchost_dll_search_order_hijack.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "7") -and (($_.message -match "Image.*.*\\svchost.exe") -and ($_.message -match "ImageLoaded.*.*\\tsmsisrv.dll" -or $_.message -match "ImageLoaded.*.*\\tsvipsrv.dll" -or $_.message -match "ImageLoaded.*.*\\wlbsctrl.dll")) -and -not (($_.message -match "ImageLoaded.*C:\\Windows\\WinSxS\\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_sysinternals_eula_accepted.ps1 b/Rules/sigma_tmp/sysmon_sysinternals_eula_accepted.ps1
new file mode 100644
index 00000000..59881ded
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_sysinternals_eula_accepted.ps1
@@ -0,0 +1,2 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*\\EulaAccepted") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.* -accepteula.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_sysinternals_sdelete_file_deletion.ps1 b/Rules/sigma_tmp/sysmon_sysinternals_sdelete_file_deletion.ps1
new file mode 100644
index 00000000..15d514a5
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_sysinternals_sdelete_file_deletion.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "23" -and ($_.message -match "TargetFilename.*.*.AAA" -or $_.message -match "TargetFilename.*.*.ZZZ")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_sysinternals_sdelete_registry_keys.ps1 b/Rules/sigma_tmp/sysmon_sysinternals_sdelete_registry_keys.ps1
new file mode 100644
index 00000000..9446b675
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_sysinternals_sdelete_registry_keys.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*\\Software\\Sysinternals\\SDelete.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_taskcache_entry.ps1 b/Rules/sigma_tmp/sysmon_taskcache_entry.ps1
new file mode 100644
index 00000000..72daf8fb
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_taskcache_entry.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "EventType.*SetValue" -and $_.message -match "TargetObject.*.*SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_tsclient_filewrite_startup.ps1 b/Rules/sigma_tmp/sysmon_tsclient_filewrite_startup.ps1
new file mode 100644
index 00000000..d59cded9
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_tsclient_filewrite_startup.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "Image.*.*\\mstsc.exe" -and $_.message -match "TargetFilename.*.*\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_tttracer_mod_load.ps1 b/Rules/sigma_tmp/sysmon_tttracer_mod_load.ps1
new file mode 100644
index 00000000..bf15575b
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_tttracer_mod_load.ps1
@@ -0,0 +1,2 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and ($_.message -match "ImageLoaded.*.*\\ttdrecord.dll" -or $_.message -match "ImageLoaded.*.*\\ttdwriter.dll" -or $_.message -match "ImageLoaded.*.*\\ttdloader.dll")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "ParentImage.*.*\\tttracer.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_uac_bypass_eventvwr.ps1 b/Rules/sigma_tmp/sysmon_uac_bypass_eventvwr.ps1
new file mode 100644
index 00000000..a5514d9c
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_uac_bypass_eventvwr.ps1
@@ -0,0 +1,2 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*HKU\\.*" -and $_.message -match "TargetObject.*.*\\mscfile\\shell\\open\\command") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and $_.message -match "ParentImage.*.*\\eventvwr.exe" -and -not ($_.message -match "Image.*.*\\mmc.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_uac_bypass_sdclt.ps1 b/Rules/sigma_tmp/sysmon_uac_bypass_sdclt.ps1
new file mode 100644
index 00000000..2bcc2834
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_uac_bypass_sdclt.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*HKU\\.*" -and $_.message -match "TargetObject.*.*_Classes\\exefile\\shell\\runas\\command\\isolatedCommand") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_uac_bypass_via_dism.ps1 b/Rules/sigma_tmp/sysmon_uac_bypass_via_dism.ps1
new file mode 100644
index 00000000..f21983c2
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_uac_bypass_via_dism.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and ($_.message -match "Image.*.*\\dism.exe") -and ($_.message -match "ImageLoaded.*.*\\dismcore.dll")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_uipromptforcreds_dlls.ps1 b/Rules/sigma_tmp/sysmon_uipromptforcreds_dlls.ps1
new file mode 100644
index 00000000..105973d1
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_uipromptforcreds_dlls.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "7") -and (($_.message -match "ImageLoaded.*.*\\credui.dll" -or $_.message -match "ImageLoaded.*.*\\wincredui.dll") -or ($_.message -match "credui.dll" -or $_.message -match "wincredui.dll"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_uninstall_crowdstrike_falcon.ps1 b/Rules/sigma_tmp/sysmon_uninstall_crowdstrike_falcon.ps1
new file mode 100644
index 00000000..83dc4696
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_uninstall_crowdstrike_falcon.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*\\WindowsSensor.exe.*" -and $_.message -match "CommandLine.*.* /uninstall.*" -and $_.message -match "CommandLine.*.* /quiet.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_unsigned_image_loaded_into_lsass.ps1 b/Rules/sigma_tmp/sysmon_unsigned_image_loaded_into_lsass.ps1
new file mode 100644
index 00000000..fab19bb4
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_unsigned_image_loaded_into_lsass.ps1
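Review bot: In the sysmon_uipromptforcreds_dlls rule the second alternative `($_.message -match "credui.dll" -or $_.message -match "wincredui.dll")` is unanchored, so it matches `credui.dll` appearing in any field of any ID 7 event (and already covers `wincredui.dll`), which makes the preceding `ImageLoaded.*.*\\credui.dll` / `wincredui.dll` alternatives redundant — the whole condition reduces to "message contains credui.dll". If the intent is to catch the loaded module, keep only the anchored form, `$_.message -match 'ImageLoaded.*\\(win)?credui\.dll'`; if the looser match is deliberate, drop the `ImageLoaded` pair instead so the rule reads as what it does.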
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and $_.message -match "Image.*.*\\lsass.exe" -and $_.message -match "Signed.*false") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_volume_shadow_copy_service_keys.ps1 b/Rules/sigma_tmp/sysmon_volume_shadow_copy_service_keys.ps1
new file mode 100644
index 00000000..15656469
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_volume_shadow_copy_service_keys.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and $_.message -match "TargetObject.*.*System\\CurrentControlSet\\Services\\VSS.*" -and -not ($_.message -match "TargetObject.*.*System\\CurrentControlSet\\Services\\VSS\\Start.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_vuln_dell_driver_load.ps1 b/Rules/sigma_tmp/sysmon_vuln_dell_driver_load.ps1
new file mode 100644
index 00000000..5e76f13a
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_vuln_dell_driver_load.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "6") -and ($_.message -match "ImageLoaded.*.*\\DBUtil_2_3.Sys.*" -or ($_.message -match "Hashes.*.*0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5.*" -or $_.message -match "Hashes.*.*c948ae14761095e4d76b55d9de86412258be7afd.*" -or $_.message -match "Hashes.*.*c996d7971c49252c582171d9380360f2.*" -or $_.message -match "Hashes.*.*ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1.*" -or $_.message -match "Hashes.*.*10b30bdee43b3a2ec4aa63375577ade650269d25.*" -or $_.message -match "Hashes.*.*d2fd132ab7bbc6bbb87a84f026fa0244.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_wab_dllpath_reg_change.ps1 b/Rules/sigma_tmp/sysmon_wab_dllpath_reg_change.ps1
new file mode 100644
index 00000000..bba75888
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_wab_dllpath_reg_change.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and $_.message -match "TargetObject.*.*\\Software\\Microsoft\\WAB\\DLLPath" -and -not ($_.message -match "Details.*%CommonProgramFiles%\\System\\wab32.dll")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_wdigest_enable_uselogoncredential.ps1 b/Rules/sigma_tmp/sysmon_wdigest_enable_uselogoncredential.ps1
new file mode 100644
index 00000000..7b3ce298
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_wdigest_enable_uselogoncredential.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*WDigest\\UseLogonCredential") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_webshell_creation_detect.ps1 b/Rules/sigma_tmp/sysmon_webshell_creation_detect.ps1
new file mode 100644
index 00000000..d11fc8f7
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_webshell_creation_detect.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "11") -and (((($_.ID -eq "11") -and ($_.message -match "TargetFilename.*.*\\inetpub\\wwwroot\\.*" -and ($_.message -match "TargetFilename.*.*.asp.*" -or $_.message -match "TargetFilename.*.*.ashx.*" -or $_.message -match "TargetFilename.*.*.ph.*")) -and -not (($_.message -match "TargetFilename.*.*\\AppData\\Local\\Temp\\.*" -or $_.message -match "TargetFilename.*.*\\Windows\\Temp\\.*"))) -or (($_.ID -eq "11") -and (($_.message -match "TargetFilename.*.*\\www\\.*" -or $_.message -match "TargetFilename.*.*\\htdocs\\.*" -or $_.message -match "TargetFilename.*.*\\html\\.*") -and $_.message -match "TargetFilename.*.*.ph.*") -and -not (($_.message -match "TargetFilename.*.*\\AppData\\Local\\Temp\\.*" -or $_.message -match "TargetFilename.*.*\\Windows\\Temp\\.*")))) -or (($_.ID -eq "11") -and ($_.message -match "TargetFilename.*.*.jsp" -or ($_.message -match "TargetFilename.*.*\\cgi-bin\\.*" -and $_.message -match "TargetFilename.*.*.pl.*")) -and -not (($_.message -match "TargetFilename.*.*\\AppData\\Local\\Temp\\.*" -or $_.message -match "TargetFilename.*.*\\Windows\\Temp\\.*"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_win_binary_github_com.ps1 b/Rules/sigma_tmp/sysmon_win_binary_github_com.ps1
new file mode 100644
index 00000000..13a176f3
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_win_binary_github_com.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "3" -and $_.message -match "Initiated.*true" -and ($_.message -match "DestinationHostname.*.*.github.com" -or $_.message -match "DestinationHostname.*.*.githubusercontent.com") -and $_.message -match "Image.*C:\\Windows\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_win_binary_susp_com.ps1 b/Rules/sigma_tmp/sysmon_win_binary_susp_com.ps1
new file mode 100644
index 00000000..00f496e4
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_win_binary_susp_com.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "3" -and $_.message -match "Initiated.*true" -and ($_.message -match "DestinationHostname.*.*dl.dropboxusercontent.com" -or $_.message -match "DestinationHostname.*.*.pastebin.com" -or $_.message -match "DestinationHostname.*.*.githubusercontent.com") -and $_.message -match "Image.*C:\\Windows\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_win_reg_persistence.ps1 b/Rules/sigma_tmp/sysmon_win_reg_persistence.ps1
new file mode 100644
index 00000000..6620701b
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_win_reg_persistence.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion.*") -and (($_.message -match "TargetObject.*.*\\Image File Execution Options\\.*" -and $_.message -match "TargetObject.*.*\\GlobalFlag.*") -or ($_.message -match "TargetObject.*.*SilentProcessExit\\.*" -and $_.message -match "TargetObject.*.*\\ReportingMode.*") -or ($_.message -match "TargetObject.*.*SilentProcessExit\\.*" -and $_.message -match "TargetObject.*.*\\MonitorProcess.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_win_reg_telemetry_persistence.ps1 b/Rules/sigma_tmp/sysmon_win_reg_telemetry_persistence.ps1
new file mode 100644
index 00000000..dcab1416
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_win_reg_telemetry_persistence.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ($_.message -match "TargetObject.*.*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController\\.*" -and $_.message -match "TargetObject.*.*\\Command.*" -and $_.message -match "Details.*.*.exe.*") -and -not (($_.message -match "Details.*.*\\system32\\CompatTelRunner.exe.*" -or $_.message -match "Details.*.*\\system32\\DeviceCensus.exe.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_windivert_driver_load.ps1 b/Rules/sigma_tmp/sysmon_windivert_driver_load.ps1
new file mode 100644
index 00000000..4c267625
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_windivert_driver_load.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "6" -and ($_.message -match "ImageLoaded.*.*\\WinDivert.sys.*" -or $_.message -match "ImageLoaded.*.*\\WinDivert64.sys.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_wmi_event_subscription.ps1 b/Rules/sigma_tmp/sysmon_wmi_event_subscription.ps1
new file mode 100644
index 00000000..a8b725ca
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_wmi_event_subscription.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "19" -or $_.ID -eq "20" -or $_.ID -eq "21")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_wmi_module_load.ps1 b/Rules/sigma_tmp/sysmon_wmi_module_load.ps1
new file mode 100644
index 00000000..b18ff68d
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_wmi_module_load.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "7") -and ($_.message -match "ImageLoaded.*.*\\wmiclnt.dll" -or $_.message -match "ImageLoaded.*.*\\WmiApRpl.dll" -or $_.message -match "ImageLoaded.*.*\\wmiprov.dll" -or $_.message -match "ImageLoaded.*.*\\wmiutils.dll" -or $_.message -match "ImageLoaded.*.*\\wbemcomn.dll" -or $_.message -match "ImageLoaded.*.*\\wbemprox.dll" -or $_.message -match "ImageLoaded.*.*\\WMINet_Utils.dll" -or $_.message -match "ImageLoaded.*.*\\wbemsvc.dll" -or $_.message -match "ImageLoaded.*.*\\fastprox.dll") -and -not (($_.message -match "Image.*.*\\WmiPrvSE.exe" -or $_.message -match "Image.*.*\\WmiApSrv.exe" -or $_.message -match "Image.*.*\\svchost.exe" -or $_.message -match "Image.*.*\\DeviceCensus.exe" -or $_.message -match "Image.*.*\\CompatTelRunner.exe" -or $_.message -match "Image.*.*\\sdiagnhost.exe" -or $_.message -match "Image.*.*\\SIHClient.exe" -or $_.message -match "Image.*.*\\ngentask.exe" -or $_.message -match "Image.*.*\\windows\\system32\\taskhostw.exe" -or $_.message -match "Image.*.*\\windows\\system32\\MoUsoCoreWorker.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_wmi_persistence_commandline_event_consumer.ps1 b/Rules/sigma_tmp/sysmon_wmi_persistence_commandline_event_consumer.ps1
new file mode 100644
index 00000000..3f460957
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_wmi_persistence_commandline_event_consumer.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and $_.message -match "Image.*C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" -and $_.message -match "ImageLoaded.*.*\\wbemcons.dll") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_wmi_persistence_script_event_consumer_write.ps1 b/Rules/sigma_tmp/sysmon_wmi_persistence_script_event_consumer_write.ps1
new file mode 100644
index 00000000..4def7346
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_wmi_persistence_script_event_consumer_write.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "Image.*C:\\WINDOWS\\system32\\wbem\\scrcons.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_wmi_susp_scripting.ps1 b/Rules/sigma_tmp/sysmon_wmi_susp_scripting.ps1
new file mode 100644
index 00000000..deb2827a
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_wmi_susp_scripting.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "19" -or $_.ID -eq "20" -or $_.ID -eq "21")) -and $_.ID -eq "20" -and (($_.message -match "Destination.*.*new-object.*" -and $_.message -match "Destination.*.*net.webclient.*" -and $_.message -match "Destination.*.*.downloadstring.*") -or ($_.message -match "Destination.*.*new-object.*" -and $_.message -match "Destination.*.*net.webclient.*" -and $_.message -match "Destination.*.*.downloadfile.*") -or ($_.message -match "Destination.*.* iex(.*" -or $_.message -match "Destination.*.*WScript.shell.*" -or $_.message -match "Destination.*.* -nop .*" -or $_.message -match "Destination.*.* -noprofile .*" -or $_.message -match "Destination.*.* -decode .*" -or $_.message -match "Destination.*.* -enc .*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_wmic_remote_xsl_scripting_dlls.ps1 b/Rules/sigma_tmp/sysmon_wmic_remote_xsl_scripting_dlls.ps1
new file mode 100644
index 00000000..cb843d6a
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_wmic_remote_xsl_scripting_dlls.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and $_.message -match "Image.*.*\\wmic.exe" -and ($_.message -match "ImageLoaded.*.*\\jscript.dll" -or $_.message -match "ImageLoaded.*.*\\vbscript.dll")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
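Review bot: In the sysmon_wmi_susp_scripting hunk the pattern `"Destination.*.* iex(.*"` is not a valid .NET regex — the `(` opens a group that is never closed — so `-match` throws a parse error on every event that reaches that term and the `iex(` branch can never produce a hit. Escape the parenthesis: `$_.message -match "Destination.*.* iex\(.*"`. The `$_.ID -eq "20"` test also makes the preceding `($_.ID -eq "19" -or ... "21")` group redundant; keeping only `$_.ID -eq "20"` states the intent (a consumer-to-filter binding) more clearly.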
diff --git a/Rules/sigma_tmp/sysmon_wmiprvse_wbemcomn_dll_hijack.ps1 b/Rules/sigma_tmp/sysmon_wmiprvse_wbemcomn_dll_hijack.ps1
new file mode 100644
index 00000000..bf11b3e9
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_wmiprvse_wbemcomn_dll_hijack.ps1
@@ -0,0 +1,2 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "Image.*System" -and $_.message -match "TargetFilename.*.*\\wbem\\wbemcomn.dll") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and $_.message -match "Image.*.*\\wmiprvse.exe" -and $_.message -match "ImageLoaded.*.*\\wbem\\wbemcomn.dll") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_wsman_provider_image_load.ps1 b/Rules/sigma_tmp/sysmon_wsman_provider_image_load.ps1
new file mode 100644
index 00000000..fd3b02c7
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_wsman_provider_image_load.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "7") -and ((($_.ID -eq "7") -and (($_.message -match "ImageLoaded.*.*\\WsmSvc.dll" -or $_.message -match "ImageLoaded.*.*\\WsmAuto.dll" -or $_.message -match "ImageLoaded.*.*\\Microsoft.WSMan.Management.ni.dll") -or ($_.message -match "WsmSvc.dll" -or $_.message -match "WSMANAUTOMATION.DLL" -or $_.message -match "Microsoft.WSMan.Management.dll")) -and -not ($_.message -match "Image.*.*\\powershell.exe")) -or ($_.message -match "Image.*.*\\svchost.exe" -and $_.message -match "OriginalFileName.*WsmWmiPl.dll"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/sysmon_wuauclt_network_connection.ps1 b/Rules/sigma_tmp/sysmon_wuauclt_network_connection.ps1
new file mode 100644
index 00000000..e4032493
--- /dev/null
+++ b/Rules/sigma_tmp/sysmon_wuauclt_network_connection.ps1
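Review bot: In the wbemcomn_dll_hijack hunk the first line's `Image.*System` is an unanchored substring, so it matches any image whose path contains "System" (e.g. `C:\Windows\System32\...`), not only the kernel pseudo-process `System` that the hijack rule is presumably keyed on. Since `$_.Message` is multi-line and .NET's `$` only anchors at the end of the string by default, use multiline mode: `$_.message -match "(?m)^Image: System\r?$"`. The second line also uses `Image.*.*\\wmiprvse.exe` without a directory, which is fine for the load check but means a renamed copy in another folder is still treated as the real WMI provider host.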
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "3" -and $_.message -match "Image.*.*wuauclt.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_CL_Invocation_LOLScript.ps1 b/Rules/sigma_tmp/win_CL_Invocation_LOLScript.ps1
new file mode 100644
index 00000000..d477ad20
--- /dev/null
+++ b/Rules/sigma_tmp/win_CL_Invocation_LOLScript.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*CL_Invocation.ps1.*" -and $_.message -match "CommandLine.*.*SyncInvoke.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_CL_Mutexverifiers_LOLScript.ps1 b/Rules/sigma_tmp/win_CL_Mutexverifiers_LOLScript.ps1
new file mode 100644
index 00000000..b44fefef
--- /dev/null
+++ b/Rules/sigma_tmp/win_CL_Mutexverifiers_LOLScript.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*CL_Mutexverifiers.ps1.*" -and $_.message -match "CommandLine.*.*runAfterCancelProcess.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_GPO_scheduledtasks.ps1 b/Rules/sigma_tmp/win_GPO_scheduledtasks.ps1
new file mode 100644
index 00000000..aa1d62bc
--- /dev/null
+++ b/Rules/sigma_tmp/win_GPO_scheduledtasks.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "5145" -and $_.message -match "ShareName.*\\.*\\SYSVOL" -and $_.message -match "RelativeTargetName.*.*ScheduledTasks.xml" -and ($_.message -match "Accesses.*.*WriteData.*" -or $_.message -match "Accesses.*.*%%4417.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_account_backdoor_dcsync_rights.ps1 b/Rules/sigma_tmp/win_account_backdoor_dcsync_rights.ps1
new file mode 100644
index 00000000..b4b5487a
--- /dev/null
+++ b/Rules/sigma_tmp/win_account_backdoor_dcsync_rights.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "5136" -and $_.message -match "AttributeLDAPDisplayName.*ntSecurityDescriptor" -and ($_.message -match "AttributeValue.*.*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2.*" -or $_.message -match "AttributeValue.*.*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2.*" -or $_.message -match "AttributeValue.*.*89e95b76-444d-4c62-991a-0facbeda640c.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_account_discovery.ps1 b/Rules/sigma_tmp/win_account_discovery.ps1
new file mode 100644
index 00000000..3f4cf021
--- /dev/null
+++ b/Rules/sigma_tmp/win_account_discovery.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "4661" -and ($_.message -match "SAM_USER" -or $_.message -match "SAM_GROUP")) -and (($_.message -match "ObjectName.*.*-512" -or $_.message -match "ObjectName.*.*-502" -or $_.message -match "ObjectName.*.*-500" -or $_.message -match "ObjectName.*.*-505" -or $_.message -match "ObjectName.*.*-519" -or $_.message -match "ObjectName.*.*-520" -or $_.message -match "ObjectName.*.*-544" -or $_.message -match "ObjectName.*.*-551" -or $_.message -match "ObjectName.*.*-555") -or ($_.message -match "ObjectName.*.*admin.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_ad_find_discovery.ps1 b/Rules/sigma_tmp/win_ad_find_discovery.ps1
new file mode 100644
index 00000000..64045600
--- /dev/null
+++ b/Rules/sigma_tmp/win_ad_find_discovery.ps1
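Review bot: The dcsync_rights hunk matches `AttributeLDAPDisplayName.*ntSecurityDescriptor` and `AttributeValue.*...` against `$_.message`, i.e. the rendered event text, but Security-log messages are rendered with display labels (for 5136 something like `LDAP Display Name:` / `Value:`) rather than the XML element names; if that holds for the DCs this will run against, the rule can never match, and the same applies to the other Security-log rules in this change that key on `SubjectUserName`, `TargetUserName`, `LogonType` and `ShareName`. Either pattern on the rendered labels or, more robustly, read the named fields from the XML, e.g. `$x = [xml]$_.ToXml(); ($x.Event.EventData.Data | where Name -eq 'AttributeLDAPDisplayName').'#text' -eq 'nTSecurityDescriptor'`. Please verify against one real 5136 before the rule is trusted for DCSync-rights backdoor detection.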
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*domainlist.*" -or $_.message -match "CommandLine.*.*trustdmp.*" -or $_.message -match "CommandLine.*.*dcmodes.*" -or $_.message -match "CommandLine.*.*adinfo.*" -or $_.message -match "CommandLine.*.* dclist .*" -or $_.message -match "CommandLine.*.*computer_pwdnotreqd.*" -or $_.message -match "CommandLine.*.*objectcategory=.*" -or $_.message -match "CommandLine.*.*-subnets -f.*" -or $_.message -match "CommandLine.*.*name=\"Domain Admins\".*" -or $_.message -match "CommandLine.*.*-sc u:.*" -or $_.message -match "CommandLine.*.*domainncs.*" -or $_.message -match "CommandLine.*.*dompol.*" -or $_.message -match "CommandLine.*.* oudmp .*" -or $_.message -match "CommandLine.*.*subnetdmp.*" -or $_.message -match "CommandLine.*.*gpodmp.*" -or $_.message -match "CommandLine.*.*fspdmp.*" -or $_.message -match "CommandLine.*.*users_noexpire.*" -or $_.message -match "CommandLine.*.*computers_active.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_ad_object_writedac_access.ps1 b/Rules/sigma_tmp/win_ad_object_writedac_access.ps1
new file mode 100644
index 00000000..9f8f2750
--- /dev/null
+++ b/Rules/sigma_tmp/win_ad_object_writedac_access.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "4662" -and $_.message -match "ObjectServer.*DS" -and $_.message -match "AccessMask.*0x40000" -and ($_.message -match "19195a5b-6da0-11d0-afd3-00c04fd930c9" -or $_.message -match "domainDNS")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_ad_replication_non_machine_account.ps1 b/Rules/sigma_tmp/win_ad_replication_non_machine_account.ps1
new file mode 100644
index 00000000..17328586
--- /dev/null
+++ b/Rules/sigma_tmp/win_ad_replication_non_machine_account.ps1
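Review bot: In the ad_find hunk, `"CommandLine.*.*name=\"Domain Admins\".*"` does not parse: PowerShell's escape character is the backtick and `\` is a literal, so the first `\"` closes the string and `Domain Admins\` is left as a bare word, which breaks the whole `where` script block and the file cannot run. Escape the inner quotes with backticks or double them, e.g. `$_.message -match "CommandLine.*.*name=`"Domain Admins`".*"`. Separately, short terms such as `adinfo`, `dompol` and `objectcategory=` are unanchored substrings of any command line; requiring `$_.message -match "Image.*\\adfind\.exe"` alongside them would keep the rule from firing on unrelated tooling.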
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "4662" -and $_.message -match "AccessMask.*0x100" -and ($_.message -match "Properties.*.*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2.*" -or $_.message -match "Properties.*.*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2.*" -or $_.message -match "Properties.*.*89e95b76-444d-4c62-991a-0facbeda640c.*")) -and -not ($_.message -match "SubjectUserName.*.*$" -or $_.message -match "SubjectUserName.*MSOL_.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_ad_user_enumeration.ps1 b/Rules/sigma_tmp/win_ad_user_enumeration.ps1
new file mode 100644
index 00000000..0bd354dd
--- /dev/null
+++ b/Rules/sigma_tmp/win_ad_user_enumeration.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "4662" -and ($_.message -match "ObjectType.*.*bf967aba-0de6-11d0-a285-00aa003049e2.*")) -and -not ($_.message -match "SubjectUserName.*.*$" -or $_.message -match "SubjectUserName.*MSOL_.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_admin_rdp_login.ps1 b/Rules/sigma_tmp/win_admin_rdp_login.ps1
new file mode 100644
index 00000000..00fcec9a
--- /dev/null
+++ b/Rules/sigma_tmp/win_admin_rdp_login.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "4624" -and $_.message -match "LogonType.*10" -and $_.message -match "AuthenticationPackageName.*Negotiate" -and $_.message -match "TargetUserName.*Admin.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_admin_share_access.ps1 b/Rules/sigma_tmp/win_admin_share_access.ps1
new file mode 100644
index 00000000..0c441c3d
--- /dev/null
+++ b/Rules/sigma_tmp/win_admin_share_access.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "5140" -and $_.message -match "ShareName.*Admin$") -and -not ($_.message -match "SubjectUserName.*.*$")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
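Review bot: In the ad_replication hunk the exclusion `-not ($_.message -match "SubjectUserName.*.*$" ...)` is meant to drop machine accounts whose name ends in `$`, but an unescaped `$` in a regex is the end-of-line anchor, so the pattern matches every message that contains `SubjectUserName` and the `-not` suppresses all events — the DCSync-replication rule can never fire. Escape it, `$_.message -match "SubjectUserName.*\$"` (PowerShell leaves `\$` untouched in a double-quoted string, so the regex sees a literal dollar; `$"` is not expanded either, which is why the bug parses silently). The user_enumeration and admin_share hunks on this line carry the same dead exclusion, and admin_share's `ShareName.*Admin$` needs `Admin\$` for the same reason.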
diff --git a/Rules/sigma_tmp/win_advanced_ip_scanner.ps1 b/Rules/sigma_tmp/win_advanced_ip_scanner.ps1
new file mode 100644
index 00000000..c90e9e3c
--- /dev/null
+++ b/Rules/sigma_tmp/win_advanced_ip_scanner.ps1
@@ -0,0 +1,2 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\advanced_ip_scanner.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*\\AppData\\Local\\Temp\\Advanced IP Scanner 2.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_alert_active_directory_user_control.ps1 b/Rules/sigma_tmp/win_alert_active_directory_user_control.ps1
new file mode 100644
index 00000000..d125f191
--- /dev/null
+++ b/Rules/sigma_tmp/win_alert_active_directory_user_control.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "4704" -and ($_.message -match ".*SeEnableDelegationPrivilege.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_alert_ad_user_backdoors.ps1 b/Rules/sigma_tmp/win_alert_ad_user_backdoors.ps1
new file mode 100644
index 00000000..7be44d6f
--- /dev/null
+++ b/Rules/sigma_tmp/win_alert_ad_user_backdoors.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(((((($_.ID -eq "4738" -and -not ($_.message -match "AllowedToDelegateTo.*-")) -and -not (-not AllowedToDelegateTo="*")) -or ($_.ID -eq "5136" -and $_.message -match "AttributeLDAPDisplayName.*msDS-AllowedToDelegateTo")) -or ($_.ID -eq "5136" -and $_.message -match "ObjectClass.*user" -and $_.message -match "AttributeLDAPDisplayName.*servicePrincipalName")) -or ($_.ID -eq "5136" -and $_.message -match "AttributeLDAPDisplayName.*msDS-AllowedToActOnBehalfOfOtherIdentity"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
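Review bot: In the ad_user_backdoors hunk, `-and -not (-not AllowedToDelegateTo="*")` is an untranslated Sigma fragment rather than PowerShell: `AllowedToDelegateTo="*"` is a bare word in expression context, so the `where` script block fails to parse and none of the four delegation/SPN backdoor checks ever run. The surrounding clause already carries the intent (a 4738 whose AllowedToDelegateTo is not `-`), so reduce it to `($_.ID -eq "4738" -and -not ($_.message -match "AllowedToDelegateTo.*-"))`. Note that `AllowedToDelegateTo.*-` also excludes any genuine SPN that contains a hyphen (e.g. `cifs/srv-01`); once the rendered 4738 layout is confirmed, anchor the dash instead, e.g. `AllowedToDelegateTo:\s*-\s*(\r?\n|$)`.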
diff --git a/Rules/sigma_tmp/win_alert_enable_weak_encryption.ps1 b/Rules/sigma_tmp/win_alert_enable_weak_encryption.ps1
new file mode 100644
index 00000000..4e5aa324
--- /dev/null
+++ b/Rules/sigma_tmp/win_alert_enable_weak_encryption.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "4738" -and ($_.message -match ".*DES.*" -or $_.message -match ".*Preauth.*" -or $_.message -match ".*Encrypted.*") -and ($_.message -match ".*Enabled.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_alert_lsass_access.ps1 b/Rules/sigma_tmp/win_alert_lsass_access.ps1
new file mode 100644
index 00000000..3d69c860
--- /dev/null
+++ b/Rules/sigma_tmp/win_alert_lsass_access.ps1
@@ -0,0 +1 @@
+Get-WinEvent | where {($_.ID -eq "1121" -and $_.message -match "Path.*.*\\lsass.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_alert_mimikatz_keywords.ps1 b/Rules/sigma_tmp/win_alert_mimikatz_keywords.ps1
new file mode 100644
index 00000000..df6d529a
--- /dev/null
+++ b/Rules/sigma_tmp/win_alert_mimikatz_keywords.ps1
@@ -0,0 +1 @@
+Get-WinEvent | where {($_.message -match ".*mimikatz.*" -or $_.message -match ".*mimilib.*" -or $_.message -match ".*<3 eo.oe.*" -or $_.message -match ".*eo.oe.kiwi.*" -or $_.message -match ".*privilege::debug.*" -or $_.message -match ".*sekurlsa::logonpasswords.*" -or $_.message -match ".*lsadump::sam.*" -or $_.message -match ".*mimidrv.sys.*" -or $_.message -match ".* p::d .*" -or $_.message -match ".* s::l .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_alert_ruler.ps1 b/Rules/sigma_tmp/win_alert_ruler.ps1
new file mode 100644
index 00000000..9d9a4a1a
--- /dev/null
+++ b/Rules/sigma_tmp/win_alert_ruler.ps1
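Review bot: In the lsass_access hunk `Get-WinEvent` is called with no `-LogName`, so the query depends on whatever the cmdlet does with no log specified rather than on the log that carries event 1121 — the Defender ASR "rule blocked" event, which lives in the Windows Defender operational channel. Name it explicitly: `Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" | where {($_.ID -eq "1121" -and $_.message -match "Path.*\\lsass\.exe") }`, and keep in mind that 1121 fires for every ASR rule, so the `lsass.exe` path match is the only thing tying it to credential dumping. The mimikatz_keywords hunk has the same missing `-LogName`, and regex-scanning `$_.message` across an unscoped event stream is also very slow; scoping it to the channels that can carry those strings (Sysmon, PowerShell, Security) would make it usable.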
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(((($_.ID -eq "4776") -and $_.message -match "Workstation.*RULER") -or (($_.ID -eq "4624" -or $_.ID -eq "4625") -and $_.message -match "WorkstationName.*RULER"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_applocker_file_was_not_allowed_to_run.ps1 b/Rules/sigma_tmp/win_applocker_file_was_not_allowed_to_run.ps1
new file mode 100644
index 00000000..188910d3
--- /dev/null
+++ b/Rules/sigma_tmp/win_applocker_file_was_not_allowed_to_run.ps1
@@ -0,0 +1 @@
+Get-WinEvent | where {(($_.message -match "Microsoft-Windows-AppLocker/MSI and Script" -or $_.message -match "Microsoft-Windows-AppLocker/EXE and DLL" -or $_.message -match "Microsoft-Windows-AppLocker/Packaged app-Deployment" -or $_.message -match "Microsoft-Windows-AppLocker/Packaged app-Execution") -and ($_.ID -eq "8004" -or $_.ID -eq "8007")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_apt29_thinktanks.ps1 b/Rules/sigma_tmp/win_apt_apt29_thinktanks.ps1
new file mode 100644
index 00000000..e5b63061
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_apt29_thinktanks.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*-noni.*" -and $_.message -match "CommandLine.*.*-ep.*" -and $_.message -match "CommandLine.*.*bypass.*" -and $_.message -match "CommandLine.*.*$.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_babyshark.ps1 b/Rules/sigma_tmp/win_apt_babyshark.ps1
new file mode 100644
index 00000000..bcfe03f4
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_babyshark.ps1
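Review bot: In the apt29_thinktanks hunk the last term `"CommandLine.*.*$.*"` is presumably meant to require a literal `$` (a PowerShell variable in the command line), but an unescaped `$` in a regex is the end-of-line anchor, so the term matches any line containing `CommandLine` and contributes nothing — the rule silently reduces to `-noni` + `-ep` + `bypass`. Write it as `$_.message -match "CommandLine.*\$"` so the regex engine sees a literal dollar. The applocker hunk on this line also calls `Get-WinEvent` with no `-LogName` and then matches the channel name inside `$_.message`; passing the four AppLocker channels to `-LogName` directly would be both correct and far cheaper.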
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "reg query \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\"" -or $_.message -match "CommandLine.*powershell.exe mshta.exe http.*" -or $_.message -match "cmd.exe /c taskkill /im cmd.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_bear_activity_gtr19.ps1 b/Rules/sigma_tmp/win_apt_bear_activity_gtr19.ps1
new file mode 100644
index 00000000..b327de18
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_bear_activity_gtr19.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\xcopy.exe" -and $_.message -match "CommandLine.*.*/S.*" -and $_.message -match "CommandLine.*.*/E.*" -and $_.message -match "CommandLine.*.*/C.*" -and $_.message -match "CommandLine.*.*/Q.*" -and $_.message -match "CommandLine.*.*/H.*" -and $_.message -match "CommandLine.*.*\\\.*") -or ($_.message -match "Image.*.*\\adexplorer.exe" -and $_.message -match "CommandLine.*.*-snapshot.*" -and $_.message -match "CommandLine.*.*\"\".*" -and $_.message -match "CommandLine.*.*c:\\users\\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_bluemashroom.ps1 b/Rules/sigma_tmp/win_apt_bluemashroom.ps1
new file mode 100644
index 00000000..bd0d4511
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_bluemashroom.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*\\AppData\\Local\\.*" -and ($_.message -match "CommandLine.*.*\\regsvr32.*" -or $_.message -match "CommandLine.*.*,DllEntry.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
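Review bot: In the babyshark hunk, `"reg query \"HKEY_CURRENT_USER\\...\\Default\""` does not parse: `\` is not an escape character in PowerShell, so the first `\"` terminates the string and `HKEY_CURRENT_USER...` becomes a bare word, which breaks the `where` script block for the whole file. Escape the inner quotes with backticks, `"reg query `"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default`""`, or double them (`""`); the bear_activity hunk on this line has the same problem in `"CommandLine.*.*\"\".*"`. In bear_activity, `"CommandLine.*.*\\\.*"` is also presumably meant to match a UNC `\\` prefix, but the regex engine reads it as one backslash followed by optional dots, which every Windows path satisfies; `"CommandLine.*\\\\.*"` (four backslashes, the regex for two literal ones) expresses the intent.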
diff --git a/Rules/sigma_tmp/win_apt_carbonpaper_turla.ps1 b/Rules/sigma_tmp/win_apt_carbonpaper_turla.ps1
new file mode 100644
index 00000000..25bbf8e3
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_carbonpaper_turla.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName System | where {($_.ID -eq "7045" -and ($_.message -match "srservice" -or $_.message -match "ipvpn" -or $_.message -match "hkmsvc")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_chafer_mar18.ps1 b/Rules/sigma_tmp/win_apt_chafer_mar18.ps1
new file mode 100644
index 00000000..b0cb6807
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_chafer_mar18.ps1
@@ -0,0 +1,4 @@
+Get-WinEvent -LogName System | where {($_.ID -eq "7045" -and ($_.message -match "SC Scheduled Scan" -or $_.message -match "UpdatMachine")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Security | where {($_.ID -eq "4698" -and ($_.message -match "SC Scheduled Scan" -or $_.message -match "UpdatMachine")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UMe" -or $_.message -match "TargetObject.*.*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UT")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*\\Service.exe.*" -and ($_.message -match "CommandLine.*.*i" -or $_.message -match "CommandLine.*.*u")) -or ($_.message -match "CommandLine.*.*\\microsoft\\Taskbar\\autoit3.exe" -or $_.message -match "CommandLine.*C:\\wsc.exe.*") -or ($_.message -match "Image.*.*\\Windows\\Temp\\DB\\.*" -and $_.message -match "Image.*.*.exe") -or ($_.message -match "CommandLine.*.*\\nslookup.exe.*" -and $_.message -match "CommandLine.*.*-q=TXT.*" -and $_.message -match "ParentImage.*.*\\Autoit.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_cloudhopper.ps1 b/Rules/sigma_tmp/win_apt_cloudhopper.ps1
new file mode 100644
index 00000000..fba0a403
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_cloudhopper.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\cscript.exe" -and $_.message -match "CommandLine.*.*.vbs.*" -and $_.message -match "CommandLine.*.*/shell.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
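Review bot: In the chafer hunk's fourth line, `($_.message -match "CommandLine.*.*i" -or $_.message -match "CommandLine.*.*u")` is satisfied by any command line that contains the letter i or u, so the `\Service.exe` clause fires on essentially every `Service.exe` launch rather than on the `Service.exe i` / `Service.exe u` install and uninstall invocations the IOC describes. Anchor the argument instead: `$_.message -match "CommandLine.*\\Service\.exe\s+[iu]\b"`. The registry line's `...\\CurrentVersion\\UMe` and `...\\UT` are likewise unanchored prefixes that also match longer key names such as `UMeXYZ`; if those names are exact, end them with `\b` or `(\r?\n|$)` so the patterns do not spill into unrelated keys.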
diff --git a/Rules/sigma_tmp/win_apt_dragonfly.ps1 b/Rules/sigma_tmp/win_apt_dragonfly.ps1
new file mode 100644
index 00000000..4a334504
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_dragonfly.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\crackmapexec.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_elise.ps1 b/Rules/sigma_tmp/win_apt_elise.ps1
new file mode 100644
index 00000000..6ecb145d
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_elise.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*C:\\Windows\\SysWOW64\\cmd.exe" -and $_.message -match "CommandLine.*.*\\Windows\\Caches\\NavShExt.dll .*") -or $_.message -match "CommandLine.*.*\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll,Setting")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_emissarypanda_sep19.ps1 b/Rules/sigma_tmp/win_apt_emissarypanda_sep19.ps1
new file mode 100644
index 00000000..0e42536e
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_emissarypanda_sep19.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\sllauncher.exe" -and $_.message -match "Image.*.*\\svchost.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_empiremonkey.ps1 b/Rules/sigma_tmp/win_apt_empiremonkey.ps1
new file mode 100644
index 00000000..2050fee1
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_empiremonkey.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*/i:%APPDATA%\\logs.txt scrobj.dll") -and (($_.message -match "Image.*.*\\cutil.exe") -or ($_.message -match "Microsoft(C) Registerserver"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_equationgroup_dll_u_load.ps1 b/Rules/sigma_tmp/win_apt_equationgroup_dll_u_load.ps1
new file mode 100644
index 00000000..6d0b9a2f
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_equationgroup_dll_u_load.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\rundll32.exe" -and $_.message -match "CommandLine.*.*,dll_u") -or $_.message -match "CommandLine.*.* -export dll_u .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_evilnum_jul20.ps1 b/Rules/sigma_tmp/win_apt_evilnum_jul20.ps1
new file mode 100644
index 00000000..580dc1c5
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_evilnum_jul20.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*regsvr32.*" -and $_.message -match "CommandLine.*.*/s.*" -and $_.message -match "CommandLine.*.*/i.*" -and $_.message -match "CommandLine.*.*\\AppData\\Roaming\\.*" -and $_.message -match "CommandLine.*.*.ocx.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_gallium.ps1 b/Rules/sigma_tmp/win_apt_gallium.ps1
new file mode 100644
index 00000000..65068269
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_gallium.ps1
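Review bot: In the empiremonkey hunk, `"Microsoft(C) Registerserver"` is a regex in which `(C)` is a capture group matching the single letter C, so the pattern only matches the text `MicrosoftC Registerserver` and the Description branch of the OR is dead; escape it as `"Microsoft\(C\) Registerserver"`. The evilnum hunk on this line has the opposite problem: `"CommandLine.*.*/s.*"` and `"CommandLine.*.*/i.*"` are substrings that any `/s` or `/i` (or `/install`, `/silent`) satisfies, so pairing them with word boundaries, `" /s\b"` and `" /i\b"`, keeps the regsvr32 `.ocx` rule from over-firing.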
@@ -0,0 +1,3 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "53a44c2396d15c3a03723fa5e5db54cafd527635" -or $_.message -match "9c5e496921e3bc882dc40694f1dcc3746a75db19" -or $_.message -match "aeb573accfd95758550cf30bf04f389a92922844" -or $_.message -match "79ef78a797403a4ed1a616c68e07fff868a8650a" -or $_.message -match "4f6f38b4cec35e895d91c052b1f5a83d665c2196" -or $_.message -match "1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d" -or $_.message -match "e841a63e47361a572db9a7334af459ddca11347a" -or $_.message -match "c28f606df28a9bc8df75a4d5e5837fc5522dd34d" -or $_.message -match "2e94b305d6812a9f96e6781c888e48c7fb157b6b" -or $_.message -match "dd44133716b8a241957b912fa6a02efde3ce3025" -or $_.message -match "8793bf166cb89eb55f0593404e4e933ab605e803" -or $_.message -match "a39b57032dbb2335499a51e13470a7cd5d86b138" -or $_.message -match "41cc2b15c662bc001c0eb92f6cc222934f0beeea" -or $_.message -match "d209430d6af54792371174e70e27dd11d3def7a7" -or $_.message -match "1c6452026c56efd2c94cea7e0f671eb55515edb0" -or $_.message -match "c6b41d3afdcdcaf9f442bbe772f5da871801fd5a" -or $_.message -match "4923d460e22fbbf165bbbaba168e5a46b8157d9f" -or $_.message -match "f201504bd96e81d0d350c3a8332593ee1c9e09de" -or $_.message -match "ddd2db1127632a2a52943a2fe516a2e7d05d70d2")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "257" -and ($_.message -match "asyspy256.ddns.net" -or $_.message -match "hotkillmail9sddcc.ddns.net" -or $_.message -match "rosaf112.ddns.net" -or $_.message -match "cvdfhjh1231.myftp.biz" -or $_.message -match "sz2016rose.ddns.net" -or $_.message -match "dffwescwer4325.myftp.biz" -or $_.message -match "cvdfhjh1231.ddns.net")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match 
"e570585edc69f9074cb5e8a790708336bd45ca0f") -and -not (($_.message -match "Image.*.*:\\Program Files(x86)\\.*" -or $_.message -match "Image.*.*:\\Program Files\\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_apt_greenbug_may20.ps1 b/Rules/sigma_tmp/win_apt_greenbug_may20.ps1 new file mode 100644 index 00000000..9d5334d9 --- /dev/null +++ b/Rules/sigma_tmp/win_apt_greenbug_may20.ps1 
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*bitsadmin.*" -and $_.message -match "CommandLine.*.*/transfer.*" -and $_.message -match "CommandLine.*.*CSIDL_APPDATA.*") -or ($_.message -match "CommandLine.*.*CSIDL_SYSTEM_DRIVE.*") -or ($_.message -match "CommandLine.*.*\\msf.ps1.*" -or $_.message -match "CommandLine.*.*8989 -e cmd.exe.*" -or $_.message -match "CommandLine.*.*system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill.*" -or $_.message -match "CommandLine.*.*-nop -w hidden -c $k=new-object.*" -or $_.message -match "CommandLine.*.*[Net.CredentialCache]::DefaultCredentials;IEX .*" -or $_.message -match "CommandLine.*.* -nop -w hidden -c $m=new-object net.webclient;$m.*" -or $_.message -match "CommandLine.*.*-noninteractive -executionpolicy bypass whoami.*" -or $_.message -match "CommandLine.*.*-noninteractive -executionpolicy bypass netstat -a.*" -or $_.message -match "CommandLine.*.*L3NlcnZlc.*") -or ($_.message -match "Image.*.*\\adobe\\Adobe.exe" -or $_.message -match "Image.*.*\\oracle\\local.exe" -or $_.message -match "Image.*.*\\revshell.exe" -or $_.message -match "Image.*.*infopagesbackup\\ncat.exe" -or $_.message -match "Image.*.*CSIDL_SYSTEM\\cmd.exe" -or $_.message -match "Image.*.*\\programdata\\oracle\\java.exe" -or $_.message -match "Image.*.*CSIDL_COMMON_APPDATA\\comms\\comms.exe" -or $_.message -match "Image.*.*\\Programdata\\VMware\\Vmware.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_hafnium.ps1 b/Rules/sigma_tmp/win_apt_hafnium.ps1
new file mode 100644
index 00000000..303832f4
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_hafnium.ps1
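Review bot: Several patterns in the win_apt_greenbug_may20 hunk put `$cmd`, `$da`, `$k` and `$m` inside double-quoted strings, so PowerShell interpolates them (to empty unless those variables happen to exist in the session) before `-match` ever sees the pattern; what is left, e.g. `SqlDataAdapter(); [void].fill.*`, is then read as a regex in which `(`, `)` and `[void]` are metacharacters, and `[Net.CredentialCache]` in the next branch is likewise a one-character class, so none of those branches can match the command lines they describe. Use single-quoted patterns and escape the literal metacharacters, e.g. `'CommandLine.*system\.Data\.SqlClient\.SqlDataAdapter\(\$cmd\); \[void\]\$da\.fill.*'`. The same double-quoting defect affects win_apt_revil_kaseya (`$true` expands to `True`, so `-DisableRealtimeMonitoring $true` never matches the logged command line) and win_apt_turla_comrat_may20 (the backticks in `Fr`omBa`se6`4Str`ing` are consumed as escape characters, leaving `FromBase64String`, which does not match the obfuscated form the rule exists to catch). If these files come out of a converter, the fix belongs in its quoting of regex values rather than in the generated files.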
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*attrib.*" -and $_.message -match "CommandLine.*.* \+h .*" -and $_.message -match "CommandLine.*.* \+s .*" -and $_.message -match "CommandLine.*.* \+r .*" -and $_.message -match "CommandLine.*.*.aspx.*") -or ($_.message -match "CommandLine.*.*schtasks.*" -and $_.message -match "CommandLine.*.*VSPerfMon.*") -or ($_.message -match "CommandLine.*.*vssadmin list shadows.*" -and $_.message -match "CommandLine.*.*Temp\\__output.*") -or $_.message -match "CommandLine.*.*%TEMP%\\execute.bat.*" -or $_.message -match "Image.*.*Users\\Public\\opera\\Opera_browser.exe" -or ($_.message -match "Image.*.*Opera_browser.exe" -and ($_.message -match "ParentImage.*.*\\services.exe" -or $_.message -match "ParentImage.*.*\\svchost.exe")) -or $_.message -match "Image.*.*\\ProgramData\\VSPerfMon\\.*" -or ($_.message -match "CommandLine.*.* -t7z .*" -and $_.message -match "CommandLine.*.*C:\\Programdata\\pst.*" -and $_.message -match "CommandLine.*.*\\it.zip.*") -or ($_.message -match "Image.*.*\\makecab.exe" -and ($_.message -match "CommandLine.*.*Microsoft\\Exchange Server\\.*" -or $_.message -match "CommandLine.*.*inetpub\\wwwroot.*")) -or ($_.message -match "CommandLine.*.*\\Temp\\xx.bat.*" -or $_.message -match "CommandLine.*.*Windows\\WwanSvcdcs.*" -or $_.message -match "CommandLine.*.*Windows\\Temp\\cw.exe.*") -or ($_.message -match "CommandLine.*.*\\comsvcs.dll.*" -and $_.message -match "CommandLine.*.*Minidump.*" -and $_.message -match "CommandLine.*.*\\inetpub\\wwwroot.*") -or ($_.message -match "CommandLine.*.*dsquery.*" -and $_.message -match "CommandLine.*.* -uco .*" -and $_.message -match "CommandLine.*.*\\inetpub\\wwwroot.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_hurricane_panda.ps1 b/Rules/sigma_tmp/win_apt_hurricane_panda.ps1
new file mode 100644
index 00000000..922a427b
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_hurricane_panda.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*localgroup.*" -and $_.message -match "CommandLine.*.*admin.*" -and $_.message -match "CommandLine.*.*/add.*") -or ($_.message -match "CommandLine.*.*\\Win64.exe.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_judgement_panda_gtr19.ps1 b/Rules/sigma_tmp/win_apt_judgement_panda_gtr19.ps1
new file mode 100644
index 00000000..15f09bfb
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_judgement_panda_gtr19.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*eprod.ldf" -or ($_.message -match "CommandLine.*.*\\ldifde.exe -f -n .*" -or $_.message -match "CommandLine.*.*\\7za.exe a 1.7z .*" -or $_.message -match "CommandLine.*.*\\aaaa\\procdump64.exe.*" -or $_.message -match "CommandLine.*.*\\aaaa\\netsess.exe.*" -or $_.message -match "CommandLine.*.*\\aaaa\\7za.exe.*" -or $_.message -match "CommandLine.*.*copy .\\1.7z \\.*" -or $_.message -match "CommandLine.*.*copy \\client\\c$\\aaaa\\.*") -or $_.message -match "Image.*C:\\Users\\Public\\7za.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_ke3chang_regadd.ps1 b/Rules/sigma_tmp/win_apt_ke3chang_regadd.ps1
new file mode 100644
index 00000000..f4875308
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_ke3chang_regadd.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*-Property DWORD -name DisableFirstRunCustomize -value 2 -Force.*" -or $_.message -match "CommandLine.*.*-Property String -name Check_Associations -value.*" -or $_.message -match "CommandLine.*.*-Property DWORD -name IEHarden -value 0 -Force.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_lazarus_activity_apr21.ps1 b/Rules/sigma_tmp/win_apt_lazarus_activity_apr21.ps1
new file mode 100644
index 00000000..3ff6698b
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_lazarus_activity_apr21.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*mshta.*" -and $_.message -match "CommandLine.*.*.zip.*") -or (($_.message -match "C:\\Windows\\System32\\wbem\\wmiprvse.exe") -and ($_.message -match "C:\\Windows\\System32\\mshta.exe")) -or (($_.message -match "ParentImage.*.*:\\Users\\Public\\.*") -and ($_.message -match "C:\\Windows\\System32\\rundll32.exe")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_lazarus_activity_dec20.ps1 b/Rules/sigma_tmp/win_apt_lazarus_activity_dec20.ps1
new file mode 100644
index 00000000..66e771cf
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_lazarus_activity_dec20.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*reg.exe save hklm\\sam %temp%\\~reg_sam.save.*" -or $_.message -match "CommandLine.*.*1q2w3e4r@#$@#$@#$.*" -or $_.message -match "CommandLine.*.* -hp1q2w3e4 .*" -or $_.message -match "CommandLine.*.*.dat data03 10000 -p .*") -or ($_.message -match "CommandLine.*.*process call create.*" -and $_.message -match "CommandLine.*.* > %temp%\\~.*") -or ($_.message -match "CommandLine.*.*netstat -aon | find .*" -and $_.message -match "CommandLine.*.* > %temp%\\~.*") -or ($_.message -match "CommandLine.*.*.255 10 C:\\ProgramData\\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_lazarus_loader.ps1 b/Rules/sigma_tmp/win_apt_lazarus_loader.ps1
new file mode 100644
index 00000000..8da73459
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_lazarus_loader.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and (($_.message -match "CommandLine.*.*cmd.exe /c .*" -and $_.message -match "CommandLine.*.* -p 0x.*" -and ($_.message -match "CommandLine.*.*C:\\ProgramData\\.*" -or $_.message -match "CommandLine.*.*C:\\RECYCLER\\.*")) -or ($_.message -match "CommandLine.*.*rundll32.exe .*" -and $_.message -match "CommandLine.*.*C:\\ProgramData\\.*" -and ($_.message -match "CommandLine.*.*.bin,.*" -or $_.message -match "CommandLine.*.*.tmp,.*" -or $_.message -match "CommandLine.*.*.dat,.*" -or $_.message -match "CommandLine.*.*.io,.*" -or $_.message -match "CommandLine.*.*.ini,.*" -or $_.message -match "CommandLine.*.*.db,.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_lazarus_session_highjack.ps1 b/Rules/sigma_tmp/win_apt_lazarus_session_highjack.ps1
new file mode 100644
index 00000000..44e207e9
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_lazarus_session_highjack.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\msdtc.exe" -or $_.message -match "Image.*.*\\gpvc.exe") -and -not (($_.message -match "Image.*C:\\Windows\\System32\\.*" -or $_.message -match "Image.*C:\\Windows\\SysWOW64\\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_mustangpanda.ps1 b/Rules/sigma_tmp/win_apt_mustangpanda.ps1
new file mode 100644
index 00000000..87a38b39
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_mustangpanda.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*Temp\\wtask.exe /create.*" -or $_.message -match "CommandLine.*.*%windir:~-3,1%%PUBLIC:~-9,1%.*" -or $_.message -match "CommandLine.*.*/tn \"Security Script .*" -or $_.message -match "CommandLine.*.*%windir:~-1,1%.*") -or ($_.message -match "CommandLine.*.*/E:vbscript.*" -and $_.message -match "CommandLine.*.*C:\\Users\\.*" -and $_.message -match "CommandLine.*.*.txt.*" -and $_.message -match "CommandLine.*.*/F.*") -or $_.message -match "Image.*.*Temp\\winwsh.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_revil_kaseya.ps1 b/Rules/sigma_tmp/win_apt_revil_kaseya.ps1
new file mode 100644
index 00000000..c8567451
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_revil_kaseya.ps1
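Review bot: In the win_apt_mustangpanda hunk the pattern `"CommandLine.*.*/tn \"Security Script .*"` does not parse: backslash is not an escape character in PowerShell, so the inner `"` terminates the string and `Security` is then an unexpected token, which makes the entire one-liner fail to run rather than just that branch. Escape the quote the PowerShell way — `"CommandLine.*.*/tn `"Security Script .*"` or `""` doubling — or switch to a single-quoted pattern, `'CommandLine.*/tn "Security Script .*'`. The same `\"` construct breaks win_apt_sofacy (`.dat\",.*` and `.dll\",#1`) and win_apt_unc2452_ps (`process call create \"rundll32 …`), so those two rules never load either.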
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*C:\\Windows\\cert.exe.*" -or $_.message -match "CommandLine.*.*Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled.*" -or $_.message -match "CommandLine.*.*del /q /f c:\\kworking\\agent.crt.*" -or $_.message -match "CommandLine.*.*Kaseya VSA Agent Hot-fix.*" -or $_.message -match "CommandLine.*.*\\AppData\\Local\\Temp\\MsMpEng.exe.*" -or $_.message -match "CommandLine.*.*rmdir /s /q %SystemDrive%\\inetpub\\logs.*" -or $_.message -match "CommandLine.*.*del /s /q /f %SystemDrive%\\.*.log.*" -or $_.message -match "CommandLine.*.*c:\\kworking1\\agent.exe.*" -or $_.message -match "CommandLine.*.*c:\\kworking1\\agent.crt.*") -and ($_.message -match "C:\\Windows\\MsMpEng.exe" -or $_.message -match "C:\\Windows\\cert.exe" -or $_.message -match "C:\\kworking\\agent.exe" -or $_.message -match "C:\\kworking1\\agent.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_slingshot.ps1 b/Rules/sigma_tmp/win_apt_slingshot.ps1
new file mode 100644
index 00000000..359557fe
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_slingshot.ps1
@@ -0,0 +1,2 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\schtasks.exe" -and ($_.message -match "CommandLine.*.*/delete.*" -or $_.message -match "CommandLine.*.*/change.*") -and $_.message -match "CommandLine.*.*/TN.*" -and $_.message -match "CommandLine.*.*\\Microsoft\\Windows\\Defrag\\ScheduledDefrag.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Security | where {($_.ID -eq "4701" -and $_.message -match "TaskName.*\\Microsoft\\Windows\\Defrag\\ScheduledDefrag") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_sofacy.ps1 b/Rules/sigma_tmp/win_apt_sofacy.ps1
new file mode 100644
index 00000000..3ff43329
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_sofacy.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*rundll32.exe.*" -and $_.message -match "CommandLine.*.*%APPDATA%\\.*") -and ($_.message -match "CommandLine.*.*.dat\",.*" -or $_.message -match "CommandLine.*.*.dll\",#1")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_stonedrill.ps1 b/Rules/sigma_tmp/win_apt_stonedrill.ps1
new file mode 100644
index 00000000..f1fb48ac
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_stonedrill.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName System | where {($_.ID -eq "7045" -and $_.message -match "ServiceName.*NtsSrv" -and $_.Service File Name -eq "* LocalService") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_ta17_293a_ps.ps1 b/Rules/sigma_tmp/win_apt_ta17_293a_ps.ps1
new file mode 100644
index 00000000..01614c95
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_ta17_293a_ps.ps1
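Review bot: In the win_apt_stonedrill hunk, `$_.Service File Name -eq "* LocalService"` is not valid PowerShell — after `$_.Service` the bare token `File` is a parse error, so the whole query fails to load — and even with the property name quoted, `-eq` is an exact comparison in which `*` is a literal character, so it would never match (that needs `-like`). Get-WinEvent records do not expose event-data fields as properties anyway; the fix consistent with every other rule in this batch is to match on the rendered message, `$_.message -match "ServiceName.*NtsSrv" -and $_.message -match "Service File Name.*LocalService"`. win_cobaltstrike_service_installs uses the same `$_.Service File Name -eq "*…*"` construct in every branch of its ID 7045 filter and is broken in the same way.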
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*ps.exe -accepteula") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_ta505_dropper.ps1 b/Rules/sigma_tmp/win_apt_ta505_dropper.ps1
new file mode 100644
index 00000000..1d0b3639
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_ta505_dropper.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\mshta.exe" -and $_.message -match "ParentImage.*.*\\wmiprvse.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_taidoor.ps1 b/Rules/sigma_tmp/win_apt_taidoor.ps1
new file mode 100644
index 00000000..42fc1c1b
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_taidoor.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*dll,MyStart.*" -or $_.message -match "CommandLine.*.*dll MyStart.*") -or ($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* MyStart") -and ($_.message -match "CommandLine.*.*rundll32.exe.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_tropictrooper.ps1 b/Rules/sigma_tmp/win_apt_tropictrooper.ps1
new file mode 100644
index 00000000..84d66247
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_tropictrooper.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_turla_comrat_may20.ps1 b/Rules/sigma_tmp/win_apt_turla_comrat_may20.ps1
new file mode 100644
index 00000000..3a739233
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_turla_comrat_may20.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*tracert -h 10 yahoo.com.*" -or $_.message -match "CommandLine.*.*.WSqmCons))|iex;.*" -or $_.message -match "CommandLine.*.*Fr`omBa`se6`4Str`ing.*") -or ($_.message -match "CommandLine.*.*net use https://docs.live.net.*" -and $_.message -match "CommandLine.*.*@aol.co.uk.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_turla_service_png.ps1 b/Rules/sigma_tmp/win_apt_turla_service_png.ps1
new file mode 100644
index 00000000..176bb134
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_turla_service_png.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName System | where {($_.ID -eq "7045" -and $_.message -match "ServiceName.*WerFaultSvc") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_unc2452_cmds.ps1 b/Rules/sigma_tmp/win_apt_unc2452_cmds.ps1
new file mode 100644
index 00000000..6d1de99a
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_unc2452_cmds.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((((($_.message -match "CommandLine.*.*7z.exe a -v500m -mx9 -r0 -p.*") -or ($_.message -match "ParentCommandLine.*.*wscript.exe.*" -and $_.message -match "ParentCommandLine.*.*.vbs.*" -and $_.message -match "CommandLine.*.*rundll32.exe.*" -and $_.message -match "CommandLine.*.*C:\\Windows.*" -and $_.message -match "CommandLine.*.*.dll,Tk_.*")) -or ($_.message -match "ParentImage.*.*\\rundll32.exe" -and $_.message -match "ParentCommandLine.*.*C:\\Windows.*" -and $_.message -match "CommandLine.*.*cmd.exe /C .*")) -or ($_.message -match "CommandLine.*.*rundll32 c:\\windows\\.*" -and $_.message -match "CommandLine.*.*.dll .*")) -or (($_.ID -eq "1") -and ($_.message -match "ParentImage.*.*\\rundll32.exe" -and $_.message -match "Image.*.*\\dllhost.exe") -and -not (($_.message -match " " -or $_.message -match ""))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_unc2452_ps.ps1 b/Rules/sigma_tmp/win_apt_unc2452_ps.ps1
new file mode 100644
index 00000000..eaf6f7bd
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_unc2452_ps.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*Invoke-WMIMethod win32_process -name create -argumentlist.*" -and $_.message -match "CommandLine.*.*rundll32 c:\\windows.*") -or ($_.message -match "CommandLine.*.*wmic /node:.*" -and $_.message -match "CommandLine.*.*process call create \"rundll32 c:\\windows.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_unidentified_nov_18.ps1 b/Rules/sigma_tmp/win_apt_unidentified_nov_18.ps1
new file mode 100644
index 00000000..f0133ed6
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_unidentified_nov_18.ps1
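Review bot: In the win_apt_unc2452_cmds hunk the trailing exclusion `-not (($_.message -match " " -or $_.message -match ""))` can never be satisfied, because an empty pattern matches every string, so the rundll32-parent / dllhost-child branch is dead code and that part of the detection is silently lost. The Sigma source presumably had a filter whose field values did not survive conversion; either restore the intended filter from it or drop the `-not (...)` clause so the branch can fire. The nested `($_.ID -eq "1") -and` inside that branch is also redundant with the outer ID check and can go.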
@@ -0,0 +1,2 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*cyzfc.dat,.*" -and $_.message -match "CommandLine.*.*PointFunctionCall") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and ($_.message -match "TargetFilename.*.*ds7002.lnk.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_winnti_mal_hk_jan20.ps1 b/Rules/sigma_tmp/win_apt_winnti_mal_hk_jan20.ps1
new file mode 100644
index 00000000..ca05729a
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_winnti_mal_hk_jan20.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.message -match "ParentImage.*.*C:\\Windows\\Temp.*" -or $_.message -match "ParentImage.*.*\\hpqhvind.exe.*") -and $_.message -match "Image.*C:\\ProgramData\\DRM.*") -or ($_.message -match "ParentImage.*C:\\ProgramData\\DRM.*" -and $_.message -match "Image.*.*\\wmplayer.exe") -or ($_.message -match "ParentImage.*.*\\Test.exe" -and $_.message -match "Image.*.*\\wmplayer.exe") -or $_.message -match "Image.*C:\\ProgramData\\DRM\\CLR\\CLR.exe" -or ($_.message -match "ParentImage.*C:\\ProgramData\\DRM\\Windows.*" -and $_.message -match "Image.*.*\\SearchFilterHost.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_winnti_pipemon.ps1 b/Rules/sigma_tmp/win_apt_winnti_pipemon.ps1
new file mode 100644
index 00000000..e8dddd6f
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_winnti_pipemon.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*setup0.exe -p.*") -or ($_.message -match "CommandLine.*.*setup.exe.*" -and ($_.message -match "CommandLine.*.*-x:0" -or $_.message -match "CommandLine.*.*-x:1" -or $_.message -match "CommandLine.*.*-x:2")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_wocao.ps1 b/Rules/sigma_tmp/win_apt_wocao.ps1
new file mode 100644
index 00000000..1bf08b79
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_wocao.ps1
@@ -0,0 +1,2 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "4799" -and $_.message -match "TargetUserName.*Administr.*" -and $_.message -match "CallerProcessName.*.*\\checkadmin.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*checkadmin.exe 127.0.0.1 -all.*" -or $_.message -match "CommandLine.*.*netsh advfirewall firewall add rule name=powershell dir=in.*" -or $_.message -match "CommandLine.*.*cmd /c powershell.exe -ep bypass -file c:\\s.ps1.*" -or $_.message -match "CommandLine.*.*/tn win32times /f.*" -or $_.message -match "CommandLine.*.*create win32times binPath=.*" -or $_.message -match "CommandLine.*.*\\c$\\windows\\system32\\devmgr.dll.*" -or $_.message -match "CommandLine.*.* -exec bypass -enc JgAg.*" -or $_.message -match "CommandLine.*.*type .*keepass\\KeePass.config.xml.*" -or $_.message -match "CommandLine.*.*iie.exe iie.txt.*" -or $_.message -match "CommandLine.*.*reg query HKEY_CURRENT_USER\\Software\\.*\\PuTTY\\Sessions\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_apt_zxshell.ps1 b/Rules/sigma_tmp/win_apt_zxshell.ps1
new file mode 100644
index 00000000..06484f7f
--- /dev/null
+++ b/Rules/sigma_tmp/win_apt_zxshell.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\rundll32.exe") -and ($_.message -match "CommandLine.*.*zxFunction.*" -or $_.message -match "CommandLine.*.*RemoteDiskXXXXX.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_arbitrary_shell_execution_via_settingcontent.ps1 b/Rules/sigma_tmp/win_arbitrary_shell_execution_via_settingcontent.ps1
new file mode 100644
index 00000000..40039830
--- /dev/null
+++ b/Rules/sigma_tmp/win_arbitrary_shell_execution_via_settingcontent.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.message -match "CommandLine.*.*.SettingContent-ms.*" -and -not (($_.message -match "FilePath.*.*immersivecontrolpanel.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_atsvc_task.ps1 b/Rules/sigma_tmp/win_atsvc_task.ps1
new file mode 100644
index 00000000..0d6df6c4
--- /dev/null
+++ b/Rules/sigma_tmp/win_atsvc_task.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "5145" -and $_.message -match "ShareName.*\\.*\\IPC$" -and $_.message -match "RelativeTargetName.*atsvc" -and $_.message -match "Accesses.*.*WriteData.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_attrib_hiding_files.ps1 b/Rules/sigma_tmp/win_attrib_hiding_files.ps1
new file mode 100644
index 00000000..d22b30cf
--- /dev/null
+++ b/Rules/sigma_tmp/win_attrib_hiding_files.ps1
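Review bot: In the win_atsvc_task hunk the pattern `"ShareName.*\\.*\\IPC$"` ends in an unescaped `$`, which the .NET regex engine reads as an end-of-string anchor rather than a literal dollar sign, so the pattern only matches when `IPC` is the very last text of the rendered message — it is not, since the logged ShareName is `\\*\IPC$` and further fields follow it — and the rule never fires. Escape the dollar: `$_.message -match "ShareName.*\\.*\\IPC\$"` (PowerShell leaves `\$` untouched inside double quotes, and the regex then matches a literal `$`). The other two patterns in the hunk are unaffected.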
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\attrib.exe" -and $_.message -match "CommandLine.*.* \+h .*") -and -not ((($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*\\desktop.ini .*" -or ($_.message -match "ParentImage.*.*\\cmd.exe" -and $_.message -match "CommandLine.*\+R \+H \+S \+A \\.*.cui" -and $_.message -match "ParentCommandLine.*C:\\WINDOWS\\system32\\.*.bat"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_audit_cve.ps1 b/Rules/sigma_tmp/win_audit_cve.ps1
new file mode 100644
index 00000000..d4622353
--- /dev/null
+++ b/Rules/sigma_tmp/win_audit_cve.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Application | where {($_.message -match "Source.*Microsoft-Windows-Audit-CVE") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_av_relevant_match.ps1 b/Rules/sigma_tmp/win_av_relevant_match.ps1
new file mode 100644
index 00000000..97e27b14
--- /dev/null
+++ b/Rules/sigma_tmp/win_av_relevant_match.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Application | where {(($_.message -match ".*HTool-.*" -or $_.message -match ".*Hacktool.*" -or $_.message -match ".*ASP/Backdoor.*" -or $_.message -match ".*JSP/Backdoor.*" -or $_.message -match ".*PHP/Backdoor.*" -or $_.message -match ".*Backdoor.ASP.*" -or $_.message -match ".*Backdoor.JSP.*" -or $_.message -match ".*Backdoor.PHP.*" -or $_.message -match ".*Webshell.*" -or $_.message -match ".*Portscan.*" -or $_.message -match ".*Mimikatz.*" -or $_.message -match ".*WinCred.*" -or $_.message -match ".*PlugX.*" -or $_.message -match ".*Korplug.*" -or $_.message -match ".*Pwdump.*" -or $_.message -match ".*Chopper.*" -or $_.message -match ".*WmiExec.*" -or $_.message -match ".*Xscan.*" -or $_.message -match ".*Clearlog.*" -or $_.message -match ".*ASPXSpy.*") -and -not (($_.message -match ".*Keygen.*" -or $_.message -match ".*Crack.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_bad_opsec_sacrificial_processes.ps1 b/Rules/sigma_tmp/win_bad_opsec_sacrificial_processes.ps1
new file mode 100644
index 00000000..79f45fdf
--- /dev/null
+++ b/Rules/sigma_tmp/win_bad_opsec_sacrificial_processes.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*\\WerFault.exe" -or $_.message -match "CommandLine.*.*\\rundll32.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_bootconf_mod.ps1 b/Rules/sigma_tmp/win_bootconf_mod.ps1
new file mode 100644
index 00000000..4ef051dd
--- /dev/null
+++ b/Rules/sigma_tmp/win_bootconf_mod.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\bcdedit.exe" -and $_.message -match "CommandLine.*.*set.*") -and (($_.message -match "CommandLine.*.*bootstatuspolicy.*" -and $_.message -match "CommandLine.*.*ignoreallfailures.*") -or ($_.message -match "CommandLine.*.*recoveryenabled.*" -and $_.message -match "CommandLine.*.*no.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_bypass_squiblytwo.ps1 b/Rules/sigma_tmp/win_bypass_squiblytwo.ps1
new file mode 100644
index 00000000..663b9301
--- /dev/null
+++ b/Rules/sigma_tmp/win_bypass_squiblytwo.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*http.*" -and ((($_.message -match "Image.*.*\\wmic.exe") -and $_.message -match "CommandLine.*.*wmic.*" -and $_.message -match "CommandLine.*.*format.*") -or (($_.message -match "1B1A3F43BF37B5BFE60751F2EE2F326E" -or $_.message -match "37777A96245A3C74EB217308F3546F4C" -or $_.message -match "9D87C9D67CE724033C0B40CC4CA1B206") -and $_.message -match "CommandLine.*.*format:.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_camera_microphone_access.ps1 b/Rules/sigma_tmp/win_camera_microphone_access.ps1
new file mode 100644
index 00000000..f0514c62
--- /dev/null
+++ b/Rules/sigma_tmp/win_camera_microphone_access.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "4657" -or $_.ID -eq "4656" -or $_.ID -eq "4663") -and ($_.message -match "ObjectName.*.*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\microphone\\NonPackaged.*" -or $_.message -match "ObjectName.*.*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\webcam\\NonPackaged.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_change_default_file_association.ps1 b/Rules/sigma_tmp/win_change_default_file_association.ps1
new file mode 100644
index 00000000..96d830a6
--- /dev/null
+++ b/Rules/sigma_tmp/win_change_default_file_association.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*cmd.*" -and $_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*assoc.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_cmdkey_recon.ps1 b/Rules/sigma_tmp/win_cmdkey_recon.ps1
new file mode 100644
index 00000000..91193231
--- /dev/null
+++ b/Rules/sigma_tmp/win_cmdkey_recon.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\cmdkey.exe" -and $_.message -match "CommandLine.*.* /list.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_cmstp_com_object_access.ps1 b/Rules/sigma_tmp/win_cmstp_com_object_access.ps1
new file mode 100644
index 00000000..58670edf
--- /dev/null
+++ b/Rules/sigma_tmp/win_cmstp_com_object_access.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentCommandLine.*.*\\DllHost.exe .*" -and ($_.message -match "ParentCommandLine.*.*{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" -or $_.message -match "ParentCommandLine.*.*{3E000D72-A845-4CD9-BD83-80C07C3B881F}")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_cobaltstrike_process_patterns.ps1 b/Rules/sigma_tmp/win_cobaltstrike_process_patterns.ps1
new file mode 100644
index 00000000..527bbcac
--- /dev/null
+++ b/Rules/sigma_tmp/win_cobaltstrike_process_patterns.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*\\cmd.exe /C whoami.*" -and $_.message -match "ParentImage.*C:\\Temp.*") -or ($_.message -match "CommandLine.*.*conhost.exe 0xffffffff -ForceV1.*" -and ($_.message -match "ParentCommandLine.*.*/C whoami.*" -or $_.message -match "ParentCommandLine.*.*cmd.exe /C echo.*" -or $_.message -match "ParentCommandLine.*.* > \\.\\pipe.*")) -or (($_.message -match "CommandLine.*.*cmd.exe /c echo.*" -or $_.message -match "CommandLine.*.*> \\.\\pipe.*" -or $_.message -match "CommandLine.*.*\\whoami.exe.*") -and $_.message -match "ParentImage.*.*\\dllhost.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_cobaltstrike_service_installs.ps1 b/Rules/sigma_tmp/win_cobaltstrike_service_installs.ps1
new file mode 100644
index 00000000..c30a9c94
--- /dev/null
+++ b/Rules/sigma_tmp/win_cobaltstrike_service_installs.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName System | where {($_.ID -eq "7045" -and (($_.Service File Name -eq "*ADMIN$*" -and $_.Service File Name -eq "*.exe*") -or ($_.Service File Name -eq "*%COMSPEC%*" -and $_.Service File Name -eq "*start*" -and $_.Service File Name -eq "*powershell*") -or ($_.Service File Name -eq "*powershell -nop -w hidden -encodedcommand*") -or ($_.Service File Name -eq "*SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO*" -or $_.message -match "Service File Name.*.*lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT.*" -or $_.message -match "Service File Name.*.*JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_commandline_path_traversal.ps1 b/Rules/sigma_tmp/win_commandline_path_traversal.ps1
new file mode 100644
index 00000000..4f988533
--- /dev/null
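Review bot: `$_.Service File Name -eq "*ADMIN$*"` in win_cobaltstrike_service_installs.ps1 (and the seven sibling comparisons in the same where-block) is not parseable PowerShell: a property name containing spaces cannot be written bare after `$_.`, so the script block fails before any 7045 event is evaluated, and `-eq` would not treat `*` as a wildcard even if it parsed. The two `-match` terms at the end of the same hunk show the working form; rewrite each broken comparison that way, e.g. `$_.message -match "Service File Name.*ADMIN\$.*"` and `$_.message -match "Service File Name.*powershell -nop -w hidden -encodedcommand.*"`, with `$` escaped because it is a regex end anchor. The `%COMSPEC%`/`start`/`powershell` triple becomes three such `-match` terms joined with `-and`.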
+++ b/Rules/sigma_tmp/win_commandline_path_traversal.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentCommandLine.*.*cmd.*" -and $_.message -match "ParentCommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*/../../.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_control_panel_item.ps1 b/Rules/sigma_tmp/win_control_panel_item.ps1
new file mode 100644
index 00000000..c050b68b
--- /dev/null
+++ b/Rules/sigma_tmp/win_control_panel_item.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.ID -eq "1") -and $_.message -match "CommandLine.*.*.cpl" -and -not (($_.message -match "CommandLine.*.*\\System32\\.*" -or $_.message -match "CommandLine.*.*%System%.*"))) -or ($_.ID -eq "1" -and $_.message -match "Image.*.*\\reg.exe" -and $_.message -match "CommandLine.*.*add.*" -and ($_.message -match "CommandLine.*.*CurrentVersion\\Control Panel\\CPLs.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_copying_sensitive_files_with_credential_data.ps1 b/Rules/sigma_tmp/win_copying_sensitive_files_with_credential_data.ps1
new file mode 100644
index 00000000..ac4e4fa9
--- /dev/null
+++ b/Rules/sigma_tmp/win_copying_sensitive_files_with_credential_data.ps1
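Review bot: `CommandLine.*.*/../../.*` in win_commandline_path_traversal.ps1 does not test for the literal `/../../` it is meant to: in a regex `.` matches any character, so the clause also fires on any command line with two two-character path segments such as `/ab/cd/`. Escape the dots, `CommandLine.*/\.\./\.\./.*`. The same unescaped traversal pattern appears in win_crime_maze_ransomware.ps1 at L168, where `\\..\\..\\system32` should be `\\\.\.\\\.\.\\system32`.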
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\esentutl.exe" -and ($_.message -match "CommandLine.*.*vss.*" -or $_.message -match "CommandLine.*.* /m .*" -or $_.message -match "CommandLine.*.* /y .*")) -or ($_.message -match "CommandLine.*.*\\windows\\ntds\\ntds.dit.*" -or $_.message -match "CommandLine.*.*\\config\\sam.*" -or $_.message -match "CommandLine.*.*\\config\\security.*" -or $_.message -match "CommandLine.*.*\\config\\system .*" -or $_.message -match "CommandLine.*.*\\repair\\sam.*" -or $_.message -match "CommandLine.*.*\\repair\\system.*" -or $_.message -match "CommandLine.*.*\\repair\\security.*" -or $_.message -match "CommandLine.*.*\\config\\RegBack\\sam.*" -or $_.message -match "CommandLine.*.*\\config\\RegBack\\system.*" -or $_.message -match "CommandLine.*.*\\config\\RegBack\\security.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_credential_access_via_password_filter.ps1 b/Rules/sigma_tmp/win_credential_access_via_password_filter.ps1
new file mode 100644
index 00000000..c4d87cab
--- /dev/null
+++ b/Rules/sigma_tmp/win_credential_access_via_password_filter.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa.*" -and $_.message -match "CommandLine.*.*scecli\\0.*" -and $_.message -match "CommandLine.*.*reg add.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_crime_fireball.ps1 b/Rules/sigma_tmp/win_crime_fireball.ps1
new file mode 100644
index 00000000..8f34e7c2
--- /dev/null
+++ b/Rules/sigma_tmp/win_crime_fireball.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*rundll32.exe.*" -and $_.message -match "CommandLine.*.*InstallArcherSvc.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_crime_maze_ransomware.ps1 b/Rules/sigma_tmp/win_crime_maze_ransomware.ps1
new file mode 100644
index 00000000..4837f9d7
--- /dev/null
+++ b/Rules/sigma_tmp/win_crime_maze_ransomware.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.message -match "ParentImage.*.*\\WINWORD.exe") -and ($_.message -match "Image.*.*.tmp")) -or ($_.message -match "Image.*.*\\wmic.exe" -and $_.message -match "ParentImage.*.*\\Temp\\.*" -and $_.message -match "CommandLine.*.*shadowcopy delete") -or ($_.message -match "CommandLine.*.*shadowcopy delete" -and $_.message -match "CommandLine.*.*\\..\\..\\system32.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_crime_snatch_ransomware.ps1 b/Rules/sigma_tmp/win_crime_snatch_ransomware.ps1
new file mode 100644
index 00000000..eb8605fb
--- /dev/null
+++ b/Rules/sigma_tmp/win_crime_snatch_ransomware.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*shutdown /r /f /t 00.*" -or $_.message -match "CommandLine.*.*net stop SuperBackupMan.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_cve_2021_1675_printspooler.ps1 b/Rules/sigma_tmp/win_cve_2021_1675_printspooler.ps1
new file mode 100644
index 00000000..e09b1848
--- /dev/null
+++ b/Rules/sigma_tmp/win_cve_2021_1675_printspooler.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and ($_.message -match "TargetFilename.*.*C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\1\\123.*" -or $_.message -match "TargetFilename.*.*C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_cve_2021_1675_printspooler_del.ps1 b/Rules/sigma_tmp/win_cve_2021_1675_printspooler_del.ps1
new file mode 100644
index 00000000..8339a07b
--- /dev/null
+++ b/Rules/sigma_tmp/win_cve_2021_1675_printspooler_del.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "23" -and ($_.message -match "Image.*.*spoolsv.exe") -and ($_.message -match "TargetFilename.*.*C:\\Windows\\System32\\spool\\drivers\\x64\\3\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_data_compressed_with_rar.ps1 b/Rules/sigma_tmp/win_data_compressed_with_rar.ps1
new file mode 100644
index 00000000..d905dcaa
--- /dev/null
+++ b/Rules/sigma_tmp/win_data_compressed_with_rar.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\rar.exe" -and $_.message -match "CommandLine.*.* a .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_dce_rpc_smb_spoolss_named_pipe.ps1 b/Rules/sigma_tmp/win_dce_rpc_smb_spoolss_named_pipe.ps1
new file mode 100644
index 00000000..90fca184
--- /dev/null
+++ b/Rules/sigma_tmp/win_dce_rpc_smb_spoolss_named_pipe.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "5145" -and $_.message -match "ShareName.*\\.*\\IPC$" -and $_.message -match "RelativeTargetName.*spoolss") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
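Review bot: `ShareName.*\\.*\\IPC$` in win_dce_rpc_smb_spoolss_named_pipe.ps1 never tests for the `$` of `IPC$`: PowerShell keeps a `$` that is followed by `"` as a literal, so the regex engine receives it and treats it as an end-of-input anchor, and a multi-line 5145 message whose ShareName line is not the last line cannot match, leaving the rule silent. Escape it, `ShareName.*\\.*\\IPC\$`. The same unescaped `$` appears in win_exploit_cve_2021_1675_printspooler_Security.ps1 at L181, and in win_dcom_iertutil_dll_hijack.ps1 and win_dcsync.ps1 at L170, where `SubjectUserName.*.*$` is meant to exclude machine accounts ending in `$` but, read as an anchor, excludes nothing (or everything, should that line end the message).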
diff --git a/Rules/sigma_tmp/win_dcom_iertutil_dll_hijack.ps1 b/Rules/sigma_tmp/win_dcom_iertutil_dll_hijack.ps1
new file mode 100644
index 00000000..554ab1a8
--- /dev/null
+++ b/Rules/sigma_tmp/win_dcom_iertutil_dll_hijack.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "5145" -and $_.message -match "RelativeTargetName.*.*\\Internet Explorer\\iertutil.dll") -and -not ($_.message -match "SubjectUserName.*.*$")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_dcsync.ps1 b/Rules/sigma_tmp/win_dcsync.ps1
new file mode 100644
index 00000000..5b4eedeb
--- /dev/null
+++ b/Rules/sigma_tmp/win_dcsync.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(((($_.ID -eq "4662" -and ($_.message -match "Properties.*.*Replicating Directory Changes All.*" -or $_.message -match "Properties.*.*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2.*")) -and -not ($_.message -match "SubjectDomainName.*Window Manager")) -and -not (($_.message -match "SubjectUserName.*NT AUTHORITY.*" -or $_.message -match "SubjectUserName.*MSOL_.*"))) -and -not (($_.message -match "SubjectUserName.*.*$"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_defender_amsi_trigger.ps1 b/Rules/sigma_tmp/win_defender_amsi_trigger.ps1
new file mode 100644
index 00000000..a0af6c54
--- /dev/null
+++ b/Rules/sigma_tmp/win_defender_amsi_trigger.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Windows Defender/Operational | where {($_.ID -eq "1116" -and $_.message -match "DetectionSource.*AMSI") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_defender_bypass.ps1 b/Rules/sigma_tmp/win_defender_bypass.ps1
new file mode 100644
index 00000000..d801f745
--- /dev/null
+++ b/Rules/sigma_tmp/win_defender_bypass.ps1
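Review bot: `Get-WinEvent -LogName Microsoft-Windows-Windows Defender/Operational` in win_defender_amsi_trigger.ps1 splits on the space, so `Defender/Operational` arrives as a second positional argument and Get-WinEvent rejects the call before the filter runs. Quote the channel name, `Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational'`. The same unquoted name is in win_defender_disabled.ps1 at L171, win_defender_exclusions.ps1 and win_defender_history_delete.ps1 at L172 and win_defender_tamper_protection_trigger.ps1 and win_defender_threat.ps1 at L173, and `-LogName MSExchange Management` in win_exchange_TransportAgent_failed.ps1 and win_exchange_transportagent.ps1 at L177 fails the same way.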
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "4657" -or $_.ID -eq "4656" -or $_.ID -eq "4660" -or $_.ID -eq "4663") -and $_.message -match "ObjectName.*.*\\Microsoft\\Windows Defender\\Exclusions\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_defender_disabled.ps1 b/Rules/sigma_tmp/win_defender_disabled.ps1
new file mode 100644
index 00000000..2235fbcb
--- /dev/null
+++ b/Rules/sigma_tmp/win_defender_disabled.ps1
@@ -0,0 +1,3 @@
+Get-WinEvent -LogName Microsoft-Windows-Windows Defender/Operational | where {((($_.ID -eq "5001" -or $_.ID -eq "5010" -or $_.ID -eq "5012" -or $_.ID -eq "5101") -or (($_.message -match "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WinDefend" -or $_.message -match "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender" -or $_.message -match "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender") -and $_.message -match "Details.*DWORD (0x00000001)"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "EventType.*SetValue" -and $_.message -match "TargetObject.*HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware" -and $_.message -match "Details.*DWORD (0x00000001)") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7036" -and $_.message -match "Message.*The Windows Defender Antivirus Service service entered the stopped state") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_defender_exclusions.ps1 b/Rules/sigma_tmp/win_defender_exclusions.ps1
new file mode 100644
index 00000000..55858df7
--- /dev/null
+++ b/Rules/sigma_tmp/win_defender_exclusions.ps1
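Review bot: The third query in win_defender_disabled.ps1 looks for event 7036 ("service entered the stopped state") in Microsoft-Windows-Sysmon/Operational, but 7036 is a Service Control Manager event written to the System log, so that condition can never fire; change it to `Get-WinEvent -LogName System | where {($_.ID -eq "7036" -and ...`. Separately, in the first two queries the parentheses in `Details.*DWORD (0x00000001)` are regex grouping, so the pattern matches `DWORD 0x00000001` and not the bracketed text it is visibly meant to match; escape them, `Details.*DWORD \(0x00000001\)`. The same applies to `= (Current)` in win_defender_tamper_protection_trigger.ps1 at L173.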
@@ -0,0 +1,2 @@
+Get-WinEvent -LogName Microsoft-Windows-Windows Defender/Operational | where {(($_.ID -eq "5007") -and ($_.message -match "New Value.*.*\\Microsoft\\Windows Defender\\Exclusions.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.ID -eq "13") -and ($_.message -match "TargetObject.*.*\\Microsoft\\Windows Defender\\Exclusions.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_defender_history_delete.ps1 b/Rules/sigma_tmp/win_defender_history_delete.ps1
new file mode 100644
index 00000000..9fefa669
--- /dev/null
+++ b/Rules/sigma_tmp/win_defender_history_delete.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Windows Defender/Operational | where {($_.ID -eq "1013" -and $_.message -match "EventType.*4") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_defender_psexec_wmi_asr.ps1 b/Rules/sigma_tmp/win_defender_psexec_wmi_asr.ps1
new file mode 100644
index 00000000..49e2c265
--- /dev/null
+++ b/Rules/sigma_tmp/win_defender_psexec_wmi_asr.ps1
@@ -0,0 +1 @@
+Get-WinEvent | where {($_.ID -eq "1121" -and ($_.message -match "ProcessName.*.*\\wmiprvse.exe" -or $_.message -match "ProcessName.*.*\\psexesvc.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_defender_tamper_protection_trigger.ps1 b/Rules/sigma_tmp/win_defender_tamper_protection_trigger.ps1
new file mode 100644
index 00000000..840bdd81
--- /dev/null
+++ b/Rules/sigma_tmp/win_defender_tamper_protection_trigger.ps1
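Review bot: win_defender_psexec_wmi_asr.ps1 calls `Get-WinEvent | where {...}` with no `-LogName`, so the query is not scoped to any channel; event 1121 (ASR rule fired in block mode) is presumably expected from the Defender Operational channel the neighbouring rules query, and that name must be quoted because it contains a space: `Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' | where {...}`. In win_defender_exclusions.ps1 on the same line, `($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.ID -eq "13")` reduces to `$_.ID -eq "13"` and reads more clearly written that way.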
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Windows Defender/Operational | where {(($_.ID -eq "5013") -and ($_.message -match "Value.*.*\\Windows Defender\\DisableAntiSpyware = 0x1()" -or $_.message -match "Value.*.*\\Real-Time Protection\\DisableRealtimeMonitoring = (Current)")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_defender_threat.ps1 b/Rules/sigma_tmp/win_defender_threat.ps1
new file mode 100644
index 00000000..a4bb974d
--- /dev/null
+++ b/Rules/sigma_tmp/win_defender_threat.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Windows Defender/Operational | where {(($_.ID -eq "1006" -or $_.ID -eq "1116" -or $_.ID -eq "1015" -or $_.ID -eq "1117")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_disable_event_logging.ps1 b/Rules/sigma_tmp/win_disable_event_logging.ps1
new file mode 100644
index 00000000..917f8294
--- /dev/null
+++ b/Rules/sigma_tmp/win_disable_event_logging.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "4719" -and ($_.message -match "AuditPolicyChanges.*.*%%8448.*" -or $_.message -match "AuditPolicyChanges.*.*%%8450.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_dns_exfiltration_tools_execution.ps1 b/Rules/sigma_tmp/win_dns_exfiltration_tools_execution.ps1
new file mode 100644
index 00000000..5d37dbb3
--- /dev/null
+++ b/Rules/sigma_tmp/win_dns_exfiltration_tools_execution.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\iodine.exe" -or $_.message -match "Image.*.*\\dnscat2.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_dnscat2_powershell_implementation.ps1 b/Rules/sigma_tmp/win_dnscat2_powershell_implementation.ps1
new file mode 100644
index 00000000..693a75ae
--- /dev/null
+++ b/Rules/sigma_tmp/win_dnscat2_powershell_implementation.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\powershell.exe" -and $_.message -match "Image.*.*\\nslookup.exe" -and $_.message -match "CommandLine.*.*\\nslookup.exe") } | select ParentImage, Image | group ParentImage | foreach { [PSCustomObject]@{'ParentImage'=$_.name;'Count'=($_.group.Image | sort -u).count} } | sort count -desc | where { $_.count -gt 100 }
diff --git a/Rules/sigma_tmp/win_dpapi_domain_backupkey_extraction.ps1 b/Rules/sigma_tmp/win_dpapi_domain_backupkey_extraction.ps1
new file mode 100644
index 00000000..84ad1b9f
--- /dev/null
+++ b/Rules/sigma_tmp/win_dpapi_domain_backupkey_extraction.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "4662" -and $_.message -match "ObjectType.*SecretObject" -and $_.message -match "AccessMask.*0x2" -and $_.message -match "ObjectName.*BCKUPKEY") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_dpapi_domain_masterkey_backup_attempt.ps1 b/Rules/sigma_tmp/win_dpapi_domain_masterkey_backup_attempt.ps1
new file mode 100644
index 00000000..410fe3cf
--- /dev/null
+++ b/Rules/sigma_tmp/win_dpapi_domain_masterkey_backup_attempt.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "4692") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_encoded_frombase64string.ps1 b/Rules/sigma_tmp/win_encoded_frombase64string.ps1
new file mode 100644
index 00000000..a25d4f72
--- /dev/null
+++ b/Rules/sigma_tmp/win_encoded_frombase64string.ps1
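Review bot: `select ParentImage, Image | group ParentImage` in win_dnscat2_powershell_implementation.ps1 selects properties an EventLogRecord does not expose — those values live inside Message — so every record yields nulls, `group` produces a single empty group and `$_.count -gt 100` is never true. The fields have to be extracted before grouping, e.g. `foreach { [PSCustomObject]@{ ParentImage = [regex]::Match($_.Message, '(?m)^ParentImage: (.*)$').Groups[1].Value.Trim(); Image = [regex]::Match($_.Message, '(?m)^Image: (.*)$').Groups[1].Value.Trim() } }` in place of the `select`. `group-object SourceAddress` in win_global_catalog_enumeration.ps1 at L182 has the same problem.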
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*OjpGcm9tQmFzZTY0U3RyaW5n.*" -or $_.message -match "CommandLine.*.*o6RnJvbUJhc2U2NFN0cmluZ.*" -or $_.message -match "CommandLine.*.*6OkZyb21CYXNlNjRTdHJpbm.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_encoded_iex.ps1 b/Rules/sigma_tmp/win_encoded_iex.ps1
new file mode 100644
index 00000000..ee7cc01a
--- /dev/null
+++ b/Rules/sigma_tmp/win_encoded_iex.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*SUVYIChb.*" -or $_.message -match "CommandLine.*.*lFWCAoW.*" -or $_.message -match "CommandLine.*.*JRVggKF.*" -or $_.message -match "CommandLine.*.*aWV4IChb.*" -or $_.message -match "CommandLine.*.*lleCAoW.*" -or $_.message -match "CommandLine.*.*pZXggKF.*" -or $_.message -match "CommandLine.*.*aWV4IChOZX.*" -or $_.message -match "CommandLine.*.*lleCAoTmV3.*" -or $_.message -match "CommandLine.*.*pZXggKE5ld.*" -or $_.message -match "CommandLine.*.*SUVYIChOZX.*" -or $_.message -match "CommandLine.*.*lFWCAoTmV3.*" -or $_.message -match "CommandLine.*.*JRVggKE5ld.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_etw_modification.ps1 b/Rules/sigma_tmp/win_etw_modification.ps1
new file mode 100644
index 00000000..9b0e04fa
--- /dev/null
+++ b/Rules/sigma_tmp/win_etw_modification.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "4657" -and $_.message -match "ObjectName.*.*\\SOFTWARE\\Microsoft\\.NETFramework" -and $_.message -match "ObjectValueName.*ETWEnabled" -and $_.message -match "NewValue.*0") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_etw_modification_cmdline.ps1 b/Rules/sigma_tmp/win_etw_modification_cmdline.ps1
new file mode 100644
index 00000000..87f99267
--- /dev/null
+++ b/Rules/sigma_tmp/win_etw_modification_cmdline.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*COMPlus_ETWEnabled=0.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_etw_trace_evasion.ps1 b/Rules/sigma_tmp/win_etw_trace_evasion.ps1
new file mode 100644
index 00000000..7ecee12a
--- /dev/null
+++ b/Rules/sigma_tmp/win_etw_trace_evasion.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*cl.*" -and $_.message -match "CommandLine.*.*/Trace.*") -or ($_.message -match "CommandLine.*.*clear-log.*" -and $_.message -match "CommandLine.*.*/Trace.*") -or ($_.message -match "CommandLine.*.*sl.*" -and $_.message -match "CommandLine.*.*/e:false.*") -or ($_.message -match "CommandLine.*.*set-log.*" -and $_.message -match "CommandLine.*.*/e:false.*") -or ($_.message -match "CommandLine.*.*Remove-EtwTraceProvider.*" -and $_.message -match "CommandLine.*.*EventLog-Microsoft-Windows-WMI-Activity-Trace.*" -and $_.message -match "CommandLine.*.*{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}.*") -or ($_.message -match "CommandLine.*.*Set-EtwTraceProvider.*" -and $_.message -match "CommandLine.*.*{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}.*" -and $_.message -match "CommandLine.*.*EventLog-Microsoft-Windows-WMI-Activity-Trace.*" -and $_.message -match "CommandLine.*.*0x11.*") -or ($_.message -match "CommandLine.*.*logman.*" -and $_.message -match "CommandLine.*.*update.*" -and $_.message -match "CommandLine.*.*trace.*" -and $_.message -match "CommandLine.*.*--p.*" -and $_.message -match "CommandLine.*.*-ets.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_exchange_TransportAgent_failed.ps1 b/Rules/sigma_tmp/win_exchange_TransportAgent_failed.ps1
new file mode 100644
index 00000000..fa37231e
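Review bot: The `cl` and `sl` alternatives in win_etw_trace_evasion.ps1 are two-letter substrings (`CommandLine.*.*cl.*`, `CommandLine.*.*sl.*`), so paired only with `/Trace` or `/e:false` they fire on any command line containing those letters anywhere, for instance inside a path segment such as `\include\`. If the intent is the wevtutil sub-commands, match them as separate tokens, `CommandLine.*\scl\s` and `CommandLine.*\ssl\s`, or add a `wevtutil` term to those two clauses. The seven alternatives carry no indication of which tool each targets; a short header comment listing them would help whoever triages the hits.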
--- /dev/null
+++ b/Rules/sigma_tmp/win_exchange_TransportAgent_failed.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName MSExchange Management | where {($_.message -match ".*Install-TransportAgent.*" -and $_.ID -eq "6") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_exchange_transportagent.ps1 b/Rules/sigma_tmp/win_exchange_transportagent.ps1
new file mode 100644
index 00000000..ff73729b
--- /dev/null
+++ b/Rules/sigma_tmp/win_exchange_transportagent.ps1
@@ -0,0 +1,2 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*Install-TransportAgent.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName MSExchange Management | where {($_.message -match ".*Install-TransportAgent.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_exfiltration_and_tunneling_tools_execution.ps1 b/Rules/sigma_tmp/win_exfiltration_and_tunneling_tools_execution.ps1
new file mode 100644
index 00000000..7219889a
--- /dev/null
+++ b/Rules/sigma_tmp/win_exfiltration_and_tunneling_tools_execution.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\plink.exe" -or $_.message -match "Image.*.*\\socat.exe" -or $_.message -match "Image.*.*\\stunnel.exe" -or $_.message -match "Image.*.*\\httptunnel.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_exploit_cve_2015_1641.ps1 b/Rules/sigma_tmp/win_exploit_cve_2015_1641.ps1
new file mode 100644
index 00000000..d892fcfd
--- /dev/null
+++ b/Rules/sigma_tmp/win_exploit_cve_2015_1641.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\WINWORD.EXE" -and $_.message -match "Image.*.*\\MicroScMgmt.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_exploit_cve_2017_0261.ps1 b/Rules/sigma_tmp/win_exploit_cve_2017_0261.ps1
new file mode 100644
index 00000000..24acee2f
--- /dev/null
+++ b/Rules/sigma_tmp/win_exploit_cve_2017_0261.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\WINWORD.EXE" -and $_.message -match "Image.*.*\\FLTLDR.exe.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_exploit_cve_2017_11882.ps1 b/Rules/sigma_tmp/win_exploit_cve_2017_11882.ps1
new file mode 100644
index 00000000..ab74de9e
--- /dev/null
+++ b/Rules/sigma_tmp/win_exploit_cve_2017_11882.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\EQNEDT32.EXE") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_exploit_cve_2017_8759.ps1 b/Rules/sigma_tmp/win_exploit_cve_2017_8759.ps1
new file mode 100644
index 00000000..057420c7
--- /dev/null
+++ b/Rules/sigma_tmp/win_exploit_cve_2017_8759.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\WINWORD.EXE" -and $_.message -match "Image.*.*\\csc.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_exploit_cve_2019_1378.ps1 b/Rules/sigma_tmp/win_exploit_cve_2019_1378.ps1
new file mode 100644
index 00000000..a80b272b
--- /dev/null
+++ b/Rules/sigma_tmp/win_exploit_cve_2019_1378.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "ParentCommandLine.*.*\\cmd.exe.*" -and $_.message -match "ParentCommandLine.*.*/c.*" -and $_.message -match "ParentCommandLine.*.*C:\\Windows\\Setup\\Scripts\\.*" -and ($_.message -match "ParentCommandLine.*.*SetupComplete.cmd" -or $_.message -match "ParentCommandLine.*.*PartnerSetupComplete.cmd")) -and -not (($_.message -match "Image.*C:\\Windows\\System32\\.*" -or $_.message -match "Image.*C:\\Windows\\SysWOW64\\.*" -or $_.message -match "Image.*C:\\Windows\\WinSxS\\.*" -or $_.message -match "Image.*C:\\Windows\\Setup\\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_exploit_cve_2019_1388.ps1 b/Rules/sigma_tmp/win_exploit_cve_2019_1388.ps1
new file mode 100644
index 00000000..5a8486d0
--- /dev/null
+++ b/Rules/sigma_tmp/win_exploit_cve_2019_1388.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\consent.exe" -and $_.message -match "Image.*.*\\iexplore.exe" -and $_.message -match "CommandLine.*.* http.*" -and ($_.ID -eq "1") -and ($_.message -match "IntegrityLevel.*System" -or $_.message -match "User.*NT AUTHORITY\\SYSTEM")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_exploit_cve_2020_10189.ps1 b/Rules/sigma_tmp/win_exploit_cve_2020_10189.ps1
new file mode 100644
index 00000000..1c72cddf
--- /dev/null
+++ b/Rules/sigma_tmp/win_exploit_cve_2020_10189.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*DesktopCentral_Server\\jre\\bin\\java.exe" -and ($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\bitsadmin.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_exploit_cve_2020_1048.ps1 b/Rules/sigma_tmp/win_exploit_cve_2020_1048.ps1
new file mode 100644
index 00000000..9cbadcc9
--- /dev/null
+++ b/Rules/sigma_tmp/win_exploit_cve_2020_1048.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*Add-PrinterPort -Name.*") -and ($_.message -match "CommandLine.*.*.exe.*" -or $_.message -match "CommandLine.*.*.dll.*" -or $_.message -match "CommandLine.*.*.bat.*")) -or ($_.message -match "CommandLine.*.*Generic / Text Only.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_exploit_cve_2020_1350.ps1 b/Rules/sigma_tmp/win_exploit_cve_2020_1350.ps1
new file mode 100644
index 00000000..b28cc5c8
--- /dev/null
+++ b/Rules/sigma_tmp/win_exploit_cve_2020_1350.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and $_.message -match "ParentImage.*.*\\System32\\dns.exe" -and -not (($_.message -match "Image.*.*\\System32\\werfault.exe" -or $_.message -match "Image.*.*\\System32\\conhost.exe" -or $_.message -match "Image.*.*\\System32\\dnscmd.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_exploit_cve_2021_1675_printspooler.ps1 b/Rules/sigma_tmp/win_exploit_cve_2021_1675_printspooler.ps1
new file mode 100644
index 00000000..0cb5e357
--- /dev/null
+++ b/Rules/sigma_tmp/win_exploit_cve_2021_1675_printspooler.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PrintService/Admin | where {(((($_.ID -eq "808" -or $_.ID -eq "4909") -and ($_.message -match "0x45A" -or $_.message -match "0x7e")) -or ($_.message -match "The print spooler failed to load a plug-in module" -or $_.message -match "MyExploit.dll" -or $_.message -match "evil.dll" -or $_.message -match "\addCube.dll" -or $_.message -match "\rev.dll" -or $_.message -match "\rev2.dll" -or $_.message -match "\main64.dll" -or $_.message -match "\mimilib.dll" -or $_.message -match "\mimispool.dll"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_exploit_cve_2021_1675_printspooler_Security.ps1 b/Rules/sigma_tmp/win_exploit_cve_2021_1675_printspooler_Security.ps1
new file mode 100644
index 00000000..ac91bb32
--- /dev/null
+++ b/Rules/sigma_tmp/win_exploit_cve_2021_1675_printspooler_Security.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "5145" -and $_.message -match "ShareName.*\\\.*\\IPC$" -and $_.message -match "RelativeTargetName.*spoolss" -and $_.message -match "AccessMask.*0x3" -and $_.message -match "ObjectType.*File") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_exploit_cve_2021_1675_printspooler_operational.ps1 b/Rules/sigma_tmp/win_exploit_cve_2021_1675_printspooler_operational.ps1
new file mode 100644
index 00000000..6cc37069
--- /dev/null
+++ b/Rules/sigma_tmp/win_exploit_cve_2021_1675_printspooler_operational.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PrintService/Operational | where {($_.ID -eq "316" -and ($_.message -match "UNIDRV.DLL, kernelbase.dll, " -or $_.message -match " 123 " -or $_.message -match " 1234 " -or $_.message -match "mimispool")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_external_device.ps1 b/Rules/sigma_tmp/win_external_device.ps1
new file mode 100644
index 00000000..fd605de9
--- /dev/null
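Review bot: In win_exploit_cve_2021_1675_printspooler.ps1 the DLL names are written with a single backslash (`\addCube.dll`, `\rev.dll`, `\rev2.dll`, `\main64.dll`, `\mimilib.dll`, `\mimispool.dll`); PowerShell passes that backslash through to the regex engine, where `\a` is the bell character, `\r` a carriage return and `\m` an unrecognised escape that makes .NET throw when the pattern is compiled, so these alternatives either never match or raise an error for every event that reaches them. Every other hunk on this page doubles the backslash; do the same here, `\\addCube.dll`, `\\rev.dll`, and so on. The `"0x45A"` and `"0x7e"` terms are matched against the whole message rather than an error-code field, so they are looser than the event-ID pairing suggests.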
+++ b/Rules/sigma_tmp/win_external_device.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(((($_.ID -eq "6416") -and $_.message -match "ClassName.*DiskDrive") -or $_.message -match "DeviceDescription.*USB Mass Storage Device")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_file_permission_modifications.ps1 b/Rules/sigma_tmp/win_file_permission_modifications.ps1
new file mode 100644
index 00000000..d9108798
--- /dev/null
+++ b/Rules/sigma_tmp/win_file_permission_modifications.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.message -match "Image.*.*\\takeown.exe" -or $_.message -match "Image.*.*\\cacls.exe" -or $_.message -match "Image.*.*\\icacls.exe") -and $_.message -match "CommandLine.*.*/grant.*") -or ($_.message -match "Image.*.*\\attrib.exe" -and $_.message -match "CommandLine.*.*-r.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_global_catalog_enumeration.ps1 b/Rules/sigma_tmp/win_global_catalog_enumeration.ps1
new file mode 100644
index 00000000..aff13ca7
--- /dev/null
+++ b/Rules/sigma_tmp/win_global_catalog_enumeration.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "5156" -and ($_.message -match "3268" -or $_.message -match "3269")) } | group-object SourceAddress | where { $_.count -gt 2000 } | select name,count | sort -desc
diff --git a/Rules/sigma_tmp/win_grabbing_sensitive_hives_via_reg.ps1 b/Rules/sigma_tmp/win_grabbing_sensitive_hives_via_reg.ps1
new file mode 100644
index 00000000..81f759bf
--- /dev/null
+++ b/Rules/sigma_tmp/win_grabbing_sensitive_hives_via_reg.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\reg.exe" -and ($_.message -match "CommandLine.*.*save.*" -or $_.message -match "CommandLine.*.*export.*" -or $_.message -match "CommandLine.*.*ˢave.*" -or $_.message -match "CommandLine.*.*eˣport.*") -and ($_.message -match "CommandLine.*.*hklm.*" -or $_.message -match "CommandLine.*.*hk˪m.*" -or $_.message -match "CommandLine.*.*hkey_local_machine.*" -or $_.message -match "CommandLine.*.*hkey_˪ocal_machine.*" -or $_.message -match "CommandLine.*.*hkey_loca˪_machine.*" -or $_.message -match "CommandLine.*.*hkey_˪oca˪_machine.*") -and ($_.message -match "CommandLine.*.*\\system" -or $_.message -match "CommandLine.*.*\\sam" -or $_.message -match "CommandLine.*.*\\security" -or $_.message -match "CommandLine.*.*\\ˢystem" -or $_.message -match "CommandLine.*.*\\syˢtem" -or $_.message -match "CommandLine.*.*\\ˢyˢtem" -or $_.message -match "CommandLine.*.*\\ˢam" -or $_.message -match "CommandLine.*.*\\ˢecurity")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_hack_adcspwn.ps1 b/Rules/sigma_tmp/win_hack_adcspwn.ps1
new file mode 100644
index 00000000..ebe18b02
--- /dev/null
+++ b/Rules/sigma_tmp/win_hack_adcspwn.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.* --adcs .*" -and $_.message -match "CommandLine.*.* --port .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_hack_bloodhound.ps1 b/Rules/sigma_tmp/win_hack_bloodhound.ps1
new file mode 100644
index 00000000..98187127
--- /dev/null
+++ b/Rules/sigma_tmp/win_hack_bloodhound.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\Bloodhound.exe.*" -or $_.message -match "Image.*.*\\SharpHound.exe.*") -or ($_.message -match "CommandLine.*.* -CollectionMethod All .*" -or $_.message -match "CommandLine.*.*.exe -c All -d .*" -or $_.message -match "CommandLine.*.*Invoke-Bloodhound.*" -or $_.message -match "CommandLine.*.*Get-BloodHoundData.*") -or ($_.message -match "CommandLine.*.* -JsonFolder .*" -and $_.message -match "CommandLine.*.* -ZipFileName .*") -or ($_.message -match "CommandLine.*.* DCOnly .*" -and $_.message -match "CommandLine.*.* --NoSaveCache .*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_hack_koadic.ps1 b/Rules/sigma_tmp/win_hack_koadic.ps1
new file mode 100644
index 00000000..7cfb1cfc
--- /dev/null
+++ b/Rules/sigma_tmp/win_hack_koadic.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\cmd.exe" -and $_.message -match "CommandLine.*.*/q.*" -and $_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*chcp.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_hack_rubeus.ps1 b/Rules/sigma_tmp/win_hack_rubeus.ps1
new file mode 100644
index 00000000..ba886c3e
--- /dev/null
+++ b/Rules/sigma_tmp/win_hack_rubeus.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* asreproast .*" -or $_.message -match "CommandLine.*.* dump /service:krbtgt .*" -or $_.message -match "CommandLine.*.* kerberoast .*" -or $_.message -match "CommandLine.*.* createnetonly /program:.*" -or $_.message -match "CommandLine.*.* ptt /ticket:.*" -or $_.message -match "CommandLine.*.* /impersonateuser:.*" -or $_.message -match "CommandLine.*.* renew /ticket:.*" -or $_.message -match "CommandLine.*.* asktgt /user:.*" -or $_.message -match "CommandLine.*.* harvest /interval:.*" -or $_.message -match "CommandLine.*.* s4u /user:.*" -or $_.message -match "CommandLine.*.* s4u /ticket:.*" -or $_.message -match "CommandLine.*.* hash /password:.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_hack_secutyxploded.ps1 b/Rules/sigma_tmp/win_hack_secutyxploded.ps1
new file mode 100644
index 00000000..730fd56d
--- /dev/null
+++ b/Rules/sigma_tmp/win_hack_secutyxploded.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Company.*SecurityXploded" -or $_.message -match "Image.*.*PasswordDump.exe" -or $_.message -match "OriginalFileName.*.*PasswordDump.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_hack_smbexec.ps1 b/Rules/sigma_tmp/win_hack_smbexec.ps1
new file mode 100644
index 00000000..e793e584
--- /dev/null
+++ b/Rules/sigma_tmp/win_hack_smbexec.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName System | where {($_.ID -eq "7045" -and $_.message -match "ServiceName.*BTOBTO" -and $_.Service File Name -eq "*\\execute.bat") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_hh_chm.ps1 b/Rules/sigma_tmp/win_hh_chm.ps1
new file mode 100644
index 00000000..ac0b500e
--- /dev/null
+++ b/Rules/sigma_tmp/win_hh_chm.ps1
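Review bot: `$_.Service File Name -eq "*\\execute.bat"` in win_hack_smbexec is not valid PowerShell — `File Name` is a bare word following `$_.Service` inside an expression — so the whole script fails at parse time, and even with a valid property `-eq` compares the exact string and does not expand the `*` wildcard. The rest of this filter tests fields through the rendered text, so the consistent form is a `-match` against `$_.message` anchored on the file-name label the 7045 message text carries, e.g. `$_.message -match "Service File Name.*\\execute.bat"` (verify the label), or `-like` if a real property is used. win_hybridconnectionmgr_svc_installation (L188) and both branches of the first query in win_mal_service_installs (L204) use the same construct and fail the same way.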
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\hh.exe" -and $_.message -match "CommandLine.*.*.chm.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_hidden_user_creation.ps1 b/Rules/sigma_tmp/win_hidden_user_creation.ps1
new file mode 100644
index 00000000..15a01c04
--- /dev/null
+++ b/Rules/sigma_tmp/win_hidden_user_creation.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "4720" -and $_.message -match "TargetUserName.*.*$") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_hivenightmare_file_exports.ps1 b/Rules/sigma_tmp/win_hivenightmare_file_exports.ps1
new file mode 100644
index 00000000..8ee2620a
--- /dev/null
+++ b/Rules/sigma_tmp/win_hivenightmare_file_exports.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "11") -and (($_.message -match "TargetFilename.*.*\\hive_sam_.*" -or $_.message -match "TargetFilename.*.*\\SAM-2021-.*" -or $_.message -match "TargetFilename.*.*\\SAM-2022-.*" -or $_.message -match "TargetFilename.*.*\\SAM-haxx.*" -or $_.message -match "TargetFilename.*.*\\Sam.save.*") -or ($_.message -match "C:\\windows\\temp\\sam"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_hktl_createminidump.ps1 b/Rules/sigma_tmp/win_hktl_createminidump.ps1
new file mode 100644
index 00000000..d1246be3
--- /dev/null
+++ b/Rules/sigma_tmp/win_hktl_createminidump.ps1
@@ -0,0 +1,2 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\CreateMiniDump.exe.*" -or $_.message -match "Imphash.*4a07f944a83e8a7c2525efa35dd30e2f")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*\\lsass.dmp") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_html_help_spawn.ps1 b/Rules/sigma_tmp/win_html_help_spawn.ps1
new file mode 100644
index 00000000..4433da7d
--- /dev/null
+++ b/Rules/sigma_tmp/win_html_help_spawn.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*C:\\Windows\\hh.exe" -and ($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\cscript.exe" -or $_.message -match "Image.*.*\\regsvr32.exe" -or $_.message -match "Image.*.*\\wmic.exe" -or $_.message -match "Image.*.*\\rundll32.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_hwp_exploits.ps1 b/Rules/sigma_tmp/win_hwp_exploits.ps1
new file mode 100644
index 00000000..9a2646bf
--- /dev/null
+++ b/Rules/sigma_tmp/win_hwp_exploits.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\Hwp.exe" -and $_.message -match "Image.*.*\\gbb.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_hybridconnectionmgr_svc_installation.ps1 b/Rules/sigma_tmp/win_hybridconnectionmgr_svc_installation.ps1
new file mode 100644
index 00000000..c9abc078
--- /dev/null
+++ b/Rules/sigma_tmp/win_hybridconnectionmgr_svc_installation.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "4697") -and $_.message -match "ServiceName.*HybridConnectionManager" -and $_.Service File Name -eq "*HybridConnectionManager*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_hybridconnectionmgr_svc_running.ps1 b/Rules/sigma_tmp/win_hybridconnectionmgr_svc_running.ps1
new file mode 100644
index 00000000..9f29897f
--- /dev/null
+++ b/Rules/sigma_tmp/win_hybridconnectionmgr_svc_running.ps1
@@ -0,0 +1 @@
+Get-WinEvent | where {(($_.ID -eq "40300" -or $_.ID -eq "40301" -or $_.ID -eq "40302") -and ($_.message -match ".*HybridConnection.*" -or $_.message -match ".*sb://.*" -or $_.message -match ".*servicebus.windows.net.*" -or $_.message -match ".*HybridConnectionManage.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_impacket_compiled_tools.ps1 b/Rules/sigma_tmp/win_impacket_compiled_tools.ps1
new file mode 100644
index 00000000..c4dae24d
--- /dev/null
+++ b/Rules/sigma_tmp/win_impacket_compiled_tools.ps1
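Review bot: `Get-WinEvent | where {...}` in win_hybridconnectionmgr_svc_running passes no `-LogName`, unlike every other rule in this series, so which log the events 40300–40302 are read from depends on the cmdlet's default behaviour rather than being stated by the rule; it should name the log explicitly, `Get-WinEvent -LogName <LOG_NAME_PLACEHOLDER>`. win_ldap_recon (L194–L195) has the same omission. Without the name the query presumably also has to scan far more events than the three-ID filter needs, which matters for a rule meant to run repeatedly.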
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\goldenPac.*" -or $_.message -match "Image.*.*\\karmaSMB.*" -or $_.message -match "Image.*.*\\kintercept.*" -or $_.message -match "Image.*.*\\ntlmrelayx.*" -or $_.message -match "Image.*.*\\rpcdump.*" -or $_.message -match "Image.*.*\\samrdump.*" -or $_.message -match "Image.*.*\\secretsdump.*" -or $_.message -match "Image.*.*\\smbexec.*" -or $_.message -match "Image.*.*\\smbrelayx.*" -or $_.message -match "Image.*.*\\wmiexec.*" -or $_.message -match "Image.*.*\\wmipersist.*") -or ($_.message -match "Image.*.*\\atexec_windows.exe" -or $_.message -match "Image.*.*\\dcomexec_windows.exe" -or $_.message -match "Image.*.*\\dpapi_windows.exe" -or $_.message -match "Image.*.*\\findDelegation_windows.exe" -or $_.message -match "Image.*.*\\GetADUsers_windows.exe" -or $_.message -match "Image.*.*\\GetNPUsers_windows.exe" -or $_.message -match "Image.*.*\\getPac_windows.exe" -or $_.message -match "Image.*.*\\getST_windows.exe" -or $_.message -match "Image.*.*\\getTGT_windows.exe" -or $_.message -match "Image.*.*\\GetUserSPNs_windows.exe" -or $_.message -match "Image.*.*\\ifmap_windows.exe" -or $_.message -match "Image.*.*\\mimikatz_windows.exe" -or $_.message -match "Image.*.*\\netview_windows.exe" -or $_.message -match "Image.*.*\\nmapAnswerMachine_windows.exe" -or $_.message -match "Image.*.*\\opdump_windows.exe" -or $_.message -match "Image.*.*\\psexec_windows.exe" -or $_.message -match "Image.*.*\\rdp_check_windows.exe" -or $_.message -match "Image.*.*\\sambaPipe_windows.exe" -or $_.message -match "Image.*.*\\smbclient_windows.exe" -or $_.message -match "Image.*.*\\smbserver_windows.exe" -or $_.message -match "Image.*.*\\sniffer_windows.exe" -or $_.message -match "Image.*.*\\sniff_windows.exe" -or $_.message -match "Image.*.*\\split_windows.exe" -or $_.message -match "Image.*.*\\ticketer_windows.exe"))) } | select 
TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_impacket_lateralization.ps1 b/Rules/sigma_tmp/win_impacket_lateralization.ps1
new file mode 100644
index 00000000..6351fc39
--- /dev/null
+++ b/Rules/sigma_tmp/win_impacket_lateralization.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and $_.ID -eq "1" -and $_.message -match "CommandLine.*.*cmd.exe.*" -and $_.message -match "CommandLine.*.*&1.*" -and ((($_.message -match "ParentImage.*.*\\wmiprvse.exe" -or $_.message -match "ParentImage.*.*\\mmc.exe" -or $_.message -match "ParentImage.*.*\\explorer.exe" -or $_.message -match "ParentImage.*.*\\services.exe") -and $_.message -match "CommandLine.*.*/Q.*" -and $_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*\\\\127.0.0.1\\.*") -or (($_.message -match "ParentCommandLine.*.*svchost.exe -k netsvcs.*" -or $_.message -match "ParentCommandLine.*.*taskeng.exe.*") -and $_.message -match "CommandLine.*.*/C.*" -and $_.message -match "CommandLine.*.*Windows\\Temp\\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_impacket_psexec.ps1 b/Rules/sigma_tmp/win_impacket_psexec.ps1
new file mode 100644
index 00000000..8f7473bb
--- /dev/null
+++ b/Rules/sigma_tmp/win_impacket_psexec.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "5145" -and $_.message -match "ShareName.*\\.*\\IPC$" -and ($_.message -match "RelativeTargetName.*.*RemCom_stdint.*" -or $_.message -match "RelativeTargetName.*.*RemCom_stdoutt.*" -or $_.message -match "RelativeTargetName.*.*RemCom_stderrt.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_impacket_secretdump.ps1 b/Rules/sigma_tmp/win_impacket_secretdump.ps1
new file mode 100644
index 00000000..758081f3
--- /dev/null
+++ b/Rules/sigma_tmp/win_impacket_secretdump.ps1
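Review bot: `(($_.ID -eq "1") -and $_.ID -eq "1" -and ...` in win_impacket_lateralization tests the event ID twice; the duplicate is harmless but suggests the conversion wrapped an already-gated condition in another gate. The same repeated `($_.ID -eq "1")` inside nested groups appears in win_local_system_owner_account_discovery (L197) and win_malware_dridex (L205). Dropping the inner copies would leave one ID test per query and make the real selection logic readable.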
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "5145" -and $_.message -match "ShareName.*\\.*\\ADMIN$" -and $_.message -match "RelativeTargetName.*.*SYSTEM32\\.*" -and $_.message -match "RelativeTargetName.*.*.tmp.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_indirect_cmd.ps1 b/Rules/sigma_tmp/win_indirect_cmd.ps1
new file mode 100644
index 00000000..e20239e1
--- /dev/null
+++ b/Rules/sigma_tmp/win_indirect_cmd.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "ParentImage.*.*\\pcalua.exe" -or $_.message -match "ParentImage.*.*\\forfiles.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_indirect_cmd_compatibility_assistant.ps1 b/Rules/sigma_tmp/win_indirect_cmd_compatibility_assistant.ps1
new file mode 100644
index 00000000..d148ca1a
--- /dev/null
+++ b/Rules/sigma_tmp/win_indirect_cmd_compatibility_assistant.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\pcwrun.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_install_reg_debugger_backdoor.ps1 b/Rules/sigma_tmp/win_install_reg_debugger_backdoor.ps1
new file mode 100644
index 00000000..2fef928b
--- /dev/null
+++ b/Rules/sigma_tmp/win_install_reg_debugger_backdoor.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*\\CurrentVersion\\Image File Execution Options\\.*" -and ($_.message -match "CommandLine.*.*sethc.exe.*" -or $_.message -match "CommandLine.*.*utilman.exe.*" -or $_.message -match "CommandLine.*.*osk.exe.*" -or $_.message -match "CommandLine.*.*magnify.exe.*" -or $_.message -match "CommandLine.*.*narrator.exe.*" -or $_.message -match "CommandLine.*.*displayswitch.exe.*" -or $_.message -match "CommandLine.*.*atbroker.exe.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_interactive_at.ps1 b/Rules/sigma_tmp/win_interactive_at.ps1
new file mode 100644
index 00000000..42188c59
--- /dev/null
+++ b/Rules/sigma_tmp/win_interactive_at.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\at.exe" -and $_.message -match "CommandLine.*.*interactive.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_iso_mount.ps1 b/Rules/sigma_tmp/win_iso_mount.ps1
new file mode 100644
index 00000000..9172871d
--- /dev/null
+++ b/Rules/sigma_tmp/win_iso_mount.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "4663" -and $_.message -match "ObjectServer.*Security" -and $_.message -match "ObjectType.*File" -and $_.message -match "ObjectName.*\\Device\\CdRom.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_lateral_movement_condrv.ps1 b/Rules/sigma_tmp/win_lateral_movement_condrv.ps1
new file mode 100644
index 00000000..a8119c4c
--- /dev/null
+++ b/Rules/sigma_tmp/win_lateral_movement_condrv.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "4674" -and $_.message -match "ObjectServer.*Security" -and $_.message -match "ObjectType.*File" -and $_.message -match "ObjectName.*\\Device\\ConDrv") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_ldap_recon.ps1 b/Rules/sigma_tmp/win_ldap_recon.ps1
new file mode 100644
index 00000000..c8edde50
--- /dev/null
+++ b/Rules/sigma_tmp/win_ldap_recon.ps1
@@ -0,0 +1 @@
+Get-WinEvent | where {((($_.ID -eq "30" -and ($_.message -match "SearchFilter.*.*(groupType:1.2.840.113556.1.4.803:=2147483648).*" -or $_.message -match "SearchFilter.*.*(groupType:1.2.840.113556.1.4.803:=2147483656).*" -or $_.message -match "SearchFilter.*.*(groupType:1.2.840.113556.1.4.803:=2147483652).*" -or $_.message -match "SearchFilter.*.*(groupType:1.2.840.113556.1.4.803:=2147483650).*" -or $_.message -match "SearchFilter.*.*(sAMAccountType=805306369).*" -or $_.message -match "SearchFilter.*.*(sAMAccountType=805306368).*" -or $_.message -match "SearchFilter.*.*(sAMAccountType=536870913).*" -or $_.message -match "SearchFilter.*.*(sAMAccountType=536870912).*" -or $_.message -match "SearchFilter.*.*(sAMAccountType=268435457).*" -or $_.message -match "SearchFilter.*.*(sAMAccountType=268435456).*" -or $_.message -match "SearchFilter.*.*(objectCategory=groupPolicyContainer).*" -or $_.message -match "SearchFilter.*.*(objectCategory=organizationalUnit).*" -or $_.message -match "SearchFilter.*.*(objectCategory=Computer).*" -or $_.message -match "SearchFilter.*.*(objectCategory=nTDSDSA).*" -or $_.message -match "SearchFilter.*.*(objectCategory=server).*" -or $_.message -match "SearchFilter.*.*(objectCategory=domain).*" -or $_.message -match "SearchFilter.*.*(objectCategory=person).*" -or $_.message -match "SearchFilter.*.*(objectCategory=group).*" -or $_.message -match "SearchFilter.*.*(objectCategory=user).*" -or $_.message -match "SearchFilter.*.*(objectClass=trustedDomain).*" -or $_.message -match "SearchFilter.*.*(objectClass=computer).*" -or $_.message -match "SearchFilter.*.*(objectClass=server).*" -or $_.message -match "SearchFilter.*.*(objectClass=group).*" -or $_.message -match "SearchFilter.*.*(objectClass=user).*" -or $_.message -match "SearchFilter.*.*(primaryGroupID=521).*" -or $_.message -match "SearchFilter.*.*(primaryGroupID=516).*" -or $_.message -match "SearchFilter.*.*(primaryGroupID=515).*" -or $_.message -match 
"SearchFilter.*.*(primaryGroupID=512).*" -or $_.message -match "SearchFilter.*.*Domain Admins.*")) -and -not ($_.ID -eq "30" -and ($_.message -match "SearchFilter.*.*(domainSid=.*).*" -or $_.message -match "SearchFilter.*.*(objectSid=.*).*"))) -or ($_.ID -eq "30" -and ($_.message -match "SearchFilter.*.*(userAccountControl:1.2.840.113556.1.4.803:=4194304).*" -or $_.message -match "SearchFilter.*.*(userAccountControl:1.2.840.113556.1.4.803:=2097152).*" -or $_.message -match "SearchFilter.*.*!(userAccountControl:1.2.840.113556.1.4.803:=1048574).*" -or $_.message -match "SearchFilter.*.*(userAccountControl:1.2.840.113556.1.4.803:=524288).*" -or $_.message -match "SearchFilter.*.*(userAccountControl:1.2.840.113556.1.4.803:=65536).*" -or $_.message -match "SearchFilter.*.*(userAccountControl:1.2.840.113556.1.4.803:=8192).*" -or $_.message -match "SearchFilter.*.*(userAccountControl:1.2.840.113556.1.4.803:=544).*" -or $_.message -match "SearchFilter.*.*!(UserAccountControl:1.2.840.113556.1.4.803:=2).*" -or $_.message -match "SearchFilter.*.*msDS-AllowedToActOnBehalfOfOtherIdentity.*" -or $_.message -match "SearchFilter.*.*msDS-AllowedToDelegateTo.*" -or $_.message -match "SearchFilter.*.*(accountExpires=9223372036854775807).*" -or $_.message -match "SearchFilter.*.*(accountExpires=0).*" -or $_.message -match "SearchFilter.*.*(adminCount=1).*" -or $_.message -match "SearchFilter.*.*ms-MCS-AdmPwd.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_lethalhta.ps1 b/Rules/sigma_tmp/win_lethalhta.ps1
new file mode 100644
index 00000000..7e69d54e
--- /dev/null
+++ b/Rules/sigma_tmp/win_lethalhta.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\svchost.exe" -and $_.message -match "Image.*.*\\mshta.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_lm_namedpipe.ps1 b/Rules/sigma_tmp/win_lm_namedpipe.ps1
new file mode 100644
index 00000000..f551e7b3
--- /dev/null
+++ b/Rules/sigma_tmp/win_lm_namedpipe.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "5145" -and $_.message -match "ShareName.*\\.*\\IPC$") -and -not ($_.ID -eq "5145" -and $_.message -match "ShareName.*\\.*\\IPC$" -and ($_.message -match "atsvc" -or $_.message -match "samr" -or $_.message -match "lsarpc" -or $_.message -match "winreg" -or $_.message -match "netlogon" -or $_.message -match "srvsvc" -or $_.message -match "protected_storage" -or $_.message -match "wkssvc" -or $_.message -match "browser" -or $_.message -match "netdfs" -or $_.message -match "svcctl" -or $_.message -match "spoolss" -or $_.message -match "ntsvcs" -or $_.message -match "LSM_API_service" -or $_.message -match "HydraLsPipe" -or $_.message -match "TermSrv_API_service" -or $_.message -match "MsFteWds"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_local_system_owner_account_discovery.ps1 b/Rules/sigma_tmp/win_local_system_owner_account_discovery.ps1
new file mode 100644
index 00000000..1ea6107f
--- /dev/null
+++ b/Rules/sigma_tmp/win_local_system_owner_account_discovery.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.ID -eq "1") -and ($_.message -match "Image.*.*\\whoami.exe" -or ($_.message -match "Image.*.*\\wmic.exe" -and $_.message -match "CommandLine.*.*useraccount.*" -and $_.message -match "CommandLine.*.*get.*") -or ($_.message -match "Image.*.*\\quser.exe" -or $_.message -match "Image.*.*\\qwinsta.exe") -or ($_.message -match "Image.*.*\\cmdkey.exe" -and $_.message -match "CommandLine.*.*/list.*") -or ($_.message -match "Image.*.*\\cmd.exe" -and $_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*dir .*" -and $_.message -match "CommandLine.*.*\\Users\\.*")) -and -not (($_.message -match "CommandLine.*.* rmdir .*"))) -or (($_.ID -eq "1") -and (($_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and $_.message -match "CommandLine.*.*user.*") -and -not (($_.message -match "CommandLine.*.*/domain.*" -or $_.message -match "CommandLine.*.*/add.*" -or $_.message -match "CommandLine.*.*/delete.*" -or $_.message -match "CommandLine.*.*/active.*" -or $_.message -match "CommandLine.*.*/expires.*" -or $_.message -match "CommandLine.*.*/passwordreq.*" -or $_.message -match "CommandLine.*.*/scriptpath.*" -or $_.message -match "CommandLine.*.*/times.*" -or $_.message -match "CommandLine.*.*/workstations.*"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_lolbin_execution_via_winget.ps1 b/Rules/sigma_tmp/win_lolbin_execution_via_winget.ps1
new file mode 100644
index 00000000..55273328
--- /dev/null
+++ b/Rules/sigma_tmp/win_lolbin_execution_via_winget.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*..*(?i)winget install (--m|-m)..*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_lsass_access_non_system_account.ps1 b/Rules/sigma_tmp/win_lsass_access_non_system_account.ps1
new file mode 100644
index 00000000..49cc3026
--- /dev/null
+++ b/Rules/sigma_tmp/win_lsass_access_non_system_account.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(((($_.ID -eq "4663" -or $_.ID -eq "4656") -and ($_.message -match "0x40" -or $_.message -match "0x1400" -or $_.message -match "0x1000" -or $_.message -match "0x100000" -or $_.message -match "0x1410" -or $_.message -match "0x1010" -or $_.message -match "0x1438" -or $_.message -match "0x143a" -or $_.message -match "0x1418" -or $_.message -match "0x1f0fff" -or $_.message -match "0x1f1fff" -or $_.message -match "0x1f2fff" -or $_.message -match "0x1f3fff" -or $_.message -match "40" -or $_.message -match "1400" -or $_.message -match "1000" -or $_.message -match "100000" -or $_.message -match "1410" -or $_.message -match "1010" -or $_.message -match "1438" -or $_.message -match "143a" -or $_.message -match "1418" -or $_.message -match "1f0fff" -or $_.message -match "1f1fff" -or $_.message -match "1f2fff" -or $_.message -match "1f3fff") -and $_.message -match "ObjectType.*Process" -and $_.message -match "ObjectName.*.*\\lsass.exe") -and -not ($_.message -match "SubjectUserName.*.*$")) -and -not ($_.message -match "ProcessName.*C:\\Program Files.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_lsass_dump.ps1 b/Rules/sigma_tmp/win_lsass_dump.ps1
new file mode 100644
index 00000000..65e55cfb
--- /dev/null
+++ b/Rules/sigma_tmp/win_lsass_dump.ps1
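Review bot: The access-mask alternatives in win_lsass_access_non_system_account include bare substrings such as `"40"`, `"1000"`, `"1400"` and `"1418"` matched anywhere in the rendered message, so they hit handle IDs, process IDs or any other number in a 4663/4656 event text and the mask disjunction is effectively always true; what remains selective is only `ObjectType.*Process` and `ObjectName.*.*\\lsass.exe`. Anchoring each value to its field, `"AccessMask.*0x1010"` and so on, restores the intended filter, and the non-`0x` variants can then go since they only widen the match. Thirteen masks repeated twice in one expression would also be easier to maintain as a single alternation, `"AccessMask.*0x(40|1400|1000|100000|1410|1010|1438|143a|1418|1f0fff|1f1fff|1f2fff|1f3fff)"`.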
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.message -match "CommandLine.*.*lsass.*" -and $_.message -match "CommandLine.*.*.dmp.*") -and -not ($_.message -match "Image.*.*\\werfault.exe")) -or ($_.message -match "Image.*.*\\procdump.*" -and $_.message -match "Image.*.*.exe" -and $_.message -match "CommandLine.*.*lsass.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_mal_adwind.ps1 b/Rules/sigma_tmp/win_mal_adwind.ps1
new file mode 100644
index 00000000..d998f73d
--- /dev/null
+++ b/Rules/sigma_tmp/win_mal_adwind.ps1
@@ -0,0 +1,3 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*\\AppData\\Roaming\\Oracle.*" -and $_.message -match "CommandLine.*.*\\java.*" -and $_.message -match "CommandLine.*.*.exe .*") -or ($_.message -match "CommandLine.*.*cscript.exe.*" -and $_.message -match "CommandLine.*.*Retrive.*" -and $_.message -match "CommandLine.*.*.vbs .*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "11") -and (($_.message -match "TargetFilename.*.*\\AppData\\Roaming\\Oracle\\bin\\java.*" -and $_.message -match "TargetFilename.*.*.exe.*") -or ($_.message -match "TargetFilename.*.*\\Retrive.*" -and $_.message -match "TargetFilename.*.*.vbs.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.*" -and $_.message -match "Details.*%AppData%\\Roaming\\Oracle\\bin\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_mal_blue_mockingbird.ps1 b/Rules/sigma_tmp/win_mal_blue_mockingbird.ps1
new file mode 100644
index 00000000..169ee4bd
--- /dev/null
+++ b/Rules/sigma_tmp/win_mal_blue_mockingbird.ps1
@@ -0,0 +1,3 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\cmd.exe" -and $_.message -match "CommandLine.*.*sc config.*" -and $_.message -match "CommandLine.*.*wercplsupporte.dll.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\wmic.exe" -and $_.message -match "CommandLine.*.*COR_PROFILER") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*\\CurrentControlSet\\Services\\wercplsupport\\Parameters\\ServiceDll")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_mal_creddumper.ps1 b/Rules/sigma_tmp/win_mal_creddumper.ps1
new file mode 100644
index 00000000..e0313ea4
--- /dev/null
+++ b/Rules/sigma_tmp/win_mal_creddumper.ps1
@@ -0,0 +1,3 @@
+Get-WinEvent -LogName System | where {((($_.message -match "ServiceName.*.*fgexec.*" -or $_.message -match "ServiceName.*.*wceservice.*" -or $_.message -match "ServiceName.*.*wce service.*" -or $_.message -match "ServiceName.*.*pwdump.*" -or $_.message -match "ServiceName.*.*gsecdump.*" -or $_.message -match "ServiceName.*.*cachedump.*" -or $_.message -match "ServiceName.*.*mimikatz.*" -or $_.message -match "ServiceName.*.*mimidrv.*") -or ($_.message -match "ImagePath.*.*fgexec.*" -or $_.message -match "ImagePath.*.*dumpsvc.*" -or $_.message -match "ImagePath.*.*cachedump.*" -or $_.message -match "ImagePath.*.*mimidrv.*" -or $_.message -match "ImagePath.*.*gsecdump.*" -or $_.message -match "ImagePath.*.*servpw.*" -or $_.message -match "ImagePath.*.*pwdump.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "6") -and (($_.message -match "ServiceName.*.*fgexec.*" -or $_.message -match "ServiceName.*.*wceservice.*" -or $_.message -match "ServiceName.*.*wce service.*" -or $_.message -match "ServiceName.*.*pwdump.*" -or $_.message -match "ServiceName.*.*gsecdump.*" -or $_.message -match "ServiceName.*.*cachedump.*" -or $_.message -match "ServiceName.*.*mimikatz.*" -or $_.message -match "ServiceName.*.*mimidrv.*") -or ($_.message -match "ImagePath.*.*fgexec.*" -or $_.message -match "ImagePath.*.*dumpsvc.*" -or $_.message -match "ImagePath.*.*cachedump.*" -or $_.message -match "ImagePath.*.*mimidrv.*" -or $_.message -match "ImagePath.*.*gsecdump.*" -or $_.message -match "ImagePath.*.*servpw.*" -or $_.message -match "ImagePath.*.*pwdump.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Security | where {((($_.message -match "ServiceName.*.*fgexec.*" -or $_.message -match "ServiceName.*.*wceservice.*" -or $_.message -match "ServiceName.*.*wce service.*" -or $_.message -match "ServiceName.*.*pwdump.*" -or $_.message 
-match "ServiceName.*.*gsecdump.*" -or $_.message -match "ServiceName.*.*cachedump.*" -or $_.message -match "ServiceName.*.*mimikatz.*" -or $_.message -match "ServiceName.*.*mimidrv.*") -or ($_.message -match "ImagePath.*.*fgexec.*" -or $_.message -match "ImagePath.*.*dumpsvc.*" -or $_.message -match "ImagePath.*.*cachedump.*" -or $_.message -match "ImagePath.*.*mimidrv.*" -or $_.message -match "ImagePath.*.*gsecdump.*" -or $_.message -match "ImagePath.*.*servpw.*" -or $_.message -match "ImagePath.*.*pwdump.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_mal_darkside.ps1 b/Rules/sigma_tmp/win_mal_darkside.ps1
new file mode 100644
index 00000000..529eb0ce
--- /dev/null
+++ b/Rules/sigma_tmp/win_mal_darkside.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*=[char][byte]('0x'\+.*" -or $_.message -match "CommandLine.*.* -work worker0 -path .*") -or (($_.message -match "ParentCommandLine.*.*DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}.*") -and ($_.message -match "Image.*.*\\AppData\\Local\\Temp\\.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_mal_flowcloud.ps1 b/Rules/sigma_tmp/win_mal_flowcloud.ps1
new file mode 100644
index 00000000..710a8660
--- /dev/null
+++ b/Rules/sigma_tmp/win_mal_flowcloud.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and (($_.message -match "HKLM\\HARDWARE\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}" -or $_.message -match "HKLM\\HARDWARE\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}" -or $_.message -match "HKLM\\HARDWARE\\{2DB80286-1784-48b5-A751-B6ED1F490303}") -or ($_.message -match "TargetObject.*HKLM\\SYSTEM\\Setup\\PrintResponsor\\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
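Review bot: The System and Security queries in win_mal_creddumper carry no event-ID condition, while the Sysmon query gates on `$_.ID -eq "6"`, so the first and third match any event in those logs whose text contains one of the service or image names; presumably the source rule tied them to service-installation events and that ID test should be restored before deployment. The three calls repeat the same fifteen-term list verbatim; putting it in one `$pattern` variable used by all three would remove the risk of the copies drifting apart. The Security query starts on L201 and ends here.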
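Review bot: `"CommandLine.*.*=[char][byte]('0x'\+.*"` in win_mal_darkside is not a valid regex: `[char]` and `[byte]` are character classes, and the `(` before `'0x'` opens a group that is never closed, so the engine should reject the pattern with a parse error and the whole filter fails on the first event that reaches this branch. The PowerShell fragment needs its metacharacters escaped, `"CommandLine.*.*=\[char\]\[byte\]\('0x'\+.*"`. As with the other `-or` chains, the error only surfaces once an event gets past the preceding alternatives, so a test against a handful of events may pass.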
diff --git a/Rules/sigma_tmp/win_mal_lockergoga.ps1 b/Rules/sigma_tmp/win_mal_lockergoga.ps1
new file mode 100644
index 00000000..0067a360
--- /dev/null
+++ b/Rules/sigma_tmp/win_mal_lockergoga.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*-i SM-tgytutrc -s.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_mal_octopus_scanner.ps1 b/Rules/sigma_tmp/win_mal_octopus_scanner.ps1
new file mode 100644
index 00000000..4d5e34b9
--- /dev/null
+++ b/Rules/sigma_tmp/win_mal_octopus_scanner.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and ($_.message -match "TargetFilename.*.*\\AppData\\Local\\Microsoft\\Cache134.dat" -or $_.message -match "TargetFilename.*.*\\AppData\\Local\\Microsoft\\ExplorerSync.db")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_mal_ryuk.ps1 b/Rules/sigma_tmp/win_mal_ryuk.ps1
new file mode 100644
index 00000000..5d162300
--- /dev/null
+++ b/Rules/sigma_tmp/win_mal_ryuk.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and $_.message -match "CommandLine.*.*stop.*" -and ($_.message -match "CommandLine.*.*samss.*" -or $_.message -match "CommandLine.*.*audioendpointbuilder.*" -or $_.message -match "CommandLine.*.*unistoresvc_?????.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_mal_service_installs.ps1 b/Rules/sigma_tmp/win_mal_service_installs.ps1
new file mode 100644
index 00000000..428cb0c7
--- /dev/null
+++ b/Rules/sigma_tmp/win_mal_service_installs.ps1
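Review bot: `"CommandLine.*.*unistoresvc_?????.*"` in win_mal_ryuk carries the Sigma single-character wildcards through unchanged; in a regex `?` is a quantifier, so `_?` is an optional underscore and the following `?` characters stack quantifiers on it, which .NET should reject as a nested quantifier rather than match five arbitrary characters (verify against the target PowerShell version). The intended pattern is `"CommandLine.*.*unistoresvc_.{5}.*"`. Since the service names are joined with `-or`, the broken branch is only reached when `samss` and `audioendpointbuilder` do not match, so the failure will appear intermittent.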
@@ -0,0 +1,2 @@
+Get-WinEvent -LogName System | where {($_.ID -eq "7045" -and ($_.Service File Name -eq "*\\PAExec*" -or $_.message -match "ServiceName.*mssecsvc2.0" -or $_.Service File Name -eq "*net user*" -or $_.message -match "ServiceName.*Java(TM) Virtual Machine Support Service")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Security | where {($_.ID -eq "4697" -and $_.message -match "ServiceName.*javamtsup") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_mal_ursnif.ps1 b/Rules/sigma_tmp/win_mal_ursnif.ps1
new file mode 100644
index 00000000..3d504efe
--- /dev/null
+++ b/Rules/sigma_tmp/win_mal_ursnif.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*\\Software\\AppDataLow\\Software\\Microsoft\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_mal_wceaux_dll.ps1 b/Rules/sigma_tmp/win_mal_wceaux_dll.ps1
new file mode 100644
index 00000000..9de688f5
--- /dev/null
+++ b/Rules/sigma_tmp/win_mal_wceaux_dll.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "4656" -or $_.ID -eq "4658" -or $_.ID -eq "4660" -or $_.ID -eq "4663") -and $_.message -match "ObjectName.*.*\\wceaux.dll") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_malware_dridex.ps1 b/Rules/sigma_tmp/win_malware_dridex.ps1
new file mode 100644
index 00000000..b5053d65
--- /dev/null
+++ b/Rules/sigma_tmp/win_malware_dridex.ps1
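Review bot: `$_.Service File Name -eq "*\\PAExec*"` in the first line of win_mal_service_installs.ps1 is not valid PowerShell — a member name with spaces would need `$_.'Service File Name'`, Get-WinEvent records expose that value only inside the message text, and `-eq` compares literally so the `*` wildcards never match. Write those two clauses the way the neighbouring ones are written, e.g. `$_.message -match "Service File Name.*\\\\PAExec"` and `$_.message -match "Service File Name.*net user"`. The same `Service File Name -eq "*…*"` construction appears in all three lines of win_meterpreter_or_cobaltstrike_getsystem_service_installation.ps1 later on this page and needs the same change. Note also that `Java(TM)` is a regex group matching `JavaTM`; the literal form is `Java\(TM\)`.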
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\svchost.exe" -and $_.message -match "CommandLine.*.*C:\\Users\\.*" -and $_.message -match "CommandLine.*.*\\Desktop\\.*") -or ($_.message -match "ParentImage.*.*\\svchost.exe" -and ($_.ID -eq "1") -and (($_.message -match "Image.*.*\\whoami.exe" -and $_.message -match "CommandLine.*.*all.*") -or (($_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and $_.message -match "CommandLine.*.*view.*"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_malware_dtrack.ps1 b/Rules/sigma_tmp/win_malware_dtrack.ps1
new file mode 100644
index 00000000..a9b90c79
--- /dev/null
+++ b/Rules/sigma_tmp/win_malware_dtrack.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.* echo EEEE > .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_malware_emotet.ps1 b/Rules/sigma_tmp/win_malware_emotet.ps1
new file mode 100644
index 00000000..d75ed725
--- /dev/null
+++ b/Rules/sigma_tmp/win_malware_emotet.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* -e.* PAA.*" -or $_.message -match "CommandLine.*.*JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ.*" -or $_.message -match "CommandLine.*.*QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA.*" -or $_.message -match "CommandLine.*.*kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA.*" -or $_.message -match "CommandLine.*.*IgAoACcAKgAnACkAOwAkA.*" -or $_.message -match "CommandLine.*.*IAKAAnACoAJwApADsAJA.*" -or $_.message -match "CommandLine.*.*iACgAJwAqACcAKQA7ACQA.*" -or $_.message -match "CommandLine.*.*JABGAGwAeAByAGgAYwBmAGQ.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_malware_formbook.ps1 b/Rules/sigma_tmp/win_malware_formbook.ps1
new file mode 100644
index 00000000..bd22f220
--- /dev/null
+++ b/Rules/sigma_tmp/win_malware_formbook.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "ParentCommandLine.*C:\\Windows\\System32\\.*" -or $_.message -match "ParentCommandLine.*C:\\Windows\\SysWOW64\\.*") -and ($_.message -match "ParentCommandLine.*.*.exe") -and $_.message -match "CommandLine.*.*C:\\Users\\.*" -and (($_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*del.*" -and $_.message -match "CommandLine.*.*\\AppData\\Local\\Temp\\.*") -or ($_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*del.*" -and $_.message -match "CommandLine.*.*\\Desktop\\.*") -or ($_.message -match "CommandLine.*.*/C.*" -and $_.message -match "CommandLine.*.*type nul >.*" -and $_.message -match "CommandLine.*.*\\Desktop\\.*")) -and $_.message -match "CommandLine.*.*.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_malware_notpetya.ps1 b/Rules/sigma_tmp/win_malware_notpetya.ps1
new file mode 100644
index 00000000..d210c014
--- /dev/null
+++ b/Rules/sigma_tmp/win_malware_notpetya.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*\\AppData\\Local\\Temp\\.*" -and $_.message -match "CommandLine.*.*\\.\\pipe\\\.*") -or ($_.message -match "Image.*.*\\rundll32.exe" -and $_.message -match "CommandLine.*.*.dat,#1") -or $_.message -match "\perfc.dat")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_malware_qbot.ps1 b/Rules/sigma_tmp/win_malware_qbot.ps1
new file mode 100644
index 00000000..b97cc142
--- /dev/null
+++ b/Rules/sigma_tmp/win_malware_qbot.ps1
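Review bot: `$_.message -match "\perfc.dat"` in win_malware_notpetya.ps1 is a malformed regex — in .NET `\p` is the Unicode-category escape and must be followed by `{…}`, so the expression throws instead of matching the file name. A literal backslash has to be doubled and the dot escaped: `$_.message -match "\\perfc\.dat"`. Because `-or` evaluates that clause for every event that fails the earlier ones, the error surfaces on the first non-matching Sysmon record, i.e. almost immediately.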
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.message -match "ParentImage.*.*\\WinRAR.exe" -and $_.message -match "Image.*.*\\wscript.exe") -or $_.message -match "CommandLine.*.* /c ping.exe -n 6 127.0.0.1 & type .*") -or ($_.message -match "CommandLine.*.*regsvr32.exe.*" -and $_.message -match "CommandLine.*.*C:\\ProgramData.*" -and $_.message -match "CommandLine.*.*.tmp.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_malware_ryuk.ps1 b/Rules/sigma_tmp/win_malware_ryuk.ps1
new file mode 100644
index 00000000..8b773ae6
--- /dev/null
+++ b/Rules/sigma_tmp/win_malware_ryuk.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*Microsoft\\Windows\\CurrentVersion\\Run.*" -and $_.message -match "CommandLine.*.*C:\\users\\Public\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_malware_script_dropper.ps1 b/Rules/sigma_tmp/win_malware_script_dropper.ps1
new file mode 100644
index 00000000..71216f11
--- /dev/null
+++ b/Rules/sigma_tmp/win_malware_script_dropper.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\cscript.exe") -and ($_.message -match "CommandLine.*.*C:\\Users\\.*" -or $_.message -match "CommandLine.*.*C:\\ProgramData\\.*") -and ($_.message -match "CommandLine.*.*.jse.*" -or $_.message -match "CommandLine.*.*.vbe.*" -or $_.message -match "CommandLine.*.*.js.*" -or $_.message -match "CommandLine.*.*.vba.*" -or $_.message -match "CommandLine.*.*.vbs.*")) -and -not ($_.message -match "ParentImage.*.*\\winzip.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_malware_trickbot_recon_activity.ps1 b/Rules/sigma_tmp/win_malware_trickbot_recon_activity.ps1
new file mode 100644
index 00000000..9e4e54b5
--- /dev/null
+++ b/Rules/sigma_tmp/win_malware_trickbot_recon_activity.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "ParentImage.*.*\\cmd.exe") -and ($_.message -match "Image.*.*\\nltest.exe") -and ($_.message -match "CommandLine.*.*/domain_trusts /all_trusts.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_malware_trickbot_wermgr.ps1 b/Rules/sigma_tmp/win_malware_trickbot_wermgr.ps1
new file mode 100644
index 00000000..b301017d
--- /dev/null
+++ b/Rules/sigma_tmp/win_malware_trickbot_wermgr.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\wermgr.exe") -and ($_.message -match "ParentImage.*.*\\rundll32.exe") -and ($_.message -match "ParentCommandLine.*.*DllRegisterServer.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_malware_wannacry.ps1 b/Rules/sigma_tmp/win_malware_wannacry.ps1
new file mode 100644
index 00000000..c2aa1188
--- /dev/null
+++ b/Rules/sigma_tmp/win_malware_wannacry.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\tasksche.exe" -or $_.message -match "Image.*.*\\mssecsvc.exe" -or $_.message -match "Image.*.*\\taskdl.exe" -or $_.message -match "Image.*.*\\taskhsvc.exe" -or $_.message -match "Image.*.*\\taskse.exe" -or $_.message -match "Image.*.*\\111.exe" -or $_.message -match "Image.*.*\\lhdfrgui.exe" -or $_.message -match "Image.*.*\\diskpart.exe" -or $_.message -match "Image.*.*\\linuxnew.exe" -or $_.message -match "Image.*.*\\wannacry.exe") -or $_.message -match "Image.*.*WanaDecryptor.*" -or ($_.message -match "CommandLine.*.*icacls.*" -and $_.message -match "CommandLine.*.*/grant.*" -and $_.message -match "CommandLine.*.*Everyone:F.*" -and $_.message -match "CommandLine.*.*/T.*" -and $_.message -match "CommandLine.*.*/C.*" -and $_.message -match "CommandLine.*.*/Q.*") -or ($_.message -match "CommandLine.*.*bcdedit.*" -and $_.message -match "CommandLine.*.*/set.*" -and $_.message -match "CommandLine.*.*{default}.*" -and $_.message -match "CommandLine.*.*recoveryenabled.*" -and $_.message -match "CommandLine.*.*no.*") -or ($_.message -match "CommandLine.*.*wbadmin.*" -and $_.message -match "CommandLine.*.*delete.*" -and $_.message -match "CommandLine.*.*catalog.*" -and $_.message -match "CommandLine.*.*-quiet.*") -or $_.message -match "CommandLine.*.*@Please_Read_Me@.txt.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_manage-bde_lolbas.ps1 b/Rules/sigma_tmp/win_manage-bde_lolbas.ps1
new file mode 100644
index 00000000..0ed0c1ea
--- /dev/null
+++ b/Rules/sigma_tmp/win_manage-bde_lolbas.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*cscript.*" -and $_.message -match "CommandLine.*.*manage-bde.wsf.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_mavinject_proc_inj.ps1 b/Rules/sigma_tmp/win_mavinject_proc_inj.ps1
new file mode 100644
index 00000000..67bcb98d
--- /dev/null
+++ b/Rules/sigma_tmp/win_mavinject_proc_inj.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.* /INJECTRUNNING .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_meterpreter_or_cobaltstrike_getsystem_service_installation.ps1 b/Rules/sigma_tmp/win_meterpreter_or_cobaltstrike_getsystem_service_installation.ps1
new file mode 100644
index 00000000..77148ba1
--- /dev/null
+++ b/Rules/sigma_tmp/win_meterpreter_or_cobaltstrike_getsystem_service_installation.ps1
@@ -0,0 +1,3 @@
+Get-WinEvent -LogName System | where {((($_.Service File Name -eq "*cmd*" -and $_.Service File Name -eq "*/c*" -and $_.Service File Name -eq "*echo*" -and $_.Service File Name -eq "*\\pipe\\*") -or ($_.Service File Name -eq "*%COMSPEC%*" -and $_.Service File Name -eq "*/c*" -and $_.Service File Name -eq "*echo*" -and $_.Service File Name -eq "*\\pipe\\*") -or ($_.Service File Name -eq "*cmd.exe*" -and $_.Service File Name -eq "*/c*" -and $_.Service File Name -eq "*echo*" -and $_.Service File Name -eq "*\\pipe\\*") -or ($_.Service File Name -eq "*rundll32*" -and $_.Service File Name -eq "*.dll,a*" -and $_.Service File Name -eq "*/p:*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "6") -and (($_.Service File Name -eq "*cmd*" -and $_.Service File Name -eq "*/c*" -and $_.Service File Name -eq "*echo*" -and $_.Service File Name -eq "*\\pipe\\*") -or ($_.Service File Name -eq "*%COMSPEC%*" -and $_.Service File Name -eq "*/c*" -and $_.Service File Name -eq "*echo*" -and $_.Service File Name -eq "*\\pipe\\*") -or ($_.Service File Name -eq "*cmd.exe*" -and $_.Service File Name -eq "*/c*" -and $_.Service File Name -eq "*echo*" -and $_.Service File Name -eq "*\\pipe\\*") -or ($_.Service File Name -eq "*rundll32*" -and $_.Service File Name -eq "*.dll,a*" -and $_.Service File Name -eq "*/p:*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Security | where {((($_.Service File Name -eq "*cmd*" -and $_.Service File Name -eq "*/c*" -and $_.Service File Name -eq "*echo*" -and $_.Service File Name -eq "*\\pipe\\*") -or ($_.Service File Name -eq "*%COMSPEC%*" -and $_.Service File Name -eq "*/c*" -and $_.Service File Name -eq "*echo*" -and $_.Service File Name -eq "*\\pipe\\*") -or ($_.Service File Name -eq "*cmd.exe*" -and $_.Service File Name -eq "*/c*" -and $_.Service File Name -eq "*echo*" -and $_.Service File Name -eq 
"*\\pipe\\*") -or ($_.Service File Name -eq "*rundll32*" -and $_.Service File Name -eq "*.dll,a*" -and $_.Service File Name -eq "*/p:*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_meterpreter_or_cobaltstrike_getsystem_service_start.ps1 b/Rules/sigma_tmp/win_meterpreter_or_cobaltstrike_getsystem_service_start.ps1
new file mode 100644
index 00000000..7d4dc9f8
--- /dev/null
+++ b/Rules/sigma_tmp/win_meterpreter_or_cobaltstrike_getsystem_service_start.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "ParentImage.*.*\\services.exe" -and (($_.message -match "CommandLine.*.*cmd.*" -and $_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*echo.*" -and $_.message -match "CommandLine.*.*\\pipe\\.*") -or ($_.message -match "CommandLine.*.*%COMSPEC%.*" -and $_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*echo.*" -and $_.message -match "CommandLine.*.*\\pipe\\.*") -or ($_.message -match "CommandLine.*.*cmd.exe.*" -and $_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*echo.*" -and $_.message -match "CommandLine.*.*\\pipe\\.*") -or ($_.message -match "CommandLine.*.*rundll32.*" -and $_.message -match "CommandLine.*.*.dll,a.*" -and $_.message -match "CommandLine.*.*/p:.*"))) -and -not ($_.message -match "CommandLine.*.*MpCmdRun.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_mimikatz_command_line.ps1 b/Rules/sigma_tmp/win_mimikatz_command_line.ps1
new file mode 100644
index 00000000..ef154217
--- /dev/null
+++ b/Rules/sigma_tmp/win_mimikatz_command_line.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*DumpCreds.*" -or $_.message -match "CommandLine.*.*invoke-mimikatz.*") -or (($_.message -match "CommandLine.*.*rpc.*" -or $_.message -match "CommandLine.*.*token.*" -or $_.message -match "CommandLine.*.*crypto.*" -or $_.message -match "CommandLine.*.*dpapi.*" -or $_.message -match "CommandLine.*.*sekurlsa.*" -or $_.message -match "CommandLine.*.*kerberos.*" -or $_.message -match "CommandLine.*.*lsadump.*" -or $_.message -match "CommandLine.*.*privilege.*" -or $_.message -match "CommandLine.*.*process.*") -and ($_.message -match "CommandLine.*.*::.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_mmc20_lateral_movement.ps1 b/Rules/sigma_tmp/win_mmc20_lateral_movement.ps1
new file mode 100644
index 00000000..ee07eb6d
--- /dev/null
+++ b/Rules/sigma_tmp/win_mmc20_lateral_movement.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\svchost.exe" -and $_.message -match "Image.*.*\\mmc.exe" -and $_.message -match "CommandLine.*.*-Embedding.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_mmc_spawn_shell.ps1 b/Rules/sigma_tmp/win_mmc_spawn_shell.ps1
new file mode 100644
index 00000000..dfbd5749
--- /dev/null
+++ b/Rules/sigma_tmp/win_mmc_spawn_shell.ps1
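Review bot: The second branch of win_mimikatz_command_line.ps1 pairs loose keywords such as `process`, `token` and `crypto` with a separate `::` test, so any command line that happens to contain both — e.g. a PowerShell static call like `[System.Diagnostics.Process]::Start(...)` — satisfies the rule; expect noticeable false positives from this line. Tying the keyword to the module separator in one pattern, e.g. `$_.message -match "CommandLine.*\b(rpc|token|crypto|dpapi|sekurlsa|kerberos|lsadump|privilege|process)::"`, keeps the intent while removing the cross-field coincidence. This is a tuning observation rather than a defect in the conversion.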
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and $_.message -match "ParentImage.*.*\\mmc.exe" -and (($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\cscript.exe" -or $_.message -match "Image.*.*\\sh.exe" -or $_.message -match "Image.*.*\\bash.exe" -or $_.message -match "Image.*.*\\reg.exe" -or $_.message -match "Image.*.*\\regsvr32.exe") -or ($_.message -match "Image.*.*\\BITSADMIN.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_moriya_rootkit.ps1 b/Rules/sigma_tmp/win_moriya_rootkit.ps1
new file mode 100644
index 00000000..657eedf0
--- /dev/null
+++ b/Rules/sigma_tmp/win_moriya_rootkit.ps1
@@ -0,0 +1,2 @@
+Get-WinEvent -LogName System | where {($_.ID -eq "7045" -and $_.message -match "ServiceName.*ZzNetSvc") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "TargetFilename.*C:\\Windows\\System32\\drivers\\MoriyaStreamWatchmen.sys") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_mouse_lock.ps1 b/Rules/sigma_tmp/win_mouse_lock.ps1
new file mode 100644
index 00000000..d81e5c30
--- /dev/null
+++ b/Rules/sigma_tmp/win_mouse_lock.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Product.*.*Mouse Lock.*" -or $_.message -match "Company.*.*Misc314.*" -or $_.message -match "CommandLine.*.*Mouse Lock_.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_mshta_javascript.ps1 b/Rules/sigma_tmp/win_mshta_javascript.ps1
new file mode 100644
index 00000000..16a687e7
--- /dev/null
+++ b/Rules/sigma_tmp/win_mshta_javascript.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\mshta.exe" -and $_.message -match "CommandLine.*.*javascript.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_mshta_spawn_shell.ps1 b/Rules/sigma_tmp/win_mshta_spawn_shell.ps1
new file mode 100644
index 00000000..af638b77
--- /dev/null
+++ b/Rules/sigma_tmp/win_mshta_spawn_shell.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and $_.message -match "ParentImage.*.*\\mshta.exe" -and (($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\cscript.exe" -or $_.message -match "Image.*.*\\sh.exe" -or $_.message -match "Image.*.*\\bash.exe" -or $_.message -match "Image.*.*\\reg.exe" -or $_.message -match "Image.*.*\\regsvr32.exe") -or ($_.message -match "Image.*.*\\BITSADMIN.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_multiple_suspicious_cli.ps1 b/Rules/sigma_tmp/win_multiple_suspicious_cli.ps1
new file mode 100644
index 00000000..86a24c52
--- /dev/null
+++ b/Rules/sigma_tmp/win_multiple_suspicious_cli.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*arp.exe.*" -or $_.message -match "CommandLine.*.*at.exe.*" -or $_.message -match "CommandLine.*.*attrib.exe.*" -or $_.message -match "CommandLine.*.*cscript.exe.*" -or $_.message -match "CommandLine.*.*dsquery.exe.*" -or $_.message -match "CommandLine.*.*hostname.exe.*" -or $_.message -match "CommandLine.*.*ipconfig.exe.*" -or $_.message -match "CommandLine.*.*mimikatz.exe.*" -or $_.message -match "CommandLine.*.*nbtstat.exe.*" -or $_.message -match "CommandLine.*.*net.exe.*" -or $_.message -match "CommandLine.*.*netsh.exe.*" -or $_.message -match "CommandLine.*.*nslookup.exe.*" -or $_.message -match "CommandLine.*.*ping.exe.*" -or $_.message -match "CommandLine.*.*quser.exe.*" -or $_.message -match "CommandLine.*.*qwinsta.exe.*" -or $_.message -match "CommandLine.*.*reg.exe.*" -or $_.message -match "CommandLine.*.*runas.exe.*" -or $_.message -match "CommandLine.*.*sc.exe.*" -or $_.message -match "CommandLine.*.*schtasks.exe.*" -or $_.message -match "CommandLine.*.*ssh.exe.*" -or $_.message -match "CommandLine.*.*systeminfo.exe.*" -or $_.message -match "CommandLine.*.*taskkill.exe.*" -or $_.message -match "CommandLine.*.*telnet.exe.*" -or $_.message -match "CommandLine.*.*tracert.exe.*" -or $_.message -match "CommandLine.*.*wscript.exe.*" -or $_.message -match "CommandLine.*.*xcopy.exe.*" -or $_.message -match "CommandLine.*.*pscp.exe.*" -or $_.message -match "CommandLine.*.*copy.exe.*" -or $_.message -match "CommandLine.*.*robocopy.exe.*" -or $_.message -match "CommandLine.*.*certutil.exe.*" -or $_.message -match "CommandLine.*.*vssadmin.exe.*" -or $_.message -match "CommandLine.*.*powershell.exe.*" -or $_.message -match "CommandLine.*.*wevtutil.exe.*" -or $_.message -match "CommandLine.*.*psexec.exe.*" -or $_.message -match "CommandLine.*.*bcedit.exe.*" -or $_.message -match "CommandLine.*.*wbadmin.exe.*" -or $_.message -match 
"CommandLine.*.*icacls.exe.*" -or $_.message -match "CommandLine.*.*diskpart.exe.*")) } | group-object MachineName | where { $_.count -gt 5 } | select name,count | sort -desc
diff --git a/Rules/sigma_tmp/win_net_enum.ps1 b/Rules/sigma_tmp/win_net_enum.ps1
new file mode 100644
index 00000000..52f98baf
--- /dev/null
+++ b/Rules/sigma_tmp/win_net_enum.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and $_.message -match "CommandLine.*.*view.*") -and -not ($_.message -match "CommandLine.*.*\\\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_net_ntlm_downgrade.ps1 b/Rules/sigma_tmp/win_net_ntlm_downgrade.ps1
new file mode 100644
index 00000000..0f7afef4
--- /dev/null
+++ b/Rules/sigma_tmp/win_net_ntlm_downgrade.ps1
@@ -0,0 +1,2 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*.*SYSTEM\\.*" -and $_.message -match "TargetObject.*.*ControlSet.*" -and $_.message -match "TargetObject.*.*\\Control\\Lsa.*" -and ($_.message -match "TargetObject.*.*\\lmcompatibilitylevel" -or $_.message -match "TargetObject.*.*\\NtlmMinClientSec" -or $_.message -match "TargetObject.*.*\\RestrictSendingNTLMTraffic")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Security | where {($_.ID -eq "4657" -and $_.message -match "ObjectName.*.*\\REGISTRY\\MACHINE\\SYSTEM.*" -and $_.message -match "ObjectName.*.*ControlSet.*" -and $_.message -match "ObjectName.*.*\\Control\\Lsa.*" -and ($_.message -match "LmCompatibilityLevel" -or $_.message -match "NtlmMinClientSec" -or $_.message -match "RestrictSendingNTLMTraffic")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
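Review bot: `bcedit.exe` in the pattern list of win_multiple_suspicious_cli.ps1 looks like a typo for `bcdedit.exe` (win_malware_wannacry.ps1 on this page spells it `bcdedit`), so the intended tool is presumably never counted toward the per-host threshold; change it to `$_.message -match "CommandLine.*bcdedit.exe"` if that is the intent. The scriptblock this belongs to starts on the previous physical line. Since the count is over raw events, one host repeatedly running a single listed tool (e.g. a scheduled `ping.exe`) also crosses `-gt 5`, which is worth knowing when triaging hits.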
diff --git a/Rules/sigma_tmp/win_net_use_admin_share.ps1 b/Rules/sigma_tmp/win_net_use_admin_share.ps1
new file mode 100644
index 00000000..13c50791
--- /dev/null
+++ b/Rules/sigma_tmp/win_net_use_admin_share.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and $_.message -match "CommandLine.*.* use .*" -and $_.message -match "CommandLine.*.*\\\.*\\.*$.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_net_user_add.ps1 b/Rules/sigma_tmp/win_net_user_add.ps1
new file mode 100644
index 00000000..a8004957
--- /dev/null
+++ b/Rules/sigma_tmp/win_net_user_add.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and $_.message -match "CommandLine.*.*user.*" -and $_.message -match "CommandLine.*.*add.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_netsh_allow_port_rdp.ps1 b/Rules/sigma_tmp/win_netsh_allow_port_rdp.ps1
new file mode 100644
index 00000000..311ed319
--- /dev/null
+++ b/Rules/sigma_tmp/win_netsh_allow_port_rdp.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*netsh.*" -and (($_.message -match "CommandLine.*.*firewall add portopening.*" -and $_.message -match "CommandLine.*.*tcp 3389.*") -or ($_.message -match "CommandLine.*.*advfirewall firewall add rule.*" -and $_.message -match "CommandLine.*.*action=allow.*" -and $_.message -match "CommandLine.*.*protocol=TCP.*" -and $_.message -match "CommandLine.*.*localport=3389.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
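Review bot: The `$` in `"CommandLine.*.*\\\.*\\.*$.*"` (win_net_use_admin_share.ps1) is a regex end-of-string anchor, not the literal dollar of an admin share name, so the clause only requires two backslashes and never checks for `C$`/`ADMIN$`. Escape it, and prefer a single-quoted string so PowerShell cannot interpolate anything: `$_.message -match 'CommandLine.* use .*\\\\.*\\.*\$'`. The `\\\.*` fragment in the original also matches a backslash followed by a run of literal dots, which is unlikely to be what was meant.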
diff --git a/Rules/sigma_tmp/win_netsh_fw_add.ps1 b/Rules/sigma_tmp/win_netsh_fw_add.ps1
new file mode 100644
index 00000000..b4b0ff39
--- /dev/null
+++ b/Rules/sigma_tmp/win_netsh_fw_add.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\netsh.exe" -and $_.message -match "CommandLine.*.*firewall.*" -and $_.message -match "CommandLine.*.*add.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_netsh_fw_add_susp_image.ps1 b/Rules/sigma_tmp/win_netsh_fw_add_susp_image.ps1
new file mode 100644
index 00000000..9b96ef0b
--- /dev/null
+++ b/Rules/sigma_tmp/win_netsh_fw_add_susp_image.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.ID -eq "1" -and $_.message -match "Image.*.*\\netsh.exe" -and $_.message -match "CommandLine.*.*firewall.*" -and $_.message -match "CommandLine.*.*add.*" -and ($_.message -match "CommandLine.*.*allowedprogram.*" -or ($_.message -match "CommandLine.*.*advfirewall.*" -and $_.message -match "CommandLine.*.*rule.*" -and $_.message -match "CommandLine.*.*action=allow.*" -and $_.message -match "CommandLine.*.*program=.*"))) -and (($_.message -match "CommandLine.*.*%TEMP%.*" -or $_.message -match "CommandLine.*.*:\\RECYCLER\\.*" -or $_.message -match "CommandLine.*.*C:\\$Recycle.bin\\.*" -or $_.message -match "CommandLine.*.*:\\SystemVolumeInformation\\.*" -or $_.message -match "CommandLine.*.*C:\\Windows\\Temp\\.*" -or $_.message -match "CommandLine.*.*C:\\Temp\\.*" -or $_.message -match "CommandLine.*.*C:\\Users\\Public\\.*" -or $_.message -match "CommandLine.*.*C:\\Users\\Default\\.*" -or $_.message -match "CommandLine.*.*C:\\Users\\Desktop\\.*" -or $_.message -match "CommandLine.*.*\\Downloads\\.*" -or $_.message -match "CommandLine.*.*\\Temporary Internet Files\\Content.Outlook\\.*" -or $_.message -match "CommandLine.*.*\\Local Settings\\Temporary Internet Files\\.*") -or ($_.message -match "CommandLine.*C:\\Windows\\Tasks\\.*" -or $_.message -match "CommandLine.*C:\\Windows\\debug\\.*" -or $_.message -match "CommandLine.*C:\\Windows\\fonts\\.*" -or $_.message -match "CommandLine.*C:\\Windows\\help\\.*" -or $_.message -match "CommandLine.*C:\\Windows\\drivers\\.*" -or $_.message -match "CommandLine.*C:\\Windows\\addins\\.*" -or $_.message -match "CommandLine.*C:\\Windows\\cursors\\.*" -or $_.message -match "CommandLine.*C:\\Windows\\system32\\tasks\\.*" -or $_.message -match "CommandLine.*%Public%\\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
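Review bot: Inside a double-quoted PowerShell string, `"CommandLine.*.*C:\\$Recycle.bin\\.*"` in win_netsh_fw_add_susp_image.ps1 interpolates `$Recycle` (normally undefined, hence empty), leaving the pattern `C:\\.bin\\.*`, so the `$Recycle.bin` path never matches. Escape the dollar or single-quote the pattern: `$_.message -match 'CommandLine.*C:\\\$Recycle\.bin\\'`. The event-ID test is also written twice, `($_.ID -eq "1") -and ($_.ID -eq "1" -and …)`, and one copy can go.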
diff --git a/Rules/sigma_tmp/win_netsh_packet_capture.ps1 b/Rules/sigma_tmp/win_netsh_packet_capture.ps1
new file mode 100644
index 00000000..bbab7561
--- /dev/null
+++ b/Rules/sigma_tmp/win_netsh_packet_capture.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*netsh.*" -and $_.message -match "CommandLine.*.*trace.*" -and $_.message -match "CommandLine.*.*start.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_netsh_port_fwd.ps1 b/Rules/sigma_tmp/win_netsh_port_fwd.ps1
new file mode 100644
index 00000000..2bde84eb
--- /dev/null
+++ b/Rules/sigma_tmp/win_netsh_port_fwd.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\netsh.exe" -and (($_.message -match "CommandLine.*.*interface.*" -and $_.message -match "CommandLine.*.*portproxy.*" -and $_.message -match "CommandLine.*.*add.*" -and $_.message -match "CommandLine.*.*v4tov4.*") -or ($_.message -match "CommandLine.*.*connectp.*" -and $_.message -match "CommandLine.*.*listena.*" -and $_.message -match "CommandLine.*.*c=.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_netsh_port_fwd_3389.ps1 b/Rules/sigma_tmp/win_netsh_port_fwd_3389.ps1
new file mode 100644
index 00000000..3c4f601e
--- /dev/null
+++ b/Rules/sigma_tmp/win_netsh_port_fwd_3389.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\netsh.exe" -and $_.message -match "CommandLine.*.*i.*" -and $_.message -match "CommandLine.*.* p.*" -and $_.message -match "CommandLine.*.*=3389.*" -and $_.message -match "CommandLine.*.* c.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_netsh_wifi_credential_harvesting.ps1 b/Rules/sigma_tmp/win_netsh_wifi_credential_harvesting.ps1
new file mode 100644
index 00000000..ca188f79
--- /dev/null
+++ b/Rules/sigma_tmp/win_netsh_wifi_credential_harvesting.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\netsh.exe" -and $_.message -match "CommandLine.*.*wlan.*" -and $_.message -match "CommandLine.*.* s.*" -and $_.message -match "CommandLine.*.* p.*" -and $_.message -match "CommandLine.*.* k.*" -and $_.message -match "CommandLine.*.*=clear.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_network_sniffing.ps1 b/Rules/sigma_tmp/win_network_sniffing.ps1
new file mode 100644
index 00000000..e3596772
--- /dev/null
+++ b/Rules/sigma_tmp/win_network_sniffing.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\tshark.exe" -and $_.message -match "CommandLine.*.*-i.*") -or $_.message -match "Image.*.*\\windump.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_new_or_renamed_user_account_with_dollar_sign.ps1 b/Rules/sigma_tmp/win_new_or_renamed_user_account_with_dollar_sign.ps1
new file mode 100644
index 00000000..0af8cc91
--- /dev/null
+++ b/Rules/sigma_tmp/win_new_or_renamed_user_account_with_dollar_sign.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "4720" -or $_.ID -eq "4781") -and $_.message -match "SamAccountName.*.*$.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_new_service_creation.ps1 b/Rules/sigma_tmp/win_new_service_creation.ps1
new file mode 100644
index 00000000..15e19812
--- /dev/null
+++ b/Rules/sigma_tmp/win_new_service_creation.ps1
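Review bot: In win_new_or_renamed_user_account_with_dollar_sign.ps1 the `$` in `"SamAccountName.*.*$.*"` is a regex end-of-string anchor, so the expression is true for every 4720/4781 event whose message contains `SamAccountName` and the dollar-sign condition the file is named for is never applied. Escape it, preferably in a single-quoted string so PowerShell interpolation is not a concern either: `$_.message -match 'SamAccountName.*\$'`. Because `-match` runs over the whole message, a `$` in any later field would still satisfy the pattern; if the field layout is known, anchoring on the account-name line is tighter.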
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\sc.exe" -and $_.message -match "CommandLine.*.*create.*" -and $_.message -match "CommandLine.*.*binpath.*") -or ($_.message -match "Image.*.*\\powershell.exe" -and $_.message -match "CommandLine.*.*new-service.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_nltest_query.ps1 b/Rules/sigma_tmp/win_nltest_query.ps1
new file mode 100644
index 00000000..7e40cadd
--- /dev/null
+++ b/Rules/sigma_tmp/win_nltest_query.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\nltest.exe" -and $_.message -match "CommandLine.*.*\\query.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_non_interactive_powershell.ps1 b/Rules/sigma_tmp/win_non_interactive_powershell.ps1
new file mode 100644
index 00000000..814f87f6
--- /dev/null
+++ b/Rules/sigma_tmp/win_non_interactive_powershell.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and $_.message -match "Image.*.*\\powershell.exe" -and -not (($_.message -match "ParentImage.*.*\\explorer.exe" -or $_.message -match "ParentImage.*.*\\CompatTelRunner.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_non_priv_reg_or_ps.ps1 b/Rules/sigma_tmp/win_non_priv_reg_or_ps.ps1
new file mode 100644
index 00000000..f85bd81c
--- /dev/null
+++ b/Rules/sigma_tmp/win_non_priv_reg_or_ps.ps1
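Review bot: In win_nltest_query the pattern `CommandLine.*.*\\query.*` requires a literal backslash before `query`: PowerShell does not treat `\` as an escape inside double quotes, and the regex engine then reads `\\` as one literal backslash. If the source rule means nltest's `/query` switch, this clause never matches; please confirm against the source and use `$_.message -match "CommandLine.*/query"` if so. The `.*.*` pairs throughout these generated files are harmless but collapse to `.*`, which would make the patterns easier to audit.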
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "IntegrityLevel.*Medium" -and ($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*reg.*" -and $_.message -match "CommandLine.*.*add.*") -or ($_.message -match "CommandLine.*.*powershell.*" -and ($_.message -match "CommandLine.*.*set-itemproperty.*" -or $_.message -match "CommandLine.*.* sp .*" -or $_.message -match "CommandLine.*.*new-itemproperty.*"))) -and $_.message -match "CommandLine.*.*ControlSet.*" -and $_.message -match "CommandLine.*.*Services.*" -and ($_.message -match "CommandLine.*.*ImagePath.*" -or $_.message -match "CommandLine.*.*FailureCommand.*" -or $_.message -match "CommandLine.*.*ServiceDLL.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_not_allowed_rdp_access.ps1 b/Rules/sigma_tmp/win_not_allowed_rdp_access.ps1
new file mode 100644
index 00000000..f7f34b5c
--- /dev/null
+++ b/Rules/sigma_tmp/win_not_allowed_rdp_access.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "4825") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_ntfs_vuln_exploit.ps1 b/Rules/sigma_tmp/win_ntfs_vuln_exploit.ps1
new file mode 100644
index 00000000..1e72412b
--- /dev/null
+++ b/Rules/sigma_tmp/win_ntfs_vuln_exploit.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName System | where {($_.ID -eq "55" -and $_.message -match "Origin.*File System Driver" -and $_.message -match "Description.*.*contains a corrupted file record.*" -and $_.message -match "Description.*.*The name of the file is \"\\\".*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_office_shell.ps1 b/Rules/sigma_tmp/win_office_shell.ps1
new file mode 100644
index 00000000..d8dc95d7
--- /dev/null
+++ b/Rules/sigma_tmp/win_office_shell.ps1
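Review bot: win_ntfs_vuln_exploit does not parse: PowerShell double-quoted strings are not backslash-escaped, so the `\"` in `"Description.*.*The name of the file is \"\\\".*"` terminates the string and the remainder is a syntax error, which means the whole script fails instead of one clause silently missing. To match the literal `"\"` in the event text use single quotes, `$_.message -match 'Description.*The name of the file is "\\".*'` (inside single quotes `\\` is the regex for one backslash). Running `[System.Management.Automation.Language.Parser]::ParseFile` over Rules/sigma_tmp in CI would catch the other generated files with the same class of error before they are deployed.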
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "ParentImage.*.*\\WINWORD.EXE" -or $_.message -match "ParentImage.*.*\\EXCEL.EXE" -or $_.message -match "ParentImage.*.*\\POWERPNT.exe" -or $_.message -match "ParentImage.*.*\\MSPUB.exe" -or $_.message -match "ParentImage.*.*\\VISIO.exe" -or $_.message -match "ParentImage.*.*\\OUTLOOK.EXE" -or $_.message -match "ParentImage.*.*\\MSACCESS.EXE" -or $_.message -match "ParentImage.*.*\\EQNEDT32.EXE") -and ($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\cscript.exe" -or $_.message -match "Image.*.*\\sh.exe" -or $_.message -match "Image.*.*\\bash.exe" -or $_.message -match "Image.*.*\\scrcons.exe" -or $_.message -match "Image.*.*\\schtasks.exe" -or $_.message -match "Image.*.*\\regsvr32.exe" -or $_.message -match "Image.*.*\\hh.exe" -or $_.message -match "Image.*.*\\wmic.exe" -or $_.message -match "Image.*.*\\mshta.exe" -or $_.message -match "Image.*.*\\rundll32.exe" -or $_.message -match "Image.*.*\\msiexec.exe" -or $_.message -match "Image.*.*\\forfiles.exe" -or $_.message -match "Image.*.*\\scriptrunner.exe" -or $_.message -match "Image.*.*\\mftrace.exe" -or $_.message -match "Image.*.*\\AppVLP.exe" -or $_.message -match "Image.*.*\\svchost.exe" -or $_.message -match "Image.*.*\\msbuild.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_office_spawn_exe_from_users_directory.ps1 b/Rules/sigma_tmp/win_office_spawn_exe_from_users_directory.ps1
new file mode 100644
index 00000000..344ac61c
--- /dev/null
+++ b/Rules/sigma_tmp/win_office_spawn_exe_from_users_directory.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "ParentImage.*.*\\WINWORD.EXE" -or $_.message -match "ParentImage.*.*\\EXCEL.EXE" -or $_.message -match "ParentImage.*.*\\POWERPNT.exe" -or $_.message -match "ParentImage.*.*\\MSPUB.exe" -or $_.message -match "ParentImage.*.*\\VISIO.exe") -and $_.message -match "Image.*C:\\users\\.*" -and $_.message -match "Image.*.*.exe") -and -not ($_.message -match "Image.*.*\\Teams.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_outlook_c2_macro_creation.ps1 b/Rules/sigma_tmp/win_outlook_c2_macro_creation.ps1
new file mode 100644
index 00000000..93adb4ce
--- /dev/null
+++ b/Rules/sigma_tmp/win_outlook_c2_macro_creation.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*\\Microsoft\\Outlook\\VbaProject.OTM") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_outlook_c2_registry_key.ps1 b/Rules/sigma_tmp/win_outlook_c2_registry_key.ps1
new file mode 100644
index 00000000..eb8192ff
--- /dev/null
+++ b/Rules/sigma_tmp/win_outlook_c2_registry_key.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Security\\Level" -and $_.message -match "Details.*.*0x00000001.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_outlook_registry_todaypage.ps1 b/Rules/sigma_tmp/win_outlook_registry_todaypage.ps1
new file mode 100644
index 00000000..ef51f3d1
--- /dev/null
+++ b/Rules/sigma_tmp/win_outlook_registry_todaypage.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*Software\\Microsoft\\Office\\.*" -or $_.message -match "TargetObject.*.*\\Outlook\\Today\\.*") -and (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ((($_.message -match "TargetObject.*.*Stamp") -and $_.message -match "Details.*DWORD (0x00000001)") -or ($_.message -match "TargetObject.*.*UserDefinedUrl"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_outlook_registry_webview.ps1 b/Rules/sigma_tmp/win_outlook_registry_webview.ps1
new file mode 100644
index 00000000..e2058ef6
--- /dev/null
+++ b/Rules/sigma_tmp/win_outlook_registry_webview.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*Software\\Microsoft\\Office\\.*" -or $_.message -match "TargetObject.*.*Outlook\\WebView\\.*") -and $_.message -match "TargetObject.*.*URL" -and ($_.message -match "TargetObject.*.*Calendar.*" -or $_.message -match "TargetObject.*.*Inbox.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_overpass_the_hash.ps1 b/Rules/sigma_tmp/win_overpass_the_hash.ps1
new file mode 100644
index 00000000..354c4367
--- /dev/null
+++ b/Rules/sigma_tmp/win_overpass_the_hash.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "4624" -and $_.message -match "LogonType.*9" -and $_.message -match "LogonProcessName.*seclogo" -and $_.message -match "AuthenticationPackageName.*Negotiate") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_pass_the_hash.ps1 b/Rules/sigma_tmp/win_pass_the_hash.ps1
new file mode 100644
index 00000000..2a32b17e
--- /dev/null
+++ b/Rules/sigma_tmp/win_pass_the_hash.ps1
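Review bot: In win_outlook_registry_todaypage the clause `Details.*DWORD (0x00000001)` cannot match the Sysmon Details text `DWORD (0x00000001)`: the parentheses form a regex group, so the pattern requires `DWORD ` to be followed directly by `0x00000001`, and the `Stamp` branch of the rule therefore never fires. Escape them, `$_.message -match 'Details.*DWORD \(0x00000001\)'`. The same unescaped group appears in `Description.*.*Windows-Hostprozess (Rundll32).*` in win_powershell_dll_execution (L235). The second `($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")` in this file repeats the outer check and can be dropped.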
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.message -match "LogonType.*3" -and $_.message -match "LogonProcessName.*NtLmSsp" -and $_.message -match "WorkstationName.*%Workstations%" -and $_.message -match "ComputerName.*%Workstations%" -and ($_.ID -eq "4624" -or $_.ID -eq "4625")) -and -not ($_.message -match "AccountName.*ANONYMOUS LOGON")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_pass_the_hash_2.ps1 b/Rules/sigma_tmp/win_pass_the_hash_2.ps1
new file mode 100644
index 00000000..0cb0750f
--- /dev/null
+++ b/Rules/sigma_tmp/win_pass_the_hash_2.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "4624" -and (($_.message -match "SubjectUserSid.*S-1-0-0" -and $_.message -match "LogonType.*3" -and $_.message -match "LogonProcessName.*NtLmSsp" -and $_.message -match "KeyLength.*0") -or ($_.message -match "LogonType.*9" -and $_.message -match "LogonProcessName.*seclogo"))) -and -not ($_.message -match "AccountName.*ANONYMOUS LOGON")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_pcap_drivers.ps1 b/Rules/sigma_tmp/win_pcap_drivers.ps1
new file mode 100644
index 00000000..a1d0ab6c
--- /dev/null
+++ b/Rules/sigma_tmp/win_pcap_drivers.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "4697" -and ($_.Service File Name -eq "*pcap*" -or $_.message -match "Service File Name.*.*npcap.*" -or $_.message -match "Service File Name.*.*npf.*" -or $_.message -match "Service File Name.*.*nm3.*" -or $_.message -match "Service File Name.*.*ndiscap.*" -or $_.message -match "Service File Name.*.*nmnt.*" -or $_.message -match "Service File Name.*.*windivert.*" -or $_.message -match "Service File Name.*.*USBPcap.*" -or $_.message -match "Service File Name.*.*pktmon.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
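Review bot: win_pcap_drivers does not parse: `$_.Service File Name -eq "*pcap*"` uses a property name containing spaces, and even on a valid property `-eq` compares the string literally rather than as a wildcard, so the intended check is `$_.message -match "Service File Name.*.*pcap.*"` like the clauses next to it (or `-like "*pcap*"` against a real property). The identical construct appears three times in win_powershell_script_installed_as_service (L237) and breaks that file the same way. Separately, the Security-log clauses in win_pass_the_hash and win_pass_the_hash_2 such as `LogonType.*3` and `LogonProcessName.*NtLmSsp` run against the rendered Message text, which I believe labels these fields as `Logon Type:` and `Logon Process:` rather than by their EventData names; worth confirming against a live 4624 before relying on them, and switching to the rendered labels if they do not match.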
diff --git a/Rules/sigma_tmp/win_plugx_susp_exe_locations.ps1 b/Rules/sigma_tmp/win_plugx_susp_exe_locations.ps1
new file mode 100644
index 00000000..6f5e67e0
--- /dev/null
+++ b/Rules/sigma_tmp/win_plugx_susp_exe_locations.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((((((((((((($_.ID -eq "1") -and $_.message -match "Image.*.*\\CamMute.exe" -and -not (($_.message -match "Image.*.*\\Lenovo\\Communication Utility\\.*" -or $_.message -match "Image.*.*\\Lenovo\\Communications Utility\\.*"))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\chrome_frame_helper.exe" -and -not ($_.message -match "Image.*.*\\Google\\Chrome\\application\\.*"))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\dvcemumanager.exe" -and -not ($_.message -match "Image.*.*\\Microsoft Device Emulator\\.*"))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\Gadget.exe" -and -not ($_.message -match "Image.*.*\\Windows Media Player\\.*"))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\hcc.exe" -and -not ($_.message -match "Image.*.*\\HTML Help Workshop\\.*"))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\hkcmd.exe" -and -not (($_.message -match "Image.*.*\\System32\\.*" -or $_.message -match "Image.*.*\\SysNative\\.*" -or $_.message -match "Image.*.*\\SysWowo64\\.*")))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\Mc.exe" -and -not (($_.message -match "Image.*.*\\Microsoft Visual Studio.*" -or $_.message -match "Image.*.*\\Microsoft SDK.*" -or $_.message -match "Image.*.*\\Windows Kit.*")))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\MsMpEng.exe" -and -not (($_.message -match "Image.*.*\\Microsoft Security Client\\.*" -or $_.message -match "Image.*.*\\Windows Defender\\.*" -or $_.message -match "Image.*.*\\AntiMalware\\.*")))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\msseces.exe" -and -not (($_.message -match "Image.*.*\\Microsoft Security Center\\.*" -or $_.message -match "Image.*.*\\Microsoft Security Client\\.*" -or $_.message -match "Image.*.*\\Microsoft Security Essentials\\.*")))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\OInfoP11.exe" -and -not ($_.message 
-match "Image.*.*\\Common Files\\Microsoft Shared\\.*"))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\OleView.exe" -and -not (($_.message -match "Image.*.*\\Microsoft Visual Studio.*" -or $_.message -match "Image.*.*\\Microsoft SDK.*" -or $_.message -match "Image.*.*\\Windows Kit.*" -or $_.message -match "Image.*.*\\Windows Resource Kit\\.*")))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\rc.exe" -and -not (($_.message -match "Image.*.*\\Microsoft Visual Studio.*" -or $_.message -match "Image.*.*\\Microsoft SDK.*" -or $_.message -match "Image.*.*\\Windows Kit.*" -or $_.message -match "Image.*.*\\Windows Resource Kit\\.*" -or $_.message -match "Image.*.*\\Microsoft.NET\\.*"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_portproxy_registry_key.ps1 b/Rules/sigma_tmp/win_portproxy_registry_key.ps1
new file mode 100644
index 00000000..2c31c857
--- /dev/null
+++ b/Rules/sigma_tmp/win_portproxy_registry_key.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and $_.message -match "TargetObject.*HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_possible_applocker_bypass.ps1 b/Rules/sigma_tmp/win_possible_applocker_bypass.ps1
new file mode 100644
index 00000000..fca7311f
--- /dev/null
+++ b/Rules/sigma_tmp/win_possible_applocker_bypass.ps1
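Review bot: In win_plugx_susp_exe_locations the hkcmd.exe exclusion lists `\\SysWowo64\\`, which looks like a typo for `SysWOW64` (`-match` is case-insensitive, so only the extra `o` matters); as written a legitimate `SysWOW64\hkcmd.exe` is not excluded and will alert on every launch. Change it to `$_.message -match "Image.*.*\\SysWOW64\\.*"`, after confirming the spelling against the source rule. Each alternative also re-tests `($_.ID -eq "1")` that the enclosing clause already established, and the twelve levels of nested parentheses make the expression hard to audit; a flat `-or` chain with one parenthesised group per executable would read much better. This one diff line is split across two physical lines here, so the second half appears without its `+` marker.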
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*\\msdt.exe.*" -or $_.message -match "CommandLine.*.*\\installutil.exe.*" -or $_.message -match "CommandLine.*.*\\regsvcs.exe.*" -or $_.message -match "CommandLine.*.*\\regasm.exe.*" -or $_.message -match "CommandLine.*.*\\msbuild.exe.*" -or $_.message -match "CommandLine.*.*\\ieexec.exe.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_possible_dc_shadow.ps1 b/Rules/sigma_tmp/win_possible_dc_shadow.ps1
new file mode 100644
index 00000000..39ce1e55
--- /dev/null
+++ b/Rules/sigma_tmp/win_possible_dc_shadow.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {((($_.ID -eq "4742" -and $_.message -match "ServicePrincipalNames.*.*GC/.*") -or ($_.ID -eq "5136" -and $_.message -match "AttributeLDAPDisplayName.*servicePrincipalName" -and $_.message -match "AttributeValue.*GC/.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_possible_zerologon_exploitation_using_wellknown_tools.ps1 b/Rules/sigma_tmp/win_possible_zerologon_exploitation_using_wellknown_tools.ps1
new file mode 100644
index 00000000..cd248663
--- /dev/null
+++ b/Rules/sigma_tmp/win_possible_zerologon_exploitation_using_wellknown_tools.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName System | where {(($_.message -match ".*kali.*" -or $_.message -match ".*mimikatz.*") -and ($_.ID -eq "5805" -or $_.ID -eq "5723")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_powershell_amsi_bypass.ps1 b/Rules/sigma_tmp/win_powershell_amsi_bypass.ps1
new file mode 100644
index 00000000..3e64891d
--- /dev/null
+++ b/Rules/sigma_tmp/win_powershell_amsi_bypass.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*System.Management.Automation.AmsiUtils.*") -and ($_.message -match "CommandLine.*.*amsiInitFailed.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_powershell_audio_capture.ps1 b/Rules/sigma_tmp/win_powershell_audio_capture.ps1
new file mode 100644
index 00000000..ba91f3ba
--- /dev/null
+++ b/Rules/sigma_tmp/win_powershell_audio_capture.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*WindowsAudioDevice-Powershell-Cmdlet.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_powershell_b64_shellcode.ps1 b/Rules/sigma_tmp/win_powershell_b64_shellcode.ps1
new file mode 100644
index 00000000..d0cee4d2
--- /dev/null
+++ b/Rules/sigma_tmp/win_powershell_b64_shellcode.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*AAAAYInlM.*" -and ($_.message -match "CommandLine.*.*OiCAAAAYInlM.*" -or $_.message -match "CommandLine.*.*OiJAAAAYInlM.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_powershell_bitsjob.ps1 b/Rules/sigma_tmp/win_powershell_bitsjob.ps1
new file mode 100644
index 00000000..cfdef2ee
--- /dev/null
+++ b/Rules/sigma_tmp/win_powershell_bitsjob.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\powershell.exe" -and $_.message -match "CommandLine.*.*Start-BitsTransfer.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_powershell_defender_exclusion.ps1 b/Rules/sigma_tmp/win_powershell_defender_exclusion.ps1
new file mode 100644
index 00000000..b0c7b081
--- /dev/null
+++ b/Rules/sigma_tmp/win_powershell_defender_exclusion.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.ID -eq "1" -and $_.message -match "CommandLine.*.*Add-MpPreference .*" -and ($_.message -match "CommandLine.*.* -ExclusionPath .*" -or $_.message -match "CommandLine.*.* -ExclusionExtension .*" -or $_.message -match "CommandLine.*.* -ExclusionProcess .*")) -or ($_.message -match "CommandLine.*.*QWRkLU1wUHJlZmVyZW5jZ.*" -or $_.message -match "CommandLine.*.*FkZC1NcFByZWZlcmVuY2.*" -or $_.message -match "CommandLine.*.*BZGQtTXBQcmVmZXJlbmNl.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_powershell_disable_windef_av.ps1 b/Rules/sigma_tmp/win_powershell_disable_windef_av.ps1
new file mode 100644
index 00000000..dd1fb84b
--- /dev/null
+++ b/Rules/sigma_tmp/win_powershell_disable_windef_av.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\powershell.exe" -and ($_.message -match "CommandLine.*.*-DisableBehaviorMonitoring $true.*" -or $_.message -match "CommandLine.*.*-DisableRuntimeMonitoring $true.*")) -or ($_.message -match "CommandLine.*.*sc.*" -and $_.message -match "CommandLine.*.*stop.*" -and $_.message -match "CommandLine.*.*WinDefend.*") -or ($_.message -match "CommandLine.*.*sc.*" -and $_.message -match "CommandLine.*.*config.*" -and $_.message -match "CommandLine.*.*WinDefend.*" -and $_.message -match "CommandLine.*.*start=disabled.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_powershell_dll_execution.ps1 b/Rules/sigma_tmp/win_powershell_dll_execution.ps1
new file mode 100644
index 00000000..344bdc38
--- /dev/null
+++ b/Rules/sigma_tmp/win_powershell_dll_execution.ps1
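Review bot: In win_powershell_disable_windef_av the patterns `-DisableBehaviorMonitoring $true.*` and `-DisableRuntimeMonitoring $true.*` are double-quoted, so PowerShell expands `$true` to `True` before `-match` ever sees the string, and the regex then looks for `-DisableBehaviorMonitoring True`, which does not appear in a real command line; the Set-MpPreference branch of this rule is therefore dead. Use single quotes and also escape the dollar for the regex engine: `$_.message -match 'CommandLine.*-DisableBehaviorMonitoring \$true.*'` and likewise for RuntimeMonitoring. Any other generated pattern that contains a `$` inside double quotes has the same two problems and is worth a grep before this set is relied on.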
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.ID -eq "1") -and (($_.message -match "Image.*.*\\rundll32.exe") -or ($_.message -match "Description.*.*Windows-Hostprozess (Rundll32).*")) -and ($_.message -match "CommandLine.*.*Default.GetString.*" -or $_.message -match "CommandLine.*.*FromBase64String.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_powershell_downgrade_attack.ps1 b/Rules/sigma_tmp/win_powershell_downgrade_attack.ps1
new file mode 100644
index 00000000..3497e479
--- /dev/null
+++ b/Rules/sigma_tmp/win_powershell_downgrade_attack.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* -version 2 .*" -or $_.message -match "CommandLine.*.* -versio 2 .*" -or $_.message -match "CommandLine.*.* -versi 2 .*" -or $_.message -match "CommandLine.*.* -vers 2 .*" -or $_.message -match "CommandLine.*.* -ver 2 .*" -or $_.message -match "CommandLine.*.* -ve 2 .*") -and $_.message -match "Image.*.*\\powershell.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_powershell_download.ps1 b/Rules/sigma_tmp/win_powershell_download.ps1
new file mode 100644
index 00000000..cea45d35
--- /dev/null
+++ b/Rules/sigma_tmp/win_powershell_download.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\powershell.exe" -and $_.message -match "CommandLine.*.*new-object.*" -and $_.message -match "CommandLine.*.*net.webclient)..*" -and $_.message -match "CommandLine.*.*download.*" -and ($_.message -match "CommandLine.*.*string(.*" -or $_.message -match "CommandLine.*.*file(.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
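Review bot: win_powershell_download errors out on every event instead of filtering: `CommandLine.*.*net.webclient)..*` has an unmatched `)` and `CommandLine.*.*string(.*` / `CommandLine.*.*file(.*` have an unmatched `(`, and .NET rejects such patterns with a regex parse exception the moment `-match` evaluates them. Escape the literal parentheses, e.g. `'CommandLine.*net\.webclient\)\.'`, `'CommandLine.*string\('` and `'CommandLine.*file\('`. win_powershell_frombase64string (L236) has the same unmatched `(` in `CommandLine.*.*::FromBase64String(.*` and needs `::FromBase64String\(` as well.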
diff --git a/Rules/sigma_tmp/win_powershell_frombase64string.ps1 b/Rules/sigma_tmp/win_powershell_frombase64string.ps1
new file mode 100644
index 00000000..27d51451
--- /dev/null
+++ b/Rules/sigma_tmp/win_powershell_frombase64string.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*::FromBase64String(.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_powershell_reverse_shell_connection.ps1 b/Rules/sigma_tmp/win_powershell_reverse_shell_connection.ps1
new file mode 100644
index 00000000..0dc1d20f
--- /dev/null
+++ b/Rules/sigma_tmp/win_powershell_reverse_shell_connection.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\powershell.exe" -and ($_.message -match "CommandLine.*.*new-object system.net.sockets.tcpclient.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_powershell_script_installed_as_service.ps1 b/Rules/sigma_tmp/win_powershell_script_installed_as_service.ps1
new file mode 100644
index 00000000..67fbd21b
--- /dev/null
+++ b/Rules/sigma_tmp/win_powershell_script_installed_as_service.ps1
@@ -0,0 +1,3 @@
+Get-WinEvent -LogName System | where {($_.ID -eq "7045" -and ($_.Service File Name -eq "*powershell*" -or $_.message -match "Service File Name.*.*pwsh.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "6" -and ($_.Service File Name -eq "*powershell*" -or $_.message -match "Service File Name.*.*pwsh.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Security | where {($_.ID -eq "4697" -and ($_.Service File Name -eq "*powershell*" -or $_.message -match "Service File Name.*.*pwsh.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_powershell_suspicious_parameter_variation.ps1 b/Rules/sigma_tmp/win_powershell_suspicious_parameter_variation.ps1
new file mode 100644
index 00000000..ca80fe15
--- /dev/null
+++ b/Rules/sigma_tmp/win_powershell_suspicious_parameter_variation.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\Powershell.exe") -and ($_.message -match "CommandLine.*.* -windowstyle h .*" -or $_.message -match "CommandLine.*.* -windowstyl h.*" -or $_.message -match "CommandLine.*.* -windowsty h.*" -or $_.message -match "CommandLine.*.* -windowst h.*" -or $_.message -match "CommandLine.*.* -windows h.*" -or $_.message -match "CommandLine.*.* -windo h.*" -or $_.message -match "CommandLine.*.* -wind h.*" -or $_.message -match "CommandLine.*.* -win h.*" -or $_.message -match "CommandLine.*.* -wi h.*" -or $_.message -match "CommandLine.*.* -win h .*" -or $_.message -match "CommandLine.*.* -win hi .*" -or $_.message -match "CommandLine.*.* -win hid .*" -or $_.message -match "CommandLine.*.* -win hidd .*" -or $_.message -match "CommandLine.*.* -win hidde .*" -or $_.message -match "CommandLine.*.* -NoPr .*" -or $_.message -match "CommandLine.*.* -NoPro .*" -or $_.message -match "CommandLine.*.* -NoProf .*" -or $_.message -match "CommandLine.*.* -NoProfi .*" -or $_.message -match "CommandLine.*.* -NoProfil .*" -or $_.message -match "CommandLine.*.* -nonin .*" -or $_.message -match "CommandLine.*.* -nonint .*" -or $_.message -match "CommandLine.*.* -noninte .*" -or $_.message -match "CommandLine.*.* -noninter .*" -or $_.message -match "CommandLine.*.* -nonintera .*" -or $_.message -match "CommandLine.*.* -noninterac .*" -or $_.message -match "CommandLine.*.* -noninteract .*" -or $_.message -match "CommandLine.*.* -noninteracti .*" -or $_.message -match "CommandLine.*.* -noninteractiv .*" -or $_.message -match "CommandLine.*.* -ec .*" -or $_.message -match "CommandLine.*.* -encodedComman .*" -or $_.message -match "CommandLine.*.* -encodedComma .*" -or $_.message -match "CommandLine.*.* -encodedComm .*" -or $_.message -match "CommandLine.*.* -encodedCom .*" -or $_.message -match "CommandLine.*.* -encodedCo .*" -or $_.message -match "CommandLine.*.* 
-encodedC .*" -or $_.message -match "CommandLine.*.* -encoded .*" -or $_.message -match "CommandLine.*.* -encode .*" -or $_.message -match "CommandLine.*.* -encod .*" -or $_.message -match "CommandLine.*.* -enco .*" -or $_.message -match "CommandLine.*.* -en .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_powershell_web_request.ps1 b/Rules/sigma_tmp/win_powershell_web_request.ps1
new file mode 100644
index 00000000..641668ee
--- /dev/null
+++ b/Rules/sigma_tmp/win_powershell_web_request.ps1
@@ -0,0 +1,2 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*Invoke-WebRequest.*" -or $_.message -match "CommandLine.*.*iwr .*" -or $_.message -match "CommandLine.*.*wget .*" -or $_.message -match "CommandLine.*.*curl .*" -or $_.message -match "CommandLine.*.*Net.WebClient.*" -or $_.message -match "CommandLine.*.*Start-BitsTransfer.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*Invoke-WebRequest.*" -or $_.message -match "ScriptBlockText.*.*iwr .*" -or $_.message -match "ScriptBlockText.*.*wget .*" -or $_.message -match "ScriptBlockText.*.*curl .*" -or $_.message -match "ScriptBlockText.*.*Net.WebClient.*" -or $_.message -match "ScriptBlockText.*.*Start-BitsTransfer.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_powershell_xor_commandline.ps1 b/Rules/sigma_tmp/win_powershell_xor_commandline.ps1
new file mode 100644
index 00000000..7583ab1b
--- /dev/null
+++ b/Rules/sigma_tmp/win_powershell_xor_commandline.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Description.*Windows PowerShell" -or $_.message -match "Product.*PowerShell Core 6") -and ($_.message -match "CommandLine.*.*bxor.*" -or $_.message -match "CommandLine.*.*join.*" -or $_.message -match "CommandLine.*.*char.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_powersploit_empire_schtasks.ps1 b/Rules/sigma_tmp/win_powersploit_empire_schtasks.ps1
new file mode 100644
index 00000000..a2b534ad
--- /dev/null
+++ b/Rules/sigma_tmp/win_powersploit_empire_schtasks.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\powershell.exe" -and $_.message -match "Image.*.*\\schtasks.exe" -and $_.message -match "CommandLine.*.*/Create.*" -and $_.message -match "CommandLine.*.*/SC.*" -and ($_.message -match "CommandLine.*.*ONLOGON.*" -or $_.message -match "CommandLine.*.*DAILY.*" -or $_.message -match "CommandLine.*.*ONIDLE.*" -or $_.message -match "CommandLine.*.*Updater.*") -and $_.message -match "CommandLine.*.*/TN.*" -and $_.message -match "CommandLine.*.*Updater.*" -and $_.message -match "CommandLine.*.*/TR.*" -and $_.message -match "CommandLine.*.*powershell.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_privesc_cve_2020_1472.ps1 b/Rules/sigma_tmp/win_privesc_cve_2020_1472.ps1
new file mode 100644
index 00000000..33f3bb9c
--- /dev/null
+++ b/Rules/sigma_tmp/win_privesc_cve_2020_1472.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "4742" -and $_.message -match "SubjectUserName.*ANONYMOUS LOGON" -and $_.message -match "TargetUserName.*%DC-MACHINE-NAME%") -and -not ($_.message -match "PasswordLastSet.*-")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
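Review bot: In win_privesc_cve_2020_1472 the exclusion `-not ($_.message -match "PasswordLastSet.*-")` suppresses almost every 4742 event: `.*-` matches any hyphen anywhere after `PasswordLastSet` in the rest of the message, and unchanged attributes in that event are rendered as `-`. The source rule presumably means the PasswordLastSet value itself being `-`, so pin the pattern to that field's own value, e.g. `'PasswordLastSet:\s*-\s*(\r?\n|$)'`, adjusting the label if the rendered text reads `Password Last Set:`. `%DC-MACHINE-NAME%` is also still a literal placeholder, as is `%Workstations%` in win_pass_the_hash (L228); both clauses are false until a site-specific value replaces them, so the rules are silently inert.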
diff --git a/Rules/sigma_tmp/win_proc_wrong_parent.ps1 b/Rules/sigma_tmp/win_proc_wrong_parent.ps1
new file mode 100644
index 00000000..26caa721
--- /dev/null
+++ b/Rules/sigma_tmp/win_proc_wrong_parent.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.message -match "Image.*.*\\svchost.exe" -or $_.message -match "Image.*.*\\taskhost.exe" -or $_.message -match "Image.*.*\\lsm.exe" -or $_.message -match "Image.*.*\\lsass.exe" -or $_.message -match "Image.*.*\\services.exe" -or $_.message -match "Image.*.*\\lsaiso.exe" -or $_.message -match "Image.*.*\\csrss.exe" -or $_.message -match "Image.*.*\\wininit.exe" -or $_.message -match "Image.*.*\\winlogon.exe") -and -not ($_.message -match "ParentImage.*.*\\SavService.exe" -or ($_.message -match "ParentImage.*.*\\System32\\.*" -or $_.message -match "ParentImage.*.*\\SysWOW64\\.*"))) -and -not (($_.message -match "ParentImage.*.*\\Windows Defender\\.*" -or $_.message -match "ParentImage.*.*\\Microsoft Security Client\\.*") -and $_.message -match "ParentImage.*.*\\MsMpEng.exe")) -and -not (-not ParentImage="*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_process_creation_bitsadmin_download.ps1 b/Rules/sigma_tmp/win_process_creation_bitsadmin_download.ps1
new file mode 100644
index 00000000..2b6b37e3
--- /dev/null
+++ b/Rules/sigma_tmp/win_process_creation_bitsadmin_download.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.ID -eq "1" -and ($_.message -match "Image.*.*\\bitsadmin.exe") -and ((($_.message -match "CommandLine.*.* /create .*" -or $_.message -match "CommandLine.*.* /addfile .*") -and ($_.message -match "CommandLine.*.*http.*")) -or ($_.message -match "CommandLine.*.* /transfer .*"))) -or ($_.message -match "CommandLine.*.*copy bitsadmin.exe.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
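Review bot: win_proc_wrong_parent does not parse: `-and -not (-not ParentImage="*")` leaves the bare word `ParentImage` in expression context, which PowerShell rejects, so the whole script fails and this rule — one of the few here that watches lsass/csrss/winlogon parents — produces nothing. If this mirrors an upstream "ParentImage is present" null-filter, the equivalent on the rendered message is `-and ($_.message -match "ParentImage:")`; if the field is always present in this log the clause can simply be dropped.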
diff --git a/Rules/sigma_tmp/win_process_dump_rundll32_comsvcs.ps1 b/Rules/sigma_tmp/win_process_dump_rundll32_comsvcs.ps1
new file mode 100644
index 00000000..ee22ab00
--- /dev/null
+++ b/Rules/sigma_tmp/win_process_dump_rundll32_comsvcs.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*comsvcs.dll,#24.*" -or $_.message -match "CommandLine.*.*comsvcs.dll,MiniDump.*" -or $_.message -match "CommandLine.*.*comsvcs.dll MiniDump.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_protected_storage_service_access.ps1 b/Rules/sigma_tmp/win_protected_storage_service_access.ps1
new file mode 100644
index 00000000..d730753c
--- /dev/null
+++ b/Rules/sigma_tmp/win_protected_storage_service_access.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "5145" -and $_.message -match "ShareName.*.*IPC.*" -and $_.message -match "RelativeTargetName.*protected_storage") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_psexesvc_start.ps1 b/Rules/sigma_tmp/win_psexesvc_start.ps1
new file mode 100644
index 00000000..9c34069d
--- /dev/null
+++ b/Rules/sigma_tmp/win_psexesvc_start.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*C:\\Windows\\PSEXESVC.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_purplesharp_indicators.ps1 b/Rules/sigma_tmp/win_purplesharp_indicators.ps1
new file mode 100644
index 00000000..119732d2
--- /dev/null
+++ b/Rules/sigma_tmp/win_purplesharp_indicators.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*xyz123456.exe.*" -or $_.message -match "CommandLine.*.*PurpleSharp.*") -or ($_.message -match "PurpleSharp.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_quarkspwdump_clearing_hive_access_history.ps1 b/Rules/sigma_tmp/win_quarkspwdump_clearing_hive_access_history.ps1
new file mode 100644
index 00000000..c1b86075
--- /dev/null
+++ b/Rules/sigma_tmp/win_quarkspwdump_clearing_hive_access_history.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName System | where {($_.ID -eq "16" -and $_.message -match "HiveName.*.*\\AppData\\Local\\Temp\\SAM.*" -and $_.message -match "HiveName.*.*.dmp") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_query_registry.ps1 b/Rules/sigma_tmp/win_query_registry.ps1
new file mode 100644
index 00000000..c9e489d0
--- /dev/null
+++ b/Rules/sigma_tmp/win_query_registry.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\reg.exe" -and ($_.message -match "CommandLine.*.*query.*" -or $_.message -match "CommandLine.*.*save.*" -or $_.message -match "CommandLine.*.*export.*") -and ($_.message -match "CommandLine.*.*currentVersion\\windows.*" -or $_.message -match "CommandLine.*.*currentVersion\\runServicesOnce.*" -or $_.message -match "CommandLine.*.*currentVersion\\runServices.*" -or $_.message -match "CommandLine.*.*winlogon\\.*" -or $_.message -match "CommandLine.*.*currentVersion\\shellServiceObjectDelayLoad.*" -or $_.message -match "CommandLine.*.*currentVersion\\runOnce.*" -or $_.message -match "CommandLine.*.*currentVersion\\runOnceEx.*" -or $_.message -match "CommandLine.*.*currentVersion\\run.*" -or $_.message -match "CommandLine.*.*currentVersion\\policies\\explorer\\run.*" -or $_.message -match "CommandLine.*.*currentcontrolset\\services.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_rare_schtask_creation.ps1 b/Rules/sigma_tmp/win_rare_schtask_creation.ps1
new file mode 100644
index 00000000..1425de8d
--- /dev/null
+++ b/Rules/sigma_tmp/win_rare_schtask_creation.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-TaskScheduler/Operational | where {($_.ID -eq "106") } | group-object TaskName | where { $_.count -lt 5 } | select name,count | sort -desc
diff --git a/Rules/sigma_tmp/win_rare_schtasks_creations.ps1 b/Rules/sigma_tmp/win_rare_schtasks_creations.ps1
new file mode 100644
index 00000000..909161d3
--- /dev/null
+++ b/Rules/sigma_tmp/win_rare_schtasks_creations.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "4698") } | group-object TaskName | where { $_.count -lt 5 } | select name,count | sort -desc
diff --git a/Rules/sigma_tmp/win_rare_service_installs.ps1 b/Rules/sigma_tmp/win_rare_service_installs.ps1
new file mode 100644
index 00000000..942e28a0
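Review bot: `group-object TaskName` in win_rare_schtask_creation groups on a property that the records returned by `Get-WinEvent` do not expose — the task name lives in the event's data payload, not on the record object — so every event lands in one empty-named group and the `$_.count -lt 5` rarity test never isolates anything. The same applies to win_rare_schtasks_creations (`TaskName`) on this line and to win_rare_service_installs (`ServiceFileName`) on L245. Project the field into a calculated property first (from `[xml]$_.ToXml()` or `$_.Properties`, whichever the generator can emit reliably — verify the element name per event ID), then group on it, and give the final `sort -desc` a property such as `sort count -desc` so the ordering is defined rather than left to default object comparison.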
--- /dev/null
+++ b/Rules/sigma_tmp/win_rare_service_installs.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName System | where {($_.ID -eq "7045") } | group-object ServiceFileName | where { $_.count -lt 5 } | select name,count | sort -desc
diff --git a/Rules/sigma_tmp/win_rasautou_dll_execution.ps1 b/Rules/sigma_tmp/win_rasautou_dll_execution.ps1
new file mode 100644
index 00000000..9efa217b
--- /dev/null
+++ b/Rules/sigma_tmp/win_rasautou_dll_execution.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.ID -eq "1") -and ($_.message -match "Image.*.*\\rasautou.exe" -or $_.message -match "OriginalFileName.*rasdlui.exe") -and ($_.message -match "CommandLine.*.*-d.*" -and $_.message -match "CommandLine.*.*-p.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_rclone_exec_file.ps1 b/Rules/sigma_tmp/win_rclone_exec_file.ps1
new file mode 100644
index 00000000..a2b25b40
--- /dev/null
+++ b/Rules/sigma_tmp/win_rclone_exec_file.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*:\\Users\\.*" -and $_.message -match "TargetFilename.*.*\\.config\\rclone\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_rdp_bluekeep_poc_scanner.ps1 b/Rules/sigma_tmp/win_rdp_bluekeep_poc_scanner.ps1
new file mode 100644
index 00000000..28f3c3af
--- /dev/null
+++ b/Rules/sigma_tmp/win_rdp_bluekeep_poc_scanner.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "4625" -and $_.message -match "AccountName.*AAAAAAA") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_rdp_hijack_shadowing.ps1 b/Rules/sigma_tmp/win_rdp_hijack_shadowing.ps1
new file mode 100644
index 00000000..aea196ec
--- /dev/null
+++ b/Rules/sigma_tmp/win_rdp_hijack_shadowing.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*noconsentprompt.*" -and $_.message -match "CommandLine.*.*shadow:.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_rdp_localhost_login.ps1 b/Rules/sigma_tmp/win_rdp_localhost_login.ps1
new file mode 100644
index 00000000..38dab4db
--- /dev/null
+++ b/Rules/sigma_tmp/win_rdp_localhost_login.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "4624" -and $_.message -match "LogonType.*10" -and ($_.message -match "::1" -or $_.message -match "127.0.0.1")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_rdp_potential_cve-2019-0708.ps1 b/Rules/sigma_tmp/win_rdp_potential_cve-2019-0708.ps1
new file mode 100644
index 00000000..d7a2db61
--- /dev/null
+++ b/Rules/sigma_tmp/win_rdp_potential_cve-2019-0708.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName System | where {(($_.ID -eq "56" -or $_.ID -eq "50") -and $_.message -match "Source.*TermDD") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_rdp_reverse_tunnel.ps1 b/Rules/sigma_tmp/win_rdp_reverse_tunnel.ps1
new file mode 100644
index 00000000..b8ea9723
--- /dev/null
+++ b/Rules/sigma_tmp/win_rdp_reverse_tunnel.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "5156" -and (($_.message -match "SourcePort.*3389" -and ($_.message -match "DestAddress.*127..*" -or $_.message -match "::1")) -or ($_.message -match "DestPort.*3389" -and ($_.message -match "SourceAddress.*127..*" -or $_.message -match "::1")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_redmimicry_winnti_proc.ps1 b/Rules/sigma_tmp/win_redmimicry_winnti_proc.ps1
new file mode 100644
index 00000000..ff204b41
--- /dev/null
+++ b/Rules/sigma_tmp/win_redmimicry_winnti_proc.ps1
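Review bot: The loopback tests in win_rdp_localhost_login are not bound to any field: `$_.message -match "::1"` fires on any address containing `::1` (e.g. `fe80::1`) anywhere in the event text, and `127.0.0.1` has unescaped dots. win_rdp_reverse_tunnel on the same line is looser still with `DestAddress.*127..*`, where `127..*` means `127` followed by any character, so an address such as `10.0.127.5` qualifies; the same unanchored substring problem appears in win_remote_powershell_session (`"5985"`, `"5986"`, L249), which will match those digits inside any port, PID or address on the record. Anchor each test to its rendered label and escape the literals, e.g. `$_.message -match 'Source Network Address:\s+(::1|127\.0\.0\.1)\b'` for the login rule and `'Destination Address:\s+127\.'` for the tunnel rule.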
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*rundll32.exe.*" -or $_.message -match "Image.*.*cmd.exe.*") -and ($_.message -match "CommandLine.*.*gthread-3.6.dll.*" -or $_.message -match "CommandLine.*.*\\Windows\\Temp\\tmp.bat.*" -or $_.message -match "CommandLine.*.*sigcmm-2.4.dll.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_reg_add_run_key.ps1 b/Rules/sigma_tmp/win_reg_add_run_key.ps1
new file mode 100644
index 00000000..f61d442f
--- /dev/null
+++ b/Rules/sigma_tmp/win_reg_add_run_key.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*reg.*" -and $_.message -match "CommandLine.*.* ADD .*" -and $_.message -match "CommandLine.*.*Software\\Microsoft\\Windows\\CurrentVersion\\Run.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_regedit_export_critical_keys.ps1 b/Rules/sigma_tmp/win_regedit_export_critical_keys.ps1
new file mode 100644
index 00000000..0e42104b
--- /dev/null
+++ b/Rules/sigma_tmp/win_regedit_export_critical_keys.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\regedit.exe" -and $_.message -match "CommandLine.*.* /E .*" -and ($_.message -match "CommandLine.*.*hklm.*" -or $_.message -match "CommandLine.*.*hkey_local_machine.*") -and ($_.message -match "CommandLine.*.*\\system" -or $_.message -match "CommandLine.*.*\\sam" -or $_.message -match "CommandLine.*.*\\security")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_regedit_export_keys.ps1 b/Rules/sigma_tmp/win_regedit_export_keys.ps1
new file mode 100644
index 00000000..abf181fc
--- /dev/null
+++ b/Rules/sigma_tmp/win_regedit_export_keys.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\regedit.exe" -and $_.message -match "CommandLine.*.* /E .*") -and -not (($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*hklm.*" -or $_.message -match "CommandLine.*.*hkey_local_machine.*") -and ($_.message -match "CommandLine.*.*\\system" -or $_.message -match "CommandLine.*.*\\sam" -or $_.message -match "CommandLine.*.*\\security")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_register_new_logon_process_by_rubeus.ps1 b/Rules/sigma_tmp/win_register_new_logon_process_by_rubeus.ps1
new file mode 100644
index 00000000..6c28c1f6
--- /dev/null
+++ b/Rules/sigma_tmp/win_register_new_logon_process_by_rubeus.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "4611" -and $_.message -match "LogonProcessName.*User32LogonProcesss") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_registry_mimikatz_printernightmare.ps1 b/Rules/sigma_tmp/win_registry_mimikatz_printernightmare.ps1
new file mode 100644
index 00000000..08d5d573
--- /dev/null
+++ b/Rules/sigma_tmp/win_registry_mimikatz_printernightmare.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14")) -and ((($_.message -match "TargetObject.*.*\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\QMS 810\\.*" -or $_.message -match "TargetObject.*.*\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\mimikatz.*") -or ($_.message -match "TargetObject.*.*legitprinter.*" -and $_.message -match "TargetObject.*.*\\Control\\Print\\Environments\\Windows.*")) -or (($_.ID -eq "12" -or $_.ID -eq "13" -or $_.ID -eq "14") -and ($_.message -match "TargetObject.*.*\\Control\\Print\\Environments.*" -or $_.message -match "TargetObject.*.*\\CurrentVersion\\Print\\Printers.*") -and ($_.message -match "TargetObject.*.*Gentil Kiwi.*" -or $_.message -match "TargetObject.*.*mimikatz printer.*" -or $_.message -match "TargetObject.*.*Kiwi Legit Printer.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_remote_powershell_session.ps1 b/Rules/sigma_tmp/win_remote_powershell_session.ps1
new file mode 100644
index 00000000..9c0efaf6
--- /dev/null
+++ b/Rules/sigma_tmp/win_remote_powershell_session.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "5156" -and ($_.message -match "5985" -or $_.message -match "5986") -and $_.message -match "LayerRTID.*44") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_remote_powershell_session_process.ps1 b/Rules/sigma_tmp/win_remote_powershell_session_process.ps1
new file mode 100644
index 00000000..eef152a1
--- /dev/null
+++ b/Rules/sigma_tmp/win_remote_powershell_session_process.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\wsmprovhost.exe" -or $_.message -match "ParentImage.*.*\\wsmprovhost.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_remote_registry_management_using_reg_utility.ps1 b/Rules/sigma_tmp/win_remote_registry_management_using_reg_utility.ps1
new file mode 100644
index 00000000..27f07936
--- /dev/null
+++ b/Rules/sigma_tmp/win_remote_registry_management_using_reg_utility.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "5145" -and $_.message -match "RelativeTargetName.*.*\\winreg.*") -and -not ($_.message -match "IpAddress.*%Admins_Workstations%")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_remote_time_discovery.ps1 b/Rules/sigma_tmp/win_remote_time_discovery.ps1
new file mode 100644
index 00000000..de3d4cc0
--- /dev/null
+++ b/Rules/sigma_tmp/win_remote_time_discovery.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and $_.message -match "CommandLine.*.*time.*") -or ($_.message -match "Image.*.*\\w32tm.exe" -and $_.message -match "CommandLine.*.*tz.*") -or ($_.message -match "Image.*.*\\powershell.exe" -and $_.message -match "CommandLine.*.*Get-Date.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_renamed_binary.ps1 b/Rules/sigma_tmp/win_renamed_binary.ps1
new file mode 100644
index 00000000..de8628b1
--- /dev/null
+++ b/Rules/sigma_tmp/win_renamed_binary.ps1
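Review bot: The exclusion `-not ($_.message -match "IpAddress.*%Admins_Workstations%")` in win_remote_registry_management_using_reg_utility carries the Sigma placeholder `%Admins_Workstations%` verbatim; no real event contains that string, so the filter excludes nothing and every winreg pipe access — routine administration included — is reported. Resolve the placeholder to the site's admin-workstation addresses before the rule is deployed, or at minimum mark it with `# TODO: replace %Admins_Workstations% with the local admin-workstation IP list` so it is not mistaken for a working exclusion; note also that the rendered 5145 text labels the client address as `Source Address:` rather than `IpAddress`.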
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "cmd.exe" -or $_.message -match "powershell.exe" -or $_.message -match "powershell_ise.exe" -or $_.message -match "psexec.exe" -or $_.message -match "psexec.c" -or $_.message -match "cscript.exe" -or $_.message -match "wscript.exe" -or $_.message -match "mshta.exe" -or $_.message -match "regsvr32.exe" -or $_.message -match "wmic.exe" -or $_.message -match "certutil.exe" -or $_.message -match "rundll32.exe" -or $_.message -match "cmstp.exe" -or $_.message -match "msiexec.exe" -or $_.message -match "7z.exe" -or $_.message -match "winrar.exe" -or $_.message -match "wevtutil.exe" -or $_.message -match "net.exe" -or $_.message -match "net1.exe" -or $_.message -match "netsh.exe") -and -not (($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\powershell_ise.exe" -or $_.message -match "Image.*.*\\psexec.exe" -or $_.message -match "Image.*.*\\psexec64.exe" -or $_.message -match "Image.*.*\\cscript.exe" -or $_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\mshta.exe" -or $_.message -match "Image.*.*\\regsvr32.exe" -or $_.message -match "Image.*.*\\wmic.exe" -or $_.message -match "Image.*.*\\certutil.exe" -or $_.message -match "Image.*.*\\rundll32.exe" -or $_.message -match "Image.*.*\\cmstp.exe" -or $_.message -match "Image.*.*\\msiexec.exe" -or $_.message -match "Image.*.*\\7z.exe" -or $_.message -match "Image.*.*\\winrar.exe" -or $_.message -match "Image.*.*\\wevtutil.exe" -or $_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe" -or $_.message -match "Image.*.*\\netsh.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_renamed_binary_highly_relevant.ps1 b/Rules/sigma_tmp/win_renamed_binary_highly_relevant.ps1
new file mode 100644
index 00000000..00fd6300
--- /dev/null
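Review bot: The selection in win_renamed_binary lost its field: `$_.message -match "cmd.exe"` (and the other nineteen names) matches anywhere in the event text — ParentImage, CommandLine, ParentCommandLine — while the `-not` filter only excludes events whose `Image` line ends in that name. Any process started by cmd.exe, or with `cmd.exe` in its command line, therefore passes the selection and survives the filter, so the rule will flag a large share of ordinary process creations instead of renamed binaries. The Sigma source presumably keyed the list on OriginalFileName (the Sysmon message carries an `OriginalFileName:` line, as win_renamed_megasync on L253 relies on); bind each pattern as `$_.message -match "OriginalFileName:\s*cmd.exe"`. win_renamed_binary_highly_relevant on L252 has the identical defect.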
+++ b/Rules/sigma_tmp/win_renamed_binary_highly_relevant.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "powershell.exe" -or $_.message -match "powershell_ise.exe" -or $_.message -match "psexec.exe" -or $_.message -match "psexec.c" -or $_.message -match "cscript.exe" -or $_.message -match "wscript.exe" -or $_.message -match "mshta.exe" -or $_.message -match "regsvr32.exe" -or $_.message -match "wmic.exe" -or $_.message -match "certutil.exe" -or $_.message -match "rundll32.exe" -or $_.message -match "cmstp.exe" -or $_.message -match "msiexec.exe") -and -not (($_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\powershell_ise.exe" -or $_.message -match "Image.*.*\\psexec.exe" -or $_.message -match "Image.*.*\\psexec64.exe" -or $_.message -match "Image.*.*\\cscript.exe" -or $_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\mshta.exe" -or $_.message -match "Image.*.*\\regsvr32.exe" -or $_.message -match "Image.*.*\\wmic.exe" -or $_.message -match "Image.*.*\\certutil.exe" -or $_.message -match "Image.*.*\\rundll32.exe" -or $_.message -match "Image.*.*\\cmstp.exe" -or $_.message -match "Image.*.*\\msiexec.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_renamed_jusched.ps1 b/Rules/sigma_tmp/win_renamed_jusched.ps1
new file mode 100644
index 00000000..dd6dfdc7
--- /dev/null
+++ b/Rules/sigma_tmp/win_renamed_jusched.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.ID -eq "1") -and ($_.message -match "Description.*Java Update Scheduler" -or $_.message -match "Description.*Java(TM) Update Scheduler")) -and -not (($_.message -match "Image.*.*\\jusched.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_renamed_megasync.ps1 b/Rules/sigma_tmp/win_renamed_megasync.ps1
new file mode 100644
index 00000000..81dc3955
--- /dev/null
+++ b/Rules/sigma_tmp/win_renamed_megasync.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "ParentImage.*.*\\explorer.exe" -and $_.message -match "CommandLine.*.*C:\\Windows\\Temp\\meg.exe.*") -or (($_.ID -eq "1") -and $_.message -match "OriginalFileName.*meg.exe" -and -not ($_.message -match "Image.*.*\\meg.exe")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_renamed_paexec.ps1 b/Rules/sigma_tmp/win_renamed_paexec.ps1
new file mode 100644
index 00000000..da9bda73
--- /dev/null
+++ b/Rules/sigma_tmp/win_renamed_paexec.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.ID -eq "1" -and ($_.message -match "Product.*.*PAExec.*") -and ($_.message -match "11D40A7B7876288F919AB819CC2D9802" -or $_.message -match "6444f8a34e99b8f7d9647de66aabe516" -or $_.message -match "dfd6aa3f7b2b1035b76b718f1ddc689f" -or $_.message -match "1a6cca4d5460b1710a12dea39e4a592c")) -and -not ($_.message -match "Image.*.*paexec.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_renamed_powershell.ps1 b/Rules/sigma_tmp/win_renamed_powershell.ps1
new file mode 100644
index 00000000..41043ed0
--- /dev/null
+++ b/Rules/sigma_tmp/win_renamed_powershell.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Description.*Windows PowerShell.*" -or $_.message -match "Description.*pwsh.*") -and $_.message -match "Company.*Microsoft Corporation") -and -not (($_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\powershell_ise.exe" -or $_.message -match "Image.*.*\\pwsh.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_renamed_procdump.ps1 b/Rules/sigma_tmp/win_renamed_procdump.ps1
new file mode 100644
index 00000000..73bf50f0
--- /dev/null
+++ b/Rules/sigma_tmp/win_renamed_procdump.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.ID -eq "1") -and $_.message -match "OriginalFileName.*procdump" -and -not (($_.message -match "Image.*.*\\procdump.exe" -or $_.message -match "Image.*.*\\procdump64.exe"))) -or (($_.ID -eq "1") -and ($_.message -match "CommandLine.*.* -ma .*" -and $_.message -match "CommandLine.*.* -accepteula .*") -and -not (($_.message -match "CommandLine.*.*\\procdump.exe.*" -or $_.message -match "CommandLine.*.*\\procdump64.exe.*"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_renamed_psexec.ps1 b/Rules/sigma_tmp/win_renamed_psexec.ps1
new file mode 100644
index 00000000..2bdd972a
--- /dev/null
+++ b/Rules/sigma_tmp/win_renamed_psexec.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Description.*Execute processes remotely" -and $_.message -match "Product.*Sysinternals PsExec") -and -not (($_.message -match "Image.*.*\\PsExec.exe" -or $_.message -match "Image.*.*\\PsExec64.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_root_certificate_installed.ps1 b/Rules/sigma_tmp/win_root_certificate_installed.ps1
new file mode 100644
index 00000000..5af5eb9a
--- /dev/null
+++ b/Rules/sigma_tmp/win_root_certificate_installed.ps1
@@ -0,0 +1,2 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*Cert:\\LocalMachine\\Root.*" -and ($_.message -match "ScriptBlockText.*.*Move-Item.*" -or $_.message -match "ScriptBlockText.*.*Import-Certificate.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*root.*" -and (($_.message -match "Image.*.*\\certutil.exe" -and $_.message -match "CommandLine.*.*-addstore.*") -or ($_.message -match "Image.*.*\\CertMgr.exe" -and $_.message -match "CommandLine.*.*/add.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_run_powershell_script_from_ads.ps1 b/Rules/sigma_tmp/win_run_powershell_script_from_ads.ps1
new file mode 100644
index 00000000..494b0e25
--- /dev/null
+++ b/Rules/sigma_tmp/win_run_powershell_script_from_ads.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\powershell.exe" -and $_.message -match "Image.*.*\\powershell.exe" -and $_.message -match "CommandLine.*.*Get-Content.*" -and $_.message -match "CommandLine.*.*-Stream.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_run_virtualbox.ps1 b/Rules/sigma_tmp/win_run_virtualbox.ps1
new file mode 100644
index 00000000..fcddbee1
--- /dev/null
+++ b/Rules/sigma_tmp/win_run_virtualbox.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*VBoxRT.dll,RTR3Init.*" -or $_.message -match "CommandLine.*.*VBoxC.dll.*" -or $_.message -match "CommandLine.*.*VBoxDrv.sys.*") -or ($_.message -match "CommandLine.*.*startvm.*" -or $_.message -match "CommandLine.*.*controlvm.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_rundll32_without_parameters.ps1 b/Rules/sigma_tmp/win_rundll32_without_parameters.ps1
new file mode 100644
index 00000000..cc8222d9
--- /dev/null
+++ b/Rules/sigma_tmp/win_rundll32_without_parameters.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*rundll32.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_sam_registry_hive_handle_request.ps1 b/Rules/sigma_tmp/win_sam_registry_hive_handle_request.ps1
new file mode 100644
index 00000000..7505c667
--- /dev/null
+++ b/Rules/sigma_tmp/win_sam_registry_hive_handle_request.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "4656" -and $_.message -match "ObjectType.*Key" -and $_.message -match "ObjectName.*.*\\SAM") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_scheduled_task_deletion.ps1 b/Rules/sigma_tmp/win_scheduled_task_deletion.ps1
new file mode 100644
index 00000000..6d76db03
--- /dev/null
+++ b/Rules/sigma_tmp/win_scheduled_task_deletion.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "4699") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_scm_database_handle_failure.ps1 b/Rules/sigma_tmp/win_scm_database_handle_failure.ps1
new file mode 100644
index 00000000..87724320
--- /dev/null
+++ b/Rules/sigma_tmp/win_scm_database_handle_failure.ps1
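Review bot: win_rundll32_without_parameters matches `CommandLine.*rundll32.exe` with no end anchor, so it fires on every rundll32 invocation whether or not arguments follow, which defeats the stated purpose of the rule. The pattern must require that the command line ends at the executable name, e.g. `$_.message -match '(?m)^CommandLine:\s*"?(.*\\)?rundll32(\.exe)?"?\s*$'`; the `(?m)` flag is needed because the Sysmon message is multi-line and `$` would otherwise only match at the very end of the text. Check the result against a few real Sysmon records, since quoting of the image path in CommandLine varies by launcher.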
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "4656" -and $_.message -match "ObjectType.*SC_MANAGER OBJECT" -and $_.message -match "ObjectName.*servicesactive" -and $_.message -match "Keywords.*Audit Failure") -and -not ($_.message -match "SubjectLogonId.*0x3e4")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_scm_database_privileged_operation.ps1 b/Rules/sigma_tmp/win_scm_database_privileged_operation.ps1
new file mode 100644
index 00000000..63c7757e
--- /dev/null
+++ b/Rules/sigma_tmp/win_scm_database_privileged_operation.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "4674" -and $_.message -match "ObjectType.*SC_MANAGER OBJECT" -and $_.message -match "ObjectName.*servicesactive" -and $_.message -match "PrivilegeList.*SeTakeOwnershipPrivilege") -and -not ($_.message -match "SubjectLogonId.*0x3e4")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_scrcons_remote_wmi_scripteventconsumer.ps1 b/Rules/sigma_tmp/win_scrcons_remote_wmi_scripteventconsumer.ps1
new file mode 100644
index 00000000..9aef4d60
--- /dev/null
+++ b/Rules/sigma_tmp/win_scrcons_remote_wmi_scripteventconsumer.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "4624" -and $_.message -match "LogonType.*3" -and $_.message -match "ProcessName.*.*scrcons.exe") -and -not ($_.message -match "TargetLogonId.*0x3e7")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_script_event_consumer_spawn.ps1 b/Rules/sigma_tmp/win_script_event_consumer_spawn.ps1
new file mode 100644
index 00000000..725478f3
--- /dev/null
+++ b/Rules/sigma_tmp/win_script_event_consumer_spawn.ps1
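Review bot: `$_.message -match "Keywords.*Audit Failure"` in win_scm_database_handle_failure cannot be satisfied — the audit outcome is a property of the record, not part of the rendered message text — so the rule silently returns nothing. Test it as `$_.KeywordsDisplayNames -contains 'Audit Failure'` (or compare `$_.Keywords` against the audit-failure keyword) alongside the ID check. The `SubjectLogonId.*0x3e4` exclusions here and in win_scm_database_privileged_operation, and `TargetLogonId.*0x3e7` in win_scrcons_remote_wmi_scripteventconsumer, likewise use XML element names where the rendered text reads `Logon ID:`, so the SYSTEM-session exclusions are currently inert as well; `LogonType.*3` in the scrcons rule will additionally match logon types 3x once the label is fixed unless the digit is anchored.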
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "ParentImage.*.*\\scrcons.exe") -and ($_.message -match "Image.*.*\\svchost.exe" -or $_.message -match "Image.*.*\\dllhost.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\cscript.exe" -or $_.message -match "Image.*.*\\schtasks.exe" -or $_.message -match "Image.*.*\\regsvr32.exe" -or $_.message -match "Image.*.*\\mshta.exe" -or $_.message -match "Image.*.*\\rundll32.exe" -or $_.message -match "Image.*.*\\msiexec.exe" -or $_.message -match "Image.*.*\\msbuild.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_sdbinst_shim_persistence.ps1 b/Rules/sigma_tmp/win_sdbinst_shim_persistence.ps1
new file mode 100644
index 00000000..a49500e1
--- /dev/null
+++ b/Rules/sigma_tmp/win_sdbinst_shim_persistence.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\sdbinst.exe") -and ($_.message -match "CommandLine.*.*.sdb.*")) -and -not (($_.message -match "CommandLine.*.*iisexpressshim.sdb.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_service_execution.ps1 b/Rules/sigma_tmp/win_service_execution.ps1
new file mode 100644
index 00000000..195820b6
--- /dev/null
+++ b/Rules/sigma_tmp/win_service_execution.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and $_.message -match "CommandLine.*.* start .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_service_stop.ps1 b/Rules/sigma_tmp/win_service_stop.ps1
new file mode 100644
index 00000000..06e5b07e
--- /dev/null
+++ b/Rules/sigma_tmp/win_service_stop.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\sc.exe" -or $_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and $_.message -match "CommandLine.*.*stop.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_set_oabvirtualdirectory_externalurl.ps1 b/Rules/sigma_tmp/win_set_oabvirtualdirectory_externalurl.ps1
new file mode 100644
index 00000000..6365bc0d
--- /dev/null
+++ b/Rules/sigma_tmp/win_set_oabvirtualdirectory_externalurl.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName MSExchange Management | where {($_.message -match ".*Set-OabVirtualDirectory.*" -and $_.message -match ".*ExternalUrl.*" -and $_.message -match ".*Page_Load.*" -and $_.message -match ".*script.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_shadow_copies_access_symlink.ps1 b/Rules/sigma_tmp/win_shadow_copies_access_symlink.ps1
new file mode 100644
index 00000000..2cd1a649
--- /dev/null
+++ b/Rules/sigma_tmp/win_shadow_copies_access_symlink.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*mklink.*" -and $_.message -match "CommandLine.*.*HarddiskVolumeShadowCopy.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_shadow_copies_creation.ps1 b/Rules/sigma_tmp/win_shadow_copies_creation.ps1
new file mode 100644
index 00000000..67ec46b4
--- /dev/null
+++ b/Rules/sigma_tmp/win_shadow_copies_creation.ps1
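Review bot: `-LogName MSExchange Management` in win_set_oabvirtualdirectory_externalurl is unquoted, so PowerShell binds `MSExchange` to -LogName and treats `Management` as a stray positional argument; `Get-WinEvent` rejects the call and the rule never executes. Quote the log name: `Get-WinEvent -LogName 'MSExchange Management' | where {...}`. The generator should quote every log name it emits, since other Windows log names contain spaces as well, and the four `.*…​.*` patterns in this rule can drop their leading and trailing `.*` — `-match` is already unanchored.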
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\wmic.exe" -or $_.message -match "Image.*.*\\vssadmin.exe") -and $_.message -match "CommandLine.*.*shadow.*" -and $_.message -match "CommandLine.*.*create.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_shadow_copies_deletion.ps1 b/Rules/sigma_tmp/win_shadow_copies_deletion.ps1
new file mode 100644
index 00000000..8a5ca6ed
--- /dev/null
+++ b/Rules/sigma_tmp/win_shadow_copies_deletion.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*delete.*" -and ((($_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\wmic.exe" -or $_.message -match "Image.*.*\\vssadmin.exe" -or $_.message -match "Image.*.*\\diskshadow.exe") -and $_.message -match "CommandLine.*.*shadow.*") -or (($_.message -match "Image.*.*\\wbadmin.exe") -and $_.message -match "CommandLine.*.*catalog.*" -and $_.message -match "CommandLine.*.*quiet.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_shell_spawn_mshta.ps1 b/Rules/sigma_tmp/win_shell_spawn_mshta.ps1
new file mode 100644
index 00000000..642fdc51
--- /dev/null
+++ b/Rules/sigma_tmp/win_shell_spawn_mshta.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\mshta.exe" -and ($_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\WScript.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_shell_spawn_susp_program.ps1 b/Rules/sigma_tmp/win_shell_spawn_susp_program.ps1
new file mode 100644
index 00000000..52cbbd9a
--- /dev/null
+++ b/Rules/sigma_tmp/win_shell_spawn_susp_program.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "ParentImage.*.*\\mshta.exe" -or $_.message -match "ParentImage.*.*\\powershell.exe" -or $_.message -match "ParentImage.*.*\\rundll32.exe" -or $_.message -match "ParentImage.*.*\\cscript.exe" -or $_.message -match "ParentImage.*.*\\wscript.exe" -or $_.message -match "ParentImage.*.*\\wmiprvse.exe") -and ($_.message -match "Image.*.*\\schtasks.exe" -or $_.message -match "Image.*.*\\nslookup.exe" -or $_.message -match "Image.*.*\\certutil.exe" -or $_.message -match "Image.*.*\\bitsadmin.exe" -or $_.message -match "Image.*.*\\mshta.exe")) -and -not ($_.message -match "CurrentDirectory.*.*\\ccmcache\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_silenttrinity_stage_use.ps1 b/Rules/sigma_tmp/win_silenttrinity_stage_use.ps1
new file mode 100644
index 00000000..18e42e37
--- /dev/null
+++ b/Rules/sigma_tmp/win_silenttrinity_stage_use.ps1
@@ -0,0 +1,2 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Description.*.*st2stager.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and $_.message -match "Description.*.*st2stager.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_smb_file_creation_admin_shares.ps1 b/Rules/sigma_tmp/win_smb_file_creation_admin_shares.ps1
new file mode 100644
index 00000000..6f27ddbe
--- /dev/null
+++ b/Rules/sigma_tmp/win_smb_file_creation_admin_shares.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "5145" -and $_.message -match "ShareName.*.*C$" -and $_.message -match "AccessMask.*0x2") -and -not ($_.message -match "SubjectUserName.*.*$")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_software_discovery.ps1 b/Rules/sigma_tmp/win_software_discovery.ps1
new file mode 100644
index 00000000..ce345edc
--- /dev/null
+++ b/Rules/sigma_tmp/win_software_discovery.ps1
@@ -0,0 +1,2 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*get-itemProperty.*" -and $_.message -match "ScriptBlockText.*.*\\software\\.*" -and $_.message -match "ScriptBlockText.*.*select-object.*" -and $_.message -match "ScriptBlockText.*.*format-table.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\reg.exe" -and $_.message -match "CommandLine.*.*query.*" -and $_.message -match "CommandLine.*.*\\software\\.*" -and $_.message -match "CommandLine.*.*/v.*" -and $_.message -match "CommandLine.*.*svcversion.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_soundrec_audio_capture.ps1 b/Rules/sigma_tmp/win_soundrec_audio_capture.ps1
new file mode 100644
index 00000000..737a2d57
--- /dev/null
+++ b/Rules/sigma_tmp/win_soundrec_audio_capture.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\SoundRecorder.exe" -and $_.message -match "CommandLine.*.*/FILE.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_spn_enum.ps1 b/Rules/sigma_tmp/win_spn_enum.ps1
new file mode 100644
index 00000000..cadb911a
--- /dev/null
+++ b/Rules/sigma_tmp/win_spn_enum.ps1
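Review bot: In win_smb_file_creation_admin_shares.ps1 the `$` in `"ShareName.*.*C$"` and `"SubjectUserName.*.*$"` is a regex end-of-input anchor, not the literal dollar of an admin share or a machine account, so `-not ($_.message -match "SubjectUserName.*.*$")` is false for every record that mentions SubjectUserName and the rule can never fire. Escape it: `$_.message -match "ShareName.*C\$"` and `-not ($_.message -match "SubjectUserName.*\$")`. The same unescaped `$` appears in win_susp_copy_lateral_movement.ps1 (L272, `"CommandLine.*.*$.*"`), where it turns the admin-share term into a no-op and widens the match instead. Note also that, as far as I can tell, the rendered Message of Security event 5145 labels these fields as `Share Name:`, `Account Name:` and `Access Mask:` rather than by their XML names, so the three field prefixes would not match the text either; matching on `$_.ToXml()` or using -FilterXml over the EventData names is the more reliable form — confirm against a sample event.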
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.ID -eq "1") -and ($_.message -match "Image.*.*\\setspn.exe" -or ($_.message -match "Description.*.*Query or reset the computer.*" -and $_.message -match "Description.*.*SPN attribute.*")) -and $_.message -match "CommandLine.*.*-q.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_sticky_keys_unauthenticated_privileged_console_access.ps1 b/Rules/sigma_tmp/win_sticky_keys_unauthenticated_privileged_console_access.ps1
new file mode 100644
index 00000000..6487723a
--- /dev/null
+++ b/Rules/sigma_tmp/win_sticky_keys_unauthenticated_privileged_console_access.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "copy /y C:\\windows\\system32\\cmd.exe C:\\windows\\system32\\sethc.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_sus_auditpol_usage.ps1 b/Rules/sigma_tmp/win_sus_auditpol_usage.ps1
new file mode 100644
index 00000000..64a7cea0
--- /dev/null
+++ b/Rules/sigma_tmp/win_sus_auditpol_usage.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\auditpol.exe" -and ($_.message -match "CommandLine.*.*disable.*" -or $_.message -match "CommandLine.*.*clear.*" -or $_.message -match "CommandLine.*.*remove.*" -or $_.message -match "CommandLine.*.*restore.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_add_domain_trust.ps1 b/Rules/sigma_tmp/win_susp_add_domain_trust.ps1
new file mode 100644
index 00000000..a8de5324
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_add_domain_trust.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "4706") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
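Review bot: win_spn_enum.ps1 tests the event ID twice, `$_.ID -eq "1" -and ($_.ID -eq "1") -and ...`; the second term is redundant and looks like the logsource condition being emitted once per selection block by the generator. Dropping it leaves `where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\setspn.exe" -or ($_.message -match "Description.*.*Query or reset the computer.*" -and $_.message -match "Description.*.*SPN attribute.*")) -and $_.message -match "CommandLine.*.*-q.*") }`. The same duplicated term appears in win_susp_comsvcs_procdump.ps1 (L271), win_susp_copy_lateral_movement.ps1 (L272), win_susp_csi.ps1 and win_susp_curl_download.ps1 (L275); win_susp_calc.ps1 (L267) and win_susp_desktopimgdownldr.ps1 (L277) repeat it inside a nested group.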
diff --git a/Rules/sigma_tmp/win_susp_add_sid_history.ps1 b/Rules/sigma_tmp/win_susp_add_sid_history.ps1
new file mode 100644
index 00000000..1eb4ddcd
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_add_sid_history.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {((($_.ID -eq "4765" -or $_.ID -eq "4766") -or (($_.ID -eq "4738" -and -not (($_.message -match "-" -or $_.message -match "%%1793"))) -and -not (-not SidHistory="*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_adfind.ps1 b/Rules/sigma_tmp/win_susp_adfind.ps1
new file mode 100644
index 00000000..a9a1743d
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_adfind.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*objectcategory.*" -or $_.message -match "CommandLine.*.*trustdmp.*" -or $_.message -match "CommandLine.*.*dcmodes.*" -or $_.message -match "CommandLine.*.*dclist.*" -or $_.message -match "CommandLine.*.*computers_pwdnotreqd.*") -and $_.message -match "Image.*.*\\adfind.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_atbroker.ps1 b/Rules/sigma_tmp/win_susp_atbroker.ps1
new file mode 100644
index 00000000..9a358805
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_atbroker.ps1
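Review bot: win_susp_add_sid_history.ps1 does not parse: `-not (-not SidHistory="*")` is a bare word followed by an assignment, not a PowerShell expression, so the script fails before any event is read. The 4738 branch is also weakened by `$_.message -match "-"`, which is true for any message containing a hyphen, and `-match "%%1793"` is likewise unanchored. Presumably the intent, following the source rule's filter, is to keep 4738 events whose SID History field is neither `-` nor `%%1793`; something like `($_.ID -eq "4738" -and -not ($_.message -match "SID History:\s+(-|%%1793)"))` expresses that, with the exact field label to be confirmed against a rendered 4738 event. Until the expression is fixed the 4765/4766 half of the rule is lost with it, since the whole script fails to load.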
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*AtBroker.exe" -and $_.message -match "CommandLine.*.*start.*") -and -not (($_.message -match "CommandLine.*.*animations.*" -or $_.message -match "CommandLine.*.*audiodescription.*" -or $_.message -match "CommandLine.*.*caretbrowsing.*" -or $_.message -match "CommandLine.*.*caretwidth.*" -or $_.message -match "CommandLine.*.*colorfiltering.*" -or $_.message -match "CommandLine.*.*cursorscheme.*" -or $_.message -match "CommandLine.*.*filterkeys.*" -or $_.message -match "CommandLine.*.*focusborderheight.*" -or $_.message -match "CommandLine.*.*focusborderwidth.*" -or $_.message -match "CommandLine.*.*highcontrast.*" -or $_.message -match "CommandLine.*.*keyboardcues.*" -or $_.message -match "CommandLine.*.*keyboardpref.*" -or $_.message -match "CommandLine.*.*magnifierpane.*" -or $_.message -match "CommandLine.*.*messageduration.*" -or $_.message -match "CommandLine.*.*minimumhitradius.*" -or $_.message -match "CommandLine.*.*mousekeys.*" -or $_.message -match "CommandLine.*.*Narrator.*" -or $_.message -match "CommandLine.*.*osk.*" -or $_.message -match "CommandLine.*.*overlappedcontent.*" -or $_.message -match "CommandLine.*.*showsounds.*" -or $_.message -match "CommandLine.*.*soundsentry.*" -or $_.message -match "CommandLine.*.*stickykeys.*" -or $_.message -match "CommandLine.*.*togglekeys.*" -or $_.message -match "CommandLine.*.*windowarranging.*" -or $_.message -match "CommandLine.*.*windowtracking.*" -or $_.message -match "CommandLine.*.*windowtrackingtimeout.*" -or $_.message -match "CommandLine.*.*windowtrackingzorder.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_athremotefxvgpudisablementcommand.ps1 b/Rules/sigma_tmp/win_susp_athremotefxvgpudisablementcommand.ps1
new file mode 100644
index 00000000..37028dbe
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_athremotefxvgpudisablementcommand.ps1
@@ -0,0 +1,3 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*Invoke-ATHRemoteFXvGPUDisablementCommand .*" -and ($_.message -match "CommandLine.*.*-ModuleName .*" -or $_.message -match "CommandLine.*.*-ModulePath .*" -or $_.message -match "CommandLine.*.*-ScriptBlock .*" -or $_.message -match "CommandLine.*.*-RemoteFXvGPUDisablementFilePath.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Windows PowerShell | where {($_.message -match "HostApplication.*.*Invoke-ATHRemoteFXvGPUDisablementCommand .*" -and ($_.message -match "HostApplication.*.*-ModuleName .*" -or $_.message -match "HostApplication.*.*-ModulePath .*" -or $_.message -match "HostApplication.*.*-ScriptBlock .*" -or $_.message -match "HostApplication.*.*-RemoteFXvGPUDisablementFilePath.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.message -match "ContextInfo.*.*Invoke-ATHRemoteFXvGPUDisablementCommand .*" -and ($_.message -match "ContextInfo.*.*-ModuleName .*" -or $_.message -match "ContextInfo.*.*-ModulePath .*" -or $_.message -match "ContextInfo.*.*-ScriptBlock .*" -or $_.message -match "ContextInfo.*.*-RemoteFXvGPUDisablementFilePath.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_backup_delete.ps1 b/Rules/sigma_tmp/win_susp_backup_delete.ps1
new file mode 100644
index 00000000..2ed67a02
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_backup_delete.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Application | where {($_.ID -eq "524" -and $_.message -match "Source.*Microsoft-Windows-Backup") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
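Review bot: In win_susp_backup_delete.ps1 the provider check `$_.message -match "Source.*Microsoft-Windows-Backup"` looks for the provider name inside the rendered message text; as far as I can tell the Message of an EventLogRecord carries no `Source` line — the provider is exposed as the `ProviderName` property — so this term would keep the rule from ever firing. Use the property and push both terms into the query: `Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='Microsoft-Windows-Backup'; Id=524} | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message`. The same `Source.*` pattern is used in win_susp_dhcp_config.ps1 and win_susp_dhcp_config_failed.ps1 (L278).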
diff --git a/Rules/sigma_tmp/win_susp_bcdedit.ps1 b/Rules/sigma_tmp/win_susp_bcdedit.ps1
new file mode 100644
index 00000000..3313b2ed
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_bcdedit.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\bcdedit.exe" -and ($_.message -match "CommandLine.*.*delete.*" -or $_.message -match "CommandLine.*.*deletevalue.*" -or $_.message -match "CommandLine.*.*import.*" -or $_.message -match "CommandLine.*.*safeboot.*" -or $_.message -match "CommandLine.*.*network.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_bginfo.ps1 b/Rules/sigma_tmp/win_susp_bginfo.ps1
new file mode 100644
index 00000000..79e13c1f
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_bginfo.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\bginfo.exe" -and $_.message -match "CommandLine.*.*/popup.*" -and $_.message -match "CommandLine.*.*/nolicprompt.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_calc.ps1 b/Rules/sigma_tmp/win_susp_calc.ps1
new file mode 100644
index 00000000..95000929
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_calc.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*\\calc.exe .*" -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\calc.exe" -and -not ($_.message -match "Image.*.*\\Windows\\Sys.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_cdb.ps1 b/Rules/sigma_tmp/win_susp_cdb.ps1
new file mode 100644
index 00000000..78e38c8a
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_cdb.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\cdb.exe" -and $_.message -match "CommandLine.*.*-cf.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_certutil_command.ps1 b/Rules/sigma_tmp/win_susp_certutil_command.ps1
new file mode 100644
index 00000000..0e432c7a
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_certutil_command.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.* -decode .*" -or $_.message -match "CommandLine.*.* -decodehex .*" -or $_.message -match "CommandLine.*.* -urlcache .*" -or $_.message -match "CommandLine.*.* -verifyctl .*" -or $_.message -match "CommandLine.*.* -encode .*" -or $_.message -match "CommandLine.*.* /decode .*" -or $_.message -match "CommandLine.*.* /decodehex .*" -or $_.message -match "CommandLine.*.* /urlcache .*" -or $_.message -match "CommandLine.*.* /verifyctl .*" -or $_.message -match "CommandLine.*.* /encode .*") -or ($_.message -match "Image.*.*\\certutil.exe" -and ($_.message -match "CommandLine.*.*URL.*" -or $_.message -match "CommandLine.*.*ping.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_certutil_encode.ps1 b/Rules/sigma_tmp/win_susp_certutil_encode.ps1
new file mode 100644
index 00000000..8e55f248
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_certutil_encode.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\certutil.exe" -and $_.message -match "CommandLine.*.*-f.*" -and $_.message -match "CommandLine.*.*-encode.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_cli_escape.ps1 b/Rules/sigma_tmp/win_susp_cli_escape.ps1
new file mode 100644
index 00000000..12870694
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_cli_escape.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*h^t^t^p.*" -or $_.message -match "CommandLine.*.*h\"t\"t\"p.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_cmd_http_appdata.ps1 b/Rules/sigma_tmp/win_susp_cmd_http_appdata.ps1
new file mode 100644
index 00000000..e683ef94
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_cmd_http_appdata.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\cmd.exe" -and $_.message -match "CommandLine.*.*http.*" -and $_.message -match "CommandLine.*.*://.*" -and $_.message -match "CommandLine.*.*%AppData%.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_codeintegrity_check_failure.ps1 b/Rules/sigma_tmp/win_susp_codeintegrity_check_failure.ps1
new file mode 100644
index 00000000..1a0c9ac5
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_codeintegrity_check_failure.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "5038" -or $_.ID -eq "6281")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_codepage_switch.ps1 b/Rules/sigma_tmp/win_susp_codepage_switch.ps1
new file mode 100644
index 00000000..3d17a22f
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_codepage_switch.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\chcp.com" -and ($_.message -match "CommandLine.*.* 936" -or $_.message -match "CommandLine.*.* 1258")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_commands_recon_activity.ps1 b/Rules/sigma_tmp/win_susp_commands_recon_activity.ps1
new file mode 100644
index 00000000..855859f5
--- /dev/null
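Review bot: win_susp_cli_escape.ps1 does not parse: PowerShell's escape character inside a double-quoted string is the backtick, not the backslash, so in `"CommandLine.*.*h\"t\"t\"p.*"` the first `\"` terminates the string and the remaining `t\"t\"p.*"` is a syntax error. Single-quote the pattern; the regex itself is unaffected, since `\"` is a literal quote to .NET: `$_.message -match 'CommandLine.*.*h\"t\"t\"p.*'`. The same `\"` construct breaks win_susp_commands_recon_activity.ps1 (L270, the `"domain admins"` and `"Exchange Trusted Subsystem"` terms) and win_susp_crackmapexec_execution.ps1 (L273, the `-C \".*` term), so all three files fail to load rather than merely mis-match.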
+++ b/Rules/sigma_tmp/win_susp_commands_recon_activity.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "tasklist" -or $_.message -match "net time" -or $_.message -match "systeminfo" -or $_.message -match "whoami" -or $_.message -match "nbtstat" -or $_.message -match "net start" -or $_.message -match "qprocess" -or $_.message -match "nslookup" -or $_.message -match "hostname.exe" -or $_.message -match "netstat -an") -or ($_.message -match "CommandLine.*.*\\net1 start" -or $_.message -match "CommandLine.*.*\\net1 user /domain" -or $_.message -match "CommandLine.*.*\\net1 group /domain" -or $_.message -match "CommandLine.*.*\\net1 group \"domain admins\" /domain" -or $_.message -match "CommandLine.*.*\\net1 group \"Exchange Trusted Subsystem\" /domain" -or $_.message -match "CommandLine.*.*\\net1 accounts /domain" -or $_.message -match "CommandLine.*.*\\net1 user net localgroup administrators"))) } | group-object CommandLine | where { $_.count -gt 4 } | select name,count | sort -desc
diff --git a/Rules/sigma_tmp/win_susp_compression_params.ps1 b/Rules/sigma_tmp/win_susp_compression_params.ps1
new file mode 100644
index 00000000..aec88acd
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_compression_params.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "OriginalFileName.*7z.*.exe" -or $_.message -match "OriginalFileName.*.*rar.exe" -or $_.message -match "OriginalFileName.*.*Command.*Line.*RAR.*") -and ($_.message -match "CommandLine.*.* -p.*" -or $_.message -match "CommandLine.*.* -ta.*" -or $_.message -match "CommandLine.*.* -tb.*" -or $_.message -match "CommandLine.*.* -sdel.*" -or $_.message -match "CommandLine.*.* -dw.*" -or $_.message -match "CommandLine.*.* -hp.*")) -and -not ($_.message -match "ParentImage.*C:\\Program.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
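Review bot: win_susp_commands_recon_activity.ps1 groups with `group-object CommandLine`, but the objects leaving `where` are the EventLogRecord instances returned by Get-WinEvent, which expose Message and, as far as I can tell, no CommandLine property, so every match falls into one group with an empty Name and the `count -gt 4` threshold is applied to the host as a whole rather than per command line. Extract the field from the message first, e.g. `| foreach { if ($_.Message -match 'CommandLine:\s*(.+)') { $Matches[1].Trim() } } | group-object | where { $_.count -gt 4 } | select name,count | sort count -desc`, which also gives `sort` an explicit key. The first alternative of the condition matches `whoami`, `tasklist` and the rest anywhere in the Message with no field prefix, so a ParentCommandLine or CurrentDirectory containing one of those words counts as well; prefixing them with `CommandLine.*` as the second alternative already does would keep the two halves consistent.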
diff --git a/Rules/sigma_tmp/win_susp_comsvcs_procdump.ps1 b/Rules/sigma_tmp/win_susp_comsvcs_procdump.ps1
new file mode 100644
index 00000000..ad94b3cd
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_comsvcs_procdump.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.ID -eq "1") -and ($_.message -match "Image.*.*\\rundll32.exe" -or $_.message -match "OriginalFileName.*RUNDLL32.EXE") -and ($_.message -match "CommandLine.*.*comsvcs.*" -and $_.message -match "CommandLine.*.*MiniDump.*" -and $_.message -match "CommandLine.*.*full.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_conhost.ps1 b/Rules/sigma_tmp/win_susp_conhost.ps1
new file mode 100644
index 00000000..46aa2cb2
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_conhost.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\conhost.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_control_dll_load.ps1 b/Rules/sigma_tmp/win_susp_control_dll_load.ps1
new file mode 100644
index 00000000..078a8b34
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_control_dll_load.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "ParentImage.*.*\\System32\\control.exe" -and $_.message -match "Image.*.*\\rundll32.exe ") -and -not ($_.message -match "CommandLine.*.*Shell32.dll.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_copy_lateral_movement.ps1 b/Rules/sigma_tmp/win_susp_copy_lateral_movement.ps1
new file mode 100644
index 00000000..2e41d94a
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_copy_lateral_movement.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.ID -eq "1") -and ((($_.message -match "Image.*.*\\robocopy.exe" -or $_.message -match "Image.*.*\\xcopy.exe") -or ($_.message -match "Image.*.*\\cmd.exe" -and $_.message -match "CommandLine.*.*copy.*")) -or ($_.message -match "Image.*.*\\powershell.*" -and ($_.message -match "CommandLine.*.*copy-item.*" -or $_.message -match "CommandLine.*.*copy.*" -or $_.message -match "CommandLine.*.*cpi .*" -or $_.message -match "CommandLine.*.* cp .*"))) -and ($_.message -match "CommandLine.*.*\\\\\.*" -and $_.message -match "CommandLine.*.*$.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_copy_system32.ps1 b/Rules/sigma_tmp/win_susp_copy_system32.ps1
new file mode 100644
index 00000000..48eaa7dc
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_copy_system32.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* /c copy.*" -or $_.message -match "CommandLine.*.*xcopy.*") -and $_.message -match "CommandLine.*.*\\System32\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_covenant.ps1 b/Rules/sigma_tmp/win_susp_covenant.ps1
new file mode 100644
index 00000000..e4a0ccbd
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_covenant.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*-Sta.*" -and $_.message -match "CommandLine.*.*-Nop.*" -and $_.message -match "CommandLine.*.*-Window.*" -and $_.message -match "CommandLine.*.*Hidden.*" -and ($_.message -match "CommandLine.*.*-Command.*" -or $_.message -match "CommandLine.*.*-EncodedCommand.*")) -or ($_.message -match "CommandLine.*.*sv o (New-Object IO.MemorySteam);sv d .*" -or $_.message -match "CommandLine.*.*mshta file.hta.*" -or $_.message -match "CommandLine.*.*GruntHTTP.*" -or $_.message -match "CommandLine.*.*-EncodedCommand cwB2ACAAbwAgA.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_crackmapexec_execution.ps1 b/Rules/sigma_tmp/win_susp_crackmapexec_execution.ps1
new file mode 100644
index 00000000..219fcc3c
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_crackmapexec_execution.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*cmd.exe /Q /c .* 1> \\\\.*\\.*\\.* 2>&1" -or $_.message -match "CommandLine.*.*cmd.exe /C .* > \\\\.*\\.*\\.* 2>&1" -or $_.message -match "CommandLine.*.*cmd.exe /C .* > .*\\Temp\\.* 2>&1") -and ($_.message -match "CommandLine.*.*powershell.exe -exec bypass -noni -nop -w 1 -C \".*" -or $_.message -match "CommandLine.*.*powershell.exe -noni -nop -w 1 -enc .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_crackmapexec_powershell_obfuscation.ps1 b/Rules/sigma_tmp/win_susp_crackmapexec_powershell_obfuscation.ps1
new file mode 100644
index 00000000..4365af5b
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_crackmapexec_powershell_obfuscation.ps1
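Review bot: In win_susp_covenant.ps1 the parentheses in `"CommandLine.*.*sv o (New-Object IO.MemorySteam);sv d .*"` form a regex group, so the pattern only matches `sv o New-Object IO.MemorySteam;sv d` with the parentheses absent and will not match a command line that actually contains them. Escape the metacharacters: `$_.message -match 'CommandLine.*sv o \(New-Object IO\.MemorySteam\);sv d .*'`; I assume the `MemorySteam` spelling is the indicator as written in the source rule and have left it alone — worth confirming. More generally, the indicator strings across this batch are dropped into regexes without escaping, so `.`, `(`, `[`, `+` and `$` change meaning; running the literal part of each term through `[regex]::Escape` in the generator would fix this for every file at once.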
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*powershell.exe.*" -and ($_.message -match "CommandLine.*.*join.*split.*" -or $_.message -match "CommandLine.*.*( $ShellId[1]\+$ShellId[13]\+'x').*" -or $_.message -match "CommandLine.*.*( $PSHome[.*]\+$PSHOME[.*]\+.*" -or $_.message -match "CommandLine.*.*( $env:Public[13]\+$env:Public[5]\+'x').*" -or $_.message -match "CommandLine.*.*( $env:ComSpec[4,.*,25]-Join'').*" -or $_.message -match "CommandLine.*.*[1,3]\+'x'-Join'').*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_csc.ps1 b/Rules/sigma_tmp/win_susp_csc.ps1
new file mode 100644
index 00000000..7fe08daf
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_csc.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\csc.exe" -and ($_.message -match "ParentImage.*.*\\wscript.exe" -or $_.message -match "ParentImage.*.*\\cscript.exe" -or $_.message -match "ParentImage.*.*\\mshta.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_csc_folder.ps1 b/Rules/sigma_tmp/win_susp_csc_folder.ps1
new file mode 100644
index 00000000..09c239bd
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_csc_folder.ps1
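Review bot: In win_susp_crackmapexec_powershell_obfuscation.ps1 the patterns are double-quoted, so `$ShellId`, `$PSHome`, `$PSHOME`, `$env:Public` and `$env:ComSpec` are expanded by the host running the script before the regex is compiled; the comparison is then against the host's own values (for example `( Microsoft.PowerShell[1]\+...`) rather than the literal obfuscation text, and the `(` and `[` that survive are regex metacharacters, so none of these five terms can match what they were written for. Single-quote and escape the literal part, e.g. `$_.message -match ('CommandLine.*' + [regex]::Escape('( $ShellId[1]+$ShellId[13]+''x'')'))`, and treat the other terms the same way, escaping the pieces on either side of the `.*` wildcards that some of them embed. The generic `join.*split` term is unaffected.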
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\csc.exe" -and ($_.message -match "CommandLine.*.*\\AppData\\.*" -or $_.message -match "CommandLine.*.*\\Windows\\Temp\\.*")) -and -not ($_.message -match "ParentImage.*C:\\Program Files.*" -or ($_.message -match "ParentImage.*.*\\sdiagnhost.exe" -or $_.message -match "ParentImage.*.*\\w3wp.exe") -or ($_.message -match "ParentCommandLine.*.*\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_csi.ps1 b/Rules/sigma_tmp/win_susp_csi.ps1
new file mode 100644
index 00000000..a3c12d11
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_csi.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.ID -eq "1") -and ($_.message -match "Image.*.*\\csi.exe" -or $_.message -match "Image.*.*\\rcsi.exe" -or $_.message -match "OriginalFileName.*csi.exe" -or $_.message -match "OriginalFileName.*rcsi.exe") -and $_.message -match "Company.*Microsoft Corporation") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_curl_download.ps1 b/Rules/sigma_tmp/win_susp_curl_download.ps1
new file mode 100644
index 00000000..49593c24
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_curl_download.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.ID -eq "1") -and ($_.message -match "Image.*.*\\curl.exe" -or $_.message -match "Product.*The curl executable") -and $_.message -match "CommandLine.*.* -O .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_curl_fileupload.ps1 b/Rules/sigma_tmp/win_susp_curl_fileupload.ps1
new file mode 100644
index 00000000..ce5cfbf3
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_curl_fileupload.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\curl.exe" -and $_.message -match "CommandLine.*.* -F .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_curl_start_combo.ps1 b/Rules/sigma_tmp/win_susp_curl_start_combo.ps1
new file mode 100644
index 00000000..702898e5
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_curl_start_combo.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*curl.*" -and $_.message -match "CommandLine.*.* start .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_dctask64_proc_inject.ps1 b/Rules/sigma_tmp/win_susp_dctask64_proc_inject.ps1
new file mode 100644
index 00000000..1e62d321
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_dctask64_proc_inject.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\dctask64.exe") -and -not (($_.message -match "CommandLine.*.*DesktopCentral_Agent\\agent.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_desktopimgdownldr.ps1 b/Rules/sigma_tmp/win_susp_desktopimgdownldr.ps1
new file mode 100644
index 00000000..860a8e4e
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_desktopimgdownldr.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.ID -eq "1") -and $_.message -match "CommandLine.*.* /lockscreenurl:.*" -and -not (($_.message -match "CommandLine.*.*.jpg.*" -or $_.message -match "CommandLine.*.*.jpeg.*" -or $_.message -match "CommandLine.*.*.png.*"))) -or ($_.message -match "CommandLine.*.*reg delete.*" -and $_.message -match "CommandLine.*.*\\PersonalizationCSP.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_desktopimgdownldr_file.ps1 b/Rules/sigma_tmp/win_susp_desktopimgdownldr_file.ps1
new file mode 100644
index 00000000..382e60c6
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_desktopimgdownldr_file.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "11") -and (($_.message -match "Image.*.*svchost.exe" -and $_.message -match "TargetFilename.*.*\\Personalization\\LockScreenImage\\.*") -and -not ($_.message -match "TargetFilename.*.*C:\\Windows\\.*")) -and -not (($_.message -match "TargetFilename.*.*.jpg.*" -or $_.message -match "TargetFilename.*.*.jpeg.*" -or $_.message -match "TargetFilename.*.*.png.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_devtoolslauncher.ps1 b/Rules/sigma_tmp/win_susp_devtoolslauncher.ps1
new file mode 100644
index 00000000..976ebba1
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_devtoolslauncher.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\devtoolslauncher.exe" -and $_.message -match "CommandLine.*.*LaunchForDeploy.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_dhcp_config.ps1 b/Rules/sigma_tmp/win_susp_dhcp_config.ps1
new file mode 100644
index 00000000..450d8fe1
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_dhcp_config.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName System | where {($_.ID -eq "1033" -and $_.message -match "Source.*Microsoft-Windows-DHCP-Server") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_dhcp_config_failed.ps1 b/Rules/sigma_tmp/win_susp_dhcp_config_failed.ps1
new file mode 100644
index 00000000..5ad2f565
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_dhcp_config_failed.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName System | where {(($_.ID -eq "1031" -or $_.ID -eq "1032" -or $_.ID -eq "1034") -and $_.message -match "Source.*Microsoft-Windows-DHCP-Server") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_direct_asep_reg_keys_modification.ps1 b/Rules/sigma_tmp/win_susp_direct_asep_reg_keys_modification.ps1
new file mode 100644
index 00000000..04b85c53
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_direct_asep_reg_keys_modification.ps1
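Review bot: `$_.message -match "Source.*Microsoft-Windows-DHCP-Server"` looks for the provider name inside the rendered event text, but Get-WinEvent exposes the source as the record's `ProviderName` property and the text of event 1033 is not expected to contain that string, so the filter will most likely match nothing. Test the property instead, `where {($_.ID -eq "1033" -and $_.ProviderName -eq "Microsoft-Windows-DHCP-Server") }`, or let the log service filter: `Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-DHCP-Server'; Id=1033}`. win_susp_dhcp_config_failed in the next hunk and the System-log line of win_susp_eventlog_cleared (`Source.*Microsoft-Windows-Eventlog`) have the same problem.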
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\reg.exe" -and $_.message -match "CommandLine.*.*add.*" -and ($_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows\\CurrentVersion\\Run.*" -or $_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce.*" -or $_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx.*" -or $_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows\\CurrentVersion\\RunServices.*" -or $_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce.*" -or $_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit.*" -or $_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell.*" -or $_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows.*" -or $_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders.*" -or $_.message -match "CommandLine.*.*\\system\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_disable_eventlog.ps1 b/Rules/sigma_tmp/win_susp_disable_eventlog.ps1
new file mode 100644
index 00000000..045c7a02
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_disable_eventlog.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*logman .*") -and ($_.message -match "CommandLine.*.*stop .*" -or $_.message -match "CommandLine.*.*delete .*") -and ($_.message -match "CommandLine.*.*EventLog-System.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
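Review bot: `CommandLine.*.*\\software\\Microsoft\\Windows\\CurrentVersion\\Run.*` already matches every line the next four alternatives (`RunOnce.*`, `RunOnceEx.*`, `RunServices.*`, `RunServicesOnce.*`) can match, so those four are dead and can be removed; a list of distinct keys is easier to audit against the Sigma source. Separately, `CommandLine.*.*add.*` accepts `add` anywhere in the line, including inside a path or value, so the key-write test should be word-bounded: `$_.message -match "CommandLine.*\badd\b"`.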
diff --git a/Rules/sigma_tmp/win_susp_disable_ie_features.ps1 b/Rules/sigma_tmp/win_susp_disable_ie_features.ps1
new file mode 100644
index 00000000..1273492c
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_disable_ie_features.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.* -name IEHarden .*" -and $_.message -match "CommandLine.*.* -value 0 .*") -or ($_.message -match "CommandLine.*.* -name DEPOff .*" -and $_.message -match "CommandLine.*.* -value 1 .*") -or ($_.message -match "CommandLine.*.* -name DisableFirstRunCustomize .*" -and $_.message -match "CommandLine.*.* -value 2 .*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_disable_raccine.ps1 b/Rules/sigma_tmp/win_susp_disable_raccine.ps1
new file mode 100644
index 00000000..ee4242d5
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_disable_raccine.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*taskkill .*" -and $_.message -match "CommandLine.*.*RaccineSettings.exe.*") -or ($_.message -match "CommandLine.*.*reg.exe.*" -and $_.message -match "CommandLine.*.*delete.*" -and $_.message -match "CommandLine.*.*Raccine Tray.*") -or ($_.message -match "CommandLine.*.*schtasks.*" -and $_.message -match "CommandLine.*.*/DELETE.*" -and $_.message -match "CommandLine.*.*Raccine Rules Updater.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_diskshadow.ps1 b/Rules/sigma_tmp/win_susp_diskshadow.ps1
new file mode 100644
index 00000000..a57fccaa
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_diskshadow.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\diskshadow.exe" -and ($_.message -match "CommandLine.*.*/s.*" -or $_.message -match "CommandLine.*.*-s.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_ditsnap.ps1 b/Rules/sigma_tmp/win_susp_ditsnap.ps1
new file mode 100644
index 00000000..a70aa301
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_ditsnap.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\ditsnap.exe") -or ($_.message -match "CommandLine.*.*ditsnap.exe.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_dns_config.ps1 b/Rules/sigma_tmp/win_susp_dns_config.ps1
new file mode 100644
index 00000000..a53c8a10
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_dns_config.ps1
@@ -0,0 +1 @@
+Get-WinEvent | where {($_.ID -eq "150" -or $_.ID -eq "770") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_dnx.ps1 b/Rules/sigma_tmp/win_susp_dnx.ps1
new file mode 100644
index 00000000..737fd396
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_dnx.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\dnx.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_double_extension.ps1 b/Rules/sigma_tmp/win_susp_double_extension.ps1
new file mode 100644
index 00000000..c91b9fd2
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_double_extension.ps1
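Review bot: The win_susp_dns_config hunk calls `Get-WinEvent` with no `-LogName`, `-FilterHashtable` or `-Path`, so the cmdlet has no log to read and the ID test for 150/770 never sees an event; every other hunk in this diff names its log. These IDs presumably belong to the DNS Server service log, which would make the line `Get-WinEvent -LogName "DNS Server" | where {($_.ID -eq "150" -or $_.ID -eq "770") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message` — confirm the log name on a DNS server host.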
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*.doc.exe" -or $_.message -match "Image.*.*.docx.exe" -or $_.message -match "Image.*.*.xls.exe" -or $_.message -match "Image.*.*.xlsx.exe" -or $_.message -match "Image.*.*.ppt.exe" -or $_.message -match "Image.*.*.pptx.exe" -or $_.message -match "Image.*.*.rtf.exe" -or $_.message -match "Image.*.*.pdf.exe" -or $_.message -match "Image.*.*.txt.exe" -or $_.message -match "Image.*.* .exe" -or $_.message -match "Image.*.*______.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_dsrm_password_change.ps1 b/Rules/sigma_tmp/win_susp_dsrm_password_change.ps1
new file mode 100644
index 00000000..a28c60f1
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_dsrm_password_change.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "4794") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_dxcap.ps1 b/Rules/sigma_tmp/win_susp_dxcap.ps1
new file mode 100644
index 00000000..74f52f1d
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_dxcap.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\dxcap.exe" -and $_.message -match "CommandLine.*.*-c.*" -and $_.message -match "CommandLine.*.*.exe.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_emotet_rudll32_execution.ps1 b/Rules/sigma_tmp/win_susp_emotet_rudll32_execution.ps1
new file mode 100644
index 00000000..eb7dc908
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_emotet_rudll32_execution.ps1
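Review bot: The dots in `Image.*.*.doc.exe`, `.docx.exe`, `.xls.exe` and the rest are regex wildcards, so `Image.*.*.doc.exe` also matches any executable whose name merely ends in `doc.exe` (e.g. `autodoc.exe`, a constructed example) and the rule alerts on binaries that carry no double extension. Escape the separator and the final extension, `$_.message -match "Image.*\.doc\.exe"`, for each alternative; `"Image.*.* .exe"` and `"Image.*.*______.exe"` need only `\.exe`.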
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\rundll32.exe") -and ($_.message -match "CommandLine.*.*,RunDLL")) -and -not (($_.message -match "ParentImage.*.*\\tracker.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_esentutl_activity.ps1 b/Rules/sigma_tmp/win_susp_esentutl_activity.ps1
new file mode 100644
index 00000000..22a589b9
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_esentutl_activity.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.* /vss .*" -and $_.message -match "CommandLine.*.* /y .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_eventlog_clear.ps1 b/Rules/sigma_tmp/win_susp_eventlog_clear.ps1
new file mode 100644
index 00000000..bced8995
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_eventlog_clear.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.message -match "Image.*.*\\powershell.exe" -and ($_.message -match "CommandLine.*.*Clear-EventLog.*" -or $_.message -match "CommandLine.*.*Remove-EventLog.*" -or $_.message -match "CommandLine.*.*Limit-EventLog.*")) -or ($_.message -match "Image.*.*\\wmic.exe" -and $_.message -match "CommandLine.*.* ClearEventLog .*")) -or ($_.ID -eq "1" -and $_.message -match "Image.*.*\\wevtutil.exe" -and ($_.message -match "CommandLine.*.*clear-log.*" -or $_.message -match "CommandLine.*.* cl .*" -or $_.message -match "CommandLine.*.*set-log.*" -or $_.message -match "CommandLine.*.* sl .*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_eventlog_cleared.ps1 b/Rules/sigma_tmp/win_susp_eventlog_cleared.ps1
new file mode 100644
index 00000000..3a079f2c
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_eventlog_cleared.ps1
@@ -0,0 +1,2 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "517" -or $_.ID -eq "1102")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName System | where {($_.ID -eq "104" -and $_.message -match "Source.*Microsoft-Windows-Eventlog") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_execution_path.ps1 b/Rules/sigma_tmp/win_susp_execution_path.ps1
new file mode 100644
index 00000000..58880847
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_execution_path.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\$Recycle.bin\\.*" -or $_.message -match "Image.*.*\\config\\systemprofile\\.*" -or $_.message -match "Image.*.*\\Intel\\Logs\\.*" -or $_.message -match "Image.*.*\\RSA\\MachineKeys\\.*" -or $_.message -match "Image.*.*\\Users\\All Users\\.*" -or $_.message -match "Image.*.*\\Users\\Default\\.*" -or $_.message -match "Image.*.*\\Users\\NetworkService\\.*" -or $_.message -match "Image.*.*\\Users\\Public\\.*" -or $_.message -match "Image.*.*\\Windows\\addins\\.*" -or $_.message -match "Image.*.*\\Windows\\debug\\.*" -or $_.message -match "Image.*.*\\Windows\\Fonts\\.*" -or $_.message -match "Image.*.*\\Windows\\Help\\.*" -or $_.message -match "Image.*.*\\Windows\\IME\\.*" -or $_.message -match "Image.*.*\\Windows\\Media\\.*" -or $_.message -match "Image.*.*\\Windows\\repair\\.*" -or $_.message -match "Image.*.*\\Windows\\security\\.*" -or $_.message -match "Image.*.*\\Windows\\system32\\config\\systemprofile\\.*" -or $_.message -match "Image.*.*\\Windows\\System32\\Tasks\\.*" -or $_.message -match "Image.*.*\\Windows\\Tasks\\.*") -or $_.message -match "Image.*C:\\Perflogs\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
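Review bot: `"Image.*.*\\$Recycle.bin\\.*"` in win_susp_execution_path is a double-quoted PowerShell string, so `$Recycle` is expanded as a variable; with `$Recycle` undefined the pattern becomes `Image.*.*\\.bin\\.*`, which never detects the Recycle Bin path and instead matches any `\<char>bin\` segment. Use a single-quoted string and escape the regex metacharacters: `$_.message -match 'Image.*\\\$Recycle\.bin\\'`. Under `Set-StrictMode` the unset variable would additionally throw inside the `where` block.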
diff --git a/Rules/sigma_tmp/win_susp_execution_path_webserver.ps1 b/Rules/sigma_tmp/win_susp_execution_path_webserver.ps1
new file mode 100644
index 00000000..2357267d
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_execution_path_webserver.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\wwwroot\\.*" -or $_.message -match "Image.*.*\\wmpub\\.*" -or $_.message -match "Image.*.*\\htdocs\\.*") -and -not (($_.message -match "Image.*.*bin\\.*" -or $_.message -match "Image.*.*\\Tools\\.*" -or $_.message -match "Image.*.*\\SMSComponent\\.*") -and ($_.message -match "ParentImage.*.*\\services.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_explorer.ps1 b/Rules/sigma_tmp/win_susp_explorer.ps1
new file mode 100644
index 00000000..bcac6853
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_explorer.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\explorer.exe") -and ($_.message -match "ParentImage.*.*\\cmd.exe") -and ($_.message -match "CommandLine.*.*explorer.exe.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_explorer_break_proctree.ps1 b/Rules/sigma_tmp/win_susp_explorer_break_proctree.ps1
new file mode 100644
index 00000000..8f651b08
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_explorer_break_proctree.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*explorer.exe.*" -and $_.message -match "CommandLine.*.* /root,.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_failed_guest_logon.ps1 b/Rules/sigma_tmp/win_susp_failed_guest_logon.ps1
new file mode 100644
index 00000000..a2739a73
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_failed_guest_logon.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-SmbClient/Security | where {($_.ID -eq "31017" -and $_.message -match "Description.*.*Rejected an insecure guest logon.*" -and $_.message -match "UserName.*" -and $_.message -match "ServerName.*\\1.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_failed_logon_reasons.ps1 b/Rules/sigma_tmp/win_susp_failed_logon_reasons.ps1
new file mode 100644
index 00000000..35ae5ae5
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_failed_logon_reasons.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "4625" -or $_.ID -eq "4776") -and ($_.message -match "0xC0000072" -or $_.message -match "0xC000006F" -or $_.message -match "0xC0000070" -or $_.message -match "0xC0000413" -or $_.message -match "0xC000018C" -or $_.message -match "0xC000015B")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_failed_logon_source.ps1 b/Rules/sigma_tmp/win_susp_failed_logon_source.ps1
new file mode 100644
index 00000000..b15345cf
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_failed_logon_source.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "4625" -and -not ((($_.message -match "IpAddress.*.*-.*" -or ($_.message -match "IpAddress.*10..*" -or $_.message -match "IpAddress.*192.168..*" -or $_.message -match "IpAddress.*172.16..*" -or $_.message -match "IpAddress.*172.17..*" -or $_.message -match "IpAddress.*172.18..*" -or $_.message -match "IpAddress.*172.19..*" -or $_.message -match "IpAddress.*172.20..*" -or $_.message -match "IpAddress.*172.21..*" -or $_.message -match "IpAddress.*172.22..*" -or $_.message -match "IpAddress.*172.23..*" -or $_.message -match "IpAddress.*172.24..*" -or $_.message -match "IpAddress.*172.25..*" -or $_.message -match "IpAddress.*172.26..*" -or $_.message -match "IpAddress.*172.27..*" -or $_.message -match "IpAddress.*172.28..*" -or $_.message -match "IpAddress.*172.29..*" -or $_.message -match "IpAddress.*172.30..*" -or $_.message -match "IpAddress.*172.31..*" -or $_.message -match "IpAddress.*127..*" -or $_.message -match "IpAddress.*169.254..*") -or $_.message -match "IpAddress.*::1" -or ($_.message -match "IpAddress.*fe80::.*" -or $_.message -match "IpAddress.*fc00::.*"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_failed_logons_explicit_credentials.ps1 b/Rules/sigma_tmp/win_susp_failed_logons_explicit_credentials.ps1
new file mode 100644
index 00000000..0321fa98
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_failed_logons_explicit_credentials.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "4648") } | select ComputerName, Account_Name | group ComputerName | foreach { [PSCustomObject]@{'ComputerName'=$_.name;'Count'=($_.group.Account_Name | sort -u).count} } | sort count -desc | where { $_.count -gt 10 }
diff --git a/Rules/sigma_tmp/win_susp_failed_logons_single_process.ps1 b/Rules/sigma_tmp/win_susp_failed_logons_single_process.ps1
new file mode 100644
index 00000000..4c919a2a
--- /dev/null
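Review bot: Every pattern in the exclusion tests the EventData element name `IpAddress` against `$_.message`, but the rendered text of Security event 4625 labels that field `Source Network Address:`, so unless these logs are rendered with raw field names nothing in the `-not (...)` matches, the negation is always true and every 4625 fires. Even once the label is fixed the private-range tests need escaped, anchored numbers: `IpAddress.*10..*` accepts `10` followed by any character anywhere in the line, so a failed logon from an external address such as 203.0.113.10 (constructed example) is suppressed too; write `\b10\.`, `\b192\.168\.`, `\b172\.(1[6-9]|2[0-9]|3[01])\.`, `\b127\.`, `\b169\.254\.` and anchor `-` as `:\s*-\s*$`. The same field-name mismatch affects the other Security-log hunks that match `LogonType`, `TargetUserName`, `ProcessName`, `WorkstationName`, `SamAccountName`, `ObjectName`, `AccessMask` or `AccessList` against `$_.message` (win_susp_failed_logons_single_process through win_susp_failed_remote_logons_single_source, win_susp_interactive_logons, win_susp_local_anon_logon_created, win_susp_logon_explicit_credentials, win_susp_lsass_dump and win_susp_lsass_dump_generic); reading the values from `[xml]$_.ToXml()` or `$_.Properties` removes the dependence on the message template.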
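Review bot: `select ComputerName, Account_Name` in win_susp_failed_logons_explicit_credentials names properties that an EventLogRecord does not have (the host is `MachineName`; EventData values are only reachable through `Properties` or the XML), so both columns are null, `group ComputerName` produces a single unnamed group and the `-gt 10` threshold never fires. The per-host count of distinct accounts has to be built from extracted values; the 4648 EventData element for the account whose credentials were used is `TargetUserName` (confirm against the event schema). The same applies to every other `select ... | group ...` hunk in this diff (win_susp_failed_logons_single_process, _single_source, _single_source_kerberos, _kerberos2, _kerberos3, _ntlm2 and win_susp_failed_remote_logons_single_source).
```powershell
Get-WinEvent -LogName Security | where {($_.ID -eq "4648") } |
  foreach {
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [PSCustomObject]@{ ComputerName = $_.MachineName; AccountName = $data['TargetUserName'] }
  } |
  group ComputerName |
  foreach { [PSCustomObject]@{'ComputerName'=$_.name;'Count'=($_.group.AccountName | sort -u).count} } |
  sort count -desc | where { $_.count -gt 10 }
```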
+++ b/Rules/sigma_tmp/win_susp_failed_logons_single_process.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "4625" -and $_.message -match "LogonType.*2") -and -not ($_.message -match "ProcessName.*-")) } | select ProcessName, TargetUserName | group ProcessName | foreach { [PSCustomObject]@{'ProcessName'=$_.name;'Count'=($_.group.TargetUserName | sort -u).count} } | sort count -desc | where { $_.count -gt 10 }
diff --git a/Rules/sigma_tmp/win_susp_failed_logons_single_source.ps1 b/Rules/sigma_tmp/win_susp_failed_logons_single_source.ps1
new file mode 100644
index 00000000..d20f8555
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_failed_logons_single_source.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "529" -or $_.ID -eq "4625") -and $_.message -match "TargetUserName.*.*" -and $_.message -match "WorkstationName.*.*") } | select WorkstationName, TargetUserName | group WorkstationName | foreach { [PSCustomObject]@{'WorkstationName'=$_.name;'Count'=($_.group.TargetUserName | sort -u).count} } | sort count -desc | where { $_.count -gt 3 }
diff --git a/Rules/sigma_tmp/win_susp_failed_logons_single_source_kerberos.ps1 b/Rules/sigma_tmp/win_susp_failed_logons_single_source_kerberos.ps1
new file mode 100644
index 00000000..14bdd92d
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_failed_logons_single_source_kerberos.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "4771" -and $_.message -match "Status.*0x18") -and -not ($_.message -match "TargetUserName.*.*$")) } | select IpAddress, TargetUserName | group IpAddress | foreach { [PSCustomObject]@{'IpAddress'=$_.name;'Count'=($_.group.TargetUserName | sort -u).count} } | sort count -desc | where { $_.count -gt 10 }
diff --git a/Rules/sigma_tmp/win_susp_failed_logons_single_source_kerberos2.ps1 b/Rules/sigma_tmp/win_susp_failed_logons_single_source_kerberos2.ps1
new file mode 100644
index 00000000..45a9b157
--- /dev/null
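Review bot: In `-not ($_.message -match "TargetUserName.*.*$")` of win_susp_failed_logons_single_source_kerberos the `$` is the regex end-of-input anchor, not a literal, so the exclusion does not test for the trailing `$` that marks a machine account: it matches nothing, or, when the name happens to sit on the last line of the message, excludes every account. Escape it (backslash is literal inside a PowerShell string): `-not ($_.message -match "TargetUserName.*\$")`, and use `(?m)` plus `\$\s*$` if the field is not the last line. win_susp_failed_logons_single_source_kerberos2, _kerberos3 and _ntlm2 carry the same pattern.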
+++ b/Rules/sigma_tmp/win_susp_failed_logons_single_source_kerberos2.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "4768" -and $_.message -match "Status.*0x12") -and -not ($_.message -match "TargetUserName.*.*$")) } | select IpAddress, TargetUserName | group IpAddress | foreach { [PSCustomObject]@{'IpAddress'=$_.name;'Count'=($_.group.TargetUserName | sort -u).count} } | sort count -desc | where { $_.count -gt 10 }
diff --git a/Rules/sigma_tmp/win_susp_failed_logons_single_source_kerberos3.ps1 b/Rules/sigma_tmp/win_susp_failed_logons_single_source_kerberos3.ps1
new file mode 100644
index 00000000..b427247a
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_failed_logons_single_source_kerberos3.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "4768" -and $_.message -match "Status.*0x6") -and -not ($_.message -match "TargetUserName.*.*$")) } | select IpAddress, TargetUserName | group IpAddress | foreach { [PSCustomObject]@{'IpAddress'=$_.name;'Count'=($_.group.TargetUserName | sort -u).count} } | sort count -desc | where { $_.count -gt 10 }
diff --git a/Rules/sigma_tmp/win_susp_failed_logons_single_source_ntlm2.ps1 b/Rules/sigma_tmp/win_susp_failed_logons_single_source_ntlm2.ps1
new file mode 100644
index 00000000..361ae89f
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_failed_logons_single_source_ntlm2.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "4776" -and $_.message -match "Status.*.*0xC0000064") -and -not ($_.message -match "TargetUserName.*.*$")) } | select Workstation, TargetUserName | group Workstation | foreach { [PSCustomObject]@{'Workstation'=$_.name;'Count'=($_.group.TargetUserName | sort -u).count} } | sort count -desc | where { $_.count -gt 10 }
diff --git a/Rules/sigma_tmp/win_susp_failed_remote_logons_single_source.ps1 b/Rules/sigma_tmp/win_susp_failed_remote_logons_single_source.ps1
new file mode 100644
index 00000000..8cb37d2c
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_failed_remote_logons_single_source.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "4625" -and $_.message -match "LogonType.*3") -and -not ($_.message -match "IpAddress.*-")) } | select IpAddress, TargetUserName | group IpAddress | foreach { [PSCustomObject]@{'IpAddress'=$_.name;'Count'=($_.group.TargetUserName | sort -u).count} } | sort count -desc | where { $_.count -gt 10 }
diff --git a/Rules/sigma_tmp/win_susp_file_characteristics.ps1 b/Rules/sigma_tmp/win_susp_file_characteristics.ps1
new file mode 100644
index 00000000..78aed666
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_file_characteristics.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Description.*\?" -and ($_.message -match "FileVersion.*\?" -or $_.message -match "Product.*\?" -or $_.message -match "Company.*\?") -and $_.message -match "Image.*.*\\Downloads\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_file_download_via_gfxdownloadwrapper.ps1 b/Rules/sigma_tmp/win_susp_file_download_via_gfxdownloadwrapper.ps1
new file mode 100644
index 00000000..aa102e96
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_file_download_via_gfxdownloadwrapper.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\GfxDownloadWrapper.exe" -and -not ($_.message -match "CommandLine.*.*gameplayapi.intel.com.*")) -and -not ($_.message -match "ParentImage.*.*\\GfxDownloadWrapper.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_findstr.ps1 b/Rules/sigma_tmp/win_susp_findstr.ps1
new file mode 100644
index 00000000..409ae5c3
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_findstr.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*findstr.*") -and ($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*/V.*" -and $_.message -match "CommandLine.*.*/L.*") -or ($_.message -match "CommandLine.*.*/S.*" -and $_.message -match "CommandLine.*.*/I.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_findstr_lnk.ps1 b/Rules/sigma_tmp/win_susp_findstr_lnk.ps1
new file mode 100644
index 00000000..07bc724a
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_findstr_lnk.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\findstr.exe" -and $_.message -match "CommandLine.*.*.lnk") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_finger_usage.ps1 b/Rules/sigma_tmp/win_susp_finger_usage.ps1
new file mode 100644
index 00000000..8dd5812c
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_finger_usage.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\finger.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_firewall_disable.ps1 b/Rules/sigma_tmp/win_susp_firewall_disable.ps1
new file mode 100644
index 00000000..cbc3879d
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_firewall_disable.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "netsh firewall set opmode mode=disable" -or $_.message -match "CommandLine.*netsh advfirewall set .* state off")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_fsutil_usage.ps1 b/Rules/sigma_tmp/win_susp_fsutil_usage.ps1
new file mode 100644
index 00000000..20a1d313
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_fsutil_usage.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.ID -eq "1") -and ($_.message -match "Image.*.*\\fsutil.exe" -or $_.message -match "OriginalFileName.*fsutil.exe") -and ($_.message -match "CommandLine.*.*deletejournal.*" -or $_.message -match "CommandLine.*.*createjournal.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_ftp.ps1 b/Rules/sigma_tmp/win_susp_ftp.ps1
new file mode 100644
index 00000000..5a0e5cf4
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_ftp.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.ID -eq "1" -and $_.message -match "CommandLine.*.*-s:.*" -and ($_.message -match "Image.*.*ftp.exe" -or $_.message -match "OriginalFileName.*.*ftp.exe.*")) -or (($_.ID -eq "1") -and $_.message -match "OriginalFileName.*.*ftp.exe.*" -and -not ($_.message -match "Image.*.*ftp.exe")) -or $_.message -match "ParentImage.*.*ftp.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_gup.ps1 b/Rules/sigma_tmp/win_susp_gup.ps1
new file mode 100644
index 00000000..62fc8c79
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_gup.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and $_.message -match "Image.*.*\\GUP.exe" -and -not (($_.message -match "Image.*.*\\Users\\.*\\AppData\\Local\\Notepad\+\+\\updater\\GUP.exe" -or $_.message -match "Image.*.*\\Users\\.*\\AppData\\Roaming\\Notepad\+\+\\updater\\GUP.exe" -or $_.message -match "Image.*.*\\Program Files\\Notepad\+\+\\updater\\GUP.exe" -or $_.message -match "Image.*.*\\Program Files (x86)\\Notepad\+\+\\updater\\GUP.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
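Review bot: In the win_susp_gup exclusion `Image.*.*\\Program Files (x86)\\Notepad\+\+\\updater\\GUP.exe` the parentheses form a regex group, so the pattern matches `Program Files x86\...` and never the real `Program Files (x86)` directory; the legitimate 32-bit Notepad++ updater therefore always alerts. Escape them the way the `+` signs already are: `$_.message -match "Image.*\\Program Files \(x86\)\\Notepad\+\+\\updater\\GUP\.exe"`.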
diff --git a/Rules/sigma_tmp/win_susp_interactive_logons.ps1 b/Rules/sigma_tmp/win_susp_interactive_logons.ps1
new file mode 100644
index 00000000..555e7365
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_interactive_logons.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {((($_.ID -eq "528" -or $_.ID -eq "529" -or $_.ID -eq "4624" -or $_.ID -eq "4625") -and $_.message -match "LogonType.*2" -and ($_.message -match "%ServerSystems%" -or $_.message -match "%DomainControllers%")) -and -not ($_.message -match "LogonProcessName.*Advapi" -and $_.message -match "ComputerName.*%Workstations%")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_iss_module_install.ps1 b/Rules/sigma_tmp/win_susp_iss_module_install.ps1
new file mode 100644
index 00000000..5d23fbc7
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_iss_module_install.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\appcmd.exe" -and $_.message -match "CommandLine.*.*install.*" -and $_.message -match "CommandLine.*.*module.*" -and $_.message -match "CommandLine.*.*/name:.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_kerberos_manipulation.ps1 b/Rules/sigma_tmp/win_susp_kerberos_manipulation.ps1
new file mode 100644
index 00000000..13093582
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_kerberos_manipulation.ps1
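Review bot: `%ServerSystems%`, `%DomainControllers%` and `%Workstations%` in win_susp_interactive_logons are unresolved Sigma placeholders; used as regexes against `$_.message` they match only that literal text, so the hunk can never fire and the `ComputerName.*%Workstations%` exclusion never excludes. They need to be replaced with the site's host-name patterns before the file is usable, e.g. a list turned into an alternation (`$servers = 'SRV01|SRV02'`, constructed) tested with `$_.MachineName -match $servers`, or the file should be marked as a template that is not meant to run as committed.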
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "675" -or $_.ID -eq "4768" -or $_.ID -eq "4769" -or $_.ID -eq "4771") -and ($_.message -match "0x9" -or $_.message -match "0xA" -or $_.message -match "0xB" -or $_.message -match "0xF" -or $_.message -match "0x10" -or $_.message -match "0x11" -or $_.message -match "0x13" -or $_.message -match "0x14" -or $_.message -match "0x1A" -or $_.message -match "0x1F" -or $_.message -match "0x21" -or $_.message -match "0x22" -or $_.message -match "0x23" -or $_.message -match "0x24" -or $_.message -match "0x26" -or $_.message -match "0x27" -or $_.message -match "0x28" -or $_.message -match "0x29" -or $_.message -match "0x2C" -or $_.message -match "0x2D" -or $_.message -match "0x2E" -or $_.message -match "0x2F" -or $_.message -match "0x31" -or $_.message -match "0x32" -or $_.message -match "0x3E" -or $_.message -match "0x3F" -or $_.message -match "0x40" -or $_.message -match "0x41" -or $_.message -match "0x43" -or $_.message -match "0x44")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_ldap_dataexchange.ps1 b/Rules/sigma_tmp/win_susp_ldap_dataexchange.ps1
new file mode 100644
index 00000000..62726d7a
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_ldap_dataexchange.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "5136" -and $_.message -match "AttributeValue.*.*" -and ($_.message -match "primaryInternationalISDNNumber" -or $_.message -match "otherFacsimileTelephoneNumber" -or $_.message -match "primaryTelexNumber")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_local_anon_logon_created.ps1 b/Rules/sigma_tmp/win_susp_local_anon_logon_created.ps1
new file mode 100644
index 00000000..5cdc0f3a
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_local_anon_logon_created.ps1
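Review bot: The failure-code tests in win_susp_kerberos_manipulation are bare substrings (`0x9`, `0x10`, `0x40`, …) over the whole message, so they also hit the other hexadecimal fields of 4768/4769/4771; a `Ticket Options:` value such as `0x40810010` contains `0x40` and `0x10`, which would make the rule fire on routine TGT/TGS requests. Bind each code to its field and terminate it so `0x40` cannot match inside a longer number: `$_.message -match "Code:\s*0x40\b"` (the label is `Result Code:` on 4768/4769 and `Failure Code:` on 4771 — confirm against the template), or read the `Status` element from `[xml]$_.ToXml()` and compare it with `-in` against the list.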
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "4720" -and $_.message -match "SamAccountName.*.*ANONYMOUS.*" -and $_.message -match "SamAccountName.*.*LOGON.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_logon_explicit_credentials.ps1 b/Rules/sigma_tmp/win_susp_logon_explicit_credentials.ps1
new file mode 100644
index 00000000..73eee075
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_logon_explicit_credentials.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "4648" -and ($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\pwsh.exe" -or $_.message -match "Image.*.*\\winrs.exe" -or $_.message -match "Image.*.*\\wmic.exe" -or $_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe" -or $_.message -match "Image.*.*\\reg.exe")) -and -not ($_.message -match "TargetServerName.*localhost")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_lsass_dump.ps1 b/Rules/sigma_tmp/win_susp_lsass_dump.ps1
new file mode 100644
index 00000000..eca58804
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_lsass_dump.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "4656" -and $_.message -match "ProcessName.*.*\\lsass.exe" -and $_.message -match "AccessMask.*0x705" -and $_.message -match "ObjectType.*SAM_DOMAIN") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_lsass_dump_generic.ps1 b/Rules/sigma_tmp/win_susp_lsass_dump_generic.ps1
new file mode 100644
index 00000000..a8626e7b
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_lsass_dump_generic.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {((($_.ID -eq "4656" -and $_.message -match "ObjectName.*.*\\lsass.exe" -and ($_.message -match "AccessMask.*.*0x40.*" -or $_.message -match "AccessMask.*.*0x1400.*" -or $_.message -match "AccessMask.*.*0x1000.*" -or $_.message -match "AccessMask.*.*0x100000.*" -or $_.message -match "AccessMask.*.*0x1410.*" -or $_.message -match "AccessMask.*.*0x1010.*" -or $_.message -match "AccessMask.*.*0x1438.*" -or $_.message -match "AccessMask.*.*0x143a.*" -or $_.message -match "AccessMask.*.*0x1418.*" -or $_.message -match "AccessMask.*.*0x1f0fff.*" -or $_.message -match "AccessMask.*.*0x1f1fff.*" -or $_.message -match "AccessMask.*.*0x1f2fff.*" -or $_.message -match "AccessMask.*.*0x1f3fff.*")) -or ((($_.ID -eq "4663" -and $_.message -match "ObjectName.*.*\\lsass.exe" -and ($_.message -match "AccessList.*.*4484.*" -or $_.message -match "AccessList.*.*4416.*")) -and -not (($_.message -match "ProcessName.*.*\\wmiprvse.exe" -or $_.message -match "ProcessName.*.*\\taskmgr.exe" -or $_.message -match "ProcessName.*.*\\procexp64.exe" -or $_.message -match "ProcessName.*.*\\procexp.exe" -or $_.message -match "ProcessName.*.*\\lsm.exe" -or $_.message -match "ProcessName.*.*\\csrss.exe" -or $_.message -match "ProcessName.*.*\\wininit.exe" -or $_.message -match "ProcessName.*.*\\vmtoolsd.exe" -or $_.message -match "ProcessName.*.*\\minionhost.exe" -or $_.message -match "ProcessName.*.*\\VsTskMgr.exe" -or $_.message -match "ProcessName.*.*\\thor64.exe") -and ($_.message -match "ProcessName.*C:\\Windows\\System32\\.*" -or $_.message -match "ProcessName.*C:\\Windows\\SysWow64\\.*" -or $_.message -match "ProcessName.*C:\\Windows\\SysNative\\.*" -or $_.message -match "ProcessName.*C:\\Program Files\\.*" -or $_.message -match "ProcessName.*C:\\Windows\\Temp\\asgard2-agent\\.*"))) -and -not (($_.message -match "ProcessName.*C:\\Program Files.*"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_mounted_share_deletion.ps1 b/Rules/sigma_tmp/win_susp_mounted_share_deletion.ps1
new file mode 100644
index 00000000..011b6e75
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_mounted_share_deletion.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\net.exe" -and $_.message -match "Image.*.*\\net1.exe" -and $_.message -match "CommandLine.*.*share.*" -and $_.message -match "CommandLine.*.*/delete.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_mpcmdrun_download.ps1 b/Rules/sigma_tmp/win_susp_mpcmdrun_download.ps1
new file mode 100644
index 00000000..55b8ae31
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_mpcmdrun_download.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*MpCmdRun.exe.*" -or $_.message -match "Description.*Microsoft Malware Protection Command Line Utility") -and ($_.message -match "CommandLine.*.*DownloadFile.*" -and $_.message -match "CommandLine.*.*url.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_mshta_execution.ps1 b/Rules/sigma_tmp/win_susp_mshta_execution.ps1
new file mode 100644
index 00000000..6251a115
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_mshta_execution.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\mshta.exe" -and ($_.message -match "CommandLine.*.*vbscript.*" -or $_.message -match "CommandLine.*.*.jpg.*" -or $_.message -match "CommandLine.*.*.png.*" -or $_.message -match "CommandLine.*.*.lnk.*" -or $_.message -match "CommandLine.*.*.xls.*" -or $_.message -match "CommandLine.*.*.doc.*" -or $_.message -match "CommandLine.*.*.zip.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_mshta_pattern.ps1 b/Rules/sigma_tmp/win_susp_mshta_pattern.ps1
new file mode 100644
index 00000000..d4f78154
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_mshta_pattern.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\mhsta.exe" -and (((($_.ID -eq "1") -and (($_.message -match "ParentImage.*.*\\cmd.exe" -or $_.message -match "ParentImage.*.*\\powershell.exe") -or ($_.message -match "CommandLine.*.*\\AppData\\Local.*" -or $_.message -match "CommandLine.*.*C:\\Windows\\Temp.*" -or $_.message -match "CommandLine.*.*C:\\Users\\Public.*"))) -or (($_.ID -eq "1") -and -not (($_.message -match "Image.*.*C:\\Windows\\System32.*" -or $_.message -match "Image.*.*C:\\Windows\\SysWOW64.*")))) -or (($_.ID -eq "1") -and -not (($_.message -match "CommandLine.*.*.htm.*" -or $_.message -match "CommandLine.*.*.hta.*") -and ($_.message -match "CommandLine.*.*mshta.exe" -or $_.message -match "CommandLine.*.*mshta"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_msiexec_cwd.ps1 b/Rules/sigma_tmp/win_susp_msiexec_cwd.ps1
new file mode 100644
index 00000000..e9d740d4
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_msiexec_cwd.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and $_.message -match "Image.*.*\\msiexec.exe" -and -not (($_.message -match "Image.*C:\\Windows\\System32\\.*" -or $_.message -match "Image.*C:\\Windows\\SysWOW64\\.*" -or $_.message -match "Image.*C:\\Windows\\WinSxS\\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_msiexec_web_install.ps1 b/Rules/sigma_tmp/win_susp_msiexec_web_install.ps1
new file mode 100644
index 00000000..c1ca24d8
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_msiexec_web_install.ps1
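Review bot: The image filter in win_susp_mshta_pattern.ps1 is spelled `Image.*.*\\mhsta.exe`, so it can never match a real `\mshta.exe` image and, because it is `-and`-ed with everything else, the whole rule is dead; the command-line alternatives later in the same expression spell `mshta` correctly, which confirms the typo. Change it to `$_.message -match "Image.*.*\\mshta.exe"`. The `($_.ID -eq "1")` test is repeated four times inside an expression already guarded by it; dropping the inner copies would make the three detection branches readable.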
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.* msiexec.*" -and $_.message -match "CommandLine.*.*://.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_msmpeng_crash.ps1 b/Rules/sigma_tmp/win_susp_msmpeng_crash.ps1
new file mode 100644
index 00000000..b9790937
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_msmpeng_crash.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Application | where {((($_.message -match "Source.*Application Error" -and $_.ID -eq "1000") -or ($_.message -match "Source.*Windows Error Reporting" -and $_.ID -eq "1001")) -and ($_.message -match ".*MsMpEng.exe.*" -or $_.message -match ".*mpengine.dll.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_msoffice.ps1 b/Rules/sigma_tmp/win_susp_msoffice.ps1
new file mode 100644
index 00000000..fa85deea
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_msoffice.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\powerpnt.exe" -or $_.message -match "Image.*.*\\winword.exe" -or $_.message -match "Image.*.*\\excel.exe") -and $_.message -match "CommandLine.*.*http.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_multiple_files_renamed_or_deleted.ps1 b/Rules/sigma_tmp/win_susp_multiple_files_renamed_or_deleted.ps1
new file mode 100644
index 00000000..a9f255bb
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_multiple_files_renamed_or_deleted.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "4663" -and $_.message -match "ObjectType.*File" -and $_.message -match "AccessList.*%%1537" -and $_.message -match "Keywords.*0x8020000000000000") } | group-object SubjectLogonId | where { $_.count -gt 10 } | select name,count | sort -desc
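Review bot: `$_.message -match "Source.*Application Error"` (and the `Windows Error Reporting` branch beside it) in win_susp_msmpeng_crash.ps1 looks for a `Source` label inside the rendered message text, but the event source is not part of `Message` as far as I know — Get-WinEvent exposes it as the `ProviderName` property — so this condition is unlikely ever to be true and the rule would never fire. Compare the property instead: `($_.ProviderName -eq "Application Error" -and $_.ID -eq "1000") -or ($_.ProviderName -eq "Windows Error Reporting" -and $_.ID -eq "1001")`. The same record-property-in-message pattern appears as `Keywords.*0x8020000000000000` in win_susp_multiple_files_renamed_or_deleted.ps1 on this line, where `$_.Keywords` is the thing to test.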
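Review bot: `group-object SubjectLogonId` in win_susp_multiple_files_renamed_or_deleted.ps1 groups on a property the EventLogRecord objects coming out of `where` do not have (the logon id only exists inside the message text), so every matching event collapses into a single group and the `$_.count -gt 10` threshold no longer measures per-session activity. Extract the value before grouping, e.g. `select @{n='SubjectLogonId';e={[regex]::Match($_.Message,'Logon ID:\s+(0x[0-9A-Fa-f]+)').Groups[1].Value}} | group-object SubjectLogonId` (constructed; the label should be checked against a real 4663 message), or pull it from `$_.Properties`. `sort -desc` with no property does not order the groups by count; `sort count -desc` is what is intended.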
diff --git a/Rules/sigma_tmp/win_susp_net_execution.ps1 b/Rules/sigma_tmp/win_susp_net_execution.ps1
new file mode 100644
index 00000000..365163ef
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_net_execution.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and ($_.message -match "CommandLine.*.* group.*" -or $_.message -match "CommandLine.*.* localgroup.*" -or $_.message -match "CommandLine.*.* user.*" -or $_.message -match "CommandLine.*.* view.*" -or $_.message -match "CommandLine.*.* share.*" -or $_.message -match "CommandLine.*.* accounts.*" -or $_.message -match "CommandLine.*.* stop .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_net_recon_activity.ps1 b/Rules/sigma_tmp/win_susp_net_recon_activity.ps1
new file mode 100644
index 00000000..f8167f4a
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_net_recon_activity.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "4661" -and ($_.message -match "SAM_USER" -or $_.message -match "SAM_GROUP") -and $_.message -match "ObjectName.*S-1-5-21-.*" -and $_.message -match "AccessMask.*0x2d" -and ($_.message -match "ObjectName.*.*-500" -or $_.message -match "ObjectName.*.*-512")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_netsh_dll_persistence.ps1 b/Rules/sigma_tmp/win_susp_netsh_dll_persistence.ps1
new file mode 100644
index 00000000..31dee676
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_netsh_dll_persistence.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\netsh.exe" -and $_.message -match "CommandLine.*.*add.*" -and $_.message -match "CommandLine.*.*helper.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_ngrok_pua.ps1 b/Rules/sigma_tmp/win_susp_ngrok_pua.ps1
new file mode 100644
index 00000000..0dd335d9
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_ngrok_pua.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.* tcp 139.*" -or $_.message -match "CommandLine.*.* tcp 445.*" -or $_.message -match "CommandLine.*.* tcp 3389.*" -or $_.message -match "CommandLine.*.* tcp 5985.*" -or $_.message -match "CommandLine.*.* tcp 5986.*") -or ($_.message -match "CommandLine.*.* start .*" -and $_.message -match "CommandLine.*.*--all.*" -and $_.message -match "CommandLine.*.*--config.*" -and $_.message -match "CommandLine.*.*.yml.*") -or (($_.message -match "Image.*.*ngrok.exe") -and ($_.message -match "CommandLine.*.* tcp .*" -or $_.message -match "CommandLine.*.* http .*" -or $_.message -match "CommandLine.*.* authtoken .*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_ntdsutil.ps1 b/Rules/sigma_tmp/win_susp_ntdsutil.ps1
new file mode 100644
index 00000000..435a2312
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_ntdsutil.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\ntdsutil.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_ntlm_auth.ps1 b/Rules/sigma_tmp/win_susp_ntlm_auth.ps1
new file mode 100644
index 00000000..b9e0e0fe
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_ntlm_auth.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-NTLM/Operational | where {($_.ID -eq "8002" -and $_.message -match "CallingProcessName.*.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_ntlm_rdp.ps1 b/Rules/sigma_tmp/win_susp_ntlm_rdp.ps1
new file mode 100644
index 00000000..03cff7f5
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_ntlm_rdp.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-NTLM/Operational | where {($_.ID -eq "8001" -and $_.message -match "TargetName.*TERMSRV.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_odbcconf.ps1 b/Rules/sigma_tmp/win_susp_odbcconf.ps1
new file mode 100644
index 00000000..9c481e32
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_odbcconf.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\odbcconf.exe" -and ($_.message -match "CommandLine.*.*-f.*" -or $_.message -match "CommandLine.*.*regsvr.*")) -or ($_.message -match "ParentImage.*.*\\odbcconf.exe" -and $_.message -match "Image.*.*\\rundll32.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_openwith.ps1 b/Rules/sigma_tmp/win_susp_openwith.ps1
new file mode 100644
index 00000000..4feeaacf
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_openwith.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\OpenWith.exe" -and $_.message -match "CommandLine.*.*/c.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_outlook.ps1 b/Rules/sigma_tmp/win_susp_outlook.ps1
new file mode 100644
index 00000000..610f1d0e
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_outlook.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*EnableUnsafeClientMailRules.*" -or ($_.message -match "ParentImage.*.*\\outlook.exe" -and $_.message -match "CommandLine.*.*\\\\\.*" -and $_.message -match "CommandLine.*.*\\\.*" -and $_.message -match "CommandLine.*.*.exe.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_outlook_temp.ps1 b/Rules/sigma_tmp/win_susp_outlook_temp.ps1
new file mode 100644
index 00000000..33e76747
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_outlook_temp.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\Temporary Internet Files\\Content.Outlook\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_pcwutl.ps1 b/Rules/sigma_tmp/win_susp_pcwutl.ps1
new file mode 100644
index 00000000..3d24a00d
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_pcwutl.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\rundll32.exe" -and $_.message -match "CommandLine.*.*pcwutl.*" -and $_.message -match "CommandLine.*.*LaunchApplication.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_pester.ps1 b/Rules/sigma_tmp/win_susp_pester.ps1
new file mode 100644
index 00000000..c5879d52
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_pester.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\powershell.exe" -and $_.message -match "CommandLine.*.*Pester.*" -and $_.message -match "CommandLine.*.*Get-Help.*") -or ($_.ID -eq "1" -and $_.message -match "Image.*.*\\cmd.exe" -and $_.message -match "CommandLine.*.*pester.*" -and $_.message -match "CommandLine.*.*;.*" -and ($_.message -match "CommandLine.*.*help.*" -or $_.message -match "CommandLine.*.*?.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_ping_hex_ip.ps1 b/Rules/sigma_tmp/win_susp_ping_hex_ip.ps1
new file mode 100644
index 00000000..e81f4048
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_ping_hex_ip.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\ping.exe" -and $_.message -match "CommandLine.*.*0x.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_powershell_empire_launch.ps1 b/Rules/sigma_tmp/win_susp_powershell_empire_launch.ps1
new file mode 100644
index 00000000..9a547d5a
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_powershell_empire_launch.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* -NoP -sta -NonI -W Hidden -Enc .*" -or $_.message -match "CommandLine.*.* -noP -sta -w 1 -enc .*" -or $_.message -match "CommandLine.*.* -NoP -NonI -W Hidden -enc .*" -or $_.message -match "CommandLine.*.* -noP -sta -w 1 -enc.*" -or $_.message -match "CommandLine.*.* -enc SQB.*" -or $_.message -match "CommandLine.*.* -nop -exec bypass -EncodedCommand .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_powershell_empire_uac_bypass.ps1 b/Rules/sigma_tmp/win_susp_powershell_empire_uac_bypass.ps1
new file mode 100644
index 00000000..671b5e7d
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_powershell_empire_uac_bypass.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update).*" -or $_.message -match "CommandLine.*.* -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_powershell_enc_cmd.ps1 b/Rules/sigma_tmp/win_susp_powershell_enc_cmd.ps1
new file mode 100644
index 00000000..61e7c27e
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_powershell_enc_cmd.ps1
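Review bot: Both patterns in win_susp_powershell_empire_uac_bypass.ps1 are double-quoted, so PowerShell interpolates them before `-match` runs: `$x` expands to an empty string and `$((gp HKCU:Software\\Microsoft\\Windows Update).Update)` is a subexpression that actually executes `Get-ItemProperty` against the registry of the machine running the script and splices whatever comes back into the regex. The pattern therefore no longer contains the literal text the rule is meant to find, and the detection script runs the very command it is supposed to look for. Keep the text literal with single quotes and escape the regex metacharacters, e.g. `$_.message -match 'CommandLine.*.* -NoP -NonI -w Hidden -c \$x=\$\(\(gp HKCU:Software\\Microsoft\\Windows Update\)\.Update\).*'` (and the `;` variant likewise). win_susp_powershell_sam_access.ps1 further down has the same interpolation bug: in `"CommandLine.*.*cp $_..*"`, `"cpi $_..*"` and `"copy $_..*"` the `$_` expands to the current event record's string form, so those three alternatives can never match.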
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.ID -eq "1") -and (($_.ID -eq "1" -and $_.message -match "CommandLine.*.* -e.*" -and $_.message -match "CommandLine.*.* JAB.*" -and $_.message -match "CommandLine.*.* -w.*" -and $_.message -match "CommandLine.*.* hidden .*") -or ($_.ID -eq "1" -and $_.message -match "CommandLine.*.* -e.*" -and ($_.message -match "CommandLine.*.* BA^J.*" -or $_.message -match "CommandLine.*.* SUVYI.*" -or $_.message -match "CommandLine.*.* SQBFAFgA.*" -or $_.message -match "CommandLine.*.* aQBlAHgA.*" -or $_.message -match "CommandLine.*.* aWV4I.*" -or $_.message -match "CommandLine.*.* IAA.*" -or $_.message -match "CommandLine.*.* IAB.*" -or $_.message -match "CommandLine.*.* UwB.*" -or $_.message -match "CommandLine.*.* cwB.*")) -or ($_.message -match "CommandLine.*.*.exe -ENCOD .*"))) -and -not ($_.message -match "CommandLine.*.* -ExecutionPolicy.*" -and $_.message -match "CommandLine.*.*remotesigned .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_powershell_encoded_param.ps1 b/Rules/sigma_tmp/win_susp_powershell_encoded_param.ps1
new file mode 100644
index 00000000..f6bff583
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_powershell_encoded_param.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*(WCHAR)0x.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_powershell_getprocess_lsass.ps1 b/Rules/sigma_tmp/win_susp_powershell_getprocess_lsass.ps1
new file mode 100644
index 00000000..e12c7076
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_powershell_getprocess_lsass.ps1
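Review bot: `"CommandLine.*.* BA^J.*"` in win_susp_powershell_enc_cmd.ps1 leaves `^` unescaped, and the regex engine reads it as a start-of-line anchor, so this alternative can never match a command line that literally contains `BA^J`. Escape it: `$_.message -match "CommandLine.*.* BA\^J.*"`. Also in this hunk `($_.ID -eq "1")` is tested at three nested levels of the same expression; one outer check would do and would make the encoded-command branches easier to read. The `(WCHAR)0x` pattern in win_susp_powershell_encoded_param.ps1 on the same line has the mirror problem — its unescaped parentheses form a capture group, so the regex matches `WCHAR0x` rather than `(WCHAR)0x`, and needs `\(WCHAR\)0x`.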
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*Get-Process lsass.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_powershell_hidden_b64_cmd.ps1 b/Rules/sigma_tmp/win_susp_powershell_hidden_b64_cmd.ps1
new file mode 100644
index 00000000..a4cd04f4
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_powershell_hidden_b64_cmd.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\powershell.exe" -and $_.message -match "CommandLine.*.* hidden .*" -and ($_.message -match "CommandLine.*.*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA.*" -or $_.message -match "CommandLine.*.*aXRzYWRtaW4gL3RyYW5zZmVy.*" -or $_.message -match "CommandLine.*.*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA.*" -or $_.message -match "CommandLine.*.*JpdHNhZG1pbiAvdHJhbnNmZX.*" -or $_.message -match "CommandLine.*.*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg.*" -or $_.message -match "CommandLine.*.*Yml0c2FkbWluIC90cmFuc2Zlc.*" -or $_.message -match "CommandLine.*.*AGMAaAB1AG4AawBfAHMAaQB6AGUA.*" -or $_.message -match "CommandLine.*.*JABjAGgAdQBuAGsAXwBzAGkAegBlA.*" -or $_.message -match "CommandLine.*.*JGNodW5rX3Npem.*" -or $_.message -match "CommandLine.*.*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ.*" -or $_.message -match "CommandLine.*.*RjaHVua19zaXpl.*" -or $_.message -match "CommandLine.*.*Y2h1bmtfc2l6Z.*" -or $_.message -match "CommandLine.*.*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A.*" -or $_.message -match "CommandLine.*.*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg.*" -or $_.message -match "CommandLine.*.*lPLkNvbXByZXNzaW9u.*" -or $_.message -match "CommandLine.*.*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA.*" -or $_.message -match "CommandLine.*.*SU8uQ29tcHJlc3Npb2.*" -or $_.message -match "CommandLine.*.*Ty5Db21wcmVzc2lvb.*" -or $_.message -match "CommandLine.*.*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ.*" -or $_.message -match "CommandLine.*.*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA.*" -or $_.message -match "CommandLine.*.*lPLk1lbW9yeVN0cmVhb.*" -or $_.message -match "CommandLine.*.*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A.*" -or $_.message -match "CommandLine.*.*SU8uTWVtb3J5U3RyZWFt.*" -or $_.message -match "CommandLine.*.*Ty5NZW1vcnlTdHJlYW.*" -or $_.message -match "CommandLine.*.*4ARwBlAHQAQwBoAHUAbgBrA.*" -or $_.message -match "CommandLine.*.*5HZXRDaHVua.*" -or $_.message -match "CommandLine.*.*AEcAZQB0AEMAaAB1AG4Aaw.*" -or $_.message -match "CommandLine.*.*LgBHAGUAdABDAGgAdQBuAGsA.*" -or $_.message -match "CommandLine.*.*LkdldENodW5r.*" -or $_.message -match "CommandLine.*.*R2V0Q2h1bm.*" -or $_.message -match "CommandLine.*.*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A.*" -or $_.message -match "CommandLine.*.*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA.*" -or $_.message -match "CommandLine.*.*RIUkVBRF9JTkZPNj.*" -or $_.message -match "CommandLine.*.*SFJFQURfSU5GTzY0.*" -or $_.message -match "CommandLine.*.*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA.*" -or $_.message -match "CommandLine.*.*VEhSRUFEX0lORk82N.*" -or $_.message -match "CommandLine.*.*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA.*" -or $_.message -match "CommandLine.*.*cmVhdGVSZW1vdGVUaHJlYW.*" -or $_.message -match "CommandLine.*.*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA.*" -or $_.message -match "CommandLine.*.*NyZWF0ZVJlbW90ZVRocmVhZ.*" -or $_.message -match "CommandLine.*.*Q3JlYXRlUmVtb3RlVGhyZWFk.*" -or $_.message -match "CommandLine.*.*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA.*" -or $_.message -match "CommandLine.*.*0AZQBtAG0AbwB2AGUA.*" -or $_.message -match "CommandLine.*.*1lbW1vdm.*" -or $_.message -match "CommandLine.*.*AGUAbQBtAG8AdgBlA.*" -or $_.message -match "CommandLine.*.*bQBlAG0AbQBvAHYAZQ.*" -or $_.message -match "CommandLine.*.*bWVtbW92Z.*" -or $_.message -match "CommandLine.*.*ZW1tb3Zl.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_powershell_parent_combo.ps1 b/Rules/sigma_tmp/win_susp_powershell_parent_combo.ps1
new file mode 100644
index 00000000..5645020f
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_powershell_parent_combo.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "ParentImage.*.*\\wscript.exe" -or $_.message -match "ParentImage.*.*\\cscript.exe") -and $_.message -match "Image.*.*\\powershell.exe") -and -not ($_.message -match "CurrentDirectory.*.*\\Health Service State\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_powershell_parent_process.ps1 b/Rules/sigma_tmp/win_susp_powershell_parent_process.ps1
new file mode 100644
index 00000000..5379d8e5
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_powershell_parent_process.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "ParentImage.*.*\\mshta.exe" -or $_.message -match "ParentImage.*.*\\rundll32.exe" -or $_.message -match "ParentImage.*.*\\regsvr32.exe" -or $_.message -match "ParentImage.*.*\\services.exe" -or $_.message -match "ParentImage.*.*\\winword.exe" -or $_.message -match "ParentImage.*.*\\wmiprvse.exe" -or $_.message -match "ParentImage.*.*\\powerpnt.exe" -or $_.message -match "ParentImage.*.*\\excel.exe" -or $_.message -match "ParentImage.*.*\\msaccess.exe" -or $_.message -match "ParentImage.*.*\\mspub.exe" -or $_.message -match "ParentImage.*.*\\visio.exe" -or $_.message -match "ParentImage.*.*\\outlook.exe" -or $_.message -match "ParentImage.*.*\\amigo.exe" -or $_.message -match "ParentImage.*.*\\chrome.exe" -or $_.message -match "ParentImage.*.*\\firefox.exe" -or $_.message -match "ParentImage.*.*\\iexplore.exe" -or $_.message -match "ParentImage.*.*\\microsoftedgecp.exe" -or $_.message -match "ParentImage.*.*\\microsoftedge.exe" -or $_.message -match "ParentImage.*.*\\browser.exe" -or $_.message -match "ParentImage.*.*\\vivaldi.exe" -or $_.message -match "ParentImage.*.*\\safari.exe" -or $_.message -match "ParentImage.*.*\\sqlagent.exe" -or $_.message -match "ParentImage.*.*\\sqlserver.exe" -or $_.message -match "ParentImage.*.*\\sqlservr.exe" -or $_.message -match "ParentImage.*.*\\w3wp.exe" -or $_.message -match "ParentImage.*.*\\httpd.exe" -or $_.message -match "ParentImage.*.*\\nginx.exe" -or $_.message -match "ParentImage.*.*\\php-cgi.exe" -or $_.message -match "ParentImage.*.*\\jbosssvc.exe" -or $_.message -match "ParentImage.*.*MicrosoftEdgeSH.exe") -or $_.message -match "ParentImage.*.*tomcat.*") -and (($_.message -match "CommandLine.*.*powershell.*" -or $_.message -match "CommandLine.*.*pwsh.*") -or $_.message -match "Description.*Windows PowerShell" -or $_.message -match "Product.*PowerShell Core 6")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_powershell_sam_access.ps1 b/Rules/sigma_tmp/win_susp_powershell_sam_access.ps1
new file mode 100644
index 00000000..befb3a13
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_powershell_sam_access.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*\\HarddiskVolumeShadowCopy.*" -and $_.message -match "CommandLine.*.*ystem32\\config\\sam.*" -and ($_.message -match "CommandLine.*.*Copy-Item.*" -or $_.message -match "CommandLine.*.*cp $_..*" -or $_.message -match "CommandLine.*.*cpi $_..*" -or $_.message -match "CommandLine.*.*copy $_..*" -or $_.message -match "CommandLine.*.*.File]::Copy(.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_print.ps1 b/Rules/sigma_tmp/win_susp_print.ps1
new file mode 100644
index 00000000..4764e500
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_print.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\print.exe") -and ($_.message -match "CommandLine.*print.*") -and ($_.message -match "CommandLine.*.*/D.*") -and ($_.message -match "CommandLine.*.*.exe.*")) -and -not (($_.message -match "CommandLine.*.*print.exe.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_procdump.ps1 b/Rules/sigma_tmp/win_susp_procdump.ps1
new file mode 100644
index 00000000..1f9245f8
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_procdump.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* -ma .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_procdump_lsass.ps1 b/Rules/sigma_tmp/win_susp_procdump_lsass.ps1
new file mode 100644
index 00000000..4c5be40a
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_procdump_lsass.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.* -ma .*" -and (($_.ID -eq "1" -and $_.message -match "CommandLine.*.* lsass.*") -or $_.message -match "CommandLine.*.* ls.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_proceshacker.ps1 b/Rules/sigma_tmp/win_susp_proceshacker.ps1
new file mode 100644
index 00000000..2ccddb70
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_proceshacker.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName System | where {($_.ID -eq "7045" -and $_.message -match "ServiceName.*ProcessHacker.*" -and $_.message -match "AccountName.*LocalSystem") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_procs_req_dlls.ps1 b/Rules/sigma_tmp/win_susp_procs_req_dlls.ps1
new file mode 100644
index 00000000..c45863ea
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_procs_req_dlls.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*\\rundll32.exe" -or $_.message -match "CommandLine.*.*\\regsvcs.exe" -or $_.message -match "CommandLine.*.*\\regasm.exe" -or $_.message -match "CommandLine.*.*\\regsvr32.exe") -and -not (($_.message -match "ParentImage.*.*\\AppData\\Local\\.*" -or $_.message -match "ParentImage.*.*\\Microsoft\\Edge\\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_ps_appdata.ps1 b/Rules/sigma_tmp/win_susp_ps_appdata.ps1
new file mode 100644
index 00000000..950bd738
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_ps_appdata.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*powershell.*" -and $_.message -match "CommandLine.*.*\\AppData\\.*" -and ($_.message -match "CommandLine.*.*Local\\.*" -or $_.message -match "CommandLine.*.*Roaming\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_ps_downloadfile.ps1 b/Rules/sigma_tmp/win_susp_ps_downloadfile.ps1
new file mode 100644
index 00000000..5444f03c
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_ps_downloadfile.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*powershell.*" -and $_.message -match "CommandLine.*.*.DownloadFile.*" -and $_.message -match "CommandLine.*.*System.Net.WebClient.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_psexec.ps1 b/Rules/sigma_tmp/win_susp_psexec.ps1
new file mode 100644
index 00000000..177ca728
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_psexec.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "5145" -and $_.message -match "ShareName.*\\.*\\IPC$" -and ($_.message -match "RelativeTargetName.*.*-stdin" -or $_.message -match "RelativeTargetName.*.*-stdout" -or $_.message -match "RelativeTargetName.*.*-stderr")) -and -not ($_.ID -eq "5145" -and $_.message -match "ShareName.*\\.*\\IPC$" -and $_.message -match "RelativeTargetName.*PSEXESVC.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_psexec_eula.ps1 b/Rules/sigma_tmp/win_susp_psexec_eula.ps1
new file mode 100644
index 00000000..92344074
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_psexec_eula.ps1
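Review bot: `"ShareName.*\\.*\\IPC$"` in win_susp_psexec.ps1 ends in an unescaped `$`, which the regex engine treats as an end-of-input anchor rather than the literal `$` of the `IPC$` share, so the share-name test only succeeds if `IPC` is the last thing in the message — and it is not, since the `RelativeTargetName` text the next condition relies on follows it. Escape it in both the include and the exclude branch: `$_.message -match "ShareName.*\\.*\\IPC\$"` (inside a PowerShell double-quoted string `\$` stays as the two characters the regex needs). win_susp_rc4_kerberos.ps1 further down has the inverse form of the same bug: `-not ($_.message -match "ServiceName.*$.*")` is meant to drop computer accounts whose name ends in `$`, but `.*$.*` matches every ServiceName, so the exclusion swallows every event and the rule can never fire; `"ServiceName.*\$"` is what was intended.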
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\psexec.exe" -and $_.message -match "CommandLine.*.*accepteula.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_psexex_paexec_flags.ps1 b/Rules/sigma_tmp/win_susp_psexex_paexec_flags.ps1
new file mode 100644
index 00000000..a08b4d69
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_psexex_paexec_flags.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*\\127.0.0.1.*" -and $_.message -match "CommandLine.*.* -s .*" -and $_.message -match "CommandLine.*.*cmd.exe.*") -or ($_.message -match "CommandLine.*.* /accepteula .*" -and $_.message -match "CommandLine.*.*cmd /c .*" -and $_.message -match "CommandLine.*.* -u .*" -and $_.message -match "CommandLine.*.* -p .*"))) -and -not (($_.message -match "CommandLine.*.*paexec.*" -or $_.message -match "CommandLine.*.*PsExec.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_psr_capture_screenshots.ps1 b/Rules/sigma_tmp/win_susp_psr_capture_screenshots.ps1
new file mode 100644
index 00000000..5ecb240b
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_psr_capture_screenshots.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\Psr.exe" -and $_.message -match "CommandLine.*.*/start.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_raccess_sensitive_fext.ps1 b/Rules/sigma_tmp/win_susp_raccess_sensitive_fext.ps1
new file mode 100644
index 00000000..7aefdd99
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_raccess_sensitive_fext.ps1
@@ -0,0 +1 @@ +Get-WinEvent -LogName Security | where {(($_.ID -eq "5145") -and ($_.message -match "RelativeTargetName.*.*.pst" -or $_.message -match "RelativeTargetName.*.*.ost" -or $_.message -match "RelativeTargetName.*.*.msg" -or $_.message -match "RelativeTargetName.*.*.nst" -or $_.message -match "RelativeTargetName.*.*.oab" -or $_.message -match "RelativeTargetName.*.*.edb" -or $_.message -match "RelativeTargetName.*.*.nsf" -or $_.message -match "RelativeTargetName.*.*.bak" -or $_.message -match "RelativeTargetName.*.*.dmp" -or $_.message -match "RelativeTargetName.*.*.kirbi" -or $_.message -match "RelativeTargetName.*.*\\groups.xml" -or $_.message -match "RelativeTargetName.*.*.rdp")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_rar_flags.ps1 b/Rules/sigma_tmp/win_susp_rar_flags.ps1 new file mode 100644 index 00000000..0a217b02 --- /dev/null +++ b/Rules/sigma_tmp/win_susp_rar_flags.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* -hp.*") -and ($_.message -match "CommandLine.*.* -m.*" -or $_.message -match "CommandLine.*.* a .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_rasdial_activity.ps1 b/Rules/sigma_tmp/win_susp_rasdial_activity.ps1 new file mode 100644 index 00000000..dad9a93b --- /dev/null +++ b/Rules/sigma_tmp/win_susp_rasdial_activity.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*rasdial.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_rc4_kerberos.ps1 b/Rules/sigma_tmp/win_susp_rc4_kerberos.ps1 new file mode 100644 index 00000000..ede4ab5f --- /dev/null +++ b/Rules/sigma_tmp/win_susp_rc4_kerberos.ps1 
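Review bot: The extension list in win_susp_raccess_sensitive_fext (`RelativeTargetName.*.*.pst`, `.ost`, `.bak`, …) has no end anchor and an unescaped dot, so `.*.bak` also accepts `xbak` anywhere in the line and `.*.rdp` anything containing `?rdp`; the Sigma `endswith` intent would be `"(?m)RelativeTargetName.*\.pst\s*$"`, where `(?m)` lets `$` match at the end of that line inside the multi-line message. A one-line header such as `# needs 'Audit Detailed File Share' enabled (Security 5145)` would also tell deployers why the rule stays silent on a default-configured host.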
@@ -0,0 +1 @@ +Get-WinEvent -LogName Security | where {(($_.ID -eq "4769" -and $_.message -match "TicketOptions.*0x40810000" -and $_.message -match "TicketEncryptionType.*0x17") -and -not ($_.message -match "ServiceName.*$.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_rclone_exec.ps1 b/Rules/sigma_tmp/win_susp_rclone_exec.ps1 new file mode 100644 index 00000000..9c6fd4d4 --- /dev/null +++ b/Rules/sigma_tmp/win_susp_rclone_exec.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* pass .*" -or $_.message -match "CommandLine.*.* user .*" -or $_.message -match "CommandLine.*.* copy .*" -or $_.message -match "CommandLine.*.* mega .*" -or $_.message -match "CommandLine.*.* sync .*" -or $_.message -match "CommandLine.*.* config .*" -or $_.message -match "CommandLine.*.* lsd .*" -or $_.message -match "CommandLine.*.* remote .*" -or $_.message -match "CommandLine.*.* ls .*") -and ($_.ID -eq "1") -and ($_.message -match "Description.*Rsync for cloud storage" -or ($_.message -match "Image.*.*\\rclone.exe" -and ($_.message -match "ParentImage.*.*\\PowerShell.exe" -or $_.message -match "ParentImage.*.*\\cmd.exe")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_recon_activity.ps1 b/Rules/sigma_tmp/win_susp_recon_activity.ps1 new file mode 100644 index 00000000..e75168bc --- /dev/null +++ b/Rules/sigma_tmp/win_susp_recon_activity.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "net group \"domain admins\" /domain" -or $_.message -match "net localgroup administrators" -or $_.message -match "net group \"enterprise admins\" /domain")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message 
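Review bot: `-not ($_.message -match "ServiceName.*$.*")` in win_susp_rc4_kerberos is meant to drop machine-account service names (those ending in `$`), but in the regex `$` is an end-of-string anchor, not a literal, so the exclusion never matches and the computer-account tickets it was supposed to ignore are kept. Escape it as `"ServiceName.*\$"`; PowerShell passes `\$` through unchanged inside double quotes, giving the regex a literal dollar.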
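Review bot: `"net group \"domain admins\" /domain"` in win_susp_recon_activity does not parse in PowerShell: backslash is not an escape character inside double quotes, so the string ends at the first `\"` and the remainder is a syntax error when the file runs. Use single quotes, `'net group "domain admins" /domain'`, or backtick-escaped quotes; the `"enterprise admins"` value later in the same line has the identical problem.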
diff --git a/Rules/sigma_tmp/win_susp_reg_disable_sec_services.ps1 b/Rules/sigma_tmp/win_susp_reg_disable_sec_services.ps1 new file mode 100644 index 00000000..bc907af8 --- /dev/null +++ b/Rules/sigma_tmp/win_susp_reg_disable_sec_services.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*reg.*" -and $_.message -match "CommandLine.*.*add.*" -and $_.message -match "CommandLine.*.* /d 4.*" -and $_.message -match "CommandLine.*.* /v Start.*" -and ($_.message -match "CommandLine.*.*\\Sense .*" -or $_.message -match "CommandLine.*.*\\WinDefend.*" -or $_.message -match "CommandLine.*.*\\MsMpSvc.*" -or $_.message -match "CommandLine.*.*\\NisSrv.*" -or $_.message -match "CommandLine.*.*\\WdBoot .*" -or $_.message -match "CommandLine.*.*\\WdNisDrv.*" -or $_.message -match "CommandLine.*.*\\WdNisSvc.*" -or $_.message -match "CommandLine.*.*\\wscsvc .*" -or $_.message -match "CommandLine.*.*\\SecurityHealthService.*" -or $_.message -match "CommandLine.*.*\\wuauserv.*" -or $_.message -match "CommandLine.*.*\\UsoSvc .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_regedit_trustedinstaller.ps1 b/Rules/sigma_tmp/win_susp_regedit_trustedinstaller.ps1 new file mode 100644 index 00000000..1b473309 --- /dev/null +++ b/Rules/sigma_tmp/win_susp_regedit_trustedinstaller.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\regedit.exe" -and ($_.message -match "ParentImage.*.*\\TrustedInstaller.exe" -or $_.message -match "ParentImage.*.*\\ProcessHacker.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_register_cimprovider.ps1 b/Rules/sigma_tmp/win_susp_register_cimprovider.ps1 new file mode 100644 index 00000000..967494e9 --- /dev/null +++ b/Rules/sigma_tmp/win_susp_register_cimprovider.ps1 
@@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\register-cimprovider.exe" -and $_.message -match "CommandLine.*.*-path.*" -and $_.message -match "CommandLine.*.*dll.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_regsvr32_anomalies.ps1 b/Rules/sigma_tmp/win_susp_regsvr32_anomalies.ps1 new file mode 100644 index 00000000..bc1dfb24 --- /dev/null +++ b/Rules/sigma_tmp/win_susp_regsvr32_anomalies.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\regsvr32.exe" -and $_.message -match "CommandLine.*.*\\Temp\\.*") -or ($_.message -match "Image.*.*\\regsvr32.exe" -and $_.message -match "ParentImage.*.*\\powershell.exe") -or ($_.message -match "Image.*.*\\regsvr32.exe" -and $_.message -match "ParentImage.*.*\\cmd.exe") -or ($_.message -match "Image.*.*\\regsvr32.exe" -and $_.message -match "CommandLine.*.*/i:.*" -and ($_.message -match "CommandLine.*.*http.*" -or $_.message -match "CommandLine.*.*ftp.*") -and $_.message -match "CommandLine.*.*scrobj.dll") -or ($_.message -match "Image.*.*\\wscript.exe" -and $_.message -match "ParentImage.*.*\\regsvr32.exe") -or ($_.message -match "Image.*.*\\EXCEL.EXE" -and $_.message -match "CommandLine.*.*..\\..\\..\\Windows\\System32\\regsvr32.exe .*") -or ($_.message -match "ParentImage.*.*\\mshta.exe" -and $_.message -match "Image.*.*\\regsvr32.exe") -or ($_.message -match "Image.*.*\\regsvr32.exe" -and ($_.message -match "CommandLine.*.*\\AppData\\Local.*" -or $_.message -match "CommandLine.*.*C:\\Users\\Public.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_regsvr32_flags_anomaly.ps1 b/Rules/sigma_tmp/win_susp_regsvr32_flags_anomaly.ps1 new file mode 100644 index 00000000..6f5d7ee8 --- /dev/null 
+++ b/Rules/sigma_tmp/win_susp_regsvr32_flags_anomaly.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\regsvr32.exe" -and $_.message -match "CommandLine.*.* /i:.*") -and -not ($_.message -match "CommandLine.*.* /n .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_regsvr32_no_dll.ps1 b/Rules/sigma_tmp/win_susp_regsvr32_no_dll.ps1 new file mode 100644 index 00000000..895c1245 --- /dev/null +++ b/Rules/sigma_tmp/win_susp_regsvr32_no_dll.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and $_.message -match "ParentImage.*.*\\regsvr32.exe" -and -not (($_.message -match "CommandLine.*.*.dll.*" -or $_.message -match "CommandLine.*.*.ocx.*" -or $_.message -match "CommandLine.*.*.cpl.*" -or $_.message -match "CommandLine.*.*.ax.*" -or $_.message -match "CommandLine.*.*.bav.*" -or $_.message -match "CommandLine.*.*.ppl.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_renamed_dctask64.ps1 b/Rules/sigma_tmp/win_susp_renamed_dctask64.ps1 new file mode 100644 index 00000000..346005d7 --- /dev/null +++ b/Rules/sigma_tmp/win_susp_renamed_dctask64.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and $_.message -match "Imphash.*6834B1B94E49701D77CCB3C0895E1AFD" -and -not ($_.message -match "Image.*.*\\dctask64.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_renamed_debugview.ps1 b/Rules/sigma_tmp/win_susp_renamed_debugview.ps1 new file mode 100644 index 00000000..738b6584 --- /dev/null +++ b/Rules/sigma_tmp/win_susp_renamed_debugview.ps1 
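Review bot: The exclusion list in win_susp_regsvr32_no_dll (`CommandLine.*.*.dll.*`, `.ocx`, `.cpl`, `.ax`, `.bav`, `.ppl`) leaves the dot unescaped, so `.ax` matches any character followed by `ax` and `.dll` matches `ndll` inside `rundll32`; a child of regsvr32.exe whose command line merely contains such a substring is silently dropped by the `-not` branch. Escape the literal dots (`\.dll`, `\.ocx`, `\.ax`, …) so only real extensions suppress the alert. The same over-broad exclusion appears in the `.spl` filters of win_susp_spoolsv_child_processes and the `.js`/`.jse`/`.vbe`/`.vba` list of win_susp_script_execution.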
@@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Sysinternals DebugView" -or $_.message -match "Sysinternals Debugview") -and -not ($_.message -match "OriginalFileName.*Dbgview.exe" -and $_.message -match "Image.*.*\\Dbgview.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_renamed_paexec.ps1 b/Rules/sigma_tmp/win_susp_renamed_paexec.ps1 new file mode 100644 index 00000000..aff71dd4 --- /dev/null +++ b/Rules/sigma_tmp/win_susp_renamed_paexec.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.ID -eq "1") -and ($_.message -match "Description.*PAExec Application" -or $_.message -match "OriginalFileName.*PAExec.exe")) -and -not (($_.message -match "Image.*.*\\PAexec.exe" -or $_.message -match "Image.*.*\\paexec.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_rottenpotato.ps1 b/Rules/sigma_tmp/win_susp_rottenpotato.ps1 new file mode 100644 index 00000000..8e3094fa --- /dev/null +++ b/Rules/sigma_tmp/win_susp_rottenpotato.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Security | where {($_.ID -eq "4624" -and $_.message -match "LogonType.*3" -and $_.message -match "TargetUserName.*ANONYMOUS_LOGON" -and $_.message -match "WorkstationName.*-" -and $_.message -match "IpAddress.*127.0.0.1") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_rpcping.ps1 b/Rules/sigma_tmp/win_susp_rpcping.ps1 new file mode 100644 index 00000000..0c4bb090 --- /dev/null +++ b/Rules/sigma_tmp/win_susp_rpcping.ps1 
@@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\rpcping.exe" -and ($_.message -match "CommandLine.*.*-s.*" -or $_.message -match "CommandLine.*.*/s.*")) -and (($_.message -match "CommandLine.*.*-u.*" -and $_.message -match "CommandLine.*.*NTLM.*") -or ($_.message -match "CommandLine.*.*/u.*" -and $_.message -match "CommandLine.*.*NTLM.*") -or ($_.message -match "CommandLine.*.*-t.*" -and $_.message -match "CommandLine.*.*ncacn_np.*") -or ($_.message -match "CommandLine.*.*/t.*" -and $_.message -match "CommandLine.*.*ncacn_np.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_run_locations.ps1 b/Rules/sigma_tmp/win_susp_run_locations.ps1 new file mode 100644 index 00000000..4eec4acd --- /dev/null +++ b/Rules/sigma_tmp/win_susp_run_locations.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*:\\RECYCLER\\.*" -or $_.message -match "Image.*.*:\\SystemVolumeInformation\\.*") -or ($_.message -match "Image.*C:\\Windows\\Tasks\\.*" -or $_.message -match "Image.*C:\\Windows\\debug\\.*" -or $_.message -match "Image.*C:\\Windows\\fonts\\.*" -or $_.message -match "Image.*C:\\Windows\\help\\.*" -or $_.message -match "Image.*C:\\Windows\\drivers\\.*" -or $_.message -match "Image.*C:\\Windows\\addins\\.*" -or $_.message -match "Image.*C:\\Windows\\cursors\\.*" -or $_.message -match "Image.*C:\\Windows\\system32\\tasks\\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_rundll32_activity.ps1 b/Rules/sigma_tmp/win_susp_rundll32_activity.ps1 new file mode 100644 index 00000000..e9272958 --- /dev/null +++ b/Rules/sigma_tmp/win_susp_rundll32_activity.ps1 
@@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*javascript:.*" -or $_.message -match "CommandLine.*.*.RegisterXLL.*") -or ($_.message -match "CommandLine.*.*url.dll.*" -and $_.message -match "CommandLine.*.*OpenURL.*") -or ($_.message -match "CommandLine.*.*url.dll.*" -and $_.message -match "CommandLine.*.*OpenURLA.*") -or ($_.message -match "CommandLine.*.*url.dll.*" -and $_.message -match "CommandLine.*.*FileProtocolHandler.*") -or ($_.message -match "CommandLine.*.*zipfldr.dll.*" -and $_.message -match "CommandLine.*.*RouteTheCall.*") -or ($_.message -match "CommandLine.*.*shell32.dll.*" -and $_.message -match "CommandLine.*.*Control_RunDLL.*") -or ($_.message -match "CommandLine.*.*shell32.dll.*" -and $_.message -match "CommandLine.*.*ShellExec_RunDLL.*") -or ($_.message -match "CommandLine.*.*mshtml.dll.*" -and $_.message -match "CommandLine.*.*PrintHTML.*") -or ($_.message -match "CommandLine.*.*advpack.dll.*" -and $_.message -match "CommandLine.*.*LaunchINFSection.*") -or ($_.message -match "CommandLine.*.*advpack.dll.*" -and $_.message -match "CommandLine.*.*RegisterOCX.*") -or ($_.message -match "CommandLine.*.*ieadvpack.dll.*" -and $_.message -match "CommandLine.*.*LaunchINFSection.*") -or ($_.message -match "CommandLine.*.*ieadvpack.dll.*" -and $_.message -match "CommandLine.*.*RegisterOCX.*") -or ($_.message -match "CommandLine.*.*ieframe.dll.*" -and $_.message -match "CommandLine.*.*OpenURL.*") -or ($_.message -match "CommandLine.*.*shdocvw.dll.*" -and $_.message -match "CommandLine.*.*OpenURL.*") -or ($_.message -match "CommandLine.*.*syssetup.dll.*" -and $_.message -match "CommandLine.*.*SetupInfObjectInstallAction'.*") -or ($_.message -match "CommandLine.*.*setupapi.dll.*" -and $_.message -match "CommandLine.*.*InstallHinfSection.*") -or ($_.message -match "CommandLine.*.*pcwutl.dll.*" -and $_.message -match "CommandLine.*.*LaunchApplication.*") -or 
($_.message -match "CommandLine.*.*dfshim.dll.*" -and $_.message -match "CommandLine.*.*ShOpenVerbApplication.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_rundll32_by_ordinal.ps1 b/Rules/sigma_tmp/win_susp_rundll32_by_ordinal.ps1 new file mode 100644 index 00000000..43967aa8 --- /dev/null +++ b/Rules/sigma_tmp/win_susp_rundll32_by_ordinal.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*\\rundll32.exe.*" -and $_.message -match "CommandLine.*.*,#.*") -and -not ($_.message -match "CommandLine.*.*EDGEHTML.dll.*" -and $_.message -match "CommandLine.*.*#141.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_rundll32_inline_vbs.ps1 b/Rules/sigma_tmp/win_susp_rundll32_inline_vbs.ps1 new file mode 100644 index 00000000..6009f9a8 --- /dev/null +++ b/Rules/sigma_tmp/win_susp_rundll32_inline_vbs.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*rundll32.exe.*" -and $_.message -match "CommandLine.*.*Execute.*" -and $_.message -match "CommandLine.*.*RegRead.*" -and $_.message -match "CommandLine.*.*window.close.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_rundll32_no_params.ps1 b/Rules/sigma_tmp/win_susp_rundll32_no_params.ps1 new file mode 100644 index 00000000..5f84ed35 --- /dev/null +++ b/Rules/sigma_tmp/win_susp_rundll32_no_params.ps1 
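Review bot: `CommandLine.*.*SetupInfObjectInstallAction'.*` in win_susp_rundll32_activity carries a trailing apostrophe inside the regex, so the syssetup.dll branch only fires on a command line that literally contains `SetupInfObjectInstallAction'`. No other value in the list carries a quote, so this looks like a converter artifact rather than intent; if so, drop it: `"CommandLine.*SetupInfObjectInstallAction"`.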
@@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*\\rundll32.exe" -and -not ($_.message -match "ParentImage.*.*\\svchost.exe")) -and -not (($_.message -match "ParentImage.*.*\\AppData\\Local\\.*" -or $_.message -match "ParentImage.*.*\\Microsoft\\Edge\\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_rundll32_setupapi_installhinfsection.ps1 b/Rules/sigma_tmp/win_susp_rundll32_setupapi_installhinfsection.ps1 new file mode 100644 index 00000000..cfca28a5 --- /dev/null +++ b/Rules/sigma_tmp/win_susp_rundll32_setupapi_installhinfsection.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\runonce.exe" -and $_.message -match "ParentImage.*.*\\rundll32.exe" -and $_.message -match "ParentCommandLine.*.*setupapi.dll.*" -and $_.message -match "ParentCommandLine.*.*InstallHinfSection.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_rundll32_sys.ps1 b/Rules/sigma_tmp/win_susp_rundll32_sys.ps1 new file mode 100644 index 00000000..3612e9b1 --- /dev/null +++ b/Rules/sigma_tmp/win_susp_rundll32_sys.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*rundll32.exe.*" -and ($_.message -match "CommandLine.*.*.sys,.*" -or $_.message -match "CommandLine.*.*.sys .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_runonce_execution.ps1 b/Rules/sigma_tmp/win_susp_runonce_execution.ps1 new file mode 100644 index 00000000..d42cd912 --- /dev/null +++ b/Rules/sigma_tmp/win_susp_runonce_execution.ps1 
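Review bot: `CommandLine.*.*\\rundll32.exe` in win_susp_rundll32_no_params has no end anchor, so the rule matches every rundll32.exe invocation rather than the argument-less one it is named for, because `.*\\rundll32.exe` is satisfied as a substring of `...\rundll32.exe foo.dll,Entry`. Anchor it to the end of the CommandLine line: `"(?m)CommandLine.*\\rundll32\.exe\s*$"`; `(?m)` is required because `$_.message` is multi-line and `$` otherwise only matches at the end of the whole message, and `\s*` absorbs the `\r` before the line break.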
@@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.ID -eq "1") -and (($_.message -match "Image.*.*\\runonce.exe") -or ($_.message -match "Run Once Wrapper")) -and ($_.message -match "CommandLine.*.* /AlternateShellStartup.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_runscripthelper.ps1 b/Rules/sigma_tmp/win_susp_runscripthelper.ps1 new file mode 100644 index 00000000..ad0a24f3 --- /dev/null +++ b/Rules/sigma_tmp/win_susp_runscripthelper.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\Runscripthelper.exe" -and $_.message -match "CommandLine.*.*surfacecheck.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_sam_dump.ps1 b/Rules/sigma_tmp/win_susp_sam_dump.ps1 new file mode 100644 index 00000000..049d7fc8 --- /dev/null +++ b/Rules/sigma_tmp/win_susp_sam_dump.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName System | where {($_.ID -eq "16" -and $_.message -match ".*\\AppData\\Local\\Temp\\SAM-.*" -and $_.message -match ".*.dmp.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_schtask_creation.ps1 b/Rules/sigma_tmp/win_susp_schtask_creation.ps1 new file mode 100644 index 00000000..7f848000 --- /dev/null +++ b/Rules/sigma_tmp/win_susp_schtask_creation.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\schtasks.exe" -and $_.message -match "CommandLine.*.* /create .*") -and -not ($_.message -match "User.*NT AUTHORITY\\SYSTEM")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_schtask_creation_temp_folder.ps1 b/Rules/sigma_tmp/win_susp_schtask_creation_temp_folder.ps1 new file mode 100644 index 00000000..68b84bef --- /dev/null 
+++ b/Rules/sigma_tmp/win_susp_schtask_creation_temp_folder.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\schtasks.exe" -and $_.message -match "CommandLine.*.* /create .*" -and $_.message -match "CommandLine.*.* /sc once .*" -and $_.message -match "CommandLine.*.*\\Temp\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_screenconnect_access.ps1 b/Rules/sigma_tmp/win_susp_screenconnect_access.ps1 new file mode 100644 index 00000000..982b2a1f --- /dev/null +++ b/Rules/sigma_tmp/win_susp_screenconnect_access.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*e=Access&.*" -and $_.message -match "CommandLine.*.*y=Guest&.*" -and $_.message -match "CommandLine.*.*&p=.*" -and $_.message -match "CommandLine.*.*&c=.*" -and $_.message -match "CommandLine.*.*&k=.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_script_exec_from_temp.ps1 b/Rules/sigma_tmp/win_susp_script_exec_from_temp.ps1 new file mode 100644 index 00000000..e7c97943 --- /dev/null +++ b/Rules/sigma_tmp/win_susp_script_exec_from_temp.ps1 
@@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\mshta.exe" -or $_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\cscript.exe") -and ($_.message -match "CommandLine.*.*\\Windows\\Temp.*" -or $_.message -match "CommandLine.*.*\\Temporary Internet.*" -or $_.message -match "CommandLine.*.*\\AppData\\Local\\Temp.*" -or $_.message -match "CommandLine.*.*\\AppData\\Roaming\\Temp.*" -or $_.message -match "CommandLine.*.*%TEMP%.*" -or $_.message -match "CommandLine.*.*%TMP%.*" -or $_.message -match "CommandLine.*.*%LocalAppData%\\Temp.*")) -and -not ($_.message -match "CommandLine.*.* >.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_script_execution.ps1 b/Rules/sigma_tmp/win_susp_script_execution.ps1 new file mode 100644 index 00000000..95cca39c --- /dev/null +++ b/Rules/sigma_tmp/win_susp_script_execution.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\cscript.exe") -and ($_.message -match "CommandLine.*.*.jse.*" -or $_.message -match "CommandLine.*.*.vbe.*" -or $_.message -match "CommandLine.*.*.js.*" -or $_.message -match "CommandLine.*.*.vba.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_sdelete.ps1 b/Rules/sigma_tmp/win_susp_sdelete.ps1 new file mode 100644 index 00000000..0ab1353c --- /dev/null +++ b/Rules/sigma_tmp/win_susp_sdelete.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Security | where {(($_.ID -eq "4656" -or $_.ID -eq "4663" -or $_.ID -eq "4658") -and ($_.message -match "ObjectName.*.*.AAA" -or $_.message -match "ObjectName.*.*.ZZZ")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message 
diff --git a/Rules/sigma_tmp/win_susp_service_dacl_modification.ps1 b/Rules/sigma_tmp/win_susp_service_dacl_modification.ps1 new file mode 100644 index 00000000..4270da71 --- /dev/null +++ b/Rules/sigma_tmp/win_susp_service_dacl_modification.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\sc.exe") -and $_.message -match "CommandLine.*.*sdset.*" -and $_.message -match "CommandLine.*.*D;;.*" -and ($_.message -match "CommandLine.*.*;;;IU.*" -or $_.message -match "CommandLine.*.*;;;SU.*" -or $_.message -match "CommandLine.*.*;;;BA.*" -or $_.message -match "CommandLine.*.*;;;SY.*" -or $_.message -match "CommandLine.*.*;;;WD.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_service_dir.ps1 b/Rules/sigma_tmp/win_susp_service_dir.ps1 new file mode 100644 index 00000000..e03d226c --- /dev/null +++ b/Rules/sigma_tmp/win_susp_service_dir.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\Users\\Public\\.*" -or $_.message -match "Image.*.*\\$Recycle.bin.*" -or $_.message -match "Image.*.*\\Users\\All Users\\.*" -or $_.message -match "Image.*.*\\Users\\Default\\.*" -or $_.message -match "Image.*.*\\Users\\Contacts\\.*" -or $_.message -match "Image.*.*\\Users\\Searches\\.*" -or $_.message -match "Image.*.*C:\\Perflogs\\.*" -or $_.message -match "Image.*.*\\config\\systemprofile\\.*" -or $_.message -match "Image.*.*\\Windows\\Fonts\\.*" -or $_.message -match "Image.*.*\\Windows\\IME\\.*" -or $_.message -match "Image.*.*\\Windows\\addins\\.*") -and ($_.message -match "ParentImage.*.*\\services.exe" -or $_.message -match "ParentImage.*.*\\svchost.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message 
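Review bot: `Image.*.*\\$Recycle.bin.*` in win_susp_service_dir is a double-quoted string, so PowerShell expands `$Recycle` as a variable (normally empty) before the regex is built and the pattern degrades to `Image.*\\.bin.*`; the recycle-bin directory is never actually matched. Escape the dollar with a backtick, `"Image.*\\`$Recycle\.bin"`, or move the pattern into single quotes.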
diff --git a/Rules/sigma_tmp/win_susp_service_path_modification.ps1 b/Rules/sigma_tmp/win_susp_service_path_modification.ps1 new file mode 100644 index 00000000..4d0faae8 --- /dev/null +++ b/Rules/sigma_tmp/win_susp_service_path_modification.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\sc.exe" -and $_.message -match "CommandLine.*.*config.*" -and $_.message -match "CommandLine.*.*binpath.*" -and ($_.message -match "CommandLine.*.*powershell.*" -or $_.message -match "CommandLine.*.*cmd.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_servu_exploitation_cve_2021_35211.ps1 b/Rules/sigma_tmp/win_susp_servu_exploitation_cve_2021_35211.ps1 new file mode 100644 index 00000000..804d37cc --- /dev/null +++ b/Rules/sigma_tmp/win_susp_servu_exploitation_cve_2021_35211.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*whoami.*" -and ($_.message -match "CommandLine.*.*./Client/Common/.*" -or $_.message -match "CommandLine.*.*.\\Client\\Common\\.*")) -or $_.message -match "CommandLine.*.*C:\\Windows\\Temp\\Serv-U.bat.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_servu_process_pattern.ps1 b/Rules/sigma_tmp/win_susp_servu_process_pattern.ps1 new file mode 100644 index 00000000..5d414589 --- /dev/null +++ b/Rules/sigma_tmp/win_susp_servu_process_pattern.ps1 
@@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\Serv-U.exe" -and ($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\cscript.exe" -or $_.message -match "Image.*.*\\sh.exe" -or $_.message -match "Image.*.*\\bash.exe" -or $_.message -match "Image.*.*\\schtasks.exe" -or $_.message -match "Image.*.*\\regsvr32.exe" -or $_.message -match "Image.*.*\\wmic.exe" -or $_.message -match "Image.*.*\\mshta.exe" -or $_.message -match "Image.*.*\\rundll32.exe" -or $_.message -match "Image.*.*\\msiexec.exe" -or $_.message -match "Image.*.*\\forfiles.exe" -or $_.message -match "Image.*.*\\scriptrunner.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_shell_spawn_from_mssql.ps1 b/Rules/sigma_tmp/win_susp_shell_spawn_from_mssql.ps1 new file mode 100644 index 00000000..71787201 --- /dev/null +++ b/Rules/sigma_tmp/win_susp_shell_spawn_from_mssql.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\sqlservr.exe" -and ($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\sh.exe" -or $_.message -match "Image.*.*\\bash.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\bitsadmin.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_shell_spawn_from_winrm.ps1 b/Rules/sigma_tmp/win_susp_shell_spawn_from_winrm.ps1 new file mode 100644 index 00000000..fdcfb59e --- /dev/null +++ b/Rules/sigma_tmp/win_susp_shell_spawn_from_winrm.ps1 
@@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\wsmprovhost.exe" -and ($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\sh.exe" -or $_.message -match "Image.*.*\\bash.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\schtasks.exe" -or $_.message -match "Image.*.*\\certutil.exe" -or $_.message -match "Image.*.*\\whoami.exe" -or $_.message -match "Image.*.*\\bitsadmin.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_shimcache_flush.ps1 b/Rules/sigma_tmp/win_susp_shimcache_flush.ps1 new file mode 100644 index 00000000..af79165d --- /dev/null +++ b/Rules/sigma_tmp/win_susp_shimcache_flush.ps1 @@ -0,0 +1 @@ +Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*rundll32.*" -and (($_.message -match "CommandLine.*.*apphelp.dll.*" -and ($_.message -match "CommandLine.*.*ShimFlushCache.*" -or $_.message -match "CommandLine.*.*#250.*")) -or ($_.message -match "CommandLine.*.*kernel32.dll.*" -and ($_.message -match "CommandLine.*.*BaseFlushAppcompatCache.*" -or $_.message -match "CommandLine.*.*#46.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message diff --git a/Rules/sigma_tmp/win_susp_spoolsv_child_processes.ps1 b/Rules/sigma_tmp/win_susp_spoolsv_child_processes.ps1 new file mode 100644 index 00000000..368131c1 --- /dev/null +++ b/Rules/sigma_tmp/win_susp_spoolsv_child_processes.ps1 
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\spoolsv.exe" -and $_.message -match "IntegrityLevel.*System" -and ($_.ID -eq "1") -and (((((($_.message -match "Image.*.*\\gpupdate.exe" -or $_.message -match "Image.*.*\\whoami.exe" -or $_.message -match "Image.*.*\\nltest.exe" -or $_.message -match "Image.*.*\\taskkill.exe" -or $_.message -match "Image.*.*\\wmic.exe" -or $_.message -match "Image.*.*\\taskmgr.exe" -or $_.message -match "Image.*.*\\sc.exe" -or $_.message -match "Image.*.*\\findstr.exe" -or $_.message -match "Image.*.*\\curl.exe" -or $_.message -match "Image.*.*\\wget.exe" -or $_.message -match "Image.*.*\\certutil.exe" -or $_.message -match "Image.*.*\\bitsadmin.exe" -or $_.message -match "Image.*.*\\accesschk.exe" -or $_.message -match "Image.*.*\\wevtutil.exe" -or $_.message -match "Image.*.*\\bcdedit.exe" -or $_.message -match "Image.*.*\\fsutil.exe" -or $_.message -match "Image.*.*\\cipher.exe" -or $_.message -match "Image.*.*\\schtasks.exe" -or $_.message -match "Image.*.*\\write.exe" -or $_.message -match "Image.*.*\\wuauclt.exe") -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\net.exe" -and -not ($_.message -match "CommandLine.*.*start.*"))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\cmd.exe" -and -not (($_.message -match "CommandLine.*.*.spl.*" -or $_.message -match "CommandLine.*.*route add.*" -or $_.message -match "CommandLine.*.*program files.*")))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\netsh.exe" -and -not (($_.message -match "CommandLine.*.*add portopening.*" -or $_.message -match "CommandLine.*.*rule name.*")))) -or (($_.ID -eq "1") -and $_.message -match "Image.*.*\\powershell.exe" -and -not ($_.message -match "CommandLine.*.*.spl.*"))) -or ($_.message -match "Image.*.*\\rundll32.exe" -and $_.message -match "CommandLine.*.*rundll32.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_sqldumper_activity.ps1 b/Rules/sigma_tmp/win_susp_sqldumper_activity.ps1
new file mode 100644
index 00000000..9d65978d
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_sqldumper_activity.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\sqldumper.exe" -and ($_.message -match "CommandLine.*.*0x0110.*" -or $_.message -match "CommandLine.*.*0x01100:40.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_squirrel_lolbin.ps1 b/Rules/sigma_tmp/win_susp_squirrel_lolbin.ps1
new file mode 100644
index 00000000..02c95a6d
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_squirrel_lolbin.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\update.exe" -and ($_.message -match "CommandLine.*.*--processStart.*" -or $_.message -match "CommandLine.*.*--processStartAndWait.*" -or $_.message -match "CommandLine.*.*--createShortcut.*") -and $_.message -match "CommandLine.*.*.exe.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_svchost.ps1 b/Rules/sigma_tmp/win_susp_svchost.ps1
new file mode 100644
index 00000000..97e2e34a
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_svchost.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\svchost.exe" -and -not (($_.message -match "ParentImage.*.*\\services.exe" -or $_.message -match "ParentImage.*.*\\MsMpEng.exe" -or $_.message -match "ParentImage.*.*\\Mrt.exe" -or $_.message -match "ParentImage.*.*\\rpcnet.exe" -or $_.message -match "ParentImage.*.*\\svchost.exe"))) -and -not (-not ParentImage="*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
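Review bot: The trailing `-and -not (-not ParentImage="*")` in win_susp_svchost is not a PowerShell expression — `ParentImage="*"` is a bare token inside the scriptblock, so the filter fails to parse and the rule never runs; win_susp_svchost_no_cli on the next line carries the same leftover as `-or -not CommandLine="*"`. These look like Sigma null/exists filters the converter did not translate, since every other clause goes through `$_.message -match`. Sysmon process-creation events always carry the ParentImage and CommandLine fields, so the clause can be dropped, or, if the "field is present" intent is to be kept, written against the rendered text as `-and $_.message -match "ParentImage: \S"`.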
diff --git a/Rules/sigma_tmp/win_susp_svchost_no_cli.ps1 b/Rules/sigma_tmp/win_susp_svchost_no_cli.ps1
new file mode 100644
index 00000000..f41af0ab
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_svchost_no_cli.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.ID -eq "1" -and $_.message -match "CommandLine.*.*svchost.exe" -and $_.message -match "Image.*.*\\svchost.exe") -and -not (($_.message -match "ParentImage.*.*\\rpcnet.exe" -or $_.message -match "ParentImage.*.*\\rpcnetp.exe") -or -not CommandLine="*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_sysprep_appdata.ps1 b/Rules/sigma_tmp/win_susp_sysprep_appdata.ps1
new file mode 100644
index 00000000..1950b1ef
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_sysprep_appdata.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\sysprep.exe") -and ($_.message -match "CommandLine.*.*\\AppData\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_sysvol_access.ps1 b/Rules/sigma_tmp/win_susp_sysvol_access.ps1
new file mode 100644
index 00000000..ab3e0f8b
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_sysvol_access.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*\\SYSVOL\\.*" -and $_.message -match "CommandLine.*.*\\policies\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_taskmgr_localsystem.ps1 b/Rules/sigma_tmp/win_susp_taskmgr_localsystem.ps1
new file mode 100644
index 00000000..b5af5708
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_taskmgr_localsystem.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "User.*NT AUTHORITY\\SYSTEM" -and $_.message -match "Image.*.*\\taskmgr.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_taskmgr_parent.ps1 b/Rules/sigma_tmp/win_susp_taskmgr_parent.ps1
new file mode 100644
index 00000000..43458fb9
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_taskmgr_parent.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and $_.message -match "ParentImage.*.*\\taskmgr.exe" -and -not (($_.message -match "Image.*.*\\resmon.exe" -or $_.message -match "Image.*.*\\mmc.exe" -or $_.message -match "Image.*.*\\taskmgr.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_time_modification.ps1 b/Rules/sigma_tmp/win_susp_time_modification.ps1
new file mode 100644
index 00000000..0c82d672
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_time_modification.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "4616" -and -not (((($_.message -match "ProcessName.*C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe" -or $_.message -match "ProcessName.*C:\\Windows\\System32\\VBoxService.exe") -or ($_.message -match "ProcessName.*C:\\Windows\\System32\\svchost.exe" -and $_.message -match "SubjectUserSid.*S-1-5-19"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_tracker_execution.ps1 b/Rules/sigma_tmp/win_susp_tracker_execution.ps1
new file mode 100644
index 00000000..2ff06b9f
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_tracker_execution.ps1
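Review bot: The exclusions in win_susp_time_modification test `ProcessName.*` and `SubjectUserSid.*` against `$_.message`, but the rendered Security-log description labels those fields `Process Name:` and `Security ID:` (with the space), so neither filter ever matches and every 4616 event is returned. The same unmapped Sigma field names appear in win_susp_wmi_login (`ProcessName`), win_suspicious_outbound_kerberos_connection (`DestinationPort`, and `Image` where 5156 renders `Application Name:`), win_svcctl_remote_service (`ShareName`, `RelativeTargetName`), win_syskey_registry_access and win_sysmon_channel_reference_deletion (`ObjectType`, `ObjectName`, `ObjectValueName`, `NewValue`, `AccessMask`), win_tap_driver_installation (`ImagePath`, which 7045/4697 render as `Service File Name:` and Sysmon 6 as `ImageLoaded:`) and the 7045 line of win_tool_psexec; in those rules the effect is the opposite one, the detection can never fire. Either match the rendered label, e.g. `$_.message -match "Process Name:\s+C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe"`, or read the event XML (`[xml]$_.ToXml()`) so the Sigma field names can be kept as they are.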
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.ID -eq "1") -and (($_.message -match "Image.*.*\\tracker.exe") -or ($_.message -match "Tracker")) -and ($_.message -match "CommandLine.*.* /d .*") -and ($_.message -match "CommandLine.*.* /c .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_tscon_localsystem.ps1 b/Rules/sigma_tmp/win_susp_tscon_localsystem.ps1
new file mode 100644
index 00000000..55d8ec9b
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_tscon_localsystem.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "User.*NT AUTHORITY\\SYSTEM" -and $_.message -match "Image.*.*\\tscon.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_tscon_rdp_redirect.ps1 b/Rules/sigma_tmp/win_susp_tscon_rdp_redirect.ps1
new file mode 100644
index 00000000..2ab49dbb
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_tscon_rdp_redirect.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.* /dest:rdp-tcp:.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_use_of_csharp_console.ps1 b/Rules/sigma_tmp/win_susp_use_of_csharp_console.ps1
new file mode 100644
index 00000000..8c668063
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_use_of_csharp_console.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\csi.exe" -and $_.message -match "ParentImage.*.*\\powershell.exe" -and $_.message -match "OriginalFileName.*csi.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_use_of_sqlps_bin.ps1 b/Rules/sigma_tmp/win_susp_use_of_sqlps_bin.ps1
new file mode 100644
index 00000000..d931599c
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_use_of_sqlps_bin.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\sqlps.exe" -or $_.message -match "ParentImage.*.*\\sqlps.exe") -or ($_.message -match "OriginalFileName.*\\sqlps.exe" -and -not ($_.message -match "ParentImage.*.*\\sqlagent.exe")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_use_of_sqltoolsps_bin.ps1 b/Rules/sigma_tmp/win_susp_use_of_sqltoolsps_bin.ps1
new file mode 100644
index 00000000..95c8c656
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_use_of_sqltoolsps_bin.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\sqltoolsps.exe" -or $_.message -match "ParentImage.*.*\\sqltoolsps.exe") -or ($_.message -match "OriginalFileName.*\\sqltoolsps.exe" -and -not ($_.message -match "ParentImage.*.*\\smss.exe")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_use_of_te_bin.ps1 b/Rules/sigma_tmp/win_susp_use_of_te_bin.ps1
new file mode 100644
index 00000000..afdf33aa
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_use_of_te_bin.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\te.exe" -or $_.message -match "ParentImage.*.*\\te.exe" -or $_.message -match "OriginalFileName.*\\te.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_use_of_vsjitdebugger_bin.ps1 b/Rules/sigma_tmp/win_susp_use_of_vsjitdebugger_bin.ps1
new file mode 100644
index 00000000..453b6c88
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_use_of_vsjitdebugger_bin.ps1
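Review bot: The `OriginalFileName.*\\sqlps.exe` branch in win_susp_use_of_sqlps_bin requires a backslash in front of the file name, but Sysmon's OriginalFileName is the PE's original name with no directory, so that branch can never match and the rule degrades to the Image/ParentImage checks; win_susp_use_of_sqltoolsps_bin and win_susp_use_of_te_bin have the same `\\` in their OriginalFileName patterns. The csi and whoami rules in this same change use the right shape (`OriginalFileName.*csi.exe`, `OriginalFileName.*whoami.exe`). Change the three to `$_.message -match "OriginalFileName.*sqlps.exe"`, `$_.message -match "OriginalFileName.*sqltoolsps.exe"` and `$_.message -match "OriginalFileName.*te.exe"`.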
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and $_.message -match "ParentImage.*.*\\vsjitdebugger.exe" -and -not ((($_.ID -eq "1") -and ($_.message -match "Image.*.*\\vsimmersiveactivatehelper.*.exe" -or $_.message -match "Image.*.*\\devenv.exe")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_userinit_child.ps1 b/Rules/sigma_tmp/win_susp_userinit_child.ps1
new file mode 100644
index 00000000..23e76ac0
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_userinit_child.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "ParentImage.*.*\\userinit.exe" -and -not ($_.message -match "CommandLine.*.*\\netlogon\\.*")) -and -not ($_.message -match "Image.*.*\\explorer.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_vboxdrvInst.ps1 b/Rules/sigma_tmp/win_susp_vboxdrvInst.ps1
new file mode 100644
index 00000000..1cab9e5f
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_vboxdrvInst.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\VBoxDrvInst.exe" -and $_.message -match "CommandLine.*.*driver.*" -and $_.message -match "CommandLine.*.*executeinf.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_vbscript_unc2452.ps1 b/Rules/sigma_tmp/win_susp_vbscript_unc2452.ps1
new file mode 100644
index 00000000..7c0e07b7
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_vbscript_unc2452.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*Execute.*" -and $_.message -match "CommandLine.*.*CreateObject.*" -and $_.message -match "CommandLine.*.*RegRead.*" -and $_.message -match "CommandLine.*.*window.close.*" -and $_.message -match "CommandLine.*.*\\Microsoft\\Windows\\CurrentVersion.*") -and -not (($_.message -match "CommandLine.*.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_volsnap_disable.ps1 b/Rules/sigma_tmp/win_susp_volsnap_disable.ps1
new file mode 100644
index 00000000..a6003bea
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_volsnap_disable.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*reg.*" -and $_.message -match "CommandLine.*.* add .*" -and $_.message -match "CommandLine.*.*\\Services\\VSS\\Diag.*" -and $_.message -match "CommandLine.*.*/d Disabled.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_vssadmin_ntds_activity.ps1 b/Rules/sigma_tmp/win_susp_vssadmin_ntds_activity.ps1
new file mode 100644
index 00000000..6adc3f40
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_vssadmin_ntds_activity.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "vssadmin.exe Delete Shadows" -or $_.message -match "vssadmin create shadow /for=C:" -or $_.message -match "CommandLine.*copy \\?\\GLOBALROOT\\Device\\.*\\windows\\ntds\\ntds.dit" -or $_.message -match "CommandLine.*copy \\?\\GLOBALROOT\\Device\\.*\\config\\SAM" -or $_.message -match "vssadmin delete shadows /for=C:" -or $_.message -match "reg SAVE HKLM\\SYSTEM " -or $_.message -match "CommandLine.*esentutl.exe /y /vss .*\\ntds.dit.*" -or $_.message -match "CommandLine.*esentutl.exe /y /vss .*\\SAM" -or $_.message -match "CommandLine.*esentutl.exe /y /vss .*\\SYSTEM")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_whoami.ps1 b/Rules/sigma_tmp/win_susp_whoami.ps1
new file mode 100644
index 00000000..6818f0ba
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_whoami.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\whoami.exe" -or $_.message -match "OriginalFileName.*whoami.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_winrm_AWL_bypass.ps1 b/Rules/sigma_tmp/win_susp_winrm_AWL_bypass.ps1
new file mode 100644
index 00000000..1b5b9edc
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_winrm_AWL_bypass.ps1
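Review bot: In win_susp_vssadmin_ntds_activity the two `copy \\?\\GLOBALROOT\\Device\\...` patterns are regexes, and in a regex `\\?` means "an optional backslash" rather than the literal `\?`, so the `\\?\GLOBALROOT` prefix those lines are after can never be matched as written. The `?` needs its own escape: `"CommandLine.*copy \\\\\?\\GLOBALROOT\\Device\\.*\\windows\\ntds\\ntds.dit"` and `"CommandLine.*copy \\\\\?\\GLOBALROOT\\Device\\.*\\config\\SAM"`. Building these literal-path fragments with `[regex]::Escape()` would make the escaping less error-prone than hand-doubling backslashes.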
@@ -0,0 +1,2 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*winrm.*" -and ($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*format:pretty.*" -or $_.message -match "CommandLine.*.*format:\"pretty\".*" -or $_.message -match "CommandLine.*.*format:\"text\".*" -or $_.message -match "CommandLine.*.*format:text.*") -and -not (($_.message -match "Image.*C:\\Windows\\System32\\.*" -or $_.message -match "Image.*C:\\Windows\\SysWOW64\\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "11") -and ($_.message -match "TargetFilename.*.*WsmPty.xsl" -or $_.message -match "TargetFilename.*.*WsmTxt.xsl") -and -not (($_.message -match "TargetFilename.*C:\\Windows\\System32\\.*" -or $_.message -match "TargetFilename.*C:\\Windows\\SysWOW64\\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_winrm_execution.ps1 b/Rules/sigma_tmp/win_susp_winrm_execution.ps1
new file mode 100644
index 00000000..e9747ac2
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_winrm_execution.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\cscript.exe" -and $_.message -match "CommandLine.*.*winrm.*" -and $_.message -match "CommandLine.*.*invoke Create wmicimv2/Win32_.*" -and $_.message -match "CommandLine.*.*-r:http.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_wmi_execution.ps1 b/Rules/sigma_tmp/win_susp_wmi_execution.ps1
new file mode 100644
index 00000000..c7e98a70
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_wmi_execution.ps1
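Review bot: The first line of win_susp_winrm_AWL_bypass will not parse: PowerShell does not treat backslash as an escape inside double quotes, so `"CommandLine.*.*format:\"pretty\".*"` ends at `format:\"` and leaves `pretty\".*"` as a stray token (the `\"text\"` pattern has the same problem), which means the whole file errors out and the second line never runs either. Escape the embedded quotes by doubling them, `"CommandLine.*.*format:""pretty"".*"` and `"CommandLine.*.*format:""text"".*"`. The `-and ($_.ID -eq "1")` repeated after the winrm match is redundant with the first condition and can be dropped.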
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\wmic.exe" -and (($_.message -match "CommandLine.*.*process.*" -and $_.message -match "CommandLine.*.*call.*" -and $_.message -match "CommandLine.*.*create .*") -or ($_.message -match "CommandLine.*.* path .*" -and ($_.message -match "CommandLine.*.*AntiVirus.*" -or $_.message -match "CommandLine.*.*Firewall.*") -and $_.message -match "CommandLine.*.*Product.*" -and $_.message -match "CommandLine.*.* get .*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_wmi_login.ps1 b/Rules/sigma_tmp/win_susp_wmi_login.ps1
new file mode 100644
index 00000000..68895ac1
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_wmi_login.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "4624" -and $_.message -match "ProcessName.*.*\\WmiPrvSE.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_wmic_eventconsumer_create.ps1 b/Rules/sigma_tmp/win_susp_wmic_eventconsumer_create.ps1
new file mode 100644
index 00000000..63ee35f8
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_wmic_eventconsumer_create.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*ActiveScriptEventConsumer.*" -and $_.message -match "CommandLine.*.* CREATE .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_wmic_proc_create_rundll32.ps1 b/Rules/sigma_tmp/win_susp_wmic_proc_create_rundll32.ps1
new file mode 100644
index 00000000..4f33c7ab
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_wmic_proc_create_rundll32.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*process call create.*" -and $_.message -match "CommandLine.*.*rundll32.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_wmic_security_product_uninstall.ps1 b/Rules/sigma_tmp/win_susp_wmic_security_product_uninstall.ps1
new file mode 100644
index 00000000..d4169ff9
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_wmic_security_product_uninstall.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*wmic.*" -and $_.message -match "CommandLine.*.*product where name=.*" -and $_.message -match "CommandLine.*.*call uninstall.*" -and $_.message -match "CommandLine.*.*/nointeractive.*" -and ($_.message -match "CommandLine.*.*Antivirus.*" -or $_.message -match "CommandLine.*.*Endpoint Security.*" -or $_.message -match "CommandLine.*.*Endpoint Detection.*" -or $_.message -match "CommandLine.*.*Crowdstrike Sensor.*" -or $_.message -match "CommandLine.*.*Windows Defender.*" -or $_.message -match "CommandLine.*.*VirusScan.*" -or $_.message -match "CommandLine.*.*Threat Protection.*" -or $_.message -match "CommandLine.*.*Endpoint Sensor.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_wsl_lolbin.ps1 b/Rules/sigma_tmp/win_susp_wsl_lolbin.ps1
new file mode 100644
index 00000000..6c26d739
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_wsl_lolbin.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\wsl.exe") -and ($_.message -match "CommandLine.*.* -e .*" -or $_.message -match "CommandLine.*.* --exec .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_wuauclt.ps1 b/Rules/sigma_tmp/win_susp_wuauclt.ps1
new file mode 100644
index 00000000..03d91b0b
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_wuauclt.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ProcessCommandLine.*.*/UpdateDeploymentProvider.*" -and $_.message -match "ProcessCommandLine.*.*/RunHandlerComServer.*" -and ($_.message -match "Image.*.*\\wuauclt.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_susp_zip_compress.ps1 b/Rules/sigma_tmp/win_susp_zip_compress.ps1
new file mode 100644
index 00000000..1f72f8b5
--- /dev/null
+++ b/Rules/sigma_tmp/win_susp_zip_compress.ps1
@@ -0,0 +1,3 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*Compress-Archive .*" -and $_.message -match "CommandLine.*.* -Path .*" -and $_.message -match "CommandLine.*.* -DestinationPath .*" -and $_.message -match "CommandLine.*.*$env:TEMP\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Windows PowerShell | where {($_.message -match "HostApplication.*.*Compress-Archive .*" -and $_.message -match "HostApplication.*.* -Path .*" -and $_.message -match "HostApplication.*.* -DestinationPath .*" -and $_.message -match "HostApplication.*.*$env:TEMP\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.message -match "ContextInfo.*.*Compress-Archive .*" -and $_.message -match "ContextInfo.*.* -Path .*" -and $_.message -match "ContextInfo.*.* -DestinationPath .*" -and $_.message -match "ContextInfo.*.*$env:TEMP\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
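Review bot: win_susp_wuauclt matches `ProcessCommandLine.*` against the Sysmon message, but the Sysmon process-creation description labels that field `CommandLine:`, which is what every other rule in this change uses; `ProcessCommandLine` looks like an unmapped Sigma field name from a different log source, so this rule can never fire. Change both patterns to `$_.message -match "CommandLine.*.*/UpdateDeploymentProvider.*"` and `$_.message -match "CommandLine.*.*/RunHandlerComServer.*"`.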
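Review bot: All three lines of win_susp_zip_compress put `$env:TEMP` inside a double-quoted pattern, so PowerShell expands it to the analysis host's own temp directory (with regex-unsafe backslashes) instead of matching the literal `$env:TEMP` text the rule is looking for. Use single quotes and escape the dollar for the regex: `'CommandLine.*.*\$env:TEMP\\.*'`, `'HostApplication.*.*\$env:TEMP\\.*'` and `'ContextInfo.*.*\$env:TEMP\\.*'`. The second line also passes `-LogName Windows PowerShell` unquoted, so `PowerShell` is rejected as an extra positional argument; it should be `-LogName 'Windows PowerShell'`.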
diff --git a/Rules/sigma_tmp/win_suspicious_outbound_kerberos_connection.ps1 b/Rules/sigma_tmp/win_suspicious_outbound_kerberos_connection.ps1
new file mode 100644
index 00000000..e818612f
--- /dev/null
+++ b/Rules/sigma_tmp/win_suspicious_outbound_kerberos_connection.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "5156" -and $_.message -match "DestinationPort.*88") -and -not (($_.message -match "Image.*.*\\lsass.exe" -or $_.message -match "Image.*.*\\opera.exe" -or $_.message -match "Image.*.*\\chrome.exe" -or $_.message -match "Image.*.*\\firefox.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_suspicious_vss_ps_load.ps1 b/Rules/sigma_tmp/win_suspicious_vss_ps_load.ps1
new file mode 100644
index 00000000..00f4048f
--- /dev/null
+++ b/Rules/sigma_tmp/win_suspicious_vss_ps_load.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "7") -and ($_.message -match "ImageLoaded.*.*\\vss_ps.dll") -and -not (($_.message -match "Image.*.*\\svchost.exe" -or $_.message -match "Image.*.*\\msiexec.exe" -or $_.message -match "Image.*.*\\vssvc.exe" -or $_.message -match "Image.*.*\\srtasks.exe" -or $_.message -match "Image.*.*\\tiworker.exe" -or $_.message -match "Image.*.*\\dllhost.exe" -or $_.message -match "Image.*.*\\searchindexer.exe" -or $_.message -match "Image.*.*dismhost.exe" -or $_.message -match "Image.*.*taskhostw.exe" -or $_.message -match "Image.*.*\\clussvc.exe") -and $_.message -match "Image.*.*c:\\windows\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_suspicious_werfault_connection_outbound.ps1 b/Rules/sigma_tmp/win_suspicious_werfault_connection_outbound.ps1
new file mode 100644
index 00000000..3210e4bd
--- /dev/null
+++ b/Rules/sigma_tmp/win_suspicious_werfault_connection_outbound.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "3") -and $_.message -match "Image.*werfault.exe" -and -not (($_.ID -eq "3" -and $_.message -match "ParentImage.*svchost.exe" -and ($_.message -match "104.42.151.234" -or $_.message -match "104.43.193.48" -or $_.message -match "52.255.188.83" -or $_.message -match "13.64.90.137" -or $_.message -match "168.61.161.212" -or $_.message -match "13.88.21.125" -or $_.message -match "40.88.32.150" -or $_.message -match "52.147.198.201" -or $_.message -match "52.239.207.100" -or $_.message -match "52.176.224.96" -or $_.message -match "2607:7700:0:24:0:1:287e:1894" -or $_.message -match "DestinationIp.*10..*" -or $_.message -match "DestinationIp.*192.168..*" -or $_.message -match "DestinationIp.*127..*") -and ($_.message -match "DestinationHostname.*.*.windowsupdate.com.*" -or $_.message -match "DestinationHostname.*.*.microsoft.com.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_svcctl_remote_service.ps1 b/Rules/sigma_tmp/win_svcctl_remote_service.ps1
new file mode 100644
index 00000000..4868593d
--- /dev/null
+++ b/Rules/sigma_tmp/win_svcctl_remote_service.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "5145" -and $_.message -match "ShareName.*\\.*\\IPC$" -and $_.message -match "RelativeTargetName.*svcctl" -and $_.message -match "Accesses.*.*WriteData.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_syncappvpublishingserver_exe.ps1 b/Rules/sigma_tmp/win_syncappvpublishingserver_exe.ps1
new file mode 100644
index 00000000..70391d28
--- /dev/null
+++ b/Rules/sigma_tmp/win_syncappvpublishingserver_exe.ps1
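Review bot: The exclusion in win_suspicious_werfault_connection_outbound is gated on `ParentImage.*svchost.exe`, but Sysmon network-connection events (ID 3) carry no ParentImage field, so the whole `-not (...)` block never matches and every outbound werfault.exe connection is returned, the Microsoft telemetry endpoints it is meant to suppress included. The gate should use fields event 3 does render (Image, DestinationIp, DestinationHostname), or be dropped so the IP/hostname allow-list does the work. Once that is fixed, `DestinationIp.*10..*` and `DestinationIp.*127..*` still have an unescaped, unanchored dot and would also suppress connections to e.g. 110.x or 5.10.x; `DestinationIp: 10\.` and `DestinationIp: 127\.` are the intended shape.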
@@ -0,0 +1,2 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\SyncAppvPublishingServer.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.message -match ".*SyncAppvPublishingServer.exe.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_syskey_registry_access.ps1 b/Rules/sigma_tmp/win_syskey_registry_access.ps1
new file mode 100644
index 00000000..aeaa8a3c
--- /dev/null
+++ b/Rules/sigma_tmp/win_syskey_registry_access.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "4656" -or $_.ID -eq "4663") -and $_.message -match "ObjectType.*key" -and ($_.message -match "ObjectName.*.*lsa\\JD" -or $_.message -match "ObjectName.*.*lsa\\GBG" -or $_.message -match "ObjectName.*.*lsa\\Skew1" -or $_.message -match "ObjectName.*.*lsa\\Data")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_sysmon_channel_reference_deletion.ps1 b/Rules/sigma_tmp/win_sysmon_channel_reference_deletion.ps1
new file mode 100644
index 00000000..87813c44
--- /dev/null
+++ b/Rules/sigma_tmp/win_sysmon_channel_reference_deletion.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.message -match "ObjectName.*.*WINEVT\\Publishers\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}.*" -or $_.message -match "ObjectName.*.*WINEVT\\Channels\\Microsoft-Windows-Sysmon/Operational.*") -and (($_.ID -eq "4657" -and $_.message -match "ObjectValueName.*Enabled" -and $_.message -match "NewValue.*0") -or ($_.ID -eq "4663" -and $_.message -match "AccessMask.*65536"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_sysmon_driver_unload.ps1 b/Rules/sigma_tmp/win_sysmon_driver_unload.ps1
new file mode 100644
index 00000000..2140180e
--- /dev/null
+++ b/Rules/sigma_tmp/win_sysmon_driver_unload.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\fltmc.exe" -and $_.message -match "CommandLine.*.*unload.*" -and $_.message -match "CommandLine.*.*sys.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_system_exe_anomaly.ps1 b/Rules/sigma_tmp/win_system_exe_anomaly.ps1
new file mode 100644
index 00000000..f5c4c9da
--- /dev/null
+++ b/Rules/sigma_tmp/win_system_exe_anomaly.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\svchost.exe" -or $_.message -match "Image.*.*\\rundll32.exe" -or $_.message -match "Image.*.*\\services.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\regsvr32.exe" -or $_.message -match "Image.*.*\\spoolsv.exe" -or $_.message -match "Image.*.*\\lsass.exe" -or $_.message -match "Image.*.*\\smss.exe" -or $_.message -match "Image.*.*\\csrss.exe" -or $_.message -match "Image.*.*\\conhost.exe" -or $_.message -match "Image.*.*\\wininit.exe" -or $_.message -match "Image.*.*\\lsm.exe" -or $_.message -match "Image.*.*\\winlogon.exe" -or $_.message -match "Image.*.*\\explorer.exe" -or $_.message -match "Image.*.*\\taskhost.exe" -or $_.message -match "Image.*.*\\Taskmgr.exe" -or $_.message -match "Image.*.*\\sihost.exe" -or $_.message -match "Image.*.*\\RuntimeBroker.exe" -or $_.message -match "Image.*.*\\smartscreen.exe" -or $_.message -match "Image.*.*\\dllhost.exe" -or $_.message -match "Image.*.*\\audiodg.exe" -or $_.message -match "Image.*.*\\wlanext.exe") -and -not (($_.message -match "Image.*C:\\Windows\\System32\\.*" -or $_.message -match "Image.*C:\\Windows\\system32\\.*" -or $_.message -match "Image.*C:\\Windows\\SysWow64\\.*" -or $_.message -match "Image.*C:\\Windows\\SysWOW64\\.*" -or $_.message -match "Image.*C:\\Windows\\winsxs\\.*" -or $_.message -match "Image.*C:\\Windows\\WinSxS\\.*" -or $_.message -match "Image.*C:\\avast! sandbox.*") -or $_.message -match "Image.*.*\\SystemRoot\\System32\\.*" -or $_.message -match "Image.*C:\\Windows\\explorer.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_tap_driver_installation.ps1 b/Rules/sigma_tmp/win_tap_driver_installation.ps1
new file mode 100644
index 00000000..258f1409
--- /dev/null
+++ b/Rules/sigma_tmp/win_tap_driver_installation.ps1
@@ -0,0 +1,3 @@
+Get-WinEvent -LogName System | where {($_.ID -eq "7045" -and $_.message -match "ImagePath.*.*tap0901.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "6" -and $_.message -match "ImagePath.*.*tap0901.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Security | where {($_.ID -eq "4697" -and $_.message -match "ImagePath.*.*tap0901.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_tap_installer_execution.ps1 b/Rules/sigma_tmp/win_tap_installer_execution.ps1
new file mode 100644
index 00000000..0886acb6
--- /dev/null
+++ b/Rules/sigma_tmp/win_tap_installer_execution.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\tapinstall.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_task_folder_evasion.ps1 b/Rules/sigma_tmp/win_task_folder_evasion.ps1
new file mode 100644
index 00000000..44a3b6b3
--- /dev/null
+++ b/Rules/sigma_tmp/win_task_folder_evasion.ps1
@@ -0,0 +1 @@
+Get-WinEvent | where {(($_.message -match "CommandLine.*.*echo .*" -or $_.message -match "CommandLine.*.*copy .*" -or $_.message -match "CommandLine.*.*type .*" -or $_.message -match "CommandLine.*.*file createnew.*") -and ($_.message -match "CommandLine.*.* C:\\Windows\\System32\\Tasks\\.*" -or $_.message -match "CommandLine.*.* C:\\Windows\\SysWow64\\Tasks\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_termserv_proc_spawn.ps1 b/Rules/sigma_tmp/win_termserv_proc_spawn.ps1
new file mode 100644
index 00000000..d3c7c0cb
--- /dev/null
+++ b/Rules/sigma_tmp/win_termserv_proc_spawn.ps1
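Review bot: win_task_folder_evasion calls `Get-WinEvent` with no `-LogName`, unlike every other rule in this change; as far as I can tell Get-WinEvent does not fall back to querying every log when given nothing, it either prompts for the mandatory LogName or fails parameter-set resolution, so the rule cannot run unattended. The `CommandLine` patterns are process-creation data, so `Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and (...` would bring it in line with its siblings. The `-eq "1"` guard also matters because without it the same `CommandLine` text in other Sysmon event types (e.g. ID 1's ParentCommandLine in a child event) would match.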
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "ParentCommandLine.*.*\\svchost.exe.*" -and $_.message -match "ParentCommandLine.*.*termsvcs.*") -and -not ($_.message -match "Image.*.*\\rdpclip.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_tool_psexec.ps1 b/Rules/sigma_tmp/win_tool_psexec.ps1
new file mode 100644
index 00000000..c3d6659c
--- /dev/null
+++ b/Rules/sigma_tmp/win_tool_psexec.ps1
@@ -0,0 +1,4 @@
+Get-WinEvent -LogName System | where {($_.message -match "ServiceName.*PSEXESVC" -and (($_.ID -eq "7045" -and $_.Service File Name -eq "*\\PSEXESVC.exe") -or $_.ID -eq "7036")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\PSEXESVC.exe" -and $_.message -match "User.*NT AUTHORITY\\SYSTEM") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "17" -or $_.ID -eq "18") -and $_.message -match "PipeName.*\\PSEXESVC") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*\\PSEXESVC.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_tools_relay_attacks.ps1 b/Rules/sigma_tmp/win_tools_relay_attacks.ps1
new file mode 100644
index 00000000..f4035ecc
--- /dev/null
+++ b/Rules/sigma_tmp/win_tools_relay_attacks.ps1
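Review bot: In the System-log line of win_tool_psexec, `$_.Service File Name -eq "*\\PSEXESVC.exe"` is not valid PowerShell — a property name cannot contain spaces, and `-eq` compares literally so the `*` is never treated as a wildcard — which means the first line of this file does not parse as written. Following the pattern of the other three lines, this should be a message match: `($_.ID -eq "7045" -and $_.message -match "Service File Name.*\\PSEXESVC.exe")`. The `-or $_.ID -eq "7036"` branch reports every service status change whose message contains `PSEXESVC`; that is presumably intended, but it is the noisy half of the rule and deserves a comment saying so.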
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*PetitPotam.*" -or $_.message -match "Image.*.*RottenPotato.*" -or $_.message -match "Image.*.*HotPotato.*" -or $_.message -match "Image.*.*JuicyPotato.*" -or $_.message -match "Image.*.*\\just_dce_.*" -or $_.message -match "Image.*.*Juicy Potato.*" -or $_.message -match "Image.*.*\\temp\\rot.exe.*" -or $_.message -match "Image.*.*\\Potato.exe.*" -or $_.message -match "Image.*.*\\SpoolSample.exe.*" -or $_.message -match "Image.*.*\\Responder.exe.*" -or $_.message -match "Image.*.*\\smbrelayx.*" -or $_.message -match "Image.*.*\\ntlmrelayx.*") -or ($_.message -match "CommandLine.*.*Invoke-Tater.*" -or $_.message -match "CommandLine.*.* smbrelay.*" -or $_.message -match "CommandLine.*.* ntlmrelay.*" -or $_.message -match "CommandLine.*.*cme smb .*" -or $_.message -match "CommandLine.*.* /ntlm:NTLMhash .*" -or $_.message -match "CommandLine.*.*Invoke-PetitPotam.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_transferring_files_with_credential_data_via_network_shares.ps1 b/Rules/sigma_tmp/win_transferring_files_with_credential_data_via_network_shares.ps1
new file mode 100644
index 00000000..95f8706e
--- /dev/null
+++ b/Rules/sigma_tmp/win_transferring_files_with_credential_data_via_network_shares.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "5145" -and ($_.message -match "RelativeTargetName.*.*\\mimidrv.*" -or $_.message -match "RelativeTargetName.*.*\\lsass.*" -or $_.message -match "RelativeTargetName.*.*\\windows\\minidump\\.*" -or $_.message -match "RelativeTargetName.*.*\\hiberfil.*" -or $_.message -match "RelativeTargetName.*.*\\sqldmpr.*" -or $_.message -match "RelativeTargetName.*.*\\sam.*" -or $_.message -match "RelativeTargetName.*.*\\ntds.dit.*" -or $_.message -match "RelativeTargetName.*.*\\security.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_trust_discovery.ps1 b/Rules/sigma_tmp/win_trust_discovery.ps1
new file mode 100644
index 00000000..7eac9c31
--- /dev/null
+++ b/Rules/sigma_tmp/win_trust_discovery.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\nltest.exe" -and ($_.message -match "CommandLine.*.*domain_trusts.*" -or $_.message -match "CommandLine.*.*all_trusts.*" -or $_.message -match "CommandLine.*.*/dclist.*")) -or ($_.message -match "Image.*.*\\dsquery.exe" -and $_.message -match "CommandLine.*.*trustedDomain.*") -or ($_.message -match "Image.*.*\\dsquery.exe" -and $_.message -match "CommandLine.*.*-filter.*" -and $_.message -match "CommandLine.*.*trustedDomain.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_uac_cmstp.ps1 b/Rules/sigma_tmp/win_uac_cmstp.ps1
new file mode 100644
index 00000000..44b5488f
--- /dev/null
+++ b/Rules/sigma_tmp/win_uac_cmstp.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\cmstp.exe" -and ($_.message -match "CommandLine.*.*/s.*" -or $_.message -match "CommandLine.*.*/au.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_uac_fodhelper.ps1 b/Rules/sigma_tmp/win_uac_fodhelper.ps1
new file mode 100644
index 00000000..ec6aa9a3
--- /dev/null
+++ b/Rules/sigma_tmp/win_uac_fodhelper.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\fodhelper.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_uac_wsreset.ps1 b/Rules/sigma_tmp/win_uac_wsreset.ps1
new file mode 100644
index 00000000..4dce6b4d
--- /dev/null
+++ b/Rules/sigma_tmp/win_uac_wsreset.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and $_.message -match "ParentImage.*.*\\wsreset.exe" -and -not ($_.message -match "Image.*.*\\conhost.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_usb_device_plugged.ps1 b/Rules/sigma_tmp/win_usb_device_plugged.ps1
new file mode 100644
index 00000000..74c2ad9a
--- /dev/null
+++ b/Rules/sigma_tmp/win_usb_device_plugged.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-DriverFrameworks-UserMode/Operational | where {(($_.ID -eq "2003" -or $_.ID -eq "2100" -or $_.ID -eq "2102")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_user_added_to_local_administrators.ps1 b/Rules/sigma_tmp/win_user_added_to_local_administrators.ps1
new file mode 100644
index 00000000..00672886
--- /dev/null
+++ b/Rules/sigma_tmp/win_user_added_to_local_administrators.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "4732" -and ($_.message -match "TargetUserName.*Administr.*" -or $_.message -match "TargetSid.*S-1-5-32-544")) -and -not ($_.message -match "SubjectUserName.*.*$")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
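Review bot: The exclusion `-not ($_.message -match "SubjectUserName.*.*$")` in win_user_added_to_local_administrators does not exclude computer accounts: inside a double-quoted string the trailing `$` survives as the regex end-of-input anchor, not a literal dollar sign, so the pattern matches any message containing `SubjectUserName` and the filter drops every 4732 event that has a subject — the rule returns nothing. Escape it in a single-quoted string, e.g. `-not ($_.message -match 'SubjectUserName.*\$')`, and preferably anchor it to the field's own value so a `$` in a later field does not trigger the exclusion. win_wmiprvse_wbemcomn_dll_hijack (further down, the Security 5145 query) carries the identical `SubjectUserName.*.*$` clause and needs the same fix. Also, if `$_.message` is the rendered description rather than the event XML, Security-log element names such as `SubjectUserName` and `TargetSid` may not appear in it at all — check one real event before relying on any of the Security-log rules in this set.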
diff --git a/Rules/sigma_tmp/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.ps1 b/Rules/sigma_tmp/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.ps1
new file mode 100644
index 00000000..9905a6c1
--- /dev/null
+++ b/Rules/sigma_tmp/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "4673" -and $_.message -match "Service.*LsaRegisterLogonProcess()" -and $_.message -match "Keywords.*0x8010000000000000") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_user_creation.ps1 b/Rules/sigma_tmp/win_user_creation.ps1
new file mode 100644
index 00000000..f0deb738
--- /dev/null
+++ b/Rules/sigma_tmp/win_user_creation.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.ID -eq "4720") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_user_driver_loaded.ps1 b/Rules/sigma_tmp/win_user_driver_loaded.ps1
new file mode 100644
index 00000000..2b1e7ead
--- /dev/null
+++ b/Rules/sigma_tmp/win_user_driver_loaded.ps1
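Review bot: In win_user_couldnt_call_privileged_service_lsaregisterlogonprocess the pattern `"Service.*LsaRegisterLogonProcess()"` treats `()` as an empty regex group, so the parentheses are optional in the match; a literal match is `'Service.*LsaRegisterLogonProcess\(\)'`. More importantly, `$_.message -match "Keywords.*0x8010000000000000"` looks for the Audit Failure keyword inside the message text, where it is not rendered — Keywords is a separate property of the event record — so this conjunction presumably never matches and the rule is silently dead. Testing the property instead, e.g. `$_.KeywordsDisplayNames -contains 'Audit Failure'`, is the usual way to express the Sigma condition; confirm against a sample 4673 event.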
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "4673" -and $_.message -match "PrivilegeList.*SeLoadDriverPrivilege" -and $_.message -match "Service.*-") -and -not (($_.message -match "ProcessName.*.*\\Windows\\System32\\Dism.exe" -or $_.message -match "ProcessName.*.*\\Windows\\System32\\rundll32.exe" -or $_.message -match "ProcessName.*.*\\Windows\\System32\\fltMC.exe" -or $_.message -match "ProcessName.*.*\\Windows\\HelpPane.exe" -or $_.message -match "ProcessName.*.*\\Windows\\System32\\mmc.exe" -or $_.message -match "ProcessName.*.*\\Windows\\System32\\svchost.exe" -or $_.message -match "ProcessName.*.*\\Windows\\System32\\wimserv.exe" -or $_.message -match "ProcessName.*.*\\procexp64.exe" -or $_.message -match "ProcessName.*.*\\procexp.exe" -or $_.message -match "ProcessName.*.*\\procmon64.exe" -or $_.message -match "ProcessName.*.*\\procmon.exe" -or $_.message -match "ProcessName.*.*\\Google\\Chrome\\Application\\chrome.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_using_sc_to_change_sevice_image_path_by_non_admin.ps1 b/Rules/sigma_tmp/win_using_sc_to_change_sevice_image_path_by_non_admin.ps1
new file mode 100644
index 00000000..434ea2af
--- /dev/null
+++ b/Rules/sigma_tmp/win_using_sc_to_change_sevice_image_path_by_non_admin.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\sc.exe" -and $_.message -match "IntegrityLevel.*Medium" -and ($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*config.*" -and $_.message -match "CommandLine.*.*binPath.*") -or ($_.message -match "CommandLine.*.*failure.*" -and $_.message -match "CommandLine.*.*command.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_using_settingsynchost_as_lolbin.ps1 b/Rules/sigma_tmp/win_using_settingsynchost_as_lolbin.ps1
new file mode 100644
index 00000000..eb183c90
--- /dev/null
+++ b/Rules/sigma_tmp/win_using_settingsynchost_as_lolbin.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and -not (($_.message -match "Image.*C:\\Windows\\System32\\.*" -or $_.message -match "Image.*C:\\Windows\\SysWOW64\\.*")) -and ($_.message -match "ParentCommandLine.*.*cmd.exe /c.*" -and $_.message -match "ParentCommandLine.*.*RoamDiag.cmd.*" -and $_.message -match "ParentCommandLine.*.*-outputpath.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_verclsid_runs_com.ps1 b/Rules/sigma_tmp/win_verclsid_runs_com.ps1
new file mode 100644
index 00000000..0e9a089e
--- /dev/null
+++ b/Rules/sigma_tmp/win_verclsid_runs_com.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\verclsid.exe" -and $_.message -match "CommandLine.*.*/C.*" -and $_.message -match "CommandLine.*.*/S.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_visual_basic_compiler.ps1 b/Rules/sigma_tmp/win_visual_basic_compiler.ps1
new file mode 100644
index 00000000..eee87066
--- /dev/null
+++ b/Rules/sigma_tmp/win_visual_basic_compiler.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\vbc.exe" -and $_.message -match "Image.*.*\\cvtres.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_volume_shadow_copy_mount.ps1 b/Rules/sigma_tmp/win_volume_shadow_copy_mount.ps1
new file mode 100644
index 00000000..b7b46eff
--- /dev/null
+++ b/Rules/sigma_tmp/win_volume_shadow_copy_mount.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName System | where {($_.message -match "Source.*Microsoft-Windows-Ntfs" -and $_.ID -eq "98" -and $_.message -match "DeviceName.*.*HarddiskVolumeShadowCopy.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_vssaudit_secevent_source_registration.ps1 b/Rules/sigma_tmp/win_vssaudit_secevent_source_registration.ps1
new file mode 100644
index 00000000..b6b6532b
--- /dev/null
+++ b/Rules/sigma_tmp/win_vssaudit_secevent_source_registration.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {($_.message -match "AuditSourceName.*VSSAudit" -and ($_.ID -eq "4904" -or $_.ID -eq "4905")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_vul_cve_2020_0688.ps1 b/Rules/sigma_tmp/win_vul_cve_2020_0688.ps1
new file mode 100644
index 00000000..1186b44e
--- /dev/null
+++ b/Rules/sigma_tmp/win_vul_cve_2020_0688.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Application | where {($_.ID -eq "4" -and $_.message -match "Source.*MSExchange Control Panel" -and $_.message -match "Level.*Error" -and ($_.message -match ".*&__VIEWSTATE=.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_vul_cve_2020_1472.ps1 b/Rules/sigma_tmp/win_vul_cve_2020_1472.ps1
new file mode 100644
index 00000000..c68cc80b
--- /dev/null
+++ b/Rules/sigma_tmp/win_vul_cve_2020_1472.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName System | where {(($_.ID -eq "5829")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_vul_java_remote_debugging.ps1 b/Rules/sigma_tmp/win_vul_java_remote_debugging.ps1
new file mode 100644
index 00000000..12caa9e6
--- /dev/null
+++ b/Rules/sigma_tmp/win_vul_java_remote_debugging.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and $_.message -match "CommandLine.*.*transport=dt_socket,address=.*" -and -not ($_.message -match "CommandLine.*.*address=127.0.0.1.*" -or $_.message -match "CommandLine.*.*address=localhost.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_webshell_detection.ps1 b/Rules/sigma_tmp/win_webshell_detection.ps1
new file mode 100644
index 00000000..407e8606
--- /dev/null
+++ b/Rules/sigma_tmp/win_webshell_detection.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "ParentImage.*.*\\w3wp.exe" -or $_.message -match "ParentImage.*.*\\php-cgi.exe" -or $_.message -match "ParentImage.*.*\\nginx.exe" -or $_.message -match "ParentImage.*.*\\httpd.exe") -or ($_.message -match "ParentImage.*.*\\apache.*" -or $_.message -match "ParentImage.*.*\\tomcat.*")) -and (($_.ID -eq "1") -and (((($_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and ($_.message -match "CommandLine.*.* user .*" -or $_.message -match "CommandLine.*.* use .*" -or $_.message -match "CommandLine.*.* group .*")) -or ($_.message -match "Image.*.*\\ping.exe" -and $_.message -match "CommandLine.*.* -n .*") -or ($_.message -match "CommandLine.*.*&cd&echo.*" -or $_.message -match "CommandLine.*.*cd /d .*")) -or ($_.message -match "Image.*.*\\wmic.exe" -and $_.message -match "CommandLine.*.* /node:.*") -or ($_.message -match "Image.*.*\\whoami.exe" -or $_.message -match "Image.*.*\\systeminfo.exe" -or $_.message -match "Image.*.*\\quser.exe" -or $_.message -match "Image.*.*\\ipconfig.exe" -or $_.message -match "Image.*.*\\pathping.exe" -or $_.message -match "Image.*.*\\tracert.exe" -or $_.message -match "Image.*.*\\netstat.exe" -or $_.message -match "Image.*.*\\schtasks.exe" -or $_.message -match "Image.*.*\\vssadmin.exe" -or $_.message -match "Image.*.*\\wevtutil.exe" -or $_.message -match "Image.*.*\\tasklist.exe") -or ($_.message -match "CommandLine.*.* Test-NetConnection .*" -or $_.message -match "CommandLine.*.*dir \\.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_webshell_recon_detection.ps1 b/Rules/sigma_tmp/win_webshell_recon_detection.ps1
new file mode 100644
index 00000000..3b5cf145
--- /dev/null
+++ b/Rules/sigma_tmp/win_webshell_recon_detection.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "ParentImage.*.*\\apache.*" -or $_.message -match "ParentImage.*.*\\tomcat.*") -or ($_.message -match "ParentImage.*.*\\w3wp.exe" -or $_.message -match "ParentImage.*.*\\php-cgi.exe" -or $_.message -match "ParentImage.*.*\\nginx.exe" -or $_.message -match "ParentImage.*.*\\httpd.exe")) -and (($_.message -match "Image.*.*\\cmd.exe") -and ($_.message -match "CommandLine.*.*perl --help.*" -or $_.message -match "CommandLine.*.*python --help.*" -or $_.message -match "CommandLine.*.*wget --help.*" -or $_.message -match "CommandLine.*.*perl -h.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_webshell_spawn.ps1 b/Rules/sigma_tmp/win_webshell_spawn.ps1
new file mode 100644
index 00000000..65393206
--- /dev/null
+++ b/Rules/sigma_tmp/win_webshell_spawn.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "ParentImage.*.*\\w3wp.exe" -or $_.message -match "ParentImage.*.*\\httpd.exe" -or $_.message -match "ParentImage.*.*\\nginx.exe" -or $_.message -match "ParentImage.*.*\\php-cgi.exe" -or $_.message -match "ParentImage.*.*\\tomcat.exe" -or $_.message -match "ParentImage.*.*\\UMWorkerProcess.exe") -and ($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\sh.exe" -or $_.message -match "Image.*.*\\bash.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\bitsadmin.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_whoami_as_system.ps1 b/Rules/sigma_tmp/win_whoami_as_system.ps1
new file mode 100644
index 00000000..d1ca31a6
--- /dev/null
+++ b/Rules/sigma_tmp/win_whoami_as_system.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "User.*NT AUTHORITY\\SYSTEM" -and $_.message -match "Image.*.*\\whoami.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_whoami_priv.ps1 b/Rules/sigma_tmp/win_whoami_priv.ps1
new file mode 100644
index 00000000..a3dc8e15
--- /dev/null
+++ b/Rules/sigma_tmp/win_whoami_priv.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\whoami.exe" -and $_.message -match "CommandLine.*.*/priv.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_win10_sched_task_0day.ps1 b/Rules/sigma_tmp/win_win10_sched_task_0day.ps1
new file mode 100644
index 00000000..b199c1df
--- /dev/null
+++ b/Rules/sigma_tmp/win_win10_sched_task_0day.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\schtasks.exe" -and $_.message -match "CommandLine.*.*/change.*" -and $_.message -match "CommandLine.*.*/TN.*" -and $_.message -match "CommandLine.*.*/RU.*" -and $_.message -match "CommandLine.*.*/RP.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_winword_dll_load.ps1 b/Rules/sigma_tmp/win_winword_dll_load.ps1
new file mode 100644
index 00000000..88b9f763
--- /dev/null
+++ b/Rules/sigma_tmp/win_winword_dll_load.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\winword.exe" -and $_.message -match "CommandLine.*.*/l.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_wmi_backdoor_exchange_transport_agent.ps1 b/Rules/sigma_tmp/win_wmi_backdoor_exchange_transport_agent.ps1
new file mode 100644
index 00000000..c2c36245
--- /dev/null
+++ b/Rules/sigma_tmp/win_wmi_backdoor_exchange_transport_agent.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\EdgeTransport.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_wmi_persistence.ps1 b/Rules/sigma_tmp/win_wmi_persistence.ps1
new file mode 100644
index 00000000..d375f9e1
--- /dev/null
+++ b/Rules/sigma_tmp/win_wmi_persistence.ps1
@@ -0,0 +1,2 @@
+Get-WinEvent -LogName Microsoft-Windows-WMI-Activity/Operational | where {((($_.ID -eq "5861" -and ($_.message -match ".*ActiveScriptEventConsumer.*" -or $_.message -match ".*CommandLineEventConsumer.*" -or $_.message -match ".*CommandLineTemplate.*")) -or $_.ID -eq "5859")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Security | where {($_.ID -eq "4662" -and $_.message -match "ObjectType.*WMI Namespace" -and $_.message -match "ObjectName.*.*subscription.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_wmi_persistence_script_event_consumer.ps1 b/Rules/sigma_tmp/win_wmi_persistence_script_event_consumer.ps1
new file mode 100644
index 00000000..6a0196ab
--- /dev/null
+++ b/Rules/sigma_tmp/win_wmi_persistence_script_event_consumer.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*C:\\WINDOWS\\system32\\wbem\\scrcons.exe" -and $_.message -match "ParentImage.*C:\\Windows\\System32\\svchost.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_wmi_spwns_powershell.ps1 b/Rules/sigma_tmp/win_wmi_spwns_powershell.ps1
new file mode 100644
index 00000000..b6a33771
--- /dev/null
+++ b/Rules/sigma_tmp/win_wmi_spwns_powershell.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.message -match "ParentImage.*.*\\wmiprvse.exe") -and ($_.message -match "Image.*.*\\powershell.exe")) -and -not ($_.message -match "CommandLine.*null")) -and -not (-not CommandLine="*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_wmiprvse_spawning_process.ps1 b/Rules/sigma_tmp/win_wmiprvse_spawning_process.ps1
new file mode 100644
index 00000000..d1c085a3
--- /dev/null
+++ b/Rules/sigma_tmp/win_wmiprvse_spawning_process.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "ParentImage.*.*\\WmiPrvSe.exe" -and -not (($_.message -match "0x3e7" -or $_.message -match "null") -or ($_.message -match "0x3e7" -or $_.message -match "null") -or $_.message -match "User.*NT AUTHORITY\\SYSTEM" -or ($_.message -match "Image.*.*\\WmiPrvSE.exe" -or $_.message -match "Image.*.*\\WerFault.exe"))) -and -not (-not LogonId="*")) -and -not (-not SubjectLogonId="*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_wmiprvse_wbemcomn_dll_hijack.ps1 b/Rules/sigma_tmp/win_wmiprvse_wbemcomn_dll_hijack.ps1
new file mode 100644
index 00000000..d67dfe6f
--- /dev/null
+++ b/Rules/sigma_tmp/win_wmiprvse_wbemcomn_dll_hijack.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Security | where {(($_.ID -eq "5145" -and $_.message -match "RelativeTargetName.*.*\\wbem\\wbemcomn.dll") -and -not ($_.message -match "SubjectUserName.*.*$")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_workflow_compiler.ps1 b/Rules/sigma_tmp/win_workflow_compiler.ps1
new file mode 100644
index 00000000..c44d1c7b
--- /dev/null
+++ b/Rules/sigma_tmp/win_workflow_compiler.ps1
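Review bot: `-not (-not CommandLine="*")` in win_wmi_spwns_powershell is an unconverted Sigma `CommandLine: '*'` condition, not PowerShell — `CommandLine="*"` is a bare word in expression position, so the script block does not parse and the rule never runs. The same leftover appears twice in win_wmiprvse_spawning_process (`-not (-not LogonId="*")` and `-not (-not SubjectLogonId="*")`). Since the Sigma clause only asserts that the field is present, the closest faithful translation in this message-matching style is `$_.message -match "CommandLine"` (respectively `LogonId` / `SubjectLogonId`), or the clause can be dropped where the event type always carries the field. In win_wmiprvse_spawning_process the exclusion `($_.message -match "0x3e7" -or $_.message -match "null")` is additionally duplicated verbatim and unanchored, so any event whose message contains the substring `null` anywhere is suppressed rather than only those with a null logon id.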
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\Microsoft.Workflow.Compiler.exe" -or ($_.message -match "OriginalFileName.*Microsoft.Workflow.Compiler.exe" -and $_.message -match "CommandLine.*.*.xml.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_wsreset_uac_bypass.ps1 b/Rules/sigma_tmp/win_wsreset_uac_bypass.ps1
new file mode 100644
index 00000000..af9ee8da
--- /dev/null
+++ b/Rules/sigma_tmp/win_wsreset_uac_bypass.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "ParentImage.*.*\\WSreset.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/Rules/sigma_tmp/win_xsl_script_processing.ps1 b/Rules/sigma_tmp/win_xsl_script_processing.ps1
new file mode 100644
index 00000000..ec98f589
--- /dev/null
+++ b/Rules/sigma_tmp/win_xsl_script_processing.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\wmic.exe" -and $_.message -match "CommandLine.*.*/format.*") -or $_.message -match "Image.*.*\\msxsl.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
diff --git a/testfiles/AS-REP Roasting.evtx b/testfiles/AS-REP Roasting.evtx
new file mode 100644
index 00000000..9b34ff50
Binary files /dev/null and b/testfiles/AS-REP Roasting.evtx differ
diff --git a/testfiles/Kerberoasting&ASREP_Roasting/Kerberoasting&ASREP_Roasting.pptx b/testfiles/Kerberoasting&ASREP_Roasting/Kerberoasting&ASREP_Roasting.pptx
new file mode 100644
index 00000000..7ef3a419
Binary files /dev/null and b/testfiles/Kerberoasting&ASREP_Roasting/Kerberoasting&ASREP_Roasting.pptx differ
diff --git a/testfiles/Kerberoasting&ASREP_Roasting/Logs/AS-REP Roasting.evtx b/testfiles/Kerberoasting&ASREP_Roasting/Logs/AS-REP Roasting.evtx
new file mode 100644
index 00000000..9b34ff50
Binary files /dev/null and b/testfiles/Kerberoasting&ASREP_Roasting/Logs/AS-REP Roasting.evtx differ
diff --git a/testfiles/Kerberoasting&ASREP_Roasting/Logs/Kerberoasting.evtx b/testfiles/Kerberoasting&ASREP_Roasting/Logs/Kerberoasting.evtx
new file mode 100644
index 00000000..3dae16bd
Binary files /dev/null and b/testfiles/Kerberoasting&ASREP_Roasting/Logs/Kerberoasting.evtx differ
diff --git a/testfiles/Kerberoasting.evtx b/testfiles/Kerberoasting.evtx
new file mode 100644
index 00000000..3dae16bd
Binary files /dev/null and b/testfiles/Kerberoasting.evtx differ
diff --git "a/testfiles/T1197_BITS Jobs_transfer\343\202\271\343\202\244\343\203\203\343\203\201\343\202\222\345\210\251\347\224\250\343\201\227\343\201\237\343\203\252\343\203\242\343\203\274\343\203\210\343\203\225\343\202\241\343\202\244\343\203\253\343\201\256\343\203\200\343\202\246\343\203\263\343\203\255\343\203\274\343\203\211.evtx" "b/testfiles/T1197_BITS Jobs_transfer\343\202\271\343\202\244\343\203\203\343\203\201\343\202\222\345\210\251\347\224\250\343\201\227\343\201\237\343\203\252\343\203\242\343\203\274\343\203\210\343\203\225\343\202\241\343\202\244\343\203\253\343\201\256\343\203\200\343\202\246\343\203\263\343\203\255\343\203\274\343\203\211.evtx"
new file mode 100644
index 00000000..75c19630
Binary files /dev/null and "b/testfiles/T1197_BITS Jobs_transfer\343\202\271\343\202\244\343\203\203\343\203\201\343\202\222\345\210\251\347\224\250\343\201\227\343\201\237\343\203\252\343\203\242\343\203\274\343\203\210\343\203\225\343\202\241\343\202\244\343\203\253\343\201\256\343\203\200\343\202\246\343\203\263\343\203\255\343\203\274\343\203\211.evtx" differ
diff --git a/testfiles/T1197_BITS Jobs_v1.pptx b/testfiles/T1197_BITS Jobs_v1.pptx
new file mode 100644
index 00000000..c67cb762
Binary files /dev/null and b/testfiles/T1197_BITS Jobs_v1.pptx differ
diff --git a/testfiles/kerberos_pwd_spray_4771.evtx b/testfiles/kerberos_pwd_spray_4771.evtx
new file mode 100644
index 00000000..631e2c5b
Binary files /dev/null and b/testfiles/kerberos_pwd_spray_4771.evtx differ
diff --git a/testfiles/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx b/testfiles/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx
new file mode 100644
index 00000000..db9a9fcd
Binary files /dev/null and b/testfiles/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx differ